H3C Access Controllers
Application Audit and Management Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring application audit and management 1

Network configuration· 1

Restrictions and guidelines· 1

Procedures· 2

Configuring the AC· 2

Configuring the switch· 4

Verifying the configuration· 5

Configuration files· 5

Related documentation· 7

 

Introduction

The following information provides examples for configuring application audit and management.

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of application audit and management.

Example: Configuring application audit and management

Network configuration

As shown in Figure 1, the switch assigns IP addresses to the AP and the client. The AP and the AC establish a CAPWAP tunnel through VLAN 100, and the client accesses the wireless network through VLAN 200. The working hours of the company are 8:00:00 through 18:00:00 from Monday to Friday.

Configure an application audit and management policy on the AC to meet the following requirements:

·     Permit login from all QQ accounts during working hours.

·     Generate audit logs.

Figure 1 Network diagram

 

Restrictions and guidelines

Use the actual serial ID of an AP to uniquely identify that AP.

Procedures

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to VLAN-interface 100.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 192.1.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to VLAN-interface 200.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 192.2.1.1 24

[AC-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 as a trunk port, remove it from VLAN 1, assign it to VLAN 100 and VLAN 200, and set its PVID to VLAN 100.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] port trunk pvid vlan 100

[AC-GigabitEthernet1/0/1] quit

2.     Configure wireless services:

# Create service template 1 and enter service template view.

[AC] wlan service-template 1

# Set the SSID to service.

[AC-wlan-st-1] ssid service

# Configure the PSK AKM mode and the 12345678 plaintext key.

[AC-wlan-st-1] akm mode psk

[AC-wlan-st-1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and RSN as the security IE.

[AC-wlan-st-1] cipher-suite ccmp

[AC-wlan-st-1] security-ie rsn

# Configure the AC to forward client data traffic. If the AC forwards client data traffic by default, skip this step.

[AC-wlan-st-1] client forwarding-location ac

# Assign clients coming online through the service template to VLAN 200.

[AC-wlan-st-1] vlan 200

# Enable the service template..

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

3.     Configure the AP:

 

NOTE: In a large network, use AP groups to configure APs as a best practice.

 

# Create an AP named ap1, with model WA6320.

[AC] wlan ap ap1 model WA6320

# Set the serial ID to 219801A28N819CE0002T.

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

# Create an AP group named group1, and create an AP grouping rule by AP names to add AP ap1 to the AP group.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1

# Enter radio view of radio 1, and  bind service template 1 to the radio.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template 1

# Enable radio 1.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit

# Enter radio view of radio 2, and  bind service template 1 to the radio.

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template 1

# Enable radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit

4.     Configure a time range named work to cover 8:00:00 through 18:00:00 from Monday to Friday.

<AC> system-view

[AC] time-range work 08:00 to 18:00 working-day

5.     Create an IPv4 address object group named audit, and configure an IPv4 address object with the IPv4 address of 192.2.1.0 and mask length of 24..

[AC] object-group ip address audit

[AC-obj-grp-ip-audit] network subnet 192.2.1.0 24

[AC-obj-grp-ip-audit] quit

6.     Configure an application audit and management policy:

# Enter application audit and management view.

[AC] uapp-control

# Create an audit policy named audit-qq and enter its view.

[AC-uapp-control] policy name audit-qq audit

# Specify IPv4 address object group audit as a match criterion for audit policy audit-qq.

[AC-uapp-control-policy-audit-qq] source-address ipv4 audit

# Specify time range work for audit policy audit-qq.

[Device-uapp-control-policy-audit-qq] time-range work

# Configure an audit rule to permit login from all QQ accounts and generate audit logs.

[AC-uapp-control-policy-audit-qq] rule 1 app QQ behavior Login bhcontent any keyword equal any action permit audit-logging

[AC-uapp-control-policy-audit-qq] quit

[AC-uapp-control] quit

# Activate the configuration.

[AC] inspect activate

Configuring the switch

1.     Configure interfaces on the switch:

# Create VLANs 100 and 200, create VLAN-interface 100 and VLAN-interface 200, and assign IP addresses to VLAN-interface 100 and VLAN-interface 200. The switch will use VLAN 100 to forward the traffic on CAPWAP tunnels between the AC and APs, and use VLAN 200 to forward client traffic.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ip address 192.1.1.2 24

[Switch-Vlan-interface100] quit

[Switch] vlan 200

[Switch-vlan200] quit

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 192.2.1.2 24

[Switch-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 as a trunk port, remove it from VLAN 1, assign it to VLAN 100 and VLAN 200, and set its PVID to VLAN 100.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 as a trunk port, remove it from VLAN 1, assign it to VLAN 100, and set its PVID to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type trunk

[Switch-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100

[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100

# Enable PoE on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

2.     Configure DHCP:

# Enable DHCP.

[Switch] dhcp enable

# Create a DHCP address pool named vlan100 to assign IP addresses and other configuration parameters to clients on subnet 192.1.1.0/24.

[Switch] dhcp server ip-pool vlan100

[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0

# Exclude IP addresses 192.1.1.1 and 192.1.1.2 from dynamic allocation.

[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2

# Specify a gateway.

[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1

[Switch-dhcp-pool-vlan100] quit

# Create a DHCP address pool named vlan200 to assign IP addresses and other configuration parameters to clients on subnet 192.2.1.0/24.

[Switch] dhcp server ip-pool vlan200

[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0

# Exclude IP addresses 192.2.1.1 and 192.2.1.2 from dynamic allocation.

[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2

# Specify a gateway and a DNS server.

[Switch-dhcp-pool-vlan200] dns-list 192.2.1.2

[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.2

[Switch-dhcp-pool-vlan200] quit

Verifying the configuration

# Verify that the device permits the login requests and generates audit log messages when QQ accounts attempt to access the Internet. (Details not shown.)

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

object-group ip address audit

 0 network subnet 192.2.1.0 255.255.255.0

#

wlan service-template 1

 ssid service

 vlan 200

 akm mode psk

 preshared-key pass-phrase cipher $c$3$29gn1DalRVhkcyZ1CKwevH+xb6Lxopy3eq/H

 cipher-suite ccmp

 security-ie rsn

 service-template enable

#

interface Vlan-interface100

 ip address 192.1.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 100 200

 port trunk pvid vlan 100

#

wlan ap ap1 model WA6320

 serial-id 219801A28N819CE0002T

#

wlan ap-group group1

vlan 1

ap ap1

ap-model WA6320

 radio 1

  radio enable

  service-template 1

 radio 2

  radio enable

  service-template 1

 gigabitethernet 1

#

 time-range work 08:00 to 18:00 working-day

#

wlan ap ap1 model WAP722S-HI

 serial-id 219801A2F98205P00031

 radio 1

  radio enable

  service-template 1

 radio 2

  radio enable

  service-template 1

#

uapp-control

 policy name audit-qq audit

  time-range work

  source-address ipv4 audit

  rule 1 app QQ behavior Login bhcontent any keyword equal any action permit audit-logging

·     Switch:

#

 dhcp enable

#

vlan 100

#

vlan 200

#

dhcp server ip-pool vlan100

 gateway-list 192.1.1.1

 network 192.1.1.0 mask 255.255.255.0

 forbidden-ip 192.1.1.1 192.1.1.2

#

dhcp server ip-pool vlan200

 gateway-list 192.2.1.2

 network 192.2.1.0 mask 255.255.255.0

 dns-list 192.2.1.2

 forbidden-ip 192.2.1.1 192.2.1.2

#

interface Vlan-interface100

 ip address 192.1.1.2 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.2 255.255.255.0

#

interface GigabitEthernet1/0/1

port link-type trunk

undo port trunk permit vlan 1

 port trunk permit vlan 100 200

 port trunk pvid vlan 100

#

interface GigabitEthernet1/0/2

port link-type trunk

undo port trunk permit vlan 1

 port trunk permit vlan 100

 port trunk pvid vlan 100

poe enable

#

Related documentation

·     Application Audit and Management Command Reference in H3C Access Controllers Command References

·     Application Audit and Management Configuration Guide in H3C Access Controllers Configuration Guides

·     Security Policy Command Reference in H3C Access Controllers Command References

·     Security Policy Configuration Guide in H3C Access Controllers Configuration Guides