- Released At: 16-12-2024
AD-WAN 6.5 Branch Solution
SD-Branch Service Configuration Guide
Document version: 5W100-20240118
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Use a branch site as an AP to manage an AC
Use an AP that connects to a branch site for AC management
Layer 2 switch and AP automatically come online to incorporate the AC
Use SDWAN as a spine device for automated device management in the campus network
Use a branch site as an AP to manage an AC
Configure the SDWAN controller
Use an AP that connects to a branch site for AC management
Configure the SDWAN controller
Configure the authentication server
Layer 2 switch and AP automatically come online to incorporate the AC
Configure the SDWAN controller
Configure automated device deployment on Unified Platform
Maintain online devices through ICC
Configure the authentication server
Use SDWAN as a spine device for automated device management in the campus network
Configure the AD-WAN controller
Configure the AD-Campus controller
Configure MAC portal authentication
Create the BYOD security group
Enable MAC portal authentication
Initiate MAC portal authentication
Configure global topology settings
Add devices in the WAN scenario
Introduction
Overview
The SD-branch solution automates onboarding and deployment of LAN-side switches and APs at branch sites, which reduces deployment and operations cost and enables rapid rollout. By integrating the AD-WAN branch solution with the AD-Campus solution, the SD-branch solution offers the following:
· It adapts to networks that enterprises build and operate themselves.
· The campus solution manages the branch LANs and the campus network, and provides ZTP, switch management, wireless management, and authentication management.
· The branch solution manages the WAN side of the branches, providing management and service configuration for routers and firewalls.
· Unified topology display.
Application scenarios
Use a branch site as an AP to manage an AC
Network description
As shown in Figure 1, the router at branch site Branch 1 on the WAN has built-in Wi-Fi. It provides wireless service for the branch and is incorporated and managed as a wireless device by the controller through WSM.
Device node address planning
Table 1 shows the addresses planned for interfaces on devices.
Table 1 Device node address planning
| Device | Interface | Interface address | Peer device | Peer interface | Peer address | Remarks |
|---|---|---|---|---|---|---|
| Hub1-1 | GE3/4/0 | 11.1.1.2/24 | LAN1 | N/A | 11.1.1.1/24 | Management network |
| Hub1-1 | GE3/4/0.1 | 20.1.10.2/24 | LAN1 | N/A | 20.1.10.1/24 | LAN interface in VPN1 |
| Hub1-1 | GE3/4/1 | 30.1.1.1/24 | Hub1-2 | GE3/4/1 | 30.1.1.2/24 | Horizontal link |
| Hub1-1 | GE3/4/2 | 11.1.5.1/24 | Spoke1-1 | GE0/2 | 11.1.5.2/24 | L2VPN |
| Hub1-2 | GE3/4/0 | 11.1.2.2/24 | LAN1 | N/A | 11.1.2.1/24 | Management network |
| Hub1-2 | GE3/4/0.1 | 20.1.11.2/24 | LAN1 | N/A | 20.1.11.1/24 | LAN interface in VPN1 |
| Hub1-2 | GE3/4/1 | 30.1.1.2/24 | Hub1-1 | GE3/4/1 | 30.1.1.1/24 | Horizontal link |
| Hub1-2 | GE3/4/2 | 11.1.6.1/24 | Spoke1-2 | GE0/2 | 11.1.6.2/24 | L2VPN |
| Spoke1-1 | GE0/0 | 20.1.2.2/24 | LAN2 | N/A | N/A | LAN interface in VPN1; VRRP virtual IP 20.1.2.1 (master) |
| Spoke1-1 | GE0/1 | 30.1.2.1/24 | Spoke1-2 | GE0/1 | 30.1.2.2/24 | Horizontal link |
| Spoke1-1 | GE0/2 | 11.1.5.2/24 | Hub1-1 | GE3/4/2 | 11.1.5.1/24 | L2VPN |
| Spoke1-1 | GE0/4 | 20.1.21.1/24 | Spoke1-2 | GE0/4 | 20.1.21.2/24 | LAN interface in VPN1; horizontal route synchronization |
| Spoke1-2 | GE0/0 | 20.1.2.3/24 | LAN2 | N/A | N/A | LAN interface in VPN1; VRRP virtual IP 20.1.2.1 (backup) |
| Spoke1-2 | GE0/1 | 30.1.2.2/24 | Spoke1-1 | GE0/1 | 30.1.2.1/24 | Horizontal link |
| Spoke1-2 | GE0/2 | 11.1.6.2/24 | Hub1-2 | GE3/4/2 | 11.1.6.1/24 | L2VPN |
| Spoke1-2 | GE0/4 | 20.1.21.2/24 | Spoke1-1 | GE0/4 | 20.1.21.1/24 | LAN interface in VPN1; horizontal route synchronization |
Use an AP that connects to a branch site for AC management
Network configuration
As shown in Figure 2, the AP connects to branch site Branch 1 on the WAN. A device at Branch 1 acts as a DHCP server to assign an IP address to the AP, and uses Option 43 to specify the IP address of the AC. The AP uses the AC’s IP address to discover the AC and establish a CAPWAP tunnel with the AC. The WSM component on the controller manages the AC.
Device node address planning
Table 2 shows the addresses planned for interfaces on devices.
Table 2 Device node address planning
The address plan for this scenario is identical to Table 1 (same devices, interfaces, and addresses); see Table 1.
Layer 2 switch and AP automatically come online to incorporate the AC
Network description
As shown in Figure 3, a Layer 2 campus switch connects to branch site Branch1 on the WAN, and the AP connects to that switch.
· The Layer 2 switch comes online automatically through the DHCP-based zero-touch provisioning feature of the basic network management system; its subsequent configuration is deployed through ICC.
· The branch site device acts as the DHCP relay agent and the HQ site device acts as the DHCP server. The HQ site device assigns an IP address to the AP and carries the AC's IP address in Option 43. The AP uses that address to discover the AC and establish a CAPWAP tunnel, and the WSM component on the controller incorporates the AC.
Device node address planning
Table 3 shows the addresses planned for interfaces on devices.
Table 3 Device node address planning
The address plan for this scenario is identical to Table 1 (same devices, interfaces, and addresses); see Table 1.
Use SDWAN as a spine device for automated device management in the campus network
Network configuration
As shown in Figure 4, the SDWAN device acts as the campus spine and as the DHCP relay agent, and Unified Platform acts as the DHCP server. Unified Platform allocates IP addresses to the campus underlay devices through the relay on the SDWAN device, after which the underlay devices are deployed automatically.
Device node address planning
Table 4 shows the addresses planned for interfaces on devices.
Table 4 Device node address planning
The address plan for this scenario is identical to Table 1 (same devices, interfaces, and addresses); see Table 1.
Use a branch site as an AP to manage an AC
Configuration workflow
Figure 5 Configuration workflow
1. Configure basic settings.
Install Unified Platform, SeerEngine-SDWAN, WSM, and EIA.
2. Ensure network connectivity.
¡ Incorporate routers in the HQ and at the branches and deploy WAN service.
¡ Create a management loopback interface on the devices in the HQ and at the branches and specify a management interface, bind the interface to a VPN, and advertise routes in BGP.
3. Configure wireless service settings.
Use WSM to manage the routers and deploy Wi-Fi settings.
Configure the SDWAN controller
1. Incorporate devices and deploy WAN services. For more information, see AD-WAN 6.5 Branch Solution WAN Service Configuration Guide.
¡ Configure the system and tenants
¡ Plan device onboarding
¡ Plan branch networks
¡ Manually deploy configuration and check status
¡ Deploy the WAN service
2. Create a loopback interface on the devices in the HQ and at the branches, bind the interface to a VPN, and then advertise routes in the VPN.
#
interface LoopBack10 //Create a loopback interface
ip binding vpn-instance vpn1 //Bind the interface to a VPN
ip address 61.1.1.1 255.255.255.255
#
bgp 200
peer 71.1.1.1 as-number 200
peer 71.1.1.1 connect-interface LoopBack0
peer 71.1.1.1 bfd multi-hop
#
address-family ipv4 unicast
#
address-family ipv4 tnl-encap-ext
peer 71.1.1.1 enable
peer 71.1.1.2 enable
#
address-family l2vpn evpn
peer 71.1.1.1 enable
peer 71.1.1.1 advertise-community
peer 71.1.1.1 next-hop-local
peer 71.1.1.1 advertise encap-type sdwan
peer 71.1.1.2 enable
peer 71.1.1.2 advertise-community
peer 71.1.1.2 advertise encap-type sdwan
#
ip vpn-instance vpn1
#
address-family ipv4 unicast
balance 32
preference 255 5 255
import-route ospf 3 route-policy lan
network 61.1.1.1 255.255.255.255 //Configure BGP to advertise the network.
Manage wireless services
1. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Configuration > Configuration page. Clear the Ignore Router Wireless Functions option.
Figure 6 Ignoring router wireless functions
2. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Fat APs page to view the fat AP list. In the current software version, the controller can only incorporate fat APs but cannot deploy configuration to the fat APs.
Figure 7 Fat AP list
3. WSM does not support fat AP configuration deployment. You must add configuration manually. Navigate to the Automation > Configuration Deployment > Configuration Templates page. Click Add and then select Manually Add.
Figure 8 Configuration library
Figure 9 Manual deployment
4. In the Actions column for a configuration segment, click the deployment icon, select the devices to deploy to, and complete the task by following the wizard.
Figure 10 Deploying configuration to devices
Figure 11 Configuring device deployment
Configure user authentication
Configure the EIA server
To authenticate users, configure the following items on the EIA server:
· Access policy.
· Access service.
· Access user.
· Portal service.
· Access device.
Add an access policy
This example adds an access policy that does not contain any user-defined access control settings.
1. Navigate to the Automation > User > Access Service > Access Policy page.
Figure 12 Access policy configuration page
2. Click Add. On the page that opens, configure the access policy as needed. For the purpose of this example, enter the access policy name, and use the default settings for other parameters.
Figure 13 Adding an access policy
Figure 14 Configuring the access policy
¡ Basic Information: Enter a name for the access policy and use the default user group setting (Ungrouped).
¡ Authorization Information: Typically, use the default values.
Pay attention to the configuration of the following parameters:
- Allocate IP: Select whether to allocate IP addresses to users. Select No for campus networks.
- Offline Check Period (Hours): Use this parameter to keep dumb endpoints such as printers, which do not send packets on their own, from being logged off. By default the switch's offline detection period for MAC authentication is 5 minutes, and the switch logs off an endpoint from which it has seen no packets within that period. Configure the offline check period together with ARP snooping so that endpoints that passed authentication stay online. The value is an integer in the range of 0 to 596523. A value of 0 means the endpoint never goes offline; an empty value means the 5-minute default applies.
Methods for handling inconsistent endpoint information (the same MAC address coming online from a different endpoint):
- Log Conflict and Continue Authentication: Log the conflict and allow the user to pass authentication and come online.
- Reject Authentication: Deny the user's online request.
- Deploy Blackhole MAC: Defends against MAC address spoofing. Deny the user's online request and add the MAC address to the silent MAC address list of MAC authentication on the device.
¡ Authentication Binding Information:
Pay attention to the following parameters:
- Bind User IP: Select this option to bind an online endpoint to its static IP address. If selected, EIA records the bound static IP address in the user's details when the endpoint comes online.
- Bind Dynamically Assigned IP: Select this option when the endpoint obtains its IP address from a DHCP server. EIA then binds the endpoint's MAC address, DHCP-assigned IP address, and account when the endpoint comes online for the first time, so the endpoint obtains the same IP address every time it comes online.
¡ User Client Configuration: Use the default settings.
3. Click Confirm. Verify that the access policy has been added to the access policy list.
Figure 15 Verifying that the access policy has been added
Add an access service
An access service is a collection of policies for user authentication and authorization. This example adds a simple access service that does not contain any access control settings.
To add an access service:
1. Navigate to the Automation > User > Access Service page.
Figure 16 Access service management page
2. Click Add. On the page that opens, enter the service name and service suffix, specify the default access policy, and use the default settings for other parameters. Make sure the Transparent Authentication is selected. In this example, service suffix portal is used.
Figure 17 Adding the access service
Access service parameters
¡ Service Name: Specify a service name. A service name uniquely identifies an access service in EIA. In this example, portal_Service is used.
¡ Service Suffix: Specify a service suffix. The service suffix, authentication username, authentication domain, and the device's RADIUS scheme command are closely related to each other. For more information about the matrix of these elements, see Table 5. In this example, service suffix portal is used.
¡ Default Access Policy: Specify an access policy as the default access policy. In this example, portal_Policy is used.
¡ Security Group: Specify a security group.
¡ Sub Security Group: Specify a security subgroup.
¡ Default Proprietary Attribute Assignment Policy: Specify the default proprietary attribute assignment policy. If a user using an access service does not match an access location group when accessing the network, EIA deploys proprietary attributes to the access device according to the specified default proprietary attribute assignment policy.
¡ Default Max. Devices for Single Account: Specify the maximum number of endpoints that can be bound to the access user when the user's access scenario matches none of the access scenarios in the service assigned to the user. This field is available only when the EIP component is deployed. EIA checks the maximum number of bound endpoint devices for a single account in the following order:
- Matched access scenario—Checks the number of bound endpoint devices against the maximum number limit specified in the scenario. If the number reaches the limit, EIA denies the user authentication.
- Scenarios in all services—Checks the number of bound endpoint devices in scenarios of all services assigned to the account. If the number reaches the value of Max. Devices for Single Account specified in user endpoint settings on the Automation > User > Service Parameters > Access Parameters > System Settings page, EIA denies the user authentication.
¡ Default Max. Number of Online Endpoints: Specify the maximum number of endpoints that can be simultaneously used for network access by the access user when the user's access scenario matches none of the access scenarios in the service assigned to the user.
¡ Daily Max. Online Duration: Specify the total duration in a day that an account can access the network by using the service. When the limit is reached, the account is forced offline and cannot access the network this day. The value is an integer in the range of 0 to 1440 minutes. A value of 0 means not limited.
¡ Description: Enter a brief description for the service.
Table 5 Relationship between authentication username, authentication domain, RADIUS scheme command, and service suffix
| Authentication username | Authentication domain | Device's RADIUS scheme command | Service suffix |
|---|---|---|---|
| X@Y | Y | user-name-format with-domain | Y |
| X@Y | Y | user-name-format without-domain | No suffix |
| X | [Default domain] | user-name-format with-domain | [Default domain] |
| X | [Default domain] | user-name-format without-domain | No suffix |
3. Click Confirm. Verify that the access service has been added to the access service list.
Figure 18 Verifying that the access service has been added
Add access users
You can manually add access users or import users on the Guide > Campus Wizard > User Onboarding Plan > 802.1X/MAC Authentication page. After access users are configured, all settings required on the authentication server are completed. You can perform user authentication after device onboarding.
Figure 19 Configuring access users
Manually add users
1. Click Add and then configure the following parameters on the page that opens:
¡ Basic Information: Specify the User Name and Identity Number. For other parameters, you can use the default values.
¡ Access Information: Enter the account name and password. For other parameters, you can use the default values.
- Max. Idle Time: By default, it is empty, which indicates the session never times out.
- Max. Concurrent Logins: The default value is 1. The maximum value is 255. This parameter specifies the number of endpoints that use the same account for login.
¡ Access Service: Each access user must be bound to an access service. After passing authentication, a user can access the network resources in the security group in the access service.
¡ Binding Information: This configuration item is optional. By default, all fields are empty. You can use the default setting.
You can manually enter binding information. If you enter multiple values in a field, use carriage returns to separate the values.
The system can also fill in binding information automatically based on the access service and access policy configuration.
2. Click OK. On the Access User tab, you can view the successfully created users.
Figure 20 Viewing access user information
Import users in bulk
1. On the Access User tab, click Batch Import, and then click the Account Import File Template link to download a template. You can use the TAB key or other separators such as commas (,) to separate columns.
Figure 21 Account import file template
In this example, the columns are separated by commas (,), as shown in the figure below.
Figure 22 Editing template information
2. Click Upload, select a file, select a separator, and select Normal for Imported User State, as shown in the figure below.
Figure 23 Uploading a file
3. Click Next.
a. In the Basic Information area, set user information and identity number.
Figure 24 Configuring basic user information
b. Select a user group as required. The default value is Ungrouped.
c. In the Access Information area, set the Account Name and Password. The password can be taken from the file or entered directly. If you enter it directly, every imported user gets that same password; take the password from the file when accounts need distinct passwords.
Figure 25 Configuring user access information
d. Select an access service in the Access Service area, which is a required operation.
Figure 26 Selecting an access service
4. Click OK to import users in bulk.
Figure 27 Successful import
5. After users are successfully imported, you can view the imported users on the Access User page.
Configure the portal service
Perform the following tasks to configure the portal service:
· Configuring a portal server.
· Configuring a portal IP group.
· Configuring a portal device.
Configure a portal server
1. Navigate to the Automation > User > Service Parameters > Portal Service page.
Figure 28 Portal server configuration page
2. In the Advanced Information area, click Add next to Service Type List. On the page that opens, add a service type.
Figure 29 Adding a service type
Service type parameters
¡ Service Type ID: The device selects the authentication mode according to the ID of the chosen service type, so set it to match the platform service and device configuration. The service type ID must be the same as the service suffix of the access service added earlier. In this example, portal is used.
¡ Service Type: The service type ID is meant for the device and is not meaningful to users, so enter a human-readable service type for it. Service types are displayed on the portal login page for users to select. This field cannot be empty or identical to an existing service type. You can configure a maximum of 64 service types.
3. Click Confirm. Verify that the service type has been added to the service type list.
Figure 30 Verifying that the service type has been added
4. Click Confirm to complete portal server configuration.
Configure a portal IP group
1. Navigate to the Automation > User > Service Parameters > Portal Service > Portal IP Group page.
Figure 31 Portal IP group configuration page
2. Click Add. On the page that opens, add an IP group.
Figure 32 Adding an IP group
3. Enter the IP group name, start IP, and end IP. In this example, IP group name portal_Address is used. The system performs authentication on all endpoints in the address segment.
4. Click Confirm. Verify that the IP group has been added to the IP group list.
Figure 33 Verifying that the IP group has been added
Configure a portal device
1. Navigate to the Automation > User > Service Parameters > Portal Service > Portal Device page.
Figure 34 Portal device configuration page
2. Click Add. On the page that opens, add a portal device.
Figure 35 Adding a portal device
Portal device parameters
¡ Device Name: Name of the portal access device. In this example, zhangsan-Switch is used.
¡ Public IP: Public IP address of the access device.
¡ Key/Confirm Key: Enter the key for authentication and enter the key again for confirmation. The key must be identical with the configuration on the device. In this example, movie is used.
¡ Access method: Select the authentication mode used by the device. In this example, Directly Connected is used.
¡ Use the default settings for other parameters.
3. Click Confirm. Verify that the portal device has been added to the portal device list.
Figure 36 Verifying that the portal device has been added
4. Click the Port Group icon in the Operation column for the device.
Figure 37 Port group configuration page
5. Click Add. Configure the relevant parameters on the page that opens. Make sure Supported is selected from the Transparent Authentication field.
Figure 38 Adding a port group
Port group parameters
¡ Port Group Name: Specify the port group name. In this example, port-Port is used.
¡ Authentication Type: Specify the authentication type. In this example, CHAP is used.
¡ IP Group: Specify the IP group. In this example, portal_Address is used.
¡ Default Authentication Page: Specify the default authentication page.
¡ Use the default settings for other parameters.
6. Click Confirm. Verify that the port group has been added to the port group list.
Figure 39 Verifying that the port group has been added
Add an access device
You must add an access device to the EIA server before the EIA server can work with the access device for authentication.
To add an access device to the EIA server:
1. Navigate to the Automation > User > Access Service > Access Device Management page.
Figure 40 Access device configuration page
2. On the Access Device tab, click Add.
Figure 41 Adding the access device
3. Click Add IPv4 Device. In the window that opens, enter the IP address of the access device in the Device IP field, and then click Confirm.
When you specify the IP address of the access device, examine the applicable RADIUS scheme on the access device to identify the IP address to specify.
¡ If the RADIUS scheme contains a NAS IP specified by using the nas-ip command for the access device, specify that IP address on the EIA server.
¡ If the RADIUS scheme does not contain a NAS IP, specify the IP address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server.
Figure 42 Manually adding the access device
4. Configure the following common parameters:
¡ Authentication Port: Specify the RADIUS authentication service port on the EIA server. It must be the same as that specified on the access device. Typically, use the default service port (1812).
¡ Accounting Port: Specify the RADIUS accounting service port on the EIA server. It must be the same as that specified on the access device. Typically, use the default service port 1813.
IMPORTANT: You must use the EIA server to provide both authentication and accounting services. You cannot use the EIA server as the authentication server and another server as the accounting server.
¡ Shared Key/Confirm Shared Key: Enter a shared key in the Shared Key field. If the system is configured to display keys in ciphertext, you must enter the key again in the Confirm Shared Key field for confirmation.
The shared key is used for secure communication between the server and the access device.
The shared key specified on the EIA server must be the same as that specified on the access device.
You only need to enter the shared key once if you selected Plaintext in the Displays Key in field on the Automation > User > Service Parameters > Access Parameters > System Settings page.
¡ Use the default settings for other parameters.
Figure 43 Configuring common parameters
5. Click Confirm. Verify that the access device has been added to the access device list.
Figure 44 Verifying that the access device has been added
Configure the AC
Configure the following settings on the AC:
· RADIUS server
· ISP domain
· Portal authentication server
· Portal Web server
· VLAN
· Wireless service template
Configure RADIUS servers
Specify authentication and accounting servers.
#
radius scheme branch1
primary authentication Northbound IP
primary accounting Northbound IP
key authentication simple ******
key accounting simple ******
user-name-format without-domain //Specify whether to exclude the ISP domain name from the username sent to the RADIUS server
nas-ip *.*.*.* //AC management IP
#
IMPORTANT: The authentication and accounting keys must be identical to the shared key configured when the access device was added on EIA, and the nas-ip address must be the Device IP registered there. The simple keyword enters the key in plaintext; where the software supports it, prefer cipher so that the key is not stored in readable form in the configuration.
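Both the EIA Shared Key and the AC's key authentication / key accounting values are inputs to RFC 2865 packet processing, which is why a mismatch is fatal rather than merely logged, and the user-name-format setting decides which User-Name EIA sees (Table 5). The following Python is an added worked example, not H3C or EIA code. It models the AC as the NAS and EIA as the RADIUS server with constructed account names, passwords, keys and addresses; the rule that a bare login under user-name-format with-domain is sent as user@default-domain is an assumption drawn from Table 5.

```python
"""RADIUS shared-key exchange between the AC (NAS) and EIA.

Added example; not H3C or EIA code.  Models RFC 2865: the NAS hides the
User-Password with the shared key and Request Authenticator, the server
recovers it only with the same key, and the Response Authenticator lets the
NAS detect a server holding a different key.  All names, passwords, keys and
addresses are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_user_name(login, default_domain, with_domain):
    """Apply the Table 5 rule. Returns (isp_domain, user_name_sent, eia_suffix).

    Domain is the part after '@' if present, else the device default domain;
    with_domain mirrors `user-name-format with-domain` vs `without-domain`.
    Sending a bare login as user@default-domain is an assumption.
    """
    if "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        user, domain = login, default_domain
    if with_domain:
        return domain, "%s@%s" % (user, domain), domain
    return domain, user, None


def _xor_stream(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2 keystream: b_i = MD5(secret + previous 16-byte block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key))
        out += result
        prev = result if chain_on_output else block  # chain on ciphertext
    return out


def hide_password(password, secret, authenticator):
    """NAS side: pad to a 16-byte multiple, XOR with the chained keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(padded, secret, authenticator, chain_on_output=True)


def unhide_password(hidden, secret, authenticator):
    """Server side: inverse of hide_password; garbage if the key differs."""
    return _xor_stream(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")


def _attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident, authenticator, user_name, password, nas_ip, secret):
    """Serialize an Access-Request as the AC's radius scheme would send it."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        code, length = data[i], data[i + 1]
        attrs[code] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request, secret, accounts):
    """EIA side: recover the password, decide, sign the reply (RFC 2865 3)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    name = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if accounts.get(name) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_accepts_reply(response, request, secret):
    """NAS side: a reply whose Response Authenticator fails is silently dropped."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return response[4:20] == expected


def exchange(key_on_ac, key_on_eia, login="alice@branch1", password=b"s3cret!"):
    """One authentication: (reply code chosen by EIA, does the NAS accept the reply?)."""
    _, user_name, _ = radius_user_name(login, "branch1", with_domain=False)
    request_auth = os.urandom(16)  # fresh per request, as RFC 2865 requires
    request = build_access_request(7, request_auth, user_name, password, "10.1.1.10", key_on_ac)
    accounts = {"alice": b"s3cret!"}  # constructed EIA account
    response = server_respond(request, key_on_eia, accounts)
    return response[0], nas_accepts_reply(response, request, key_on_ac)
```

exchange(b"movie", b"movie") yields an Access-Accept that the AC accepts; exchange(b"movie", b"wrong") shows the mismatch case: EIA recovers a garbled password and rejects, and the AC discards the reply because its Response Authenticator was computed with a different key. On the AC a key mismatch therefore looks like a RADIUS server timeout rather than a rejection, so verify the keys on both sides before suspecting connectivity.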
Configure an ISP domain
Bind the RADIUS servers in the ISP domain for AAA.
#
domain branch1
authentication default radius-scheme branch1
authorization default radius-scheme branch1
accounting default radius-scheme branch1
#
Configure a portal authentication server
Configure a portal authentication server for user and security authentication.
#
portal server branch1
ip 172.19.234.95 key simple ******
#
IMPORTANT: Change the IP address to the EIA northbound IP of your environment. Make sure the key is the same as the key configured for the portal device on EIA.
Configure a portal Web server
Configure a portal Web authentication server for user and security authentication.
#
portal web-server branch1 //The name must match the Web server applied on the VLAN interface (portal apply web-server branch1)
url http://IP:9092/portal
server-detect interval 100 log trap
url-parameter userip source-address
url-parameter usermac source-mac
url-parameter userurl original-url
#
For the IP address settings and format in the URL, access the Portal Server tab on EIA.
Figure 45 Portal information on EIA
Plan VLANs
Plan VLANs based on different scenarios:
#
vlan 185
#
interface Vlan-interface 185
ip address 185.185.185.1 255.255.255.0
dhcp select relay
dhcp relay server-address ***** //IP address of the DHCP server
portal enable method direct
portal domain branch1
portal bas-ip 185.185.185.1 //This IP is also the IP address specified when a portal device is added on EIA
portal apply web-server branch1 //Specify an IPv4 portal Web server
#
Configure a wireless service template
Create a wireless service template, bind it to a VLAN, and enable the wireless service template.
#
wlan service-template 1
ssid ss_branch1
vlan 185
service-template enable
#
The configuration above enables portal authentication on the VLAN interface. Alternatively, the portal authentication settings can be configured in the wireless service template.
Use an AP that connects to a branch site for AC management
Configuration workflow
Figure 46 Configuration workflow
1. Configure basic settings
Install Unified Platform, SeerEngine-SDWAN, WSM, and EIA.
2. Ensure network connectivity
¡ Incorporate routers in the HQ and at the branches and deploy WAN service.
¡ Create a management loopback interface on the devices in the HQ and at the branches and specify a management interface, bind the interface to a VPN, and advertise routes in BGP.
¡ Configure a DHCP server on a LAN interface of a device at the branch, and add option 43 to specify an AC by its IP address.
3. Configure wireless service settings
¡ Use WSM to manage the AC.
¡ Deploy an AP template for the AP to come online.
Configure the SDWAN controller
1. Incorporate devices and deploy WAN services. For more information, see AD-WAN 6.5 Branch Solution WAN Service Configuration Guide.
¡ Configure the system and tenants
¡ Plan device onboarding
¡ Plan branch networks
¡ Manually deploy configuration and check status
¡ Deploy the WAN service
2. Deploy a DHCP server.
a. Log in to the AD-WAN controller.
b. Navigate to the Automation > Branch Network > Virtual Networks > VPN Management > LAN Network page. Click Add in LAN network details, enable DHCP in the advanced settings area, and deploy Option 43 to specify the AC address.
Figure 47 Enabling DHCP
Manage wireless services
1. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Configuration > Configuration page. Clear the Ignore Router Wireless Functions option.
Figure 48 Ignoring router wireless functions
2. Navigate to the Automation > Campus Network > Wireless Device > ACs page to view the wireless AC list.
Figure 49 AC list
3. Navigate to the Wireless Device > Related Links > Configuration > AC Settings page. Click AP Configuration.
Figure 50 Configuring an AP
Figure 51 Fit AP list
4. Click Add to add an AP template.
Figure 52 Adding an AP
5. After you add the AP, the AP onboards successfully.
Figure 53 AP onboarded successfully
6. Navigate to the Automation > Campus Network > Wireless Device > ACs page. Click the icon in the Actions column for the AC on the AC list to access the service policy page.
Figure 54 Service policy management
7. Click Add to add a service policy.
Figure 55 Adding a service policy
8. Click Bind Service Policy.
Figure 56 Binding a service policy
9. If a radio is in down state, navigate to the Automation > Campus Network > Wireless Device > Related Links > Radios page. Click the icon in the Actions column for that radio, and then change the radio state to up.
Figure 57 Changing the status of a radio
Configure user authentication
Configure the authentication server
See "Configure user authentication."
Configure the AC
See "Configure the AC."
Layer 2 switch and AP automatically come online to incorporate the AC
Configuration workflow
Figure 58 Configuration workflow
1. Configure basic settings.
Install Unified Platform, the SeerEngine-WAN controller, and the WSM, EIA, and ADA components.
2. Ensure network connectivity.
¡ Incorporate routers in the HQ and at the branches and deploy WAN service.
¡ Create a management loopback interface on the devices in the HQ and at the branches and specify a management interface, bind the interface to a VPN, and advertise routes in BGP.
¡ Configure the DHCP relay agent on a LAN interface of a device at the branch, and specify the unified northbound address as the DHCP server address.
3. Configure automation settings.
¡ Through the automated deployment feature of the basic network management system, add the Layer 2 switch and AP and automatically deploy them.
¡ Add or modify device configuration through the ICC configuration scripts.
4. Configure wireless service settings.
¡ Use WSM to incorporate the AC.
¡ Deploy an AP template for the AP to come online.
Configure the SDWAN controller
1. Incorporate devices, and deploy WAN services. For more information, see AD-WAN Branch 6.5 WAN Service Deployment Guide.
¡ Configure the system and tenants
¡ Plan device onboarding
¡ Plan branch networks
¡ Manually deploy configuration and check status
¡ Deploy the WAN service
2. Deploy the DHCP server.
a. Log in to the AD-WAN controller.
b. Navigate to the Automation > Branch Network > Virtual Networks > VPN Management > LAN Network page. Click Add in the LAN service network details area.
c. On the page that opens, enable DHCP in the advanced settings area, and deploy the DHCP relay agent configuration.
Figure 59 Enabling DHCP
Configure automated device deployment on Unified Platform
Zero-touch device onboarding
The device is automatically onboarded through zero-touch device onboarding on Unified Platform. The configuration steps are as follows:
1. Upload the corresponding automated deployment installation package, access the component selection page, select Automation Online from the drop-down menu of Public Components, select the corresponding version of the installation package, and click Next.
2. On the subsequent pages, directly click Next without configuring any parameters.
3. Click Deploy on the configuration parameters page to deploy the automation component.
4. In the address bar of the browser, enter the login address (the default is http://ip_address:30000/central) of Unified Platform. Navigate to the Automation > Configuration Deployment > Automation Online > Plan page.
Figure 60 Automation Online
CAUTION: The menu can be seen only in the all-domain scenario. If only the controller of a single scenario is installed, you must click the settings button in the upper right corner and switch the view to the all-domain view in order to see the menu.
5. Access the Plan Unit page, click Add, add a plan unit, and then click Apply.
Figure 61 Adding a plan unit
6. Access the Topo Plan > Device Info page, click Add, add the device list, and then click Apply.
Figure 62 Adding a device list
7. Access the Address Plan page, click Add, add a DHCP address pool, and then click Apply.
Figure 63 Adding a DHCP address pool
8. Access the Template Plan > Protocol Template page, click Add, add a control protocol template, and then click Apply.
Figure 64 Adding a control protocol template
9. Access the Template Plan > Configure Template page, click Add, add a configuration template, and then click Apply.
Figure 65 Adding a configuration template
10. Restart the device with empty configuration.
Figure 66 Restarting the device
11. Navigate to the Automation > Configuration Deployment > Automation Online > Progress > Onboarding Progress page to verify that the device has come online.
CAUTION: In the current software version, the automation component of Unified Platform cannot deploy the Option field, so the APs in this scenario cannot directly obtain the IP address of the AC.
Maintain online devices through ICC
After the device comes online, you can modify and maintain the configuration only through ICC. To do that:
1. After logging in to Unified Platform, navigate to the Automation > Configuration Deployment > Configuration Templates page. Click Add and then select Manually Add, and add a configuration fragment.
Figure 67 Adding a configuration fragment
2. Manually add a configuration fragment, select the corresponding devices, and enter the configuration content.
Figure 68 Configuration template
3. Select the configuration fragment created, and click the icon in the Actions column to access the configuration deployment page. Select the devices to be deployed, and complete the operation according to the configuration deployment guide.
Figure 69 Deploying configuration to devices
Figure 70 Deploying device configuration (1)
Figure 71 Deploying device configuration (2)
Figure 72 Deploying device configuration (3)
4. Navigate to the Automation > Configuration Deployment > Deployment Tasks page to view the task progress and device configuration.
Figure 73 Progress
Figure 74 Configuring the devices
Manage wireless services
1. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Configuration > Configuration page. Clear the Ignore Router Wireless Functions option.
Figure 75 Ignoring router wireless functions
2. Navigate to the Automation > Campus Network > Wireless Device > ACs page.
Figure 76 AC list
3. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Configuration > AC Settings page. Click AP Configuration.
Figure 77 Configuring an AP
Figure 78 Fit AP list
4. Click Add to add an AP template.
Figure 79 Adding an AP
After you add the AP, the AP onboards successfully.
Figure 80 AP onboarded successfully
5. Navigate to the Automation > Campus Network > Wireless Device > ACs page. Click the icon in the Actions column for the AC.
Figure 81 Service policy management
6. Click Add to add a service policy.
Figure 82 Adding a service policy
7. Click Bind Service Policy to bind a service policy.
Figure 83 Binding a service policy
8. If a radio is in down state, navigate to the Automation > Campus Network > Wireless Device > Related Links > Radios page. Click the icon in the Actions column for that radio, and then change the radio state to Up.
Figure 84 Changing the status of a radio
Configure user authentication
Configure the authentication server
See "Configure user authentication."
Configure the AC
See "Configure the AC."
Use SDWAN as a spine device for automated device management in the campus network
Configuration workflow
Figure 85 Configuration workflow
1. Configure basic settings.
Install Unified Platform, vDHCP Server, SeerEngine-SDWAN, SeerEngine-Campus, EIA, and WSM. Deploy vDHCP Server on Unified Platform for automatically onboarded devices to obtain an IP address.
2. Ensure network connectivity.
¡ Incorporate routers in the HQ and at the branches and deploy WAN service.
¡ Configure DHCP relay on the LAN side of a device at the branch, and specify the DHCP server as the address of the vDHCP server.
3. Plan networks.
¡ Create a fabric, and specify an AS number.
¡ Configure the DHCP server and IP address pool used for automatic deployment. Configure a device template, including network model, underlay VLAN range and IP, and NTP server information.
¡ Add devices to the device list, select Yes for WebSocket, and configure device information for device onboarding. The device information includes device serial number, device rule, VTEP IP, management IP, and system name.
4. Power on the device with the default configuration.
Upon restart with the factory default configuration, the device automatically enters the automation process. If a version upgrade is required, the upgrade is performed automatically.
5. Onboard the devices.
¡ After the device enters the automation process, obtains the address of VLAN1, and establishes a WebSocket connection with the controller, the corresponding node information will be displayed on the automation topology page. You must manually specify the uplink interface for the spine/single-leaf device.
¡ You can select devices of the same model and role to form a fabric. This step is optional.
¡ On the automation topology page, select the device node, and then click Auto Deploy. The controller will automatically deploy configuration to the device, and deploy and activate the device.
Configure the AD-WAN controller
1. Incorporate devices and deploy WAN services. For more information, see AD-WAN 6.5 Branch Solution WAN Service Configuration Guide.
¡ Configure the system and tenants
¡ Plan device onboarding
¡ Plan branch networks
¡ Manually deploy configuration and check status
¡ Deploy the WAN service
2. Deploy the DHCP server.
a. Log in to the AD-WAN controller.
b. Navigate to the Automation > Branch Network > Virtual Networks > VPN Management > LAN Network page. Click Add in the LAN service network details area.
c. On the page that opens, enable DHCP in the advanced settings area, and deploy the DHCP relay agent configuration.
Figure 86 Enabling DHCP
Configure the AD-Campus controller
1. Navigate to the Automation > Campus Network > Fabrics page. Click the icon in the Actions column for a fabric.
Figure 87 Switching device 1
2. Click Auto Manage in the upper right corner of the page.
Figure 88 Automated incorporation of devices into controller
3. Select Legacy Automated Deployment, and configure the parameters as required.
Figure 89 Legacy automated deployment
¡ Basic Settings: You do not need to enter an RR MAC in the single-leaf scenario. If a spine device exists, you must enter the RR MAC of the spine device.
Figure 90 Basic settings
¡ IP Pool Settings: Bind a DHCP server and IP address pool to the device.
Figure 91 IP pool settings
4. Deploy a device configuration template.
Figure 92 Device configuration template
5. Add a device list.
a. Navigate to the Automation > Campus Network > Fabrics page. Click Auto Deployment.
Figure 93 Automated deployment
b. Click Add.
Figure 94 Adding a device list
6. Restart the device with the default configuration.
Manage wireless services
1. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Configuration > Configuration page. Clear the Ignore Router Wireless Functions option.
Figure 95 Ignoring router wireless functions
2. Navigate to the Automation > Campus Network > Wireless Device > ACs page.
Figure 96 AC list
3. Navigate to the Automation > Campus Network > Wireless Device > Related Links > Configuration > AC Settings page. Click AP Configuration.
Figure 97 Adding an AP
Figure 98 Fit AP list
4. Click Add to add an AP.
Figure 99 Adding an AP
After you add the AP, the AP onboards successfully.
Figure 100 AP onboarded successfully
5. Navigate to the Automation > Campus Network > Wireless Device > ACs page. Click the icon in the Actions column for the AC.
Figure 101 Service policy management
6. Click Add to add a service policy.
Figure 102 Adding a service policy
7. Click Bind Service Policy to bind a service policy.
Figure 103 Binding a service policy
8. If a radio is in down state, navigate to the Automation > Campus Network > Wireless Device > Related Links > Radios page. Click the icon in the Actions column for that radio, and then change the radio state to Up.
Figure 104 Changing the status of a radio
Configure MAC portal authentication
CAUTION: Use Google Chrome browser on an endpoint to access the MAC portal authentication page.
MAC portal authentication is mainly applicable to endpoints without an authentication client, which cannot directly enter a username or password for authentication. When such a user requests network access, a MAC portal authentication page is pushed to the user, and the user enters a username and password on that page for authentication.
MAC portal authentication includes the following stages:
· First stage—When a user's endpoint is connected to a port on the access switch and the port comes up, the endpoint sends packets carrying its MAC address to trigger MAC authentication. The switch identifies the user as the BYOD anonymous user and assigns the user to the BYOD security group. The user endpoint obtains an IP address from the subnets specified for the security group.
· Second stage—When the user opens a webpage, the access switch redirects it to the MAC portal authentication page. On the page, enter the username and password. After the user logs in successfully, the user is added to its associated user security group. Then, the user endpoint obtains an IP address from the subnets specified for the user security group.
The default lease time for IP addresses in the BYOD security group is 1 minute on the DHCP server, so the lease time of the IP address obtained by the endpoint at the first stage is 1 minute. When the user logs in by entering the username and password on the pushed web page, the user is assigned to its associated user security group. After the IP address obtained at the first stage expires, the endpoint requests another IP address. Then, the access switch obtains an IP address from the subnets specified for the user security group for the endpoint.
Create the BYOD security group
To configure the BYOD security group on SeerEngine-Campus:
1. Navigate to the Automation > Campus Network > Private Network > Layer 2 Network Domain page, and click Add. On the Add Layer 2 Network Domain page, configure the following settings:
¡ Select vpn-default in the Private Network field.
¡ Select BYOD in the Type field.
The default lease time is 60 seconds for IP addresses in a BYOD address pool. As a best practice, make sure the lease time is not shorter than 30 seconds. You can adjust the lease time as needed.
¡ Select an H3C vDHCP server for the BYOD security group.
Figure 105 Layer 2 network domain configuration page
Figure 106 Adding a Layer 2 network domain
2. On the Subnets tab, click Add. On the Add Subnet page, enter the Name, IP Version, CIDR, and Gateway IP, and then click OK.
Figure 107 Adding a subnet
3. After the system returns to the Add Layer 2 Network Domain page, click OK. Then, you can view the new BYOD Layer 2 network domain in the Layer 2 network domain list.
Figure 108 Viewing the created Layer 2 network domain
4. After adding the BYOD Layer 2 network domain, navigate to the Automation > Campus Network > Security Group > User Security Group page, and click Add. On the Add Security Group page, configure the following settings:
¡ Select BYOD in the Type field.
¡ Select vpn-default in the Private Network field.
5. In the Layer 2 Network Domain Information area, click Add to add the BYOD Layer 2 network domain created earlier. Click OK. You can then view the BYOD security group in the security group list.
Figure 109 Adding a security group
Figure 110 Viewing the added security group
Configure ACL 3001
1. Navigate to the Automation > Campus Network > Network Devices > General Policy Groups page.
Figure 111 Network device configuration page
2. Click Policy Template.
Figure 112 General policy group configuration page
Figure 113 Policy template configuration page
3. Click the icon in the Actions column for the target device policy template. On the page that opens, add the IP address of the EIA server in the Free IPs area, and then click OK. When the device policy template is applied to a device group, ACL 3001 is deployed to the devices in the device group. When you add, modify, or delete free IPs on the controller, the controller deploys the changes to the devices.
Figure 114 Configuring auth-free IPs
On the access device, execute the display acl all command to verify that the ACL policy is deployed as configured in the device group policy.
#
<Leaf1> display acl all
Advanced IPv4 ACL 3001, 2 rules,
SDN_ACL_AUTH
ACL's step is 5, start ID is 0
rule 0 permit udp destination-port eq dns
rule 1 permit ip destination 100.1.0.100 0
#
Enable MAC portal authentication
1. To enable MAC portal authentication for EIA, navigate to the Automation > User > Service Parameters > Access Parameters > System Settings page, and click the icon corresponding to the template named User Endpoint Settings. In the User Endpoint Settings area, select Enabled in the MAC Portal Authentication field to open the MAC Portal Fast Configuration page. If MAC portal authentication has been enabled, first disable it and then re-enable it. In addition, enable Transparent Authentication.
Figure 115 Enabling MAC portal authentication
2. On the MAC Portal Fast Configuration page, click OK.
The system automatically creates a set of settings as follows:
Figure 116 MAC portal fast configuration
The system automatically creates an access policy.
Figure 117 Automatically created access policy
The system automatically creates an access service and associates an access policy and a security group with the access service.
Figure 118 Automatic association
The system automatically creates a BYOD user.
Figure 119 Automatically created BYOD user
Initiate MAC portal authentication
1. When the port connected to an endpoint is up, MAC authentication is triggered. The BYOD authentication is performed first. Use the anonymous account byodanonymous to log in. Verify that the user is assigned to the BYOD security group and the endpoint obtains an IP address from the subnets specified for the BYOD security group.
Figure 120 Viewing online users
On the access switch that acts as the authenticator, execute the display mac-authentication connection command to view the online MAC authentication user information.
<Leaf1> display mac-authentication connection
Total connections: 1
Slot ID: 1
User MAC address: 000c-29e3-7e20
Access interface: Bridge-Aggregation1024
Username: 000c29e37e20
User access state: Successful
Authentication domain: isp
IPv4 address: 50.0.0.2
IPv4 address source: IP Source Guard
Initial VLAN: 111
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization VSI: vsi5
Authorization ACL number/name: 3001
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: http://100.1.0.100:30004/byod/index.html?usermac=%m&userip=%c&userurl=%o&original=%o
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: 86400 sec
Online from: 2020/10/20 11:38:07
Online duration: 0h 19m 53s
Port-down keep online: Disabled (offline)
2. On the user's PC, open the Web browser and enter any IP address such as 1.1.1.1. The PC automatically opens the following BYOD URL redirection page.
Figure 121 Redirection page
3. Enter the account name and password of the user, and then click Log In. The user can come online after successful authentication.
4. View the user online information on the EIA. Verify that the user has accessed its associated access service and the user endpoint has obtained an IP address from the subnets associated with the access service.
Figure 122 Viewing online user information
On the access device, execute the display mac-authentication connection user-name 000c29e37e20 command to view the MAC authentication user information.
<Leaf1> display mac-authentication connection user-name 000c29e37e20
Total connections: 2
Slot ID: 1
User MAC address: 000c-29e3-7e20
Access interface: Bridge-Aggregation1024
Username: 000c29e37e20
User access state: Successful
Authentication domain: isp
IPv4 address: 20.0.0.2
IPv4 address source: IP Source Guard
Initial VLAN: 111
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization VSI: vsi3
Authorization ACL number/name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: 86400 sec
Online from: 2020/10/20 12:05:16
Online duration: 0h 1m 6s
Port-down keep online: Disabled (offline)
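The two display mac-authentication connection outputs above differ in exactly the fields that separate the stages: a first-stage (anonymous BYOD) entry carries ACL 3001 and the redirect URL, while a second-stage entry carries neither and sits in the user's own VSI. The script below is an added example, not part of the H3C guide, that checks the ACL 3001 output from "Configure ACL 3001" and parses connection records like those above to classify each one. CONNECTIONS is constructed from the two outputs above: the second MAC address and the whole third record are made up, and 50.0.0.0/24 is assumed to be the BYOD subnet, which the guide does not name.

```python
"""Tell the two MAC portal stages apart from switch CLI output.

Added example, not part of the H3C guide. ACL_OUTPUT is the `display acl all`
result from "Configure ACL 3001". CONNECTIONS is constructed: record 1 is the
first-stage output above, record 2 the second-stage output with a made-up MAC,
record 3 an authenticated user that still holds a BYOD address. The BYOD
subnet 50.0.0.0/24 is an assumption.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

ACL_OUTPUT = """\
Advanced IPv4 ACL 3001, 2 rules,
SDN_ACL_AUTH
ACL's step is 5, start ID is 0
rule 0 permit udp destination-port eq dns
rule 1 permit ip destination 100.1.0.100 0
"""

CONNECTIONS = """\
Total connections: 3
Slot ID: 1
User MAC address: 000c-29e3-7e20
User access state: Successful
IPv4 address: 50.0.0.2
Authorization ACL number/name: 3001
Authorization URL: http://100.1.0.100:30004/byod/index.html?usermac=%m&userip=%c&userurl=%o&original=%o
Slot ID: 1
User MAC address: 000c-29e3-7e21
User access state: Successful
IPv4 address: 20.0.0.2
Authorization ACL number/name: N/A
Authorization URL: N/A
Slot ID: 1
User MAC address: 000c-29e3-7e22
User access state: Successful
IPv4 address: 50.0.0.9
Authorization ACL number/name: N/A
Authorization URL: N/A
"""


def acl_checks(acl_text: str, eia_ip: str) -> Dict[str, bool]:
    """The auth-free ACL must let the anonymous user reach DNS and the EIA
    server (the redirect target) and carry no other rules."""
    rules = [l.strip() for l in acl_text.splitlines() if l.startswith("rule ")]
    return {
        "dns": any("permit udp" in r and "eq dns" in r for r in rules),
        "eia": any(re.search(rf"permit ip destination {re.escape(eia_ip)} 0$", r) for r in rules),
        "no_extra_rules": len(rules) == 2,
    }


def parse_connections(text: str) -> List[Dict[str, str]]:
    """One dict per connection; a new record starts at each 'Slot ID' line."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep or key == "Total connections":
            continue
        if key == "Slot ID":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def stage(conn: Dict[str, str]) -> str:
    """First stage: redirect ACL plus portal URL. Second stage: neither."""
    has_url = conn.get("Authorization URL", "N/A") != "N/A"
    has_acl = conn.get("Authorization ACL number/name", "N/A") != "N/A"
    if has_url and has_acl:
        return "byod-pending"
    if conn.get("User access state") == "Successful":
        return "authenticated"
    return "unknown"


def audit(text: str, byod_subnet: str, eia_ip: str) -> List[str]:
    """Flag records whose address or redirect target does not fit their stage.
    An authenticated user still on a BYOD address is the lease-renewal window
    described above, not a failure, but worth seeing while troubleshooting."""
    net = ipaddress.ip_network(byod_subnet)
    notes: List[str] = []
    for conn in parse_connections(text):
        mac, ip = conn.get("User MAC address", "?"), conn.get("IPv4 address", "N/A")
        in_byod = ip != "N/A" and ipaddress.ip_address(ip) in net
        st = stage(conn)
        if st == "byod-pending":
            if not in_byod:
                notes.append(f"{mac}: first-stage user holds {ip}, outside {byod_subnet}")
            if urlparse(conn["Authorization URL"]).hostname != eia_ip:
                notes.append(f"{mac}: redirect target is not the EIA server permitted by ACL 3001")
        elif st == "authenticated" and in_byod:
            notes.append(f"{mac}: authenticated user still holds BYOD address {ip}; waiting for lease renewal")
    return notes


if __name__ == "__main__":
    print(acl_checks(ACL_OUTPUT, "100.1.0.100"))
    for c in parse_connections(CONNECTIONS):
        print(c["User MAC address"], stage(c))
    print(audit(CONNECTIONS, "50.0.0.0/24", "100.1.0.100"))
```

The redirect-target check ties the two outputs together: the URL the switch pushes in the first stage must point at the same EIA address that ACL 3001 permits, otherwise the anonymous user is redirected to a host it cannot reach and the second stage never starts.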
Configure global topology settings
Add devices in the WAN scenario
Add configuration to devices
Add the following SNMP settings to the devices in the HQ and at the branches.
#
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.40.232 params securityname public v2c
#
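The community strings in the fragment above are the well-known defaults, the write community permits configuration changes over SNMP, and sys-info version all enables SNMPv1/v2c, which carry the community string in cleartext. The script below is an added example, not part of the H3C guide, that audits an snmp-agent fragment for those points and places an SNMPv3 counterpart beside it. PAGE_SNMP is the fragment above; HARDENED_SNMP is constructed, its group name, user name and pass phrases are placeholders, and the usm-user command form is an assumption to be checked against the Comware release in use.

```python
"""Audit a Comware snmp-agent fragment for weak settings.

Added example; not part of the H3C guide. PAGE_SNMP is the fragment from the
guide. HARDENED_SNMP is a constructed SNMPv3 counterpart: group, user and pass
phrases are placeholders and the usm-user syntax is assumed.
"""
import re
from typing import List, Tuple

PAGE_SNMP = """\
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.40.232 params securityname public v2c
"""

HARDENED_SNMP = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 nms-group privacy
snmp-agent usm-user v3 nms-user nms-group simple authentication-mode sha AUTH-PASS-PLACEHOLDER privacy-mode aes128 PRIV-PASS-PLACEHOLDER
snmp-agent target-host trap address udp-domain 192.168.40.232 params securityname nms-user v3 privacy
"""

DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY = re.compile(r"snmp-agent community (read|write) (\S+)(.*)")
VERSION = re.compile(r"snmp-agent sys-info version (.+)")
TRAP = re.compile(r"snmp-agent target-host trap address udp-domain (\S+) .*params securityname (\S+)"
                  r"(?: (v1|v2c|v3))?(?: (authentication|privacy))?\s*$")


def audit_snmp(text: str) -> List[Tuple[str, str]]:
    """Return (category, message) pairs, one per weak setting found."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMMUNITY.match(line)
        if m:
            access, name, rest = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default-community", f"{access} community '{name}' is a well-known default"))
            if access == "write":
                findings.append(("write-access", f"community '{name}' permits configuration changes over SNMP"))
            if " acl " not in f" {rest} ":  # no 'acl <n>' restricting which managers may use it
                findings.append(("no-source-acl", f"community '{name}' accepts any source; bind an ACL"))
            continue
        m = VERSION.match(line)
        if m:
            versions = set(m.group(1).split())
            if "all" in versions or versions & {"v1", "v2c"}:
                findings.append(("cleartext-version", "SNMPv1/v2c enabled; community strings travel in cleartext"))
            continue
        m = TRAP.match(line)
        if m:
            host, secname, ver, level = m.groups()
            ver = ver or "v1/v2c"  # no version keyword means a community-based version, never v3
            if ver != "v3":
                findings.append(("cleartext-trap", f"traps to {host} use {ver} with securityname '{secname}'"))
            elif level != "privacy":
                findings.append(("unencrypted-trap", f"v3 traps to {host} are authenticated but not encrypted"))
    return findings


def categories(text: str) -> List[str]:
    """Distinct finding categories, in order of first appearance."""
    seen: List[str] = []
    for cat, _ in audit_snmp(text):
        if cat not in seen:
            seen.append(cat)
    return seen


if __name__ == "__main__":
    for cat, msg in audit_snmp(PAGE_SNMP):
        print(f"[{cat}] {msg}")
    print("hardened:", audit_snmp(HARDENED_SNMP) or "no findings")
```

Whatever the device ends up with, the SNMP template selected in "Add a physical device" must match it, so change the device configuration and the template together; an audit like this run over the configuration scripts deployed through ICC catches the default strings before they reach every branch.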
Add a physical device
1. Log in to Unified Platform.
¡ Enter http://ip_address:30000/central in the address bar. ip_address represents the northbound VIP of the Matrix cluster. 30000 is the port number.
¡ Enter the username and password of the operator. The default username is admin, and the default password is Pwd@12345.
Figure 123 Logging in to Unified Platform
2. Navigate to the Monitor > Monitor List > Network Monitors page. Click Add.
Parameters:
¡ IP Address: Enter an IPv4 address in dotted decimal notation or an IPv6 address in colon-separated hexadecimal notation.
¡ Device Label: Enter the display name of the device in the system. If you do not enter a label, the system obtains the system name of the device automatically and uses it as the device label.
¡ Device Login Type: Select the type of protocol used for logging in to the device at the CLI. Options include Telnet and SSH. You can choose to not select any device login type.
¡ Enable the device to send SNMP traps to the system: For the device to send traps to the system, select this option.
¡ Support Ping Operation: For the system to ping the device before adding it, select this option. If the ping operation fails or the device does not support the ping operation, the device cannot be added to the system. For the system to add the device directly, do not select this option.
¡ Add the device regardless of the ping result: For the system to add the device regardless of the ping result, select this option.
3. Click Select Template in the SNMP Settings area to select an SNMP template. Select an SNMP template that contains the same settings as those on the device.
Figure 125 Configuring SNMP parameters
Figure 126 Selecting an SNMP template
4. In the Resource Group Settings area, click Select. In the dialog box that opens, select a resource group, and then click OK.
Figure 127 Resource group
Figure 128 Selecting a resource group
5. Click OK.
Figure 129 Device incorporated
Custom topology
Navigate to the Monitor > Topology > Custom Topology page. Click the name of a topology to view the topology.
Figure 130 Custom topology
Figure 131 Network topology