22-WLAN Configuration Guide
10-AP management configuration
Restrictions and guidelines: AP management configuration
AP management tasks at a glance
Configuring CAPWAP tunnel establishment
Prerequisites for configuring CAPWAP tunnel establishment
Setting the discovery-response timeout timer
Setting the AP connection priority for the AC
Enabling the AC to respond only to unicast discovery requests
Enabling an AP to prefer discovering ACs by IPv6 address
Configuring the mapping between a software version and a hardware version of an AP model
Specifying the preferred location for the AC to obtain an AP image file
Deploying an image file to online APs
Configuring remote configuration synchronization
About remote configuration synchronization
Shutting down or bringing up Ethernet interfaces on a fit AP
Creating a Layer 2 aggregate interface
Assigning an interface to a Layer 2 aggregation group
Configuring basic VLAN settings
Assigning an access port to a VLAN
Assigning a trunk port to VLANs
Assigning a hybrid port to VLANs
Setting the trusted packet priority type
Synchronizing settings to online APs
Configuring CAPWAP tunnel encryption
Configuring CAPWAP tunnel latency detection
Setting the control tunnel keepalive timer for an AP
Setting the data tunnel keepalive interval for an AP
Setting the maximum fragment size for CAPWAP packets
Setting the TCP MSS for CAPWAP tunnels
Configuring AC request retransmission
Configuring preprovisioned settings for an AP
Configuring network settings for an AP group
Configuring global network settings
Assigning preprovisioned settings to APs
Configuring SNMP notifications
Setting the online AP quantity threshold for triggering an SNMP trap
Managing the file system of an AP
Setting the statistics report interval
Setting the statistics fast report interval
Configuring auto loading of preprovisioned settings
Configuring gateway information reporting
Configuring advanced features for AP management
Associating an AP with a configuration profile
Configuring a description for the AC
Enabling time zone synchronization
Enabling service anomaly detection
Configuring an AP monitor group
Switching the AP operating mode
Display and maintenance commands for AP management
AP management configuration examples
Example: Establishing a CAPWAP tunnel through DHCP
Example: Establishing a CAPWAP tunnel through DHCPv6
Example: Establishing a CAPWAP tunnel through DNS
Example: Configuring the auto AP feature
Managing APs
The following compatibility matrix shows the support of hardware platforms for AP management:
| Series | Models | AP management compatibility |
|---|---|---|
| F5000 series | F5000-AI-160-G, F5000-AI-130-G, F5000-AI-120-G, F5000-AI-110-G, F5000-AI-55-G, F5000-AI-25-G, F5000-AI-15-G, F5000-CN160-G, F5000-E-G, F5000-E-G2, F5000-S-G2, F5000-M-G2, F5000-A-G2, F5000-CN160, F5000-CN-G55, F5080, F5030 | No |
| F5000 series | F5000-AI160 | Yes |
| F1000 series | F1000-AK9130, F1000-AI-35, F1000-AI-25, F1000-AI-10, F1000-AI-03-E, F1000-AI-90-G, F1000-AI-80-G, F1000-AI-75-G, F1000-AI-65-G, F1000-AI-55-G, F1000-AI-35-G, F1000-AI-25-G, F1000-AI-05-G, F1000-AI-03-G, F1000-AI-05-GS, F1000-AK1380-G, F1000-AK1300-G, F1000-AK1220-G, F1000-AK1180-G, F1000-AK1080-G, F1000-AK1050-G | No |
| F1000 series | F1000-AI-90, F1000-AI-60, F1000-AI-55, F1000-AI-15 | Yes |
About AP management
Managing a large number of APs is both time consuming and costly. The fit AP+AC network architecture enables an AC to implement centralized AP management and maintenance.
NOTE: The term "AC" in this document refers to firewalls that can function as ACs.
CAPWAP tunnel
Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between AP and AC. CAPWAP uses UDP and supports both IPv4 and IPv6.
As shown in Figure 1, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward control packets.
AC discovery
After starting up with zero configurations, an AP automatically creates VLAN-interface 1 and enables the DHCP client, DHCPv6 client, and DNS features on the interface. Then it obtains its own IP address from the DHCP server and discovers ACs by using the following methods:
· Static IP address.
If AC IP addresses have been manually configured for the AP, the AP sends a unicast discovery request to each AC IP address to discover ACs.
· DHCP options.
The AP obtains AC IPv4 addresses from Option 138 and Option 43, and AC IPv6 addresses from Option 52, sent by the DHCP server. It uses these addresses in descending order.
· DNS.
a. The AP obtains the domain name suffix from the DHCP server.
b. The AP adds the suffix to the host name.
c. The DNS server translates the domain name into IP addresses.
For more information about DNS, see Layer 3—IP Services Configuration Guide.
· Broadcast.
The AP broadcasts discovery requests to IP address 255.255.255.255 to discover ACs.
· IPv4 multicast.
The AP sends multicast discovery requests to IPv4 address 224.0.1.140 to discover ACs.
· IPv6 multicast.
The AP sends multicast discovery requests to IPv6 address FF0E::18C to discover ACs.
The methods of static IP address, DHCPv4 options, broadcast/IPv4 multicast, IPv4 DNS, IPv6 multicast, DHCPv6 option, and IPv6 DNS are used in descending order.
The AP does not stop AC discovery until it establishes a CAPWAP tunnel with one of the discovered ACs.
DHCP options
Option 43
Option 43 can be configured only in hexadecimal format, case insensitive. It contains the PXE server address sub-option and ACS parameter sub-option.
· PXE server address sub-option.
¡ If you specify one AC IPv4 address, for example, 2.2.2.2, you must specify option 43 hex 800700000102020202 in DHCP address pool view of the DHCP server.
- 80—Fixed value, 1 byte long.
- 07—Length of the subsequent fields. In this example, the subsequent fields are 7 bytes long.
- 0000—Fixed value.
- 01—Number of AC IPv4 addresses. In this example, one IPv4 address is specified.
- 02020202—AC IPv4 address in hexadecimal format. You can specify a maximum of 16 IPv4 addresses, and spaces are not allowed between the IPv4 addresses.
¡ If you specify two AC IPv4 addresses, for example, 6.6.6.2 and 6.6.6.3, you must specify option 43 hex 800b0000020606060206060603 in DHCP address pool view of the DHCP server.
· ACS parameter sub-option.
¡ If you specify one AC IPv4 address, for example, 2.2.2.2, you must specify option 43 hex 010402020202 in DHCP address pool view of the DHCP server.
- 01—Fixed value, 1 byte long.
- 04—Length of the subsequent fields. In this example, the subsequent fields are 4 bytes long.
- 02020202—AC IPv4 address in hexadecimal format. You can specify a maximum of 16 IPv4 addresses, and spaces are not allowed between the IPv4 addresses.
¡ If you specify two AC IPv4 addresses, for example, 6.6.6.2 and 6.6.6.3, you must specify option 43 hex 01080606060206060603 in DHCP address pool view of the DHCP server.
Option 138
Option 138 can be configured in hexadecimal and IP formats. In hexadecimal format, Option 138 contains the PXE server address sub-option and ACS parameter sub-option. The fields for the sub-options in hexadecimal format are the same as those for Option 43.
· If you specify one AC IPv4 address, for example, 192.168.0.100, you must specify option 138 ip-address 192.168.0.100 in DHCP address pool view of the DHCP server.
You can specify a maximum of 8 IPv4 addresses, and you must separate them with spaces.
· If you specify two AC IPv4 addresses, for example, 6.6.6.2 and 6.6.6.3, you must specify option 138 ip-address 6.6.6.2 6.6.6.3 in DHCP address pool view of the DHCP server.
Option 52
Option 52 can be configured only in hexadecimal format, case insensitive.
· If you specify one AC IPv6 address, for example, 3138:101::62, you must specify option 52 hex 31380101000000000000000000000062 in DHCP address pool view of the DHCP server.
The IPv6 address must contain 32 bytes. You can specify a maximum of 8 IPv6 addresses, and you must separate them with spaces.
· If you specify two AC IPv6 addresses, for example, 3138:101::62 and 3138:101::72, you must specify option 52 hex 3138010100000000000000000000006231380101000000000000000000000072 in DHCP address pool view of the DHCP server.
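The encoding rules above are easy to get wrong by hand (a wrong length byte or a dropped zero silently breaks AC discovery). The following Python is an added example, not code from the guide: it builds the Option 43 PXE and ACS sub-options and the Option 52 string from AC addresses, and decodes Option 43 back with length checks, using the sample addresses from the text.

```python
"""Encoder/decoder for the DHCP option payloads the guide describes for AC discovery.

Added example, not code from the H3C guide: it builds the Option 43 PXE sub-option,
the Option 43 ACS sub-option and the Option 52 hex string from AC addresses, and
decodes Option 43 back, so a hex string can be checked before it goes into the
DHCP address pool. The sample addresses are the ones used in the text.
"""
import ipaddress


def _ipv4_list(ac_ipv4s, limit):
    addrs = [ipaddress.IPv4Address(a) for a in ac_ipv4s]
    if not 1 <= len(addrs) <= limit:
        raise ValueError("between 1 and %d AC IPv4 addresses allowed" % limit)
    return addrs


def option43_pxe_hex(ac_ipv4s):
    """PXE server address sub-option: 80 | length | 0000 | count | 4 bytes per AC."""
    addrs = _ipv4_list(ac_ipv4s, 16)
    body = b"\x00\x00" + bytes([len(addrs)]) + b"".join(a.packed for a in addrs)
    return (b"\x80" + bytes([len(body)]) + body).hex()


def option43_acs_hex(ac_ipv4s):
    """ACS parameter sub-option: 01 | length | 4 bytes per AC."""
    addrs = _ipv4_list(ac_ipv4s, 16)
    body = b"".join(a.packed for a in addrs)
    return (b"\x01" + bytes([len(body)]) + body).hex()


def option52_hex(ac_ipv6s):
    """Option 52: each AC IPv6 address as 16 bytes (32 hex digits), concatenated
    exactly as in the guide's two-address example."""
    addrs = [ipaddress.IPv6Address(a) for a in ac_ipv6s]
    if not 1 <= len(addrs) <= 8:
        raise ValueError("between 1 and 8 AC IPv6 addresses allowed")
    return "".join(a.packed.hex() for a in addrs)


def decode_option43(hex_string):
    """Parse an Option 43 hex string into ('pxe' | 'acs', [dotted AC addresses]).

    Every length field is cross-checked against the actual payload so that a
    mistyped length byte or a truncated address is reported instead of being
    handed to APs."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[1] != len(raw) - 2:
        raise ValueError("length field does not match payload size")
    if raw[0] == 0x80:
        body = raw[5:]
        if (len(raw) < 5 or raw[2:4] != b"\x00\x00" or not body
                or len(body) % 4 or raw[4] != len(body) // 4):
            raise ValueError("malformed PXE server address sub-option")
        name = "pxe"
    elif raw[0] == 0x01:
        body = raw[2:]
        if not body or len(body) % 4:
            raise ValueError("ACS sub-option payload is not a multiple of 4 bytes")
        name = "acs"
    else:
        raise ValueError("unknown sub-option type 0x%02x" % raw[0])
    addrs = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]
    return name, addrs


def is_valid_option43(hex_string):
    """True if the string decodes cleanly; use it to vet a hand-typed value."""
    try:
        decode_option43(hex_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for acs in (["2.2.2.2"], ["6.6.6.2", "6.6.6.3"]):
        print("option 43 hex", option43_pxe_hex(acs), "/", option43_acs_hex(acs))
    print("option 52 hex", option52_hex(["3138:101::62", "3138:101::72"]))
```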
CAPWAP tunnel establishment
Figure 2 Establishing a CAPWAP tunnel
As shown in Figure 2, the AP and an AC establish a CAPWAP tunnel by using the following procedure:
1. The AP sends a discovery request to each AC to discover ACs.
2. Upon receiving a discovery request, an AC determines whether to send a discovery response by performing the following steps:
a. Identifies whether the discovery request is a unicast packet.
- Unicast packet—The AC proceeds to step b.
- Broadcast or multicast packet—The AC proceeds to step b if the feature of responding only to unicast discovery requests is disabled. If that feature is enabled, the AC does not send a discovery response.
b. Identifies whether manual AP configuration exists for the AP.
- If manual AP configuration exists, the AC sends a discovery response to the AP. The discovery response contains information about whether the AC has the manual configuration for the AP, the AP connection priority, and the AC's load status.
- If no manual AP configuration exists, the AC proceeds to step c.
c. Identifies whether auto AP is enabled.
- If auto AP is enabled, the AC sends a discovery response to the AP. The discovery response contains the enabling status of auto AP, the AP connection priority, and the AC's load information.
- If auto AP is disabled, the AC does not send a discovery response.
3. Upon receiving the discovery responses, the AP selects the optimal AC by using the following criteria in descending order:
¡ AC that saves information about the AP.
¡ AC where the auto AP feature is enabled.
¡ AC with higher AP connection priority.
¡ AC with the lighter load.
¡ AC that is the earliest to respond.
4. The AP sends a join request to the optimal AC.
5. After receiving the join request, the AC examines the information in the request to determine whether to provide access services to the AP and sends a join response.
6. The AP examines the result code in the response upon receiving the join response:
¡ If the result code represents failure, the AP does not establish a CAPWAP tunnel with the AC.
¡ If the result code represents success, the AP establishes a CAPWAP tunnel with the AC.
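The AC-side decision in step 2 and the AP-side ranking in step 3 can be checked against a concrete scenario. The following Python model is an added example, not the AC's or AP's code; the AC names, load figures and arrival order are constructed.

```python
"""Model of the CAPWAP discovery exchange described above.

Added example, not the AC's or AP's own code: ac_discovery_decision() applies
the AC-side checks (unicast-only policy, manual AP configuration, auto AP) to a
discovery request, and select_optimal_ac() applies the AP-side ranking to the
responses collected before the discovery-response timer expires. AC names, the
load figure and the arrival order are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DiscoveryResponse:
    ac: str                  # responding AC (constructed name)
    has_manual_config: bool  # the AC saves manual configuration for this AP
    auto_ap_enabled: bool    # auto AP feature status on the AC
    priority: int            # AP connection priority of the AC (higher wins)
    load: int                # AC load, e.g. number of APs served (lower wins)
    arrival: int             # order in which the AP received it (0 = earliest)


def ac_discovery_decision(ac: str, ap_name: str, *, request_is_unicast: bool,
                          unicast_only: bool, manual_ap_names: set,
                          auto_ap_enabled: bool, priority: int, load: int,
                          arrival: int) -> Optional[DiscoveryResponse]:
    """Return the response the AC sends, or None when it stays silent."""
    # Step a: broadcast/multicast requests are ignored under the unicast-only policy.
    if not request_is_unicast and unicast_only:
        return None
    # Step b: manual AP configuration for this AP always earns a response.
    if ap_name in manual_ap_names:
        return DiscoveryResponse(ac, True, auto_ap_enabled, priority, load, arrival)
    # Step c: without manual configuration, only an AC with auto AP enabled responds.
    if auto_ap_enabled:
        return DiscoveryResponse(ac, False, True, priority, load, arrival)
    return None


def select_optimal_ac(responses: List[DiscoveryResponse]) -> Optional[str]:
    """AP side: apply the five ranking criteria in the order the guide lists them."""
    if not responses:
        return None
    best = min(responses, key=lambda r: (not r.has_manual_config,   # 1. saves AP info
                                         not r.auto_ap_enabled,     # 2. auto AP enabled
                                         -r.priority,               # 3. higher priority
                                         r.load,                    # 4. lighter load
                                         r.arrival))                # 5. earliest response
    return best.ac


def demo_discovery(request_is_unicast: bool = False):
    """Constructed scenario: one AP discovering four ACs with different settings.
    Returns (names of ACs that answered, AC the AP joins)."""
    ap = "ap-constructed-1"
    acs = [  # (name, unicast_only, manual AP names, auto AP, priority, load)
        ("AC1", True, {ap}, True, 7, 1),      # best candidate, but answers unicast only
        ("AC2", False, set(), True, 7, 1),    # auto AP, high priority, light load
        ("AC3", False, {ap}, False, 4, 50),   # saves manual config for this AP
        ("AC4", False, set(), False, 7, 0),   # nothing to offer this AP
    ]
    responses = []
    for order, (name, uo, manual, auto, prio, load) in enumerate(acs):
        resp = ac_discovery_decision(name, ap, request_is_unicast=request_is_unicast,
                                     unicast_only=uo, manual_ap_names=manual,
                                     auto_ap_enabled=auto, priority=prio, load=load,
                                     arrival=order)
        if resp is not None:
            responses.append(resp)
    return [r.ac for r in responses], select_optimal_ac(responses)


if __name__ == "__main__":
    print("broadcast discovery:", demo_discovery(False))
    print("unicast discovery:  ", demo_discovery(True))
```

With a broadcast request the AP joins AC3 (manual configuration beats AC2's higher priority and lighter load); with a unicast request AC1 answers too and wins on the auto AP criterion.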
APDB
The Access Point Information Database (APDB) on an AC stores the following AP information:
· AP models.
· Hardware version and software version mappings.
· Information about radios supported by AP models:
¡ Number of radios.
¡ Radio type.
¡ Valid region code.
¡ Valid antenna type.
¡ Maximum transmission power.
The AC can establish a CAPWAP tunnel with an AP only when the APDB contains the corresponding AP model information.
You can use the system script and user scripts to manage data in the APDB. The system script is released with the AC software version, and it is automatically loaded each time the AC starts. If you need to add new AP models, upgrade the AC software version (see Fundamentals Configuration Guide) or create a user script and load it on the AC (see "Configuring a description for the AC").
Protocols and standards
· RFC 5415, Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification
Restrictions and guidelines: AP management configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.
As a best practice, configure APs in AP group view for large scale network deployment.
AP management tasks at a glance
To configure AP management, perform the following tasks:
1. Configuring CAPWAP tunnel establishment
Choose one of the following tasks: creating a manual AP or managing auto APs.
¡ (Optional.) Setting the discovery-response timeout timer
¡ (Optional.) Setting the AP connection priority for the AC
¡ (Optional.) Enabling the AC to respond only to unicast discovery requests
¡ (Optional.) Configuring AC rediscovery
¡ (Optional.) Enabling an AP to prefer discovering ACs by IPv6 address
2. (Optional.) Configuring an AP group
3. (Optional.) Upgrading APs' software
4. (Optional.) Configuring remote configuration synchronization
5. (Optional.) Configuring a CAPWAP tunnel
¡ Configuring CAPWAP tunnel encryption
¡ Configuring CAPWAP tunnel latency detection
¡ Setting the control tunnel keepalive timer for an AP
¡ Setting the data tunnel keepalive interval for an AP
¡ Setting the maximum fragment size for CAPWAP packets
¡ Setting the TCP MSS for CAPWAP tunnels
6. (Optional.) Configuring AC request retransmission
7. (Optional.) Preprovisioning APs
8. (Optional.) Configuring SNMP notifications
9. (Optional.) Maintaining APs
¡ Managing the file system of an AP
¡ Setting the statistics report interval
¡ Setting the statistics fast report interval
¡ Configuring gateway information reporting
10. (Optional.) Configuring advanced features for AP management
¡ Associating an AP with a configuration profile
11. (Optional.) Maintaining ACs
¡ Configuring a description for the AC
¡ Enabling time zone synchronization
¡ Enabling service anomaly detection
Configuring CAPWAP tunnel establishment
Prerequisites for configuring CAPWAP tunnel establishment
Before you manage APs, complete the following tasks:
· Create a DHCP address pool on the DHCP server to assign IP addresses to APs.
· If DHCP options are used for AC discovery, configure Option 138, Option 43, or Option 52 in the specified DHCP address pool on the DHCP server.
· If DNS is used for AC discovery, configure the IP address of the DNS server and the AC domain name suffix in the specified DHCP address pool on the DHCP server. Then configure the mapping between the domain name and the AC IP address on the DNS server.
· Make sure the APs and the AC can reach each other.
For more information about DHCP and DNS, see Layer 3—IP Services Configuration Guide.
Creating a manual AP
About this task
You can create a manual AP on the AC based on the AP model, serial ID, and MAC address of the AP you are using. An AP prefers to establish a CAPWAP tunnel with an AC that saves the manual AP configuration.
Procedure
1. Enter system view.
system-view
2. Create a manual AP and enter its view.
wlan ap ap-name [ model model-name ]
You must specify the model name when you create an AP.
3. Specify the serial ID or the MAC address for the AP.
¡ Specify the serial ID for the AP.
serial-id serial-id
¡ Specify the MAC address for the AP.
mac-address mac-address
By default, neither the serial ID nor the MAC address is specified for an AP.
4. (Optional.) Configure a description for the AP.
description text
By default, an AP does not have a description.
Managing auto APs
About this task
The auto AP feature enables APs to connect to an AC without manual AP configuration. This feature simplifies configuration when you deploy a large number of APs in a WLAN.
For security purposes, you can use the following methods to authenticate auto APs:
· Local authentication.
The AC authenticates an auto AP by serial ID or MAC address. When an auto AP initiates a connection request, the AC uses an ACL specified by the wlan ap-authentication acl command to match the auto AP. Assume that the AC authenticates the auto AP by serial ID.
¡ If the serial ID matches a permit rule, the auto AP passes the authentication and associates with the AC.
¡ If the serial ID matches a deny rule, the auto AP fails the authentication and cannot associate with the AC.
¡ If the serial ID does not match any rule, the auto AP is regarded as an unauthenticated auto AP. An unauthenticated auto AP can associate with the AC but cannot provide wireless services.
· Remote authentication.
Remote authentication is used for authenticating unauthenticated auto APs. The AC uses the serial ID or MAC address of an unauthenticated auto AP as the username and password and sends them to the authentication server for authentication. If the authentication succeeds, the AC accepts the AP. If it does not succeed, the AC rejects the AP.
· Manual authentication.
Manual authentication is used for authenticating unauthenticated auto APs.
The AC determines whether to accept an unauthenticated auto AP depending on the manual authentication configuration.
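The three local authentication outcomes, and what happens to an unauthenticated auto AP afterwards, are modelled below. This is an added example, not the AC's implementation; it assumes rules are tried in ascending rule-id order with the first match deciding, that a rule lacking a field for the active method cannot match, and that mask bits set to 1 are the compared bits. The serial IDs and MAC addresses are constructed.

```python
"""Evaluation of auto AP local authentication as described above.

Added example, not the AC's implementation: Rule mirrors the
rule { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ] syntax,
evaluate_auto_ap() returns the three outcomes the text lists, and
association_outcome() folds in the permit-unauthenticated setting and a manual
accept/reject decision. Assumptions: rules are tried in ascending rule-id order
with the first match deciding, a rule without a field for the active method
cannot match, and mask bits set to 1 are the compared bits. Serial IDs and
MAC addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

PERMIT, DENY = "permit", "deny"


def mac_to_int(mac: str) -> int:
    """Accept H3C H-H-H form (000f-e2ab-cdef) or colon form and return an int."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


@dataclass
class Rule:
    rule_id: int
    action: str                       # PERMIT or DENY
    mac: Optional[str] = None
    mac_mask: Optional[str] = None    # defaults to ffff-ffff-ffff (exact match)
    serial_id: Optional[str] = None

    def matches(self, method: str, ap_mac: str, ap_serial: str) -> bool:
        if method == "serial-id":
            return self.serial_id is not None and self.serial_id == ap_serial
        if method == "mac-address":
            if self.mac is None:
                return False
            mask = mac_to_int(self.mac_mask or "ffff-ffff-ffff")
            return (mac_to_int(ap_mac) & mask) == (mac_to_int(self.mac) & mask)
        raise ValueError("unknown authentication method: %r" % method)


def evaluate_auto_ap(rules: List[Rule], method: str, ap_mac: str, ap_serial: str) -> str:
    """Return 'authenticated', 'rejected' or 'unauthenticated' for a connecting auto AP."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.action not in (PERMIT, DENY):
            raise ValueError("rule %d has an invalid action" % rule.rule_id)
        if rule.matches(method, ap_mac, ap_serial):
            return "authenticated" if rule.action == PERMIT else "rejected"
    return "unauthenticated"   # no rule matched: may associate, no wireless service


def association_outcome(auth_result: str, permit_unauthenticated: bool = True,
                        manual_decision: Optional[str] = None) -> str:
    """What the AC lets the AP do after local authentication.

    permit_unauthenticated models 'wlan ap-authentication permit-unauthenticated'
    (enabled by default); manual_decision is 'accept' or 'reject' from manual
    authentication, or None when nothing has been configured."""
    if auth_result == "authenticated":
        return "accepted"
    if auth_result == "rejected":
        return "refused"
    # Unauthenticated auto AP: manual authentication decides, else the permit setting.
    if manual_decision == "accept":
        return "accepted"
    if manual_decision == "reject" or not permit_unauthenticated:
        return "refused"
    return "associated without wireless service"


def demo_rules() -> List[Rule]:
    """Constructed WLAN AP ACL: permit one serial ID, deny a MAC prefix, permit
    two exact MACs. Rule 10 precedes rule 20, so an AP whose MAC starts with
    000f-e2 is rejected even though rule 20 would permit it."""
    return [
        Rule(5, PERMIT, serial_id="219801A0CN-CONSTRUCTED-1"),
        Rule(10, DENY, mac="000f-e200-0000", mac_mask="ffff-ff00-0000"),
        Rule(20, PERMIT, mac="000f-e2ab-cdef"),
        Rule(30, PERMIT, mac="00e0-fc99-0001"),
    ]


if __name__ == "__main__":
    for mac in ("000f-e2ab-cdef", "00e0-fc99-0001", "00e0-fc11-2233"):
        result = evaluate_auto_ap(demo_rules(), "mac-address", mac, "n/a")
        print(mac, result, "->", association_outcome(result))
```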
Restrictions and guidelines
To prevent unauthorized APs from associating with the AC, disable the auto AP feature after all required APs are associated with the AC.
You must convert auto APs to manual APs after they come online for the following reasons:
· Auto APs can re-associate with the AC upon an AC reboot or CAPWAP tunnel termination only when they are converted to manual APs.
· You can individually configure auto APs only when they are converted to manual APs.
Tasks at a glance
To configure auto APs, perform the following tasks:
1. Enabling the auto AP feature
2. (Optional.) Converting auto APs to manual APs
3. (Optional.) Configuring auto AP authentication
Choose one of the following tasks:
¡ Configuring auto AP local authentication
¡ Configuring auto AP remote authentication
¡ Manually authenticating unauthenticated auto APs
4. (Optional.) Disabling unauthenticated auto APs from associating with the AC
5. (Optional.) Restarting unauthenticated auto APs
Prerequisites
Before you configure remote authentication for auto APs, specify an authentication domain and AAA scheme on the AC and create user accounts on the RADIUS server. For information about authentication domain and AAA scheme configuration, see AAA in Security Configuration Guide.
Enabling the auto AP feature
1. Enter system view.
system-view
2. Enable the auto AP feature.
wlan auto-ap enable
By default, the auto AP feature is disabled.
Converting auto APs to manual APs
1. Enter system view.
system-view
2. Convert auto APs to manual APs. Choose the options to configure as needed:
¡ Convert online auto APs to manual APs.
wlan auto-ap persistent { all | name auto-ap-name [ new-ap-name ] }
¡ Enable the auto AP conversion feature.
wlan auto-persistent enable
By default, the auto AP conversion feature is disabled.
The wlan auto-persistent enable command does not take effect on auto APs that are already online.
Configuring auto AP local authentication
1. Enter system view.
system-view
2. Specify an authentication method.
wlan ap-authentication method { mac-address | serial-id }
By default, the AC authenticates auto APs by MAC address.
3. Create a WLAN AP ACL.
acl wlan ap { acl-number | name acl-name }
For more information about this command, see ACL and QoS Command Reference.
4. Return to system view.
quit
5. Specify an ACL for authenticating auto APs.
wlan ap-authentication acl acl-number
By default, no ACL is specified for authenticating auto APs.
6. Create ACL rules for the WLAN AP ACL. Choose the options to configure as needed:
¡ Execute the following commands in sequence to manually create a rule:
acl wlan ap { acl-number | name acl-name }
rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ]
quit
¡ Import an auto AP authentication file to generate ACL rules.
wlan ap-authentication import file-name
Use either method or both methods according to actual network requirements.
7. Enable auto AP authentication.
wlan ap-authentication enable
By default, auto AP authentication is disabled.
Configuring auto AP remote authentication
1. Enter system view.
system-view
2. Specify an authentication domain for unauthenticated auto APs.
wlan ap-authentication domain domain-name
By default, no authentication domain is specified for unauthenticated auto APs.
Manually authenticating unauthenticated auto APs
1. Enter system view.
system-view
2. Manually authenticate unauthenticated auto APs.
wlan ap-authentication { accept | reject } ap-unauthenticated { all | name ap-name }
By default, manual authentication is not configured for unauthenticated auto APs.
Disabling unauthenticated auto APs from associating with the AC
1. Enter system view.
system-view
2. Disable unauthenticated auto APs from associating with the AC.
undo wlan ap-authentication permit-unauthenticated
By default, unauthenticated auto APs can associate with the AC but cannot provide wireless services.
This feature reduces waste of system resources.
Restarting unauthenticated auto APs
To restart unauthenticated auto APs, execute the following command in user view:
reset wlan ap unauthenticated
The auto APs will be reauthenticated after being restarted.
Setting the discovery-response timeout timer
About this task
The discovery-response timeout timer specifies how long an AP waits for further discovery responses. Whenever an AP receives a discovery response packet, the discovery-response timeout timer is created or refreshed. When the timer expires, the AP sends a join request to the optimal AC.
Restrictions and guidelines
If the network condition is poor, set a larger discovery-response timeout timer.
Procedure
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Set the discovery-response timeout timer.
discovery-response wait-time seconds
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the discovery-response timeout timer is 2 seconds.
Setting the AP connection priority for the AC
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Set the AP connection priority for the AC.
priority priority
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the AP connection priority is 4.
Enabling the AC to respond only to unicast discovery requests
About this task
An AP can send unicast, multicast, and broadcast discovery requests to discover ACs. This feature enables an AC to respond only to unicast discovery requests.
Procedure
1. Enter system view.
system-view
2. Enable the AC to respond only to unicast discovery requests.
wlan capwap discovery-policy unicast
By default, the AC can respond to unicast, multicast, and broadcast discovery requests.
Configuring AC rediscovery
About this task
An AC with AC rediscovery enabled adds the CAPWAP Control IP Address message element to the discovery responses it sends to APs. Upon receiving such a discovery response, an AP establishes a CAPWAP tunnel by using the following procedure:
1. Examines whether a discovery request has been sent to each IP address specified in the CAPWAP Control IP Address message element.
2. Performs either of the following operations:
¡ Sends a join request to the specified IP address representing the optimal AC for CAPWAP establishment if discovery requests have been sent.
¡ Sends a discovery request to each specified IP address to initiate a new AC discovery process if no discovery requests have been sent.
An AC with AC rediscovery disabled does not add the CAPWAP Control IP Address message element to the discovery responses it sends to APs. APs that receive such discovery responses send join requests to the source IP address of the discovery responses to establish CAPWAP tunnels with the AC.
AC rediscovery applies to CMCC wireless networks, where the CAPWAP Control IP Address message element is required in discovery responses from the AC.
Procedure
1. Enter system view.
system-view
2. Enter AP view, AP group view, or global configuration view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
¡ Enter global configuration view.
wlan global-configuration
3. Configure AC rediscovery.
control-address { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, AC rediscovery is disabled.
4. Specify the IP address to be added in the CAPWAP Control IP Address message element.
control-address { ip ipv4-address | ipv6 ipv6-address }
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, the IP address in the element is one of the following:
- On a non-AC hierarchical network—AC's IP address.
- On an AC hierarchical network—IP address of the lightest loaded local AC for a central AC and IP address of the local AC for a local AC.
You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.
Enabling an AP to prefer discovering ACs by IPv6 address
About this task
This feature enables an AP to discover ACs by using the static IP addresses, IPv6 multicast, DHCPv6 option, IPv6 DNS, DHCPv4 options, broadcast/IPv4 multicast, and IPv4 DNS successively. If the AP connects to an AC successfully with a discovered IP address, it stops AC discovery.
Procedure
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Enter AP or AP group provision view.
provision
4. Enable an AP to prefer discovering ACs by IPv6 address.
ac discovery policy ipv6
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, an AP prefers to discover ACs by IPv4 address.
Configuring an AP group
About this task
This feature enables you to configure multiple APs in bulk to reduce configuration workload.
APs in an AP group use the configuration of the group. By default, all physical APs belong to system-defined AP group default-group and all virtual APs belong to virtual AP group default-vitualapgroup. The system-defined AP group cannot be deleted.
You can configure AP grouping rules by AP name, serial ID, MAC address, and IP address to add APs to the specified AP group. Priorities of these grouping rules are in descending order. If an AP does not match any grouping rules, it is added to the default AP group.
Restrictions and guidelines
An AP can be added to only one AP group.
You cannot delete an AP group that contains an AP. An AP group that has grouping rules but does not contain any APs can be deleted.
When you configure an AP grouping rule, follow these restrictions and guidelines:
· You cannot create the same grouping rule for different AP groups. If you do so, the most recent configuration takes effect.
· You cannot create grouping rules for the default AP group.
· AP grouping rules by IPv4 or IPv6 addresses for an AP group or for different AP groups cannot overlap with each other.
· An AP group supports a maximum of 32 AP grouping rules by IPv4 or IPv6 addresses.
Procedure
1. Enter system view.
system-view
2. Create an AP group and enter its view.
¡ Create a physical AP group.
wlan ap-group group-name
By default, a default AP group named default-group exists.
¡ Create a virtual AP group.
wlan virtual-ap-group group-name
By default, a default virtual AP group named default-vitualapgroup exists.
3. (Optional.) Configure a description for the AP group.
description text
By default, an AP group does not have a description.
4. Create an AP grouping rule. Choose the options to configure as needed:
¡ Create an AP grouping rule by AP names.
ap ap-name-list
¡ Create an AP grouping rule by serial IDs.
serial-id serial-id
¡ Create an AP grouping rule by MAC addresses.
mac-address mac-address
¡ Create an AP grouping rule by IPv4 addresses.
if-match ip ip-address { mask-length | mask }
¡ Create an AP grouping rule by IPv6 addresses.
if-match ipv6 { ipv6-address prefix-length | ipv6-address/prefix-length }
5. Return to system view.
quit
6. (Optional.) Create an AP regrouping rule.
wlan re-group { ap ap-name | ap-group old-group-name | mac-address mac-address | serial-id serial-id } group-name
Upgrading APs' software
Configuring software upgrade
About this task
With software upgrade enabled, the AC examines the AP software version while establishing a CAPWAP tunnel with an AP. If this feature is disabled, the AC does not examine the software version of the AP and directly establishes a CAPWAP tunnel with the AP.
Software upgrade for an AP proceeds as follows:
1. The AP reports the software version and AP model information to the AC.
2. The AC examines the received AP software version.
¡ If a match is found, the AC establishes a CAPWAP tunnel with the AP.
¡ If no match is found, the AC sends a message that notifies the AP of the AP software version inconsistency.
3. Upon receiving the inconsistency message, the AP requests a software version from the AC.
4. The AC assigns the software version to the AP after receiving the request.
5. The AP upgrades the software version, restarts, and establishes a CAPWAP tunnel with the AC.
Procedure
1. Enter system view.
system-view
2. Enter AP view, AP group view, or global configuration view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
¡ Enter global configuration view.
wlan global-configuration
3. Configure software upgrade.
firmware-upgrade { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no software upgrade configuration exists in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, the software upgrade feature is enabled.
Configuring the mapping between a software version and a hardware version of an AP model
About this task
Perform this task to configure the mapping between a software version and a hardware version of an AP model for software upgrade. When AP software upgrade is enabled, the AC checks whether the software version of an AP matches the hardware version in the corresponding mapping. If they match, no upgrade will be performed. If they do not match, the AP upgrades its software version.
For fit APs, perform this task only when the AP software version for an AP model stored in the APDB is inconsistent with the software version you expect for the AP model. To display the AP software version for each AP model in the APDB, use the display wlan ap-model command.
For cloud-managed APs and fat APs, perform this task only when software upgrade is required for such an AP. You must save the target AP image to the apimage directory on the AC, and make sure the version number of the image is consistent with the version number specified in the command.
Restrictions and guidelines
To avoid CAPWAP tunnel establishment failure, use this feature under the guidance of H3C Support.
Procedure
1. Enter system view.
system-view
2. Configure the mapping between a software version and a hardware version of an AP model.
wlan apdb [ fatap | oasisap ] model-name hardware-version software-version
By default:
¡ For a fat AP, no mapping between a software version and a hardware version is specified for an AP model.
¡ For a cloud-managed AP, no mapping between a software version and a hardware version is specified for an AP model.
¡ For a fit AP, the software version for a hardware version of an AP model is the software version that is stored in APDB user scripts.
If the fatap and oasisap keywords are not specified, the command configures the mapping for the fit AP model.
Specifying the preferred location for the AC to obtain an AP image file
About this task
The AC assigns an AP image file to an AP if the AP requests a software version during CAPWAP tunnel establishment. You can specify the preferred location as the AC's RAM or local folder for the AC to obtain an AP image file. If the AC cannot obtain an AP image file from the preferred location, it obtains an AP image file from the other location. If no AP image file exists, the AC fails to obtain an image file and cannot assign a software version to the AP.
Restrictions and guidelines
The AC can assign only .ipe AP image files to APs.
If you specify the local folder, make sure the AC uses a CF or flash card as the default file system and the AP image file is stored in the root directory of the file system on the AC.
Procedure
72. Enter system view.
system-view
73. Specify the preferred location for the AC to obtain an AP image file.
wlan image-load filepath { local | ram }
By default, the AC prefers the AP image file stored in the RAM when assigning a software version to an AP.
Deploying an image file to online APs
About this task
This feature enables you to upgrade the image of all the online APs. For the upgrade to take effect, reboot the APs after upgrade.
Procedure
74. Enter system view.
system-view
75. Deploy an image file to all the online APs.
wlan ap-image-deploy { all | ap-group group-name | name ap-name }
Configuring remote configuration synchronization
NOTE: Support for this feature depends on the AP model.
About remote configuration synchronization
To update APs' configuration file or configure features that require a configuration file, you can use the map-configuration command to deploy a configuration file to APs. However, you must write the related commands to the configuration file before deployment. This is time-consuming and is not practical for a network with a large number of APs.
This feature enables the AC to directly synchronize AP settings such as VLAN, link aggregation, and port isolation changes to online APs.
Tasks at a glance
To configure remote configuration synchronization, perform the following tasks:
76. Shutting down or bringing up Ethernet interfaces on a fit AP
77. Creating a Layer 2 aggregate interface
78. Assigning an interface to a Layer 2 aggregation group
79. Configuring port isolation
80. Configuring basic VLAN settings
81. Assigning a port to a VLAN
¡ Assigning an access port to a VLAN
¡ Assigning a trunk port to VLANs
¡ Assigning a hybrid port to VLANs
¡ Setting the trusted packet priority type
82. Synchronizing settings to online APs
Shutting down or bringing up Ethernet interfaces on a fit AP
About this task
To avoid unauthorized access to a fit AP from an unused interface on the AP, you can perform this task to shut down unused Ethernet interfaces on the AP.
Restrictions and guidelines
This command does not take effect on the uplink interface of a fit AP that connects the AP to the AC.
Do not shut down an interface when it is being removed from an aggregation group.
The interface-management shutdown command does not take effect on member interfaces of an aggregation group.
Procedure
83. Enter system view.
system-view
84. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
85. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
86. Bring up or shut down the interface on the fit AP.
interface-management { bringup | shutdown }
By default, in an AP's Ethernet interface view, the AP uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, the interface is up.
Creating a Layer 2 aggregate interface
Restrictions and guidelines
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 aggregation group with the same number. The aggregation group operates in static aggregation mode by default.
Aggregation mode change might cause Selected member ports to become Unselected. When you change the aggregation mode, make sure you understand the impact of the change on services.
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
The configuration in AP view takes precedence over the configuration in an AP group's AP model view.
Procedure
87. Enter system view.
system-view
88. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
89. Create a Layer 2 aggregate interface and enter its view.
bridge-aggregation interface-number
90. Set the aggregation mode of an aggregation group and set the LACP state.
link-aggregation mode { dynamic | static }
By default:
¡ In an AP's Layer 2 aggregate interface view, the AP uses the configuration in an AP group's Layer 2 aggregate interface view.
¡ In an AP group's Layer 2 aggregate interface view, an aggregation group operates in static aggregation mode.
Assigning an interface to a Layer 2 aggregation group
Restrictions and guidelines
A Layer 2 Ethernet interface can be assigned only to a Layer 2 aggregation group, and an Ethernet interface can belong to only one aggregation group.
After joining an aggregation group, an interface inherits the settings configured for the group.
Before you perform this task, make sure the specified aggregation group already exists and the AP supports Layer 2 aggregate interfaces.
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
The configuration in an AP's Ethernet interface view takes precedence over the configuration in an AP group's Ethernet interface view.
Procedure
91. Enter system view.
system-view
92. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
93. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
94. Assign an interface to an aggregation group.
port link-aggregation group group-id
¡ By default, in an AP's Ethernet interface view, the AP uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, an interface does not belong to an aggregation group.
Configuring port isolation
Restrictions and guidelines
The configuration in Ethernet interface view applies only to the interface.
The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group.
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
The configuration in an AP's Ethernet interface view takes precedence over the configuration in an AP group's Ethernet interface view.
Procedure
95. Enter system view.
system-view
96. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
97. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
98. Configure port isolation.
port-isolate { enable | disable }
¡ By default, in an AP's Ethernet interface view, a port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, port isolation is enabled.
Configuring basic VLAN settings
Restrictions and guidelines
You cannot create or delete VLAN 1 (the default VLAN) or reserved VLANs.
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
Procedure
99. Enter system view.
system-view
100. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
101. (Optional.) Create a VLAN and enter its view, or create a list of VLANs.
vlan { vlan-id1 [ to vlan-id2 ] | all }
By default, only VLAN 1 (the system default VLAN) exists.
102. Enter VLAN view.
vlan vlan-id
To configure a VLAN after you create a list of VLANs, you must perform this step.
103. (Optional.) Assign a name to the VLAN.
name text
By default:
¡ In an AP's VLAN view, a VLAN uses the configuration in an AP group's VLAN view.
¡ In an AP group's VLAN view, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has less than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100.
104. Configure the description of the VLAN.
description text
By default:
¡ In an AP's VLAN view, a VLAN uses the configuration in an AP group's VLAN view.
¡ In an AP group's VLAN view, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has less than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100.
Assigning an access port to a VLAN
Restrictions and guidelines
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
The configuration in an AP's Ethernet interface view takes precedence over the configuration in an AP group's Ethernet interface view.
Procedure
105. Enter system view.
system-view
106. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
107. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
Use the command that matches the AP model and your network requirements.
108. Set the link type to access.
port link-type access
By default, in an AP's Ethernet interface view, a port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, all ports are access ports.
109. Assign the access port to a VLAN.
port access vlan vlan-id
By default, in an AP's Ethernet interface view, an access port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, an access port belongs to VLAN 1.
Make sure the VLAN has been created.
Assigning a trunk port to VLANs
Restrictions and guidelines
A trunk port can allow multiple VLANs. If you execute this command multiple times on a trunk port, the trunk port allows all the specified VLANs.
On a trunk port, packets from only the PVID can pass through untagged.
To prevent unauthorized VLAN users from accessing restricted resources through the port, use the port trunk permit vlan all command with caution.
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
The configuration in an AP's Ethernet interface view takes precedence over the configuration in an AP group's Ethernet interface view.
Procedure
110. Enter system view.
system-view
111. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
112. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
Use the command that matches the AP model and your network requirements.
113. Set the link type to trunk.
port link-type trunk
By default, in an AP's Ethernet interface view, a port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, all ports are access ports.
114. Assign the trunk port to the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
By default, in an AP's Ethernet interface view, a trunk port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, a trunk port permits only VLAN 1.
115. (Optional.) Set the PVID for the trunk port.
port trunk pvid vlan vlan-id
By default, in an AP's Ethernet interface view, a trunk port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, the PVID of a trunk port is VLAN 1.
Assigning a hybrid port to VLANs
Restrictions and guidelines
You can use a nonexistent VLAN as the PVID of a hybrid port. If you delete the VLAN that is the PVID of a hybrid port by using the undo vlan command, the PVID setting of the port does not change.
For correct packet transmission, set the same PVID for a hybrid port on an AP and the hybrid port on the switch connected to the AP.
To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID by using the port hybrid vlan command.
The configuration will be synchronized to all online APs after remote configuration synchronization is activated.
The configuration in an AP's Ethernet interface view takes precedence over the configuration in an AP group's Ethernet interface view.
Procedure
116. Enter system view.
system-view
117. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
118. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
Use the command that matches the AP model and your network requirements.
119. Set the link type to hybrid.
port link-type hybrid
By default, in an AP's Ethernet interface view, a port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, all ports are access ports.
120. Assign the hybrid port to the specified VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, in an AP's Ethernet interface view, a hybrid port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, a hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.
121. (Optional.) Set the PVID for the hybrid port.
port hybrid pvid vlan vlan-id
By default, in an AP's Ethernet interface view, a hybrid port uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access.
Setting the trusted packet priority type
About this task
With a priority type and a port priority value specified for an interface, an AP assigns the priority of the specified type to all packets received on the interface.
The system supports the following trusted packet priority types:
· dot1p—Uses the 802.1p priority carried in packets for priority mapping.
· dscp—Uses the DSCP priority carried in packets for priority mapping.
Procedure
122. Enter system view.
system-view
123. Enter AP view or AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group's AP model view.
wlan ap-group group-name
ap-model ap-model
124. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
125. Set the trusted packet priority type.
qos trust { dot1p | dscp }
By default, in an AP's Ethernet interface view, the AP uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, no trusted packet priority type is set.
Setting the port priority
About this task
With a priority type and a port priority value specified for an interface, an AP assigns the priority of the specified type to all packets received on the interface.
Procedure
126. Enter system view.
system-view
127. Enter AP view or AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group's AP model view.
wlan ap-group group-name
ap-model ap-model
128. Enter Ethernet interface view.
¡ Enter Eth interface view.
ethernet interface-number
¡ Enter GigabitEthernet interface view.
gigabitethernet interface-number
¡ Enter 2.5G Ethernet interface view.
smartrate-ethernet interface-number
¡ Enter 10-GE interface view.
ten-gigabitethernet interface-number
¡ Enter Layer 2 aggregate interface view.
bridge-aggregation interface-number
129. Set the port priority.
qos priority priority-value
By default, in an AP's Ethernet interface view, the AP uses the configuration in an AP group's Ethernet interface view. In an AP group's Ethernet interface view, the port priority is 0.
Synchronizing settings to online APs
About this task
This feature enables the AC to directly synchronize AP settings such as VLAN, link aggregation, and port isolation changes to online APs.
Restrictions and guidelines
CAUTION: The remote configuration synchronization feature clears all VLAN, link aggregation, and port settings (except for port isolation settings) on online APs and issues the settings on the AC to the APs. Please use it with caution.
This feature takes effect only when both remote configuration assignment and remote configuration synchronization are configured. If only remote configuration assignment is configured, the AC assigns only VLAN settings to the specified AP or AP group.
With remote configuration assignment enabled, APs request VLAN, link aggregation, and port settings from the AC automatically after coming online.
Remote configuration synchronization takes effect only when remote configuration assignment is enabled.
As a best practice, do not use both remote configuration synchronization and the map-configuration command on the AC. If you must use both of them on the AC, make sure the VLAN, link aggregation, and port isolation settings in the configuration file to be deployed do not conflict with the settings on the AC.
Procedure
130. Enter system view.
system-view
131. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
132. Enable remote configuration assignment to assign VLAN settings to the AP.
remote-configuration enable
By default:
In AP view, an AP uses the configuration in AP group view.
In AP group view, remote configuration assignment is disabled.
133. Enable remote configuration synchronization.
remote-configuration synchronize
By default:
In AP view, an AP uses the configuration in AP group view.
In AP group view, remote configuration synchronization is disabled.
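The remote configuration synchronization tasks above (shutting down unused interfaces, creating VLANs, assigning access, trunk and hybrid ports, setting the trusted priority type, then enabling assignment and synchronization) can be planned as one command sequence per AP group. The following is an added example, not H3C code: it renders the guide's commands from a small port plan and refuses plans that break the guide's own rules (shutdown requested on the uplink, port trunk permit vlan all, a hybrid PVID not in the port hybrid vlan list, VLAN IDs out of range). The Port plan format, the group name, the model name placeholder and the VLAN numbers are constructed for illustration.

```python
"""Generate the remote configuration synchronization commands this guide
describes (interface shutdown, VLAN creation, access/trunk/hybrid port
assignment, trusted priority, then enable + synchronize) from a declarative
port plan, refusing plans that break the guide's rules.  Added example, not
H3C code; the Port plan format, the group name "office", the model name
placeholder and the VLAN numbers are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094


@dataclass
class Port:
    name: str                      # interface view command, e.g. "gigabitethernet 1"
    link_type: str                 # "unused", "access", "trunk" or "hybrid"
    vlans: List[int] = field(default_factory=list)  # access: one VLAN; trunk/hybrid: VLAN list
    pvid: Optional[int] = None     # trunk/hybrid only
    tagged: bool = True            # hybrid only: tagged or untagged membership
    trust: Optional[str] = None    # "dot1p" or "dscp"
    uplink: bool = False           # the AP's uplink to the AC
    permit_all: bool = False       # trunk: the "port trunk permit vlan all" shortcut


def vlan_list(ids) -> str:
    """Render VLAN IDs in vlan-id-list form, e.g. [10, 20, 30, 31, 32] -> '10 20 30 to 32'."""
    ids, out, i = sorted(set(ids)), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(f"{ids[i]} to {ids[j]}" if j > i else str(ids[i]))
        i = j + 1
    return " ".join(out)


def port_commands(p: Port) -> List[str]:
    """Commands for one interface view, ending with quit back to AP model view."""
    for v in p.vlans + ([p.pvid] if p.pvid is not None else []):
        if not VLAN_MIN <= v <= VLAN_MAX:
            raise ValueError(f"{p.name}: VLAN {v} outside {VLAN_MIN}-{VLAN_MAX}")
    cmds = [p.name]
    if p.link_type == "unused":
        # Guide: shut down unused interfaces; the shutdown has no effect on the uplink to the AC.
        if p.uplink:
            raise ValueError(f"{p.name}: interface-management shutdown does not take effect on the uplink")
        cmds.append("interface-management shutdown")
    elif p.link_type == "access":
        if len(p.vlans) != 1:
            raise ValueError(f"{p.name}: an access port belongs to exactly one VLAN")
        cmds += ["port link-type access", f"port access vlan {p.vlans[0]}"]
    elif p.link_type == "trunk":
        # Guide: use "port trunk permit vlan all" with caution; this planner refuses it.
        if p.permit_all or not p.vlans:
            raise ValueError(f"{p.name}: list the permitted VLANs explicitly instead of 'all'")
        cmds += ["port link-type trunk", f"port trunk permit vlan {vlan_list(p.vlans)}"]
        if p.pvid is not None:
            cmds.append(f"port trunk pvid vlan {p.pvid}")
    elif p.link_type == "hybrid":
        if not p.vlans:
            raise ValueError(f"{p.name}: a hybrid port needs a VLAN list")
        # Guide: a hybrid port only carries its PVID if the PVID is assigned with port hybrid vlan.
        if p.pvid is not None and p.pvid not in p.vlans:
            raise ValueError(f"{p.name}: PVID {p.pvid} must be in the port hybrid vlan list")
        cmds += ["port link-type hybrid",
                 f"port hybrid vlan {vlan_list(p.vlans)} {'tagged' if p.tagged else 'untagged'}"]
        if p.pvid is not None:
            cmds.append(f"port hybrid pvid vlan {p.pvid}")
    else:
        raise ValueError(f"{p.name}: unknown link type {p.link_type!r}")
    if p.trust is not None:
        if p.trust not in ("dot1p", "dscp"):
            raise ValueError(f"{p.name}: qos trust takes dot1p or dscp")
        cmds.append(f"qos trust {p.trust}")
    cmds.append("quit")
    return cmds


def build_config(group: str, model: str, ports: List[Port]) -> List[str]:
    """Full command sequence for one AP group: VLANs in AP group view, ports in
    the group's AP model view, then remote configuration enable + synchronize."""
    lines = ["system-view", f"wlan ap-group {group}"]
    # Create every referenced VLAN first (access ports need it to exist); VLAN 1 cannot be created.
    referenced = {v for p in ports for v in p.vlans} | {p.pvid for p in ports if p.pvid is not None}
    for v in sorted(referenced - {1}):
        lines += [f"vlan {v}", "quit"]  # vlan enters VLAN view; quit returns to AP group view
    lines.append(f"ap-model {model}")
    for p in ports:
        lines += port_commands(p)
    lines += ["quit", "remote-configuration enable", "remote-configuration synchronize", "quit"]
    return lines


# Constructed plan: trunk uplink, one wired client port, one unused port.
SAMPLE_PORTS = [
    Port("gigabitethernet 1", "trunk", vlans=[10, 20, 30, 31, 32], pvid=10, trust="dscp", uplink=True),
    Port("gigabitethernet 2", "access", vlans=[20]),
    Port("gigabitethernet 3", "unused"),
]

if __name__ == "__main__":
    print("\n".join(build_config("office", "model-placeholder", SAMPLE_PORTS)))
```

The emitted sequence follows the view order of the procedures above (AP group view for VLANs, AP model view for interfaces), so review it before pasting it into the AC, since synchronization clears the APs' existing VLAN and port settings.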
Configuring a CAPWAP tunnel
Configuring CAPWAP tunnel encryption
About this task
CAPWAP tunnel encryption uses the Datagram Transport Layer Security (DTLS) protocol to encrypt control and data packets transmitted over a CAPWAP tunnel.
When CAPWAP control tunnel encryption is enabled for an AP, the AC and the AP communicate as follows:
134. The AC sends a discovery response with the encryption flag to the AP.
135. The AP performs a DTLS handshake with the AC and then establishes a CAPWAP tunnel with the AC.
136. The AC and the AP encrypt control packets transmitted in the CAPWAP control tunnel after the DTLS handshake.
When CAPWAP data tunnel encryption is enabled for an AP, the AP exchanges encryption information including keys with the AC through the CAPWAP control tunnel upon receiving the first keepalive packet from the AC. After the exchange, the AC and the AP encrypt data packets transmitted in the CAPWAP data tunnel. Keepalive packets are not encrypted.
Restrictions and guidelines
After you enable CAPWAP control tunnel encryption, APs go offline and then come online again to re-establish CAPWAP tunnels with the AC.
CAPWAP control tunnel encryption requires a certificate. You can use the built-in certificate or specify a certificate for the AC. For the specified certificate to take effect, specify the certificate before enabling CAPWAP control tunnel encryption.
CAPWAP control tunnel encryption supports AP certificate verification to allow only APs with a matching certificate to come online. To use AP certificate verification, you must generate AP certificates, upload them to the AC, and execute the download file command to download the certificates to the corresponding APs. With the verification feature enabled, an AP can come online only when a certificate that uses the AP's MAC address as its CN exists on the AC.
Prerequisites
To use a non-built-in certificate, save the certificate, key, and CA certificate to the file system of the AC. These files can be in the .pem or .cer format.
Procedure
137. Enter system view.
system-view
138. Specify the certificate used for CAPWAP tunnel encryption.
wlan capwap encryption certificate cer-name key key-name ca ca-name
By default, the system uses the built-in certificate for CAPWAP tunnel encryption.
139. (Optional.) Enable AP certificate verification.
wlan ap-certificate verification
By default, AP certificate verification is disabled.
140. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
141. Configure CAPWAP control tunnel encryption.
tunnel encryption { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, CAPWAP control tunnel encryption is disabled.
142. Configure CAPWAP data tunnel encryption.
data-tunnel encryption { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, CAPWAP data tunnel encryption is disabled.
Configuring CAPWAP tunnel latency detection
About this task
This feature enables an AC to detect the transmission latency of CAPWAP control frames or data frames from an AP to the AC and back.
This feature takes effect only on the master AC after a CAPWAP tunnel is established.
When an AP goes offline, CAPWAP tunnel latency detection automatically stops. To restart CAPWAP tunnel latency detection when the AP comes online, execute the tunnel latency-detect start command again.
To display CAPWAP tunnel latency information, use the display wlan tunnel latency ap name command.
Restrictions and guidelines
Inside APs do not support this feature.
Procedure
143. Enter system view.
system-view
144. Enter AP view.
wlan ap ap-name
145. Configure CAPWAP tunnel latency detection.
tunnel latency-detect { start | stop }
By default, CAPWAP tunnel latency detection is not started.
Setting the control tunnel keepalive timer for an AP
About this task
An AP sends echo requests to the AC at the specified echo interval to identify whether the CAPWAP control tunnel is operating correctly. The AC responds by sending echo responses. If the AP does not receive any echo responses before the keepalive timer expires, the AP terminates the connection. If the AC does not receive any echo requests before the keepalive timer expires, the AC terminates the connection.
The keepalive time is the echo interval multiplied by the maximum number of echo request transmission attempts specified by using the echo-count command.
· For an AC, the keepalive time will be one of the following values:
¡ If the calculated value is smaller than 120 seconds, the keepalive time is 120 seconds.
¡ If the calculated value is 120 seconds or larger, the keepalive time is the calculated value.
· For an AP, the keepalive time is the actual calculated value.
The configuration in AP view takes precedence over the configuration in AP group view.
Restrictions and guidelines
Setting the echo interval to 0 seconds disables an AP from sending echo requests. This setting is for test use only. For correct AC and AP communication, do not set the echo interval to 0 seconds.
Procedure
146. Enter system view.
system-view
147. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
148. Set the interval for the AP to send echo requests.
echo-interval interval
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the echo interval is 10 seconds.
149. Set the maximum number of echo request transmission attempts.
echo-count count
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the maximum number of echo request transmission attempts is 3.
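The CAPWAP tunnel encryption and control tunnel keepalive settings above all default to values a defender will want to review (encryption disabled in AP group view, AP certificate verification disabled, and an AC keepalive time that is floored at 120 seconds while the AP uses the raw echo interval times echo count). The following is an added example, not H3C code: it audits a saved AC configuration for those settings and reports the resulting AP and AC keepalive times. The configuration text is constructed in the shape of the guide's commands, and its block and indentation layout is an assumption.

```python
"""Audit the CAPWAP tunnel settings this guide describes (control/data tunnel
DTLS encryption, AP certificate verification, echo keepalive) from a saved AC
configuration.  Added example, not H3C code: the config text below is
constructed in the shape of the guide's commands, and the block/indentation
layout is an assumption."""
import re
from typing import Dict, List, Tuple

# AP group view defaults as stated in the guide.
GROUP_DEFAULTS = {"tunnel encryption": "disable", "data-tunnel encryption": "disable",
                  "echo-interval": "10", "echo-count": "3"}
AC_MIN_KEEPALIVE = 120  # the AC raises any computed keepalive time below 120 s to 120 s

# Constructed sample configuration (not from a real AC); no ap-certificate verification line.
SAMPLE_CONFIG = """\
wlan ap-group default-group
 tunnel encryption enable
 echo-interval 10
 echo-count 3
#
wlan ap-group lab
 echo-interval 0
#
wlan ap ap1
 tunnel encryption disable
#
wlan ap ap2
 data-tunnel encryption enable
"""


def parse_blocks(config: str) -> Tuple[bool, Dict[str, Dict[str, str]]]:
    """Return (AP certificate verification enabled, {scope: {command: last word}})
    where scope is 'ap-group NAME' or 'ap NAME'; '#' ends a view block."""
    verification, blocks, current = False, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("wlan ap-certificate verification"):
            verification = True
            continue
        m = re.match(r"wlan (ap-group|ap) (\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            blocks[current] = {}
            continue
        if current and line.startswith(" "):
            parts = line.split()
            blocks[current][" ".join(parts[:-1])] = parts[-1]
    return verification, blocks


def keepalive_times(interval: int, count: int) -> Tuple[int, int]:
    """(AP keepalive, AC keepalive) in seconds: interval * count, AC floored at 120 s."""
    t = interval * count
    return t, max(t, AC_MIN_KEEPALIVE)


def audit(config: str) -> List[str]:
    verification, blocks = parse_blocks(config)
    findings: List[str] = []
    if not verification:
        findings.append("WARN global: wlan ap-certificate verification not enabled (default); "
                        "APs are not required to present a matching certificate to come online")
    for scope, cfg in blocks.items():
        is_group = scope.startswith("ap-group")
        for key, tunnel in (("tunnel encryption", "control"), ("data-tunnel encryption", "data")):
            # An AP without an explicit setting uses its AP group's setting.
            state = cfg.get(key, GROUP_DEFAULTS[key] if is_group else "inherit")
            if state == "disable":
                findings.append(f"WARN {scope}: {key} disabled; CAPWAP {tunnel} tunnel packets are not DTLS-encrypted")
            elif state == "inherit":
                findings.append(f"INFO {scope}: {key} not set; the AP uses its AP group's setting")
        # Keepalive is only computable where both echo values are known (group defaults apply to groups).
        if is_group or ("echo-interval" in cfg and "echo-count" in cfg):
            interval = int(cfg.get("echo-interval", GROUP_DEFAULTS["echo-interval"]))
            count = int(cfg.get("echo-count", GROUP_DEFAULTS["echo-count"]))
            if interval == 0:
                findings.append(f"WARN {scope}: echo-interval 0 stops the AP sending echo requests (test use only)")
            else:
                ap_t, ac_t = keepalive_times(interval, count)
                if ap_t != ac_t:
                    findings.append(f"INFO {scope}: AP drops the control tunnel after {ap_t} s without "
                                    f"an echo response, the AC only after {ac_t} s")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```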
Setting the data tunnel keepalive interval for an AP
About this task
An AP sends data channel keepalive packets to the AC at the specified keepalive intervals after a CAPWAP tunnel is established between the AP and the AC.
Procedure
150. Enter system view.
system-view
151. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
152. Set the data tunnel keepalive interval.
keepalive-interval interval
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the data tunnel keepalive interval is 10 seconds.
Setting the maximum fragment size for CAPWAP packets
About this task
Perform this task to prevent intermediate devices from dropping packets between the AC and the AP if the AP connects to the AC across the Internet.
Any maximum fragment size modification takes effect immediately on online APs.
Procedure
153. Enter system view.
system-view
154. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
155. Set the maximum fragment size for CAPWAP control or data packets.
fragment-size { control control-size | data data-size }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the maximum fragment size for CAPWAP control packets and data packets is 1450 bytes and 1500 bytes, respectively.
Setting the TCP MSS for CAPWAP tunnels
About this task
Perform this task to set the value of the Maximum Segment Size (MSS) option in SYN packets transmitted over a CAPWAP tunnel.
The MSS option informs the receiver of the largest segment that the sender of the option can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than or equal to the MSS of the receiver, TCP sends the segment as is. If not, TCP splits the data into segments that fit the receiver's MSS.
Procedure
156. Enter system view.
system-view
157. Set the TCP MSS for CAPWAP tunnels.
wlan tcp mss value
The default setting is 1460 bytes.
Specifying a region code
About this task
A region code determines characteristics such as available frequencies, available channels, and transmit power level. Set a valid region code before configuring an AP.
To prevent regulation violation caused by region code modification, lock the region code.
Procedure
158. Enter system view.
system-view
159. Enter AP view, AP group view, global configuration view, AP provision view, or AP group provision view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
¡ Enter global configuration view.
wlan global-configuration
¡ Execute the following commands in sequence to enter AP provision view:
wlan ap ap-name
provision
¡ Execute the following commands in sequence to enter AP group provision view:
wlan ap-group group-name
provision
160. Specify a region code.
region-code code
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no region code exists in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, the region code is CN.
¡ In AP provision view, an AP uses the configuration in AP group provision view.
¡ In AP group provision view, no region code is specified.
161. (Optional.) Lock the region code.
region-code-lock enable
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no region code exists in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, the region code is not locked.
162. Return to system view.
quit
163. Enter service template view.
wlan service-template service-template-name
164. (Optional.) Include or exclude region codes in beacon frames and probe responses and specify the installation environment type.
region-code-ie { disable | enable { any | indoor | outdoor } }
By default, beacon frames and probe responses contain region codes and the installation environment type is any.
Procedure
165. Enter system view.
system-view
166. Enter global configuration view.
wlan global-configuration
167. Specify a region code.
region-code code
By default, the region code is CN.
168. (Optional.) Lock the region code.
region-code-lock enable
By default, the region code is not locked.
169. Return to system view.
quit
170. Enter service template view.
wlan service-template service-template-name
171. (Optional.) Include or exclude region codes in beacon frames and probe responses and specify the installation environment type.
region-code-ie { disable | enable { any | indoor | outdoor } }
By default, beacon frames and probe responses contain region codes and the installation environment type is any.
Configuring AC request retransmission
About this task
The AC retransmits a request to an AP at the retransmission interval until the maximum number of request retransmission attempts is reached or a response is received.
Procedure
172. Enter system view.
system-view
173. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
174. Set the maximum number of request retransmission attempts.
retransmit-count value
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the maximum number of request retransmission attempts is 3.
175. Set the interval at which an AC request is retransmitted.
retransmit-interval interval
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the retransmission interval is 5 seconds.
Preprovisioning APs
About AP preprovisioning
AP preprovisioning allows you to configure network settings for fit APs on an AC. The AC automatically assigns these settings to the fit APs in run state through CAPWAP tunnels in a batch. These settings will be saved in preprovisioned configuration file wlan_ap_prvs.xml on the APs. This reduces the workload in large WLAN networks.
Restrictions and guidelines
The save wlan ap-provision command has the same effect as the reset wlan ap provision command if no preprovisioned settings exist.
Tasks at a glance
To configure AP preprovisioning, perform the following tasks:
176. Configuring preprovisioned settings
Choose one of the following tasks:
¡ Configuring preprovisioned settings for an AP
¡ Configuring network settings for an AP group
177. Assigning preprovisioned settings to APs
178. (Optional.) Configuring auto loading of preprovisioned settings
Configuring preprovisioned settings for an AP
179. Enter system view.
system-view
180. Enter AP view.
wlan ap ap-name
181. Enable AP preprovisioning and enter AP provision view.
provision
By default, an AP uses the configuration in AP group provision view. If no configuration exists in AP group provision view, the AP uses the configuration in global provision view.
182. Specify an AC for the AP.
ac { host-name host-name | ip ipv4-address }
By default, an AP uses the configuration in AP group provision view. If no configuration exists in AP group provision view, the AP uses the configuration in global provision view.
183. Specify an IPv4 address for the management VLAN interface.
ip address ipv4-address { mask | mask-length }
By default, no IPv4 address is specified for the management VLAN interface.
184. Specify an IPv6 address for the management VLAN interface.
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
By default, no IPv6 address is specified for the management VLAN interface.
185. Set the gateway IP address.
gateway { ip ipv4-address | ipv6 ipv6-address }
By default, no gateway IP address is specified for an AP.
186. Specify a DNS server.
dns server { ip ipv4-address | ipv6 ipv6-address }
By default, an AP uses the configuration in AP group provision view. If no configuration exists in AP group provision view, the AP uses the configuration in global provision view.
187. Set a DNS domain name suffix.
dns domain domain-name
By default, an AP uses the configuration in AP group provision view. If no configuration exists in AP group provision view, the AP uses the configuration in global provision view.
Configuring network settings for an AP group
188. Enter system view.
system-view
189. Enter AP group view.
wlan ap-group group-name
190. Enable AP preprovisioning and enter AP group provision view.
provision
By default, an AP uses the configuration in global provision view.
191. Specify an AC.
ac { host-name host-name | ip ipv4-address }
By default, an AP uses the configuration in global provision view.
192. Specify a DNS server.
dns server { ip ipv4-address | ipv6 ipv6-address }
By default, an AP uses the configuration in global provision view.
193. Set a domain name suffix for the DNS server.
dns domain domain-name
By default, an AP uses the configuration in global provision view.
Configuring global network settings
194. Enter system view.
system-view
195. Enter global configuration view.
wlan global-configuration
196. Enable AP preprovisioning and enter global provision view.
provision
By default, AP preprovisioning is disabled.
197. Specify an AC.
ac { host-name host-name | ip ipv4-address }
By default, no AC is specified for an AP.
198. Specify a DNS server.
dns server { ip ipv4-address | ipv6 ipv6-address }
By default, no DNS server is specified for an AP.
199. Set a domain name suffix for the DNS server.
dns domain domain-name
By default, no domain name suffix is set for a DNS server.
Assigning preprovisioned settings to APs
About this task
Perform this task to enable the AC to assign preprovisioned settings to an AP with which the AC has established a CAPWAP tunnel. The preprovisioned settings will be saved to configuration file wlan_ap_prvs.xml on the AP, and the settings will overwrite the network settings originally saved in the configuration file.
You can use the following methods to assign preprovisioned settings to an AP:
· Manual configuration—You save the preprovisioned settings to configuration file wlan_ap_prvs.xml on the AP after it comes online. The settings take effect immediately.
· Auto assignment of preprovisioned settings—The preprovisioned settings are assigned to an AP when it is coming online. The AP will establish a CAPWAP tunnel with the AC specified in the preprovisioned settings. For information about optimal AC selection, see "CAPWAP tunnel establishment."
Restrictions and guidelines
Manually assigned preprovisioned settings immediately take effect on an online AP. Modifying the AC address configuration in the configuration file of the AP will trigger a new optimal AC selection process. The AP will terminate the original CAPWAP tunnel and establish a CAPWAP tunnel with the new AC.
Saving the network settings to the configuration file on an AP
To save the network settings to preprovisioned configuration file wlan_ap_prvs.xml on the specified AP or all APs, execute the following command in any view:
save wlan ap provision { all | name ap-name }
Configuring auto assignment of preprovisioned settings
200. Enter system view.
system-view
201. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
202. Configure auto assignment of preprovisioned settings for the AP.
provision auto-update { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, auto assignment of preprovisioned settings is disabled.
Configuring SNMP notifications
Enabling SNMP notifications
About this task
To report critical WLAN events to an NMS, enable SNMP notifications. For WLAN event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
203. Enter system view.
system-view
204. Enable SNMP notifications.
¡ Enable SNMP notifications for AP management.
snmp-agent trap enable wlan ap
By default, SNMP notifications for AP management are disabled.
¡ Enable SNMP notifications for CAPWAP.
snmp-agent trap enable wlan capwap
By default, SNMP notifications for CAPWAP are disabled.
Setting the online AP quantity threshold for triggering an SNMP trap
About this task
With SNMP notifications and this command configured, the AC sends an overload trap to the SNMP module when the ratio of online APs to the APs allowed by the license exceeds the specified threshold. While the ratio stays above the threshold, the AC sends another overload trap each time an AP comes online. When the ratio drops below the threshold, the AC sends a recover trap to the SNMP module.
Restrictions and guidelines
If you set the threshold to 100, the AC will not send overload traps, because the number of online APs will not exceed the number of APs allowed by the license.
Procedure
205. Enter system view.
system-view
206. Set the online AP quantity threshold for triggering an SNMP trap.
wlan trap ap-number threshold percent
By default, the online AP quantity threshold for triggering an SNMP trap is 100. The AC does not send traps.
Maintaining APs
Resetting APs
To reset all APs or the specified AP, execute the following command in user view:
reset wlan ap { all | ap-group group-name | model model-name | name ap-name | native }
Renaming a manual AP
207. Enter system view.
system-view
208. Rename a manual AP.
wlan rename-ap ap-name new-ap-name
Managing the file system of an AP
About this task
You can perform the following tasks on an AC to manage files for an AP after the AP establishes a CAPWAP tunnel with the AC:
· View file information for the AP.
· Delete a file from the AP.
· Download an image file from the AC to the AP.
Restrictions and guidelines
This feature takes effect only on master ACs.
In an AC hierarchy, you must upload the image file to the storage media of the associated local AC before executing the download file command on the central AC.
Procedure
209. Display information about files or file folders on an AP.
display wlan ap name ap-name files
210. Enter system view.
system-view
211. Enter AP view.
wlan ap ap-name
212. Manage files on the AP.
¡ Delete a file from the AP.
delete file filename
¡ Download an image file to the AP.
download file file-name
Setting the statistics report interval
About this task
Perform this task to change the interval for an AP to report its statistics. You can use the statistics to monitor the operating status of radios on the AP.
Procedure
213. Enter system view.
system-view
214. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
¡ Enter global configuration view.
wlan global-configuration
215. Set the statistics report interval.
statistics-interval interval
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, the statistics report interval is 50 seconds.
Setting the statistics fast report interval
About this task
This task enables an AP to fast report specific statistics to the AC. APs can fast report only channel usage statistics to the AC.
Setting the interval to 0 disables an AP from fast reporting statistics to the AC.
Procedure
216. Enter system view.
system-view
217. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
218. Set the interval at which an AP fast reports statistics to the AC.
statistics-interval fast-report fast-report-interval
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the fast report interval is 0 seconds. An AP does not fast report statistics to the AC.
Configuring auto loading of preprovisioned settings
About this task
Auto loading of preprovisioned settings helps ensure that an AP establishes a CAPWAP tunnel with its AC. With this feature enabled, an AP uses the following procedure to discover an AC:
219. Uses the preprovisioned settings to discover an AC that has the AP's manual or auto AP configuration.
220. Reboots and uses other methods to discover ACs if AC discovery fails.
221. Reboots and uses the preprovisioned settings again to discover ACs if the AP still fails to discover the target AC.
This AC discovery process will be repeated until the AP discovers the target AC to establish a CAPWAP tunnel.
Procedure
222. Enter system view.
system-view
223. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
224. Configure auto loading of preprovisioned settings for the AP.
provision auto-recovery { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, auto loading of preprovisioned settings is enabled.
Setting a LED lighting mode
About this task
You can configure LEDs on an AP to flash in the following modes:
· quiet—Turn off the LEDs.
· awake—Make the LEDs flash once every minute. Support for this mode depends on the AP model.
· always-on—Make the LEDs steady on. Support for this mode depends on the AP model.
· normal—How LEDs flash in this mode varies by AP model. This mode can identify the running status of an AP.
Restrictions and guidelines
If you set the LED lighting mode to awake or always-on in AP group view, the setting takes effect only on member APs that support the specified LED lighting mode.
Procedure
225. Enter system view.
system-view
226. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
227. Set a LED lighting mode.
led-mode { always-on | awake | normal | quiet }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the LED lighting mode is normal.
Configuring gateway information reporting
About this task
When you perform dynamic-static IP address conversion for APs from IMC, the system converts IP addresses of APs obtained through DHCP to static IP addresses. However, the default gateway and AC addresses are not retained for the APs. If such an AP goes offline, it cannot come online again.
To solve this issue, enable gateway information reporting to enable APs to report their gateway information to the AC.
Procedure
228. Enter system view.
system-view
229. Enter global configuration view.
wlan global-configuration
230. Configure gateway information reporting.
gateway information report { disable | enable }
By default, gateway information reporting is disabled.
Enabling APs to use ICMP echo requests to check reachability to the AC upon a CAPWAP control tunnel disconnection
About this task
With this feature enabled, an AP sends an ICMP echo request to the AC to check reachability to the AC when the CAPWAP control tunnel between them goes down. The check result is saved as a TXT file named ap-diag on the AP. The file contains information about whether the CAPWAP control tunnel disconnection is caused by link failure between the AC and the AP.
Disable this feature to reduce the load of an AC if that AC must send a large number of ICMP echo replies to APs. After you disable this feature, the ap-diag file will be deleted.
Procedure
231. Enter system view.
system-view
232. Enable APs to use ICMP echo requests to check reachability to the AC upon a CAPWAP control tunnel disconnection.
wlan tunnel-down echo-check enable
By default, APs are disabled from using ICMP echo requests to check reachability to the AC upon a CAPWAP control tunnel disconnection.
Configuring advanced features for AP management
Configuring remote AP
About this task
Remote AP enables an AP to automatically perform the following operations when the CAPWAP tunnel to the AC is disconnected:
· Forward client traffic.
· Provide client access services if local authentication is enabled and association is enabled at the AP.
Remote AP is applicable to telecommuting, small branches, and SOHO solutions.
Restrictions and guidelines
Remote AP takes effect only on APs that operate in local forwarding mode.
When the tunnel between the AC and AP is recovered, clients that use the AC as the authenticator need reauthentication. Clients that use the AP as the authenticator remain online.
Procedure
233. Enter system view.
system-view
234. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
235. Configure remote AP.
hybrid-remote-ap { disable | enable }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, remote AP is disabled.
Associating an AP with a configuration profile
About this task
Perform this task to associate a configuration profile configured on the AC with an AP. The configuration profile contains commands that can be deployed to the AP. When APs come online on the AC, the AC can deploy the configuration profile to all the APs associated with the profile.
After you execute the undo configuration-profile command, the AC will restore the settings in the configuration profile deployed to an AP to the factory default settings. For more information about configuration profiles, see configuration file management in Fundamentals Configuration Guide.
Table 1 lists the modules to which the commands that can be configured in configuration profile view belong. For more information, see the command reference for the corresponding module.
Table 1 Modules to which the commands that can be configured in configuration profile view belong

| Documentation | Module |
|---|---|
| Fundamentals | Login Management |
| Fundamentals | Configuration File Management |
| Interface | Ethernet Interface |
| Layer 2—LAN Switching | Port Isolation |
| Layer 2—LAN Switching | VLAN |
| Layer 3—IP Services | DHCP |
| Layer 3—IP Services | NAT |
| Layer 3—IP Services | IP Addressing |
| Layer 3—IP Routing | Static Routing |
| ACL and QoS | ACL |
| ACL and QoS | QoS |
| Security | AAA |
Procedure
236. Enter system view.
system-view
237. Enter AP view or an AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
238. Associate a configuration profile with the AP.
configuration-profile profile-name
By default, an AP is not associated with any configuration profile.
Configuring the AP tag
About this task
An AP tag is a named collection of AP parameter settings. The device provides predefined tags that match the characteristics of common deployment scenarios, so that you can reference the tag that fits the actual network. After you specify a tag, the AP inherits the parameters defined in the tag without manual configuration.
Currently, the following predefined AP tags are available:
· meeting—Meeting room tag. This tag sets the channel bandwidth of 5 GHz radios to 80 MHz.
· high-density—High-density tag.
· vip—VIP tag, which represents an AP in the monitor group. In monitor group view, you can use the ap ap-name command to add an AP to the AP monitor group. The monitor group allows the APs in it to collect and report data to the AC regarding client quantity, radio traffic, radio channel usage, and AP abnormal information.
· unstable—Unstable AP tag. When an AP with an unstable tag goes offline, it will not trigger automatic power adjustment for neighboring APs. This tag is assigned to APs automatically and does not support manual configuration.
Restrictions and guidelines
If an AP tag is configured in both AP view and AP group view, the configuration in AP view takes precedence over the configuration in AP group view.
Procedure
239. Enter system view.
system-view
240. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
241. Configure the AP tag.
ap-tag tag
By default:
¡ In AP view, the configuration in AP group view is used.
¡ In AP group view, no AP tag is configured.
Maintaining ACs
Configuring a description for the AC
242. Enter system view.
system-view
243. Configure a description for the AC.
wlan description text
By default, an AC does not have a description.
Enabling time zone synchronization
About this task
This feature enables APs to synchronize time and time zone information from the AC at association and at specific intervals after association.
Procedure
244. Enter system view.
system-view
245. Enable time zone synchronization.
wlan timezone-sync enable
By default, time zone synchronization is enabled.
Loading an APDB user script
About this task
This task allows you to add new AP models to the APDB without upgrading AC software.
Restrictions and guidelines
Make sure the user script is valid. Invalid scripts can cause loading failure.
The AP models in the user script must be different from the AP models in the system script.
If you load multiple user scripts on the AC, the most recently loaded user script overwrites the old user scripts.
To reload a user script when the following conditions exist, you must delete the related AP models or use the wlan apdb command to restore the original software version:
· A manual AP or an online auto AP whose model is listed in the old user script exists.
· APs of an AP model listed in the old user script have been added to an AP group.
· The old user script includes an AP model whose software version was already configured.
For more information about the wlan apdb command, see WLAN Command Reference.
To prevent loss of the AP model configuration after an AC reboot, reload the user script after you rename or delete the user script file in the file system.
When you replace a user script, the AP model configuration from the old user script is lost upon an AC reboot if the new user script does not contain it. In this case, you must reload the new user script.
Procedure
246. Enter system view.
system-view
247. Load an APDB user script.
wlan apdb file user.apdb
By default, no user script is loaded on the AC.
Enabling service anomaly detection
About this task
This feature enables an AC to check service status and start a reboot timer (10 minutes) upon detecting that no APs are associated with the AC. When the reboot timer expires, the AC restarts. If an AP comes online before the timer expires, the AC deletes the timer.
Procedure
248. Enter system view.
system-view
249. Enable service anomaly detection.
wlan detect-anomaly enable
By default, service anomaly detection is disabled.
CAUTION: With this feature disabled, the AC cannot restart automatically if a service exception occurs. As a best practice, do not disable this feature.
Disabling the WLAN function
About this task
This feature disables the device from providing WLAN services and releases ports used by CAPWAP and LWAPP tunnels.
Procedure
250. Enter system view.
system-view
251. Disable the WLAN function.
undo wlan enable
By default, the WLAN function is enabled.
CAUTION: Disabling the WLAN function logs off all online APs. Use this feature with caution.
Configuring an AP monitor group
About AP monitor groups
APs in an AP monitor group can report client quantity, radio traffic, channel usage, and AP anomalies to the AC.
Restrictions and guidelines
You can add a maximum of 32 APs to an AP monitor group.
Procedure
252. Enter system view.
system-view
253. Create an AP monitor group and enter its view.
wlan vip-ap-group
254. Add an AP to the AP monitor group.
ap ap-name
By default, no APs exist in an AP monitor group.
255. (Optional.) Set the interval at which the AP reports statistics to the AC.
report-interval interval
By default, an AP reports statistics to the AC at intervals of 50 seconds.
Switching the AP operating mode
About this task
Perform this task to switch an AP to the specified operating mode. After the AP restarts, the new operating mode takes effect. After the mode switch, the AP uses the factory settings or the settings saved from the last switch to that mode according to the AP model.
For a cloud-managed AP, an AC can perform simple operations, such as version update, but cannot configure wireless settings for the AP. When a cloud-managed AP is associated with an AC, the AC starts a 10-minute timer. If the cloud-managed AP configuration is not saved or the AP is switched to cloud mode before the timer expires, the cloud-managed AP automatically switches to fit mode and restarts for the fit mode to take effect.
Restrictions and guidelines
For APs that have a separate image file for each operating mode, before switching the AP to a specific operating mode, make sure the corresponding image file is extracted to the root directory of the device storage medium. Make sure the name of the image file is not modified.
Procedure
256. Enter system view.
system-view
257. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
258. Switch the AP operating mode.
ap-mode { cloud | fit }
Display and maintenance commands for AP management
Execute display commands in any view and reset commands in user view.
| Task | Command |
|---|---|
| Display information about all APs or the specified AP. | display wlan ap { all \| name ap-name } [ verbose [ filter { field }&<1-5> ] ] |
| Display address information for all APs or the specified AP. | display wlan ap { all \| name ap-name } address |
| Display the configuration status of the band navigation feature for all APs. | display wlan ap all feature band-navigation |
| Display configuration status of CAPWAP features. | display wlan ap all feature capwap |
| Display AP tags. | display wlan ap { all \| name ap-name } ap-tag { all \| tag } |
| Display AP connection records on the AC. | display wlan ap { all \| name ap-name } connection-record |
| Display AP descriptions on the AC. | display wlan ap { all \| name ap-name } description |
| Display GPS information for all APs or the specified AP. | display wlan ap { all \| name ap-name } gps |
| Display AP group information for all APs or the specified AP. | display wlan ap { all \| name ap-name } group |
| Display Ethernet interface statistics for all online APs or a specified online AP. | display wlan ap { all \| name ap-name } interface [ verbose ] |
| Display AP online duration. | display wlan ap { all \| name ap-name } online-time |
| Display AP region code information. | display wlan ap { all \| name ap-name } region-code |
| Display the reboot logs of the specified AP. | display wlan ap name ap-name reboot-log |
| Display running configuration for all APs or the specified AP. | display wlan ap { all \| name ap-name } running-configuration [ verbose ] |
| Display AP diagnostic information saved on the AC. | display wlan ap name ap-name diagnostic-information |
| Display tunnel latency information for the specified CAPWAP tunnel. | display wlan ap name ap-name tunnel latency |
| Display association failure records for APs. | display wlan ap statistics association-failure-record |
| Display information about AP image downloading. | display wlan ap statistics image-download [ failed \| in-progress \| succeeded ] |
| Display online AP quantity records. | display wlan ap statistics online-record [ datetime date time [ count count ] ] |
| Display CAPWAP tunnel down records. | display wlan ap statistics tunnel-down-record |
| Display information about distribution of attached APs for ACs. | display wlan ap-distribution { all \| local-ac-name local-ac-name \| slot slot-number } |
| Display the attachment location of an AP. | display wlan ap-distribution ap-name ap-name |
| Display information about all AP groups or the specified AP group. | display wlan ap-group [ brief \| name group-name ] |
| Display AP model information. | display wlan ap-model { all \| name model-name } |
| Display the WLAN device role. | display wlan device role |
| Display the number of installed WLAN licenses. | display wlan license |
| Clear AP connection records on the AC. | reset wlan ap { all \| name ap-name } connection-record |
| Delete configuration file wlan_ap_prvs.xml from all APs or the specified AP. | reset wlan ap provision { all \| name ap-name } |
| Clear the reboot logs of all APs or the specified AP. | reset wlan ap reboot-log { all \| name ap-name } |
| Clear reason statistics for AP association failures. | reset wlan ap statistics association-failure-record |
| Clear AP image downloading statistics. | reset wlan ap statistics image-download [ failed \| in-progress \| succeeded ] |
| Clear AP online quantity statistics. | reset wlan ap statistics online-record |
| Clear the reason statistics for CAPWAP tunnel down events. | reset wlan ap statistics tunnel-down-record |
| Clear tunnel latency information for all CAPWAP tunnels or the specified CAPWAP tunnel. | reset wlan tunnel latency ap { all \| name ap-name } |
AP management configuration examples
Example: Establishing a CAPWAP tunnel through DHCP
Network configuration
As shown in Figure 3, configure the AP to obtain its IP address and AC IP address from the DHCP server through DHCP Option 43. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.
Procedure
259. Configure the DHCP server:
# Enable the DHCP service.
[DHCP server] dhcp enable
# Configure DHCP address pool 1.
[DHCP server] dhcp server ip-pool 1
[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
# Configure Option 43 to specify the IP address of the AC in address pool 1. The right-most bytes 01010103 (1.1.1.3) represent the IP address of the AC.
[DHCP server-dhcp-pool-1] option 43 hex 800700000101010103
[DHCP server-dhcp-pool-1] quit
[DHCP server] quit
260. Configure the AC:
# Set the IP address of VLAN-interface 1 on the AC to 1.1.1.3/24.
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ip address 1.1.1.3 24
[AC-Vlan-interface1] quit
# Create an AP named ap1 with model WA6320, and set its serial ID to 219801A28N819CE0002T.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# Start up the AP. The AP performs the following operations:
¡ Obtains its IP address 1.1.1.2 from the DHCP server.
¡ Obtains the IP address of the AC through Option 43.
¡ Establishes a CAPWAP tunnel with the AC.
Verifying the configuration
# Verify that you can see the following information:
· The AP obtains the IP address of the AC through DHCP.
· The AP and the AC have established a CAPWAP tunnel.
· The AP is in Run state.
[AC] display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA6320
Region code : CN
Region code lock : Disable
Serial ID : 219801A28N819CE0002T
MAC address : 0AFB-423B-893C
IP address : 1.1.1.2
UDP control port number : 18313
UDP data port number : N/A
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power level : N/A
Power info : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Discovery-response wait-time : 2 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
CAPWAP data-tunnel status : Down
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Current AC IP : N/A
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Ctrl-tunnel encryption : Disabled
Ctrl-tunnel encryption state : Not encrypted
Data-tunnel encryption : Disabled
Data-tunnel encryption state : Not encrypted
LED mode : Normal
Remote configuration : Enabled
EnergySaving Level :0
…
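The verbose output above is where an AP's security posture is checked after it comes online. The following Python is added here as an example and is not part of the guide: it parses the `Field : value` lines of `display wlan ap name ap-name verbose` into a dictionary and flags the settings in the sample that a review would normally question (both CAPWAP tunnels unencrypted, region code not locked, AC address learned from DHCP). The sample text is a shortened copy of the output shown above; the audit rules, severities and the field names they read are this example's own choices, not a published schema of the command output.

```python
"""Parse `display wlan ap name <ap> verbose` output and flag settings a
security review would question.

Added example, not code from the configuration guide. SAMPLE_OUTPUT is a
shortened copy of the output shown on the page; the audit rules below are
this example's own assumptions about which values deserve attention.
"""
import re

SAMPLE_OUTPUT = """\
AP name : ap1
AP ID : 1
State : Run
Model : WA6320
Region code : CN
Region code lock : Disable
Serial ID : 219801A28N819CE0002T
IP address : 1.1.1.2
Discovery type : DHCP
Ctrl-tunnel encryption : Disabled
Ctrl-tunnel encryption state : Not encrypted
Data-tunnel encryption : Disabled
Data-tunnel encryption state : Not encrypted
Remote configuration : Enabled
EnergySaving Level :0
"""

# Lazy key match stops at the first colon, so IPv6 values such as "1::2"
# survive intact and "EnergySaving Level :0" still splits cleanly.
LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_verbose(text):
    """Return {field: value} for every 'Field : value' line; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit(fields):
    """Return a list of (severity, message) findings for one AP.

    A field missing from the output is reported as an info finding rather
    than silently treated as safe.
    """
    findings = []

    def get(name):
        if name not in fields:
            findings.append(("info", f"field not present in output: {name}"))
        return fields.get(name)

    if get("Ctrl-tunnel encryption state") == "Not encrypted":
        findings.append(("high", "CAPWAP control tunnel is not encrypted"))
    if get("Data-tunnel encryption state") == "Not encrypted":
        findings.append(("high", "CAPWAP data tunnel is not encrypted"))
    if get("Region code lock") == "Disable":
        findings.append(("medium", "region code is not locked on the AP"))
    if get("Discovery type") == "DHCP":
        findings.append(("low", "AC address learned from DHCP options, which are unauthenticated"))
    if get("State") != "Run":
        findings.append(("info", f"AP is not in Run state: {fields.get('State')}"))
    return findings


def audit_output(text):
    """Convenience wrapper: parse raw command output and audit it in one call."""
    return audit(parse_verbose(text))


if __name__ == "__main__":
    for sev, msg in audit_output(SAMPLE_OUTPUT):
        print(f"[{sev}] {msg}")
```

Feed it the output of the command for each AP (for example, collected over SSH) and the two high findings are the ones to act on first; the state values Encrypted, Enable and Static used when testing the clean case are assumptions about how other states are printed.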
Example: Establishing a CAPWAP tunnel through DHCPv6
Network configuration
As shown in Figure 4, configure the AP to obtain its IP address and AC IP address from the DHCPv6 server through DHCP Option 52. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.
Procedure
261. Configure the DHCPv6 server:
# Assign an IPv6 address to GigabitEthernet 1/0/1.
<DHCPv6 Server> system-view
[DHCPv6 Server] interface gigabitethernet 1/0/1
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 address 1::1/64
# Disable RA message advertising suppression.
[DHCPv6 Server-GigabitEthernet1/0/1] undo ipv6 nd ra halt
# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag
# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig other-flag
# Enable the DHCPv6 service on GigabitEthernet 1/0/1.
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 dhcp select server
[DHCPv6 Server-GigabitEthernet1/0/1] quit
# Create a DHCPv6 address pool, and specify an IPv6 subnet for dynamic allocation in the DHCPv6 address pool.
[DHCPv6 Server] ipv6 dhcp pool 1
[DHCPv6 Server-dhcp6-pool-1] network 1::0/64
# Configure Option 52 that specifies an AC address 1::3 in DHCPv6 address pool 1.
[DHCPv6 Server-dhcp6-pool-1] option 52 hex 00010000000000000000000000000003
[DHCPv6 Server-dhcp6-pool-1] quit
[DHCPv6 Server] quit
262. Configure the AC:
# Set the IP address of VLAN-interface 1 to 1::3/64.
<AC> system-view
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ipv6 address 1::3 64
# Create an AP named ap1 with model WA6320, and set its serial ID to 219801A28N819CE0002T.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# Start up the AP. The AP performs the following operations:
- Obtains its IPv6 address 1::2 from the DHCPv6 server.
- Obtains the IPv6 address of the AC through Option 52.
- Establishes a CAPWAP tunnel with the AC.
Verifying the configuration
# Verify that you can view the following information:
· The AP obtains the IP address of the AC through DHCP.
· The AP and the AC have established a CAPWAP tunnel.
· The AP is in Run state.
[AC] display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA6320
Region code : CN
Region code lock : Disable
Serial ID : 219801A28N819CE0002T
MAC address : 0AFB-423B-893C
IP address : 1::2
UDP control port number : 18313
UDP data port number : N/A
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power level : N/A
Power info : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Discovery-response wait-time : 2 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
CWPCAP data-tunnel status : Down
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Current AC IP : N/A
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Ctrl-tunnel encryption : Disabled
Ctrl-tunnel encryption state : Not encrypted
Data-tunnel encryption : Disabled
Data-tunnel encryption state : Not encrypted
LED mode : Normal
Remote configuration : Enabled
EnergySaving Level :0
…
Example: Establishing a CAPWAP tunnel through DNS
Network configuration
As shown in Figure 5, configure the AP to obtain the IP address of the AC through DNS to establish a CAPWAP tunnel with the AC.
Procedure
263. Configure the DHCP server:
# Enable the DHCP service, configure DHCP address pool 1, and set the domain name suffix of the AC to abc.
<DHCP server> system-view
[DHCP server] dhcp enable
[DHCP server] dhcp server ip-pool 1
[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
[DHCP server-dhcp-pool-1] domain-name abc
[DHCP server-dhcp-pool-1] dns-list 1.1.1.4
[DHCP server-dhcp-pool-1] gateway-list 1.1.1.2
[DHCP server-dhcp-pool-1] quit
[DHCP server] quit
264. Configure a mapping between domain name h3c.abc and IP address 2.1.1.1/24. For more information, see Layer 3—IP Services Configuration Guide. (Details not shown.)
265. Configure the AC:
# Set the IP address of VLAN-interface 1 to 2.1.1.1/24.
<AC> system-view
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ip address 2.1.1.1 24
[AC-Vlan-interface1] quit
# Configure a default route with next hop address 2.1.1.2.
[AC] ip route-static 0.0.0.0 0 2.1.1.2
# Create an AP named ap1 with model WA6320, and set its serial ID to 219801A28N819CE0002T.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# Start up the AP. The AP performs the following operations:
- Obtains its IP address 1.1.1.1, the domain name suffix of the AC, and the IP address of the DNS server from the DHCP server.
- Appends the domain name suffix to the AC hostname to form the domain name of the AC (h3c.abc in this example).
- Uses its DNS client to resolve the domain name into the IP address of the AC.
- Uses the IP address of the AC to establish a CAPWAP tunnel with the AC.
Verifying the configuration
# Verify that you can see the following information:
· The AP and the AC have established a CAPWAP tunnel.
· The AP is in Run state.
· The AP obtains the IP address of the AC through DNS.
[AC] display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA6320
Region code : CN
Region code lock : Disable
Serial ID : 219801A28N819CE0002T
MAC address : 0AFB-423B-893C
IP address : 1.1.1.2
UDP control port number : 18313
UDP data port number : N/A
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power level : N/A
Power info : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Discovery-response wait-time : 2 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
CWPCAP data-tunnel status : Down
Discovery type : DNS
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Current AC IP : N/A
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Ctrl-tunnel encryption : Disabled
Ctrl-tunnel encryption state : Not encrypted
Data-tunnel encryption : Disabled
Data-tunnel encryption state : Not encrypted
LED mode : Normal
Remote configuration : Enabled
EnergySaving Level :0
…
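The verification steps of the CAPWAP tunnel examples above all read the same fields of the display wlan ap name verbose output. The following Python example is added here and is not code from the guide or from H3C: it parses that output into a dictionary and checks the criteria the examples state (the AP is in Run state, the discovery type is the expected one, and no echo responses were lost), computes the tunnel detection time from the echo interval and echo count, and flags that the control and data tunnels shown in the output are not encrypted. The sample output is a constructed excerpt of the fields shown above; the "Field : value" layout and the detection-time arithmetic (interval multiplied by count) are assumptions.

```python
"""Check the verification criteria of the CAPWAP tunnel examples from the
'display wlan ap name <name> verbose' output. Added example, not H3C code.
The sample output is a constructed excerpt of the fields shown in the guide;
only the 'Field : value' layout is assumed."""

from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the DNS example's output above.
SAMPLE_OUTPUT = """\
AP name : ap1
AP ID : 1
State : Run
Backup type : Master
Model : WA6320
IP address : 1.1.1.2
Discovery type : DNS
Echo interval : 10 seconds
Echo count : 3 counts
Lost echo responses : 0
Ctrl-tunnel encryption : Disabled
Ctrl-tunnel encryption state : Not encrypted
Data-tunnel encryption : Disabled
Data-tunnel encryption state : Not encrypted
"""


def parse_ap_verbose(text: str) -> Dict[str, str]:
    """Map each 'Field : value' line to a dict entry.

    Splitting on the first colon keeps IPv6 values such as '1::2' intact,
    because the field names never contain a colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _leading_int(value: str) -> int:
    """Extract the number from values like '10 seconds' or '3 counts'."""
    return int(value.split()[0])


def echo_timeout_seconds(fields: Dict[str, str]) -> int:
    """Approximate time before the control tunnel is declared down:
    echo interval multiplied by echo count (assumption about the timer logic)."""
    return _leading_int(fields["Echo interval"]) * _leading_int(fields["Echo count"])


def check_tunnel(fields: Dict[str, str],
                 expected_discovery: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Return (failures, warnings).

    Failures are the criteria the examples verify: Run state, the expected
    discovery method, and no lost echo responses. Warnings are settings worth
    reviewing: the examples leave the control and data tunnels unencrypted."""
    failures: List[str] = []
    warnings: List[str] = []
    state = fields.get("State", "<missing>")
    if state != "Run":
        failures.append(f"AP state is {state}, expected Run")
    discovery = fields.get("Discovery type", "<missing>")
    if expected_discovery and discovery != expected_discovery:
        failures.append(f"discovery type is {discovery}, expected {expected_discovery}")
    lost = fields.get("Lost echo responses", "0")
    if lost.isdigit() and int(lost) > 0:
        failures.append(f"{lost} echo responses lost")
    for side in ("Ctrl", "Data"):
        if fields.get(f"{side}-tunnel encryption state", "Not encrypted") == "Not encrypted":
            warnings.append(f"{side} tunnel is not encrypted")
    return failures, warnings


if __name__ == "__main__":
    parsed = parse_ap_verbose(SAMPLE_OUTPUT)
    fails, warns = check_tunnel(parsed, expected_discovery="DNS")
    print("tunnel detection time:", echo_timeout_seconds(parsed), "seconds")
    print("failures:", fails or "none")
    print("warnings:", warns or "none")
```

Run it against the pasted output of one AP, or loop over the output for each AP name, to confirm the Run state and discovery method after a change such as the DHCP or DNS configuration above.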
Example: Configuring the auto AP feature
Network configuration
As shown in Figure 6, enable the auto AP feature on the AC. The AP obtains the AC IP address through DHCP Option 43 and establishes a CAPWAP tunnel with the AC.
Procedure
266. Configure the DHCP server:
# Enable the DHCP service.
<DHCP server> system-view
[DHCP server] dhcp enable
# Configure DHCP address pool 1.
[DHCP server] dhcp server ip-pool 1
[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
# Configure Option 43 to specify the IP address of the AC in address pool 1. The right-most bytes 02010102 (2.1.1.2) represent the IP address of the AC.
[DHCP server-dhcp-pool-1] option 43 hex 800700000102010102
[DHCP server-dhcp-pool-1] gateway-list 1.1.1.3
[DHCP server-dhcp-pool-1] quit
[DHCP server] quit
267. Configure the AC:
# Set the IP address of VLAN-interface 1 on the AC to 2.1.1.2/24.
<AC> system-view
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ip address 2.1.1.2 24
[AC-Vlan-interface1] quit
# Configure a default route with next hop address 2.1.1.1.
[AC] ip route-static 0.0.0.0 0 2.1.1.1
# Enable auto AP.
[AC] wlan auto-ap enable
Verifying the configuration
# Verify that the AP has established a CAPWAP tunnel with the AC.
[AC] display wlan ap name 0011-2200-0101 verbose
AP name : 0011-2200-0101
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA6320
Region code : CN
Region code lock : Disable
Serial ID : 219801A28N819CE0002T
MAC address : 0011-2200-0101
IP address : 1.1.1.2
UDP control port number : 18313
UDP data port number : N/A
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power level : N/A
Power info : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
Discovery-response wait-time : 2 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
CWPCAP data-tunnel status : Down
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Current AC IP : N/A
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Ctrl-tunnel encryption : Disabled
Ctrl-tunnel encryption state : Not encrypted
Data-tunnel encryption : Disabled
Data-tunnel encryption state : Not encrypted
LED mode : Normal
Remote configuration : Enabled
EnergySaving Level :0
…
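Both the DHCPv6 example (Option 52 carrying AC address 1::3) and the auto AP example (Option 43 carrying AC address 2.1.1.2) configure the AC address as a raw hex string that is easy to mistype. The following Python example is added here and is not code from the guide or from H3C: it builds and validates both strings so that a value can be checked before it is placed in an address pool, and it generalizes to a list of several AC addresses. Option 52 follows RFC 5417 (OPTION_CAPWAP_AC_V6, a list of 16-byte IPv6 addresses). The Option 43 layout (sub-option type 0x80, a length byte, two zero bytes, a one-byte address count, then the IPv4 addresses) is inferred from the single sample value on this page rather than from a specification, so treat it as an assumption.

```python
"""Encode and decode the DHCP option hex strings used above to hand the AC
address to an AP: DHCPv6 Option 52 and DHCP Option 43. Added example, not
H3C code. Option 52 is the RFC 5417 CAPWAP AC IPv6 address list; the
Option 43 layout is inferred from the page's sample (assumption)."""

import ipaddress
from typing import List


def encode_option52(ac_addresses: List[str]) -> str:
    """Hex string for 'option 52 hex ...': 16 bytes per AC IPv6 address."""
    return "".join(ipaddress.IPv6Address(a).packed.hex() for a in ac_addresses)


def decode_option52(hex_string: str) -> List[str]:
    """Recover the AC IPv6 addresses; reject data that is not whole addresses."""
    data = bytes.fromhex(hex_string)
    if not data or len(data) % 16:
        raise ValueError("option 52 data must be a non-empty multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def encode_option43(ac_addresses: List[str]) -> str:
    """Hex string for 'option 43 hex ...' in the layout inferred from the page:
    0x80, length, 0x0000, address count, then 4 bytes per AC IPv4 address."""
    if not 1 <= len(ac_addresses) <= 255:
        raise ValueError("address count must fit in one byte")
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    body = b"\x00\x00" + bytes([len(ac_addresses)]) + addrs   # assumed layout
    return (b"\x80" + bytes([len(body)]) + body).hex()


def decode_option43(hex_string: str) -> List[str]:
    """Recover the AC IPv4 addresses, checking every length field on the way."""
    data = bytes.fromhex(hex_string)
    if len(data) < 5 or data[0] != 0x80:
        raise ValueError("expected sub-option type 0x80")
    if data[1] != len(data) - 2:
        raise ValueError("length byte does not match the data")
    body = data[2:]
    if body[:2] != b"\x00\x00":
        raise ValueError("unexpected bytes after the length field")
    count, addr_bytes = body[2], body[3:]
    if len(addr_bytes) != 4 * count:
        raise ValueError("address count does not match the data")
    return [str(ipaddress.IPv4Address(addr_bytes[i:i + 4]))
            for i in range(0, len(addr_bytes), 4)]


def is_valid_option43(hex_string: str) -> bool:
    """True when the string decodes cleanly; use it to check a value before
    configuring it in an address pool."""
    try:
        decode_option43(hex_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(encode_option52(["1::3"]))      # value used in the DHCPv6 example
    print(encode_option43(["2.1.1.2"]))   # value used in the auto AP example
```

Because an AP accepts whichever AC address its DHCP server hands out, the decoder is also a convenient way to audit what the address pools on the network actually advertise.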
Example: Configuring AP groups
Network configuration
As shown in Figure 7, configure AP groups and add AP 1 to AP group group1, and AP 2, AP 3, and AP 4 to AP group group2.
Procedure
268. Configure APs to obtain their IP addresses and the AC IP address from the DHCP server. (Details not shown.)
269. Configure manual APs. (Details not shown.)
270. Configure AP groups:
# Create an AP group named group1.
[AC] wlan ap-group group1
# Add AP 1 to AP group group1.
[AC-wlan-ap-group-group1] ap ap1
[AC-wlan-ap-group-group1] quit
# Create an AP group named group2.
[AC] wlan ap-group group2
# Add AP 2, AP 3, and AP 4 to AP group group2.
[AC-wlan-ap-group-group2] ap ap2 ap3 ap4
[AC-wlan-ap-group-group2] quit
[AC] quit
Verifying the configuration
# Verify that AP 1 is in AP group group1, and AP 2, AP 3, and AP 4 are in AP group group2.
<AC> display wlan ap-group
Total number of AP groups: 3
AP group name : default-group
Description : Not configured
AP model : Not configured
APs : Not configured
AP group name : group1
Description : Not configured
AP model : WA6320
AP grouping rules:
AP name : ap1
Serial ID : Not configured
MAC address : Not configured
IPv4 address : Not configured
IPv6 address : Not configured
APs : ap1 (AP name)
AP group name : group2
Description : Not configured
AP model : WA6320
AP grouping rules:
AP name : ap2, ap3, ap4
Serial ID : Not configured
MAC address : Not configured
IPv4 address : Not configured
IPv6 address : Not configured
APs : ap2 (AP name), ap3 (AP name), ap4 (AP name)
Example: Configuring virtual APs
Network configuration
As shown in Figure 8, in the centralized forwarding architecture, the AC is attached to the Layer 3 switch through out-of-path deployment, and acts as a DHCP server to assign IP addresses to the AP and clients. The Layer 2 switch supplies power to the AP through PoE, and the AP establishes two CAPWAP tunnels with AC 1 and AC 2, respectively.
· Configure the internal network as follows:
- Configure L3 switch 1 to act as a DHCP server to assign IP addresses to the physical AP and internal clients.
- Configure the physical AP to obtain an IP address from DHCP address pool 10 and assign the physical AP to VLAN 10.
- Configure internal clients to access the WLAN through VLAN 30, and configure MAC address authentication, 802.1X authentication, and portal authentication.
- Enable cooperative roaming.
- Configure AC 1 and AC 3 to form dual-link 1+1 backup for the physical AP.
- Configure an IMC server to act as the portal authentication server, portal Web server, and RADIUS server.
· Configure the external network as follows:
- Configure L3 switch 2 to act as a DHCP server to assign IP addresses to virtual APs and external clients.
- Configure virtual APs to obtain IP addresses from DHCP address pool 20 and assign virtual APs to VLAN 20.
- Configure external clients to access the WLAN through VLAN 40, and configure MAC address authentication, 802.1X authentication, and portal authentication.
- Configure an external IMC server to act as the portal authentication server, portal Web server, and RADIUS server.
| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| L3 Switch 1 | Vlan-int 10 | 173.12.1.2/16 | L3 Switch 2 | Vlan-int 20 | 173.22.1.2/16 |
| | Vlan-int 30 | 112.30.0.1/16 | | Vlan-int 40 | 112.40.0.3/16 |
| AC 1 | Vlan-int 10 | 173.12.1.3/16 | AC 2 | Vlan-int 20 | 173.22.1.3/16 |
| | Vlan-int 30 | 112.30.0.2/16 | | Vlan-int 40 | 112.40.0.2/16 |
| AC 3 | Vlan-int 10 | 173.12.1.7/16 | | | |
| | Vlan-int 30 | 112.30.0.3/16 | | | |
Restrictions and guidelines
· When the AP starts without a configuration loaded, both of its uplink ports default to access ports with the PVID set to 1, and the AP sends its packets untagged in VLAN 1. To prevent a loop during this stage, execute the undo port trunk permit vlan vlan-pvid command on the physical port that connects the external network switch to the AP, where vlan-pvid is that port's default VLAN (PVID); this stops packets of the port's default VLAN from passing through. Do not set the management VLAN or service VLAN of virtual APs as the port's default VLAN.
· Configure the interface that connects the external network switch to the AP to block both VLAN 1 packets and the traffic of internal network VLANs. This ensures that no loop forms across the AP's dual uplink ports. This restriction applies to networks where virtual APs and physical APs use different management VLANs.
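The two restrictions above can be checked mechanically before the AP is connected. The following Python example is added here and is not code from the guide or from H3C: it replays the interface commands of a switch configuration excerpt to obtain each port's effective trunk state, then audits the external-switch port that faces the AP against the rules stated above: VLAN 1 and the port's own PVID must not be permitted, the PVID must not be a virtual-AP management or service VLAN (20 and 40 in this example), and internal-network VLANs (10 and 30 here) must not be permitted on the external port. The configuration text, the port names and the VLAN sets are constructed for the example.

```python
"""Audit the external-switch trunk port that faces the AP against the
restrictions above. Added example, not H3C code. The configuration excerpt
uses the command syntax shown on this page; ports and VLANs are constructed."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: GigabitEthernet1/0/2 follows the guidelines, 1/0/3 does not.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 20 40
 poe enable
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk pvid vlan 20
 port trunk permit vlan 1 10 20 40
#
"""


@dataclass
class Port:
    name: str
    link_type: str = "access"
    pvid: int = 1
    permitted: Set[int] = field(default_factory=lambda: {1})  # trunk default: VLAN 1 only


def parse_vlan_list(text: str) -> Set[int]:
    """Parse '10 30', '10 to 30' or 'all' as accepted by 'port trunk permit vlan'."""
    tokens = text.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text: str) -> Dict[str, Port]:
    """Replay the interface commands to get each port's effective VLAN state."""
    ports: Dict[str, Port] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)", line, re.IGNORECASE)
        if match:
            current = ports.setdefault(match.group(1), Port(match.group(1)))
        elif current is None or line in ("#", "quit"):
            current = None
        elif line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line.startswith("undo port trunk permit vlan "):
            current.permitted -= parse_vlan_list(line[len("undo port trunk permit vlan "):])
        elif line.startswith("port trunk permit vlan "):
            current.permitted |= parse_vlan_list(line[len("port trunk permit vlan "):])
        elif line.startswith("port trunk pvid vlan "):
            current.pvid = int(line.split()[-1])
    return ports


def audit_ap_facing_port(port: Port, virtual_ap_vlans: Set[int],
                         internal_vlans: Set[int]) -> List[str]:
    """Findings for one external-switch port that connects to the AP."""
    findings: List[str] = []
    if port.link_type != "trunk":
        findings.append("port is not a trunk port")
    if 1 in port.permitted:
        findings.append("VLAN 1 is permitted: untagged boot-time traffic from the AP can loop")
    if port.pvid in port.permitted:
        findings.append(f"PVID {port.pvid} is permitted; run 'undo port trunk permit vlan {port.pvid}'")
    if port.pvid in virtual_ap_vlans:
        findings.append(f"PVID {port.pvid} is a virtual-AP management or service VLAN")
    leaked = sorted(port.permitted & internal_vlans)
    if leaked:
        findings.append(f"internal-network VLANs {leaked} are permitted on the external port")
    return findings


def audit_config(text: str, ap_ports: List[str], virtual_ap_vlans: Set[int],
                 internal_vlans: Set[int]) -> Dict[str, List[str]]:
    """Audit every listed AP-facing port; unknown ports are reported too."""
    ports = parse_config(text)
    return {name: (audit_ap_facing_port(ports[name], virtual_ap_vlans, internal_vlans)
                   if name in ports else ["interface not found"])
            for name in ap_ports}


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, ["GigabitEthernet1/0/2", "GigabitEthernet1/0/3"],
                          virtual_ap_vlans={20, 40}, internal_vlans={10, 30})
    for name, findings in report.items():
        print(name, "->", findings or "OK")
```

The parser starts each trunk port from the default of VLAN 1 permitted and PVID 1, so a port that never received undo port trunk permit vlan 1 is reported even though nothing in its configuration mentions VLAN 1.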
Configuring the internal network
Configuring Layer 3 switch 1
271. Configure interfaces on Layer 3 switch 1:
# Create VLAN 10 and VLAN 30, and assign IP addresses to the VLAN interfaces. VLAN 10 will be used to forward CAPWAP traffic between the AC and the physical AP, and VLAN 30 is the internal client access VLAN.
<L3 switch1> system-view
[L3 switch1] vlan 10
[L3 switch1-vlan10] quit
[L3 switch1] interface vlan-interface 10
[L3 switch1-Vlan-interface10] ip address 173.12.1.2 255.255.0.0
[L3 switch1-Vlan-interface10] quit
[L3 switch1] vlan 30
[L3 switch1-vlan30] quit
[L3 switch1] interface vlan-interface 30
[L3 switch1-Vlan-interface30] ip address 112.30.0.1 255.255.0.0
[L3 switch1-Vlan-interface30] quit
# Create VLAN 50 for IMC server connection and assign an IP address to VLAN-interface 50.
[L3 switch1] vlan 50
[L3 switch1-vlan50] quit
[L3 switch1] interface vlan-interface 50
[L3 switch1-Vlan-interface50] ip address 173.18.4.99 255.255.255.0
[L3 switch1-Vlan-interface50] quit
# Add the interface that connects Layer 3 switch 1 to the IMC server to VLAN 50. (Details not shown.)
# Configure GigabitEthernet 1/0/1 that connects Layer 3 switch 1 to AC 1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 10 and VLAN 30.
[L3 switch1] interface gigabitethernet 1/0/1
[L3 switch1-GigabitEthernet1/0/1] port link-type trunk
[L3 switch1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[L3 switch1-GigabitEthernet1/0/1] port trunk permit vlan 10 30
[L3 switch1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/4 that connects Layer 3 switch 1 to AC 3 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 10 and VLAN 30.
[L3 switch1] interface gigabitethernet 1/0/4
[L3 switch1-GigabitEthernet1/0/4] port link-type trunk
[L3 switch1-GigabitEthernet1/0/4] undo port trunk permit vlan 1
[L3 switch1-GigabitEthernet1/0/4] port trunk permit vlan 10 30
[L3 switch1-GigabitEthernet1/0/4] quit
# Configure GigabitEthernet 1/0/2 that connects Layer 3 switch 1 to Layer 2 switch 1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 10.
[L3 switch1] interface gigabitethernet 1/0/2
[L3 switch1-GigabitEthernet1/0/2] port link-type trunk
[L3 switch1-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[L3 switch1-GigabitEthernet1/0/2] port trunk permit vlan 10
[L3 switch1-GigabitEthernet1/0/2] quit
# Configure the uplink ports on Layer 3 switch 1 and static routes. (Details not shown.)
272. Configure the DHCP server:
# Enable the DHCP server feature.
[L3 switch1] dhcp enable
# Configure DHCP address pool 10 to allocate addresses in subnet 173.12.0.0/16 to APs, and specify the gateway address as 173.12.1.2.
[L3 switch1] dhcp server ip-pool 10
[L3 switch1-dhcp-pool-10] network 173.12.0.0 mask 255.255.0.0
[L3 switch1-dhcp-pool-10] gateway-list 173.12.1.2
[L3 switch1-dhcp-pool-10] quit
# Configure DHCP address pool 30 to allocate addresses in subnet 112.30.0.0/16 to clients, and specify 112.30.0.1 as both the gateway address and the DNS server address.
[L3 switch1] dhcp server ip-pool 30
[L3 switch1-dhcp-pool-30] network 112.30.0.0 mask 255.255.0.0
[L3 switch1-dhcp-pool-30] gateway-list 112.30.0.1
[L3 switch1-dhcp-pool-30] dns-list 112.30.0.1
[L3 switch1-dhcp-pool-30] quit
Configuring Layer 2 switch 1
# Create VLAN 10. VLAN 10 will be used as the management VLAN for physical AP access.
<L2 switch1> system-view
[L2 switch1] vlan 10
[L2 switch1-vlan10] quit
# Configure GigabitEthernet 1/0/1 that connects Layer 2 switch 1 to Layer 3 switch 1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 10.
[L2 switch1] interface gigabitethernet 1/0/1
[L2 switch1-GigabitEthernet1/0/1] port link-type trunk
[L2 switch1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[L2 switch1-GigabitEthernet1/0/1] port trunk permit vlan 10
[L2 switch1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 that connects Layer 2 switch 1 to the AP as a trunk port, remove the port from VLAN 1, set the PVID to 10, assign the port to VLAN 10, and enable PoE.
[L2 switch1] interface gigabitethernet 1/0/2
[L2 switch1-GigabitEthernet1/0/2] port link-type trunk
[L2 switch1-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[L2 switch1-GigabitEthernet1/0/2] port trunk pvid vlan 10
[L2 switch1-GigabitEthernet1/0/2] port trunk permit vlan 10
[L2 switch1-GigabitEthernet1/0/2] poe enable
[L2 switch1-GigabitEthernet1/0/2] quit
Configuring AC 1
273. Configure interfaces on the internal network AC:
# Create VLAN 10 and VLAN-interface 10, and assign an IP address for the interface. The physical AP will obtain the IP address to establish a CAPWAP tunnel with the AC.
<AC1> system-view
[AC1] vlan 10
[AC1-vlan10] quit
[AC1] interface vlan-interface 10
[AC1-Vlan-interface10] ip address 173.12.1.3 255.255.0.0
[AC1-Vlan-interface10] quit
# Create VLAN 30 and VLAN-interface 30, and assign an IP address for the interface. Internal network clients will use the service VLAN to access the WLAN.
[AC1] vlan 30
[AC1-vlan30] quit
[AC1] interface vlan-interface 30
[AC1-Vlan-interface30] ip address 112.30.0.2 255.255.0.0
[AC1-Vlan-interface30] quit
# Configure GigabitEthernet 1/0/1 that connects AC 1 in the internal network to Layer 3 switch 1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 10 and VLAN 30.
[AC1] interface gigabitethernet 1/0/1
[AC1-GigabitEthernet1/0/1] port link-type trunk
[AC1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC1-GigabitEthernet1/0/1] port trunk permit vlan 10 30
[AC1-GigabitEthernet1/0/1] quit
# Configure a static route for the AC to reach the IMC server.
[AC1] ip route-static 173.18.4.100 32 173.12.1.2
274. Configure the AP and deploy the configuration to the AP:
# Create AP ap1 and specify the AP model as WA6322.
[AC1] wlan ap ap1 model WA6322
# Specify the AP serial number as 219801A23U8204P000C3.
[AC1-wlan-ap-ap1] serial-id 219801A23U8204P000C3
# Enable remote configuration.
[AC1-wlan-ap-ap1] remote-configuration enable
# Create VLAN 20. VLAN 20 will be used as the management VLAN for the virtual AP.
[AC1-wlan-ap-ap1] vlan 20
[AC1-wlan-ap-ap1-vlan20] quit
# Configure GigabitEthernet 2 that connects the AP to Layer 2 switch 2 in the external network as a trunk port. Remove the port from VLAN 1 and assign the port to VLAN 20.
[AC1-wlan-ap-ap1] gigabitethernet 2
[AC1-wlan-ap-ap1-gigabitethernet-2] port link-type trunk
[AC1-wlan-ap-ap1-gigabitethernet-2] undo port trunk permit vlan 1
[AC1-wlan-ap-ap1-gigabitethernet-2] port trunk permit vlan 20
[AC1-wlan-ap-ap1-gigabitethernet-2] quit
# Synchronize VLAN and interface configurations in AP view to the AP.
[AC1-wlan-ap-ap1] remote-configuration synchronize
[AC1-wlan-ap-ap1] quit
275. Enable virtual AP globally:
[AC1] wlan virtual-ap enable
276. Create a virtual AP:
# Create a virtual AP, and specify the IP address of the AC in the external network and the management VLAN.
[AC1] wlan ap ap1
[AC1-wlan-ap-ap1] virtual-ap ac-address ip 173.22.1.3 management-vlan 20
[AC1-wlan-ap-ap1] quit
277. Configure dual-link backup:
# Enter AP view of AP ap1 and set the AP connection priority to 7.
[AC1] wlan ap ap1
[AC1-wlan-ap-ap1] priority 7
# Specify AC 3 in the internal network as the backup AC.
[AC1-wlan-ap-ap1] backup-ac ip 173.12.1.7
# Enable master CAPWAP tunnel preemption.
[AC1-wlan-ap-ap1] wlan tunnel-preempt enable
[AC1-wlan-ap-ap1] quit
278. Configure the RADIUS scheme:
# Create RADIUS scheme office and enter its view.
[AC1] radius scheme office
# Specify the primary authentication server, primary accounting server, and authentication and accounting key.
[AC1-radius-office] primary authentication 173.18.4.100
[AC1-radius-office] primary accounting 173.18.4.100
[AC1-radius-office] key authentication simple 12345678
[AC1-radius-office] key accounting simple 12345678
# Configure the device to exclude domain names in usernames sent to the RADIUS server.
[AC1-radius-office] user-name-format without-domain
# Specify the source IP address of RADIUS packets as 173.12.1.3.
[AC1-radius-office] nas-ip 173.12.1.3
[AC1-radius-office] quit
# Enable RADIUS session control.
[AC1] radius session-control enable
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[AC1] radius dynamic-author server
# Specify a session-control client with IP address 173.18.4.100 and shared key 12345678 in plaintext form.
[AC1-radius-da-server] client ip 173.18.4.100 key simple 12345678
[AC1-radius-da-server] quit
279. Configure the authentication domain:
# Create an ISP domain named office1 and enter its view.
[AC1] domain office1
# Perform RADIUS authentication, authorization, and accounting for LAN users based on scheme office.
[AC1-isp-office1] authentication lan-access radius-scheme office
[AC1-isp-office1] authorization lan-access radius-scheme office
[AC1-isp-office1] accounting lan-access radius-scheme office
# Set the idle timeout for users in the ISP domain office1 to 15 minutes and the minimum traffic to 1024 bytes.
[AC1-isp-office1] authorization-attribute idle-cut 15 1024
[AC1-isp-office1] quit
# Create an ISP domain named office2 and enter its view.
[AC1] domain office2
# Perform RADIUS authentication, authorization, and accounting for portal users based on scheme office.
[AC1-isp-office2] authentication portal radius-scheme office
[AC1-isp-office2] authorization portal radius-scheme office
[AC1-isp-office2] accounting portal radius-scheme office
# Set the idle timeout for users in the ISP domain office2 to 15 minutes and the minimum traffic to 1024 bytes.
[AC1-isp-office2] authorization-attribute idle-cut 15 1024
[AC1-isp-office2] quit
280. Configure MAC authentication:
# Configure a shared account for MAC authentication users, with username h3cmac and plaintext password 12345678.
[AC1] mac-authentication user-name-format fixed account h3cmac password simple 12345678
# Create wireless service template 1 and set the SSID to int-mac.
[AC1] wlan service-template 1
[AC1-wlan-st-1] ssid int-mac
# Specify VLAN 30 for the service template.
[AC1-wlan-st-1] vlan 30
# Set the authentication mode to mac and specify ISP domain office1 as the authentication domain.
[AC1-wlan-st-1] client-security authentication-mode mac
[AC1-wlan-st-1] mac-authentication domain office1
# Enable BTM.
[AC1-wlan-st-1] bss transition-management enable
# (Optional.) Enable BTM disassociation. If the disassociation timer expires and a client fails to disassociate with the AP, the AP does not forcibly log off the client.
[AC1-wlan-st-1] bss transition-management disassociation
# (Optional.) Enable advanced data transmission holding during roaming.
[AC1-wlan-st-1] sacp roam-optimize traffic-hold enable advanced
# Enable the wireless service template.
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
281. Configure 802.1X authentication.
# Configure 802.1X authentication to use the EAP relay method.
[AC1] dot1x authentication-method eap
# Create wireless service template 2 and set the SSID to int-1x.
[AC1] wlan service-template 2
[AC1-wlan-st-2] ssid int-1x
# Specify VLAN 30 for the service template.
[AC1-wlan-st-2] vlan 30
# Specify the AKM mode as 802.1X, cipher suite as CCMP, and security IE as RSN.
[AC1-wlan-st-2] akm mode dot1x
[AC1-wlan-st-2] cipher-suite ccmp
[AC1-wlan-st-2] security-ie rsn
# Set the authentication mode to dot1x and specify ISP domain office1 as the authentication domain.
[AC1-wlan-st-2] client-security authentication-mode dot1x
[AC1-wlan-st-2] dot1x domain office1
# Enable BTM.
[AC1-wlan-st-2] bss transition-management enable
# (Optional.) Enable BTM disassociation. If the disassociation timer expires and a client fails to disassociate with the AP, the AP does not forcibly log off the client.
[AC1-wlan-st-2] bss transition-management disassociation
# (Optional.) Enable advanced data transmission holding during roaming.
[AC1-wlan-st-2] sacp roam-optimize traffic-hold enable advanced
# Enable the wireless service template.
[AC1-wlan-st-2] service-template enable
[AC1-wlan-st-2] quit
282. Configure portal authentication:
# Specify the name of the portal authentication server as newpt and the server address as 173.18.4.100. Set the destination UDP port number to 50100 for the device to send unsolicited portal packets to the portal authentication server.
[AC1] portal server newpt
[AC1-portal-server-newpt] ip 173.18.4.100 key simple 12345678
[AC1-portal-server-newpt] port 50100
[AC1-portal-server-newpt] quit
# Specify the URL of the portal Web server as http://173.18.4.100:8080/portal.
[AC1] portal web-server wbportal
[AC1-portal-websvr-wbportal] url http://173.18.4.100:8080/portal
[AC1-portal-websvr-wbportal] quit
# Configure an IPv4-based portal-free rule numbered 0 and specify the destination IP address as 173.18.4.100 to permit traffic to the portal Web server.
[AC1] portal free-rule 0 destination ip 173.18.4.100 24
# Configure two destination-based portal authentication-free rules to allow traffic to the DNS server.
[AC1] portal free-rule 1 destination ip any udp 53
[AC1] portal free-rule 2 destination ip any tcp 53
# Disable the Rule ARP entry feature for portal clients.
[AC1] undo portal refresh arp enable
# Enable validity check on wireless portal clients.
[AC1] portal host-check enable
# Create wireless service template 3 and set the SSID to int-portal.
[AC1] wlan service-template 3
[AC1-wlan-st-3] ssid int-portal
# Specify VLAN 30 for the service template.
[AC1-wlan-st-3] vlan 30
# Enable direct portal authentication on wireless service template 3.
[AC1-wlan-st-3] portal enable method direct
# Configure portal users to use authentication domain office2.
[AC1-wlan-st-3] portal domain office2
# Apply portal Web server wbportal to wireless service template 3.
[AC1-wlan-st-3] portal apply web-server wbportal
# Specify the value of the BAS-IP attribute in portal packets sent to the portal authentication server as 173.12.1.3.
[AC1-wlan-st-3] portal bas-ip 173.12.1.3
# Enable BTM.
[AC1-wlan-st-3] bss transition-management enable
# (Optional.) Enable BTM disassociation. If the disassociation timer expires and a client fails to disassociate with the AP, the AP does not forcibly log off the client.
[AC1-wlan-st-3] bss transition-management disassociation
# (Optional.) Enable advanced data transmission holding during roaming.
[AC1-wlan-st-3] sacp roam-optimize traffic-hold enable advanced
# Enable wireless service template 3.
[AC1-wlan-st-3] service-template enable
[AC1-wlan-st-3] quit
283. Bind wireless service templates and configure cooperative roaming:
# Enter radio view of radio 1 on AP ap1.
[AC1] wlan ap ap1
[AC1-wlan-ap-ap1] radio 1
# Enable radio resource measurement.
[AC1-wlan-ap-ap1-radio-1] resource-measure enable
# Enable client anti-sticky, set the RSSI threshold to 30, and set the detection interval to 10 seconds.
NOTE: Adjust the RSSI threshold and detection interval based on the actual situation.
[AC1-wlan-ap-ap1-radio-1] sacp anti-sticky enable rssi 30 interval 10
# Enable BSS candidate obtaining and set the interval for obtaining BSS candidate information to 10 seconds.
[AC1-wlan-ap-ap1-radio-1] sacp roam-optimize bss-candidate-list enable interval 10
# Enable radio 1 and bind wireless service templates 1, 2, and 3 to it.
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] service-template 2
[AC1-wlan-ap-ap1-radio-1] service-template 3
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
Configuring AC 3
284. Configure interfaces on the internal network AC:
# Create VLAN 10 and VLAN-interface 10, and configure an IP address for the interface. The physical AP will obtain the IP address to establish a CAPWAP tunnel with the backup AC.
<AC3> system-view
[AC3] vlan 10
[AC3-vlan10] quit
[AC3] interface vlan-interface 10
[AC3-Vlan-interface10] ip address 173.12.1.7 255.255.0.0
[AC3-Vlan-interface10] quit
# Create VLAN 30 and VLAN-interface 30, and configure an IP address for the interface. Internal network clients will use the service VLAN to access the WLAN.
[AC3] vlan 30
[AC3-vlan30] quit
[AC3] interface vlan-interface 30
[AC3-Vlan-interface30] ip address 112.30.0.3 255.255.0.0
[AC3-Vlan-interface30] quit
# Configure GigabitEthernet 1/0/1 that connects AC 3 in the internal network to Layer 3 switch 1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 10 and VLAN 30.
[AC3] interface gigabitethernet 1/0/1
[AC3-GigabitEthernet1/0/1] port link-type trunk
[AC3-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC3-GigabitEthernet1/0/1] port trunk permit vlan 10 30
[AC3-GigabitEthernet1/0/1] quit
# Configure a static route for the AC to reach the IMC server.
[AC3] ip route-static 173.18.4.100 32 173.12.1.2
285. Configure the AP and deploy the configuration to the AP:
# Create AP ap1 and specify the AP model as WA6322.
[AC3] wlan ap ap1 model WA6322
# Specify the AP serial number as 219801A23U8204P000C3.
[AC3-wlan-ap-ap1] serial-id 219801A23U8204P000C3
# Enable remote configuration.
[AC3-wlan-ap-ap1] remote-configuration enable
# Create VLAN 20. VLAN 20 will be used as the management VLAN for the virtual AP.
[AC3-wlan-ap-ap1] vlan 20
[AC3-wlan-ap-ap1-vlan20] quit
# Configure GigabitEthernet 2 that connects the AP to Layer 2 switch 2 in the external network as a trunk port. Remove the port from VLAN 1 and assign the port to VLAN 20.
[AC3-wlan-ap-ap1] gigabitethernet 2
[AC3-wlan-ap-ap1-gigabitethernet-2] port link-type trunk
[AC3-wlan-ap-ap1-gigabitethernet-2] undo port trunk permit vlan 1
[AC3-wlan-ap-ap1-gigabitethernet-2] port trunk permit vlan 20
[AC3-wlan-ap-ap1-gigabitethernet-2] quit
# Synchronize VLAN and interface configurations in AP view to the AP.
[AC3-wlan-ap-ap1] remote-configuration synchronize
[AC3-wlan-ap-ap1] quit
286. Enable virtual AP globally:
[AC3] wlan virtual-ap enable
287. Create a virtual AP:
# Create a virtual AP, and specify the IP address of the AC in the external network and the management VLAN.
[AC3] wlan ap ap1
[AC3-wlan-ap-ap1] virtual-ap ac-address ip 173.22.1.3 management-vlan 20
[AC3-wlan-ap-ap1] quit
288. Configure dual-link backup:
# Specify the AP connection priority as 5 for AP ap1.
[AC3] wlan ap ap1
[AC3-wlan-ap-ap1] priority 5
# Specify AC 1 in the internal network as the backup AC.
[AC3-wlan-ap-ap1] backup-ac ip 173.12.1.3
[AC3-wlan-ap-ap1] quit
289. Configure the RADIUS scheme:
# Create RADIUS scheme office and enter its view.
[AC3] radius scheme office
# Specify the primary authentication server, primary accounting server, and authentication and accounting key.
[AC3-radius-office] primary authentication 173.18.4.100
[AC3-radius-office] primary accounting 173.18.4.100
[AC3-radius-office] key authentication simple 12345678
[AC3-radius-office] key accounting simple 12345678
# Configure the device to exclude domain names in usernames sent to the RADIUS server.
[AC3-radius-office] user-name-format without-domain
# Specify the source IP address of RADIUS packets as 173.12.1.7.
[AC3-radius-office] nas-ip 173.12.1.7
[AC3-radius-office] quit
# Enable RADIUS session control.
[AC3] radius session-control enable
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[AC3] radius dynamic-author server
# Specify a session-control client with IP address 173.18.4.100 and shared key 12345678 in plaintext form.
[AC3-radius-da-server] client ip 173.18.4.100 key simple 12345678
[AC3-radius-da-server] quit
290. Configure the authentication domain:
# Create an ISP domain named office1 and enter its view.
[AC3] domain office1
# Perform RADIUS authentication, authorization, and accounting for LAN users based on scheme office.
[AC3-isp-office1] authentication lan-access radius-scheme office
[AC3-isp-office1] authorization lan-access radius-scheme office
[AC3-isp-office1] accounting lan-access radius-scheme office
# Set the idle timeout for users in ISP domain office1 to 15 minutes and the minimum traffic to 1024 bytes.
[AC3-isp-office1] authorization-attribute idle-cut 15 1024
[AC3-isp-office1] quit
# Create an ISP domain named office2 and enter its view.
[AC3] domain office2
# Perform RADIUS authentication, authorization, and accounting for portal users based on scheme office.
[AC3-isp-office2] authentication portal radius-scheme office
[AC3-isp-office2] authorization portal radius-scheme office
[AC3-isp-office2] accounting portal radius-scheme office
# Set the idle timeout for users in ISP domain office2 to 15 minutes and the minimum traffic to 1024 bytes.
[AC3-isp-office2] authorization-attribute idle-cut 15 1024
[AC3-isp-office2] quit
291. Configure MAC authentication:
# Configure a shared account for MAC authentication users, and set the username to h3cmac and password to plaintext string of 12345678.
[AC3] mac-authentication user-name-format fixed account h3cmac password simple 12345678
# Create wireless service template 1 and set the SSID to int-mac.
[AC3] wlan service-template 1
[AC3-wlan-st-1] ssid int-mac
# Specify VLAN 30 for the service template.
[AC3-wlan-st-1] vlan 30
# Set the authentication mode to mac and specify ISP domain office1 as the authentication domain.
[AC3-wlan-st-1] client-security authentication-mode mac
[AC3-wlan-st-1] mac-authentication domain office1
# Enable BTM.
[AC3-wlan-st-1] bss transition-management enable
# (Optional.) Enable BTM disassociation. If the disassociation timer expires and a client fails to disassociate from the AP, the AP does not forcibly log off the client.
[AC3-wlan-st-1] bss transition-management disassociation
# (Optional.) Enable advanced data transmission holding during roaming.
[AC3-wlan-st-1] sacp roam-optimize traffic-hold enable advanced
# Enable the wireless service template.
[AC3-wlan-st-1] service-template enable
[AC3-wlan-st-1] quit
292. Configure 802.1X authentication.
# Configure 802.1X authentication to use the EAP relay method.
[AC3] dot1x authentication-method eap
# Create wireless service template 2 and set the SSID to int-1x.
[AC3] wlan service-template 2
[AC3-wlan-st-2] ssid int-1x
# Specify VLAN 30 for the service template.
[AC3-wlan-st-2] vlan 30
# Specify the AKM mode as 802.1X, cipher suite as CCMP, and security IE as RSN.
[AC3-wlan-st-2] akm mode dot1x
[AC3-wlan-st-2] cipher-suite ccmp
[AC3-wlan-st-2] security-ie rsn
# Set the authentication mode to dot1x and specify ISP domain office1 as the authentication domain.
[AC3-wlan-st-2] client-security authentication-mode dot1x
[AC3-wlan-st-2] dot1x domain office1
# Enable BTM.
[AC3-wlan-st-2] bss transition-management enable
# (Optional.) Enable BTM disassociation. If the disassociation timer expires and a client fails to disassociate from the AP, the AP does not forcibly log off the client.
[AC3-wlan-st-2] bss transition-management disassociation
# (Optional.) Enable advanced data transmission holding during roaming.
[AC3-wlan-st-2] sacp roam-optimize traffic-hold enable advanced
# Enable the wireless service template.
[AC3-wlan-st-2] service-template enable
[AC3-wlan-st-2] quit
293. Configure portal authentication
# Specify the name of the portal authentication server as newpt and the server address as 173.18.4.100. Set the destination UDP port number to 50100 for the device to send unsolicited portal packets to the portal authentication server.
[AC3] portal server newpt
[AC3-portal-server-newpt] ip 173.18.4.100 key simple 12345678
[AC3-portal-server-newpt] port 50100
[AC3-portal-server-newpt] quit
# Specify the URL of the portal Web server as http://173.18.4.100:8080/portal.
[AC3] portal web-server wbportal
[AC3-portal-websvr-wbportal] url http://173.18.4.100:8080/portal
[AC3-portal-websvr-wbportal] quit
# Configure IPv4-based portal-free rule 0 to permit unauthenticated traffic to the portal Web server. Note that the 24-bit mask matches the entire 173.18.4.0/24 subnet, not only 173.18.4.100; use a 32-bit mask if only the server should be reachable before authentication.
[AC3] portal free-rule 0 destination ip 173.18.4.100 24
# Configure two destination-based portal authentication-free rules to allow traffic to the DNS server.
[AC3] portal free-rule 1 destination ip any udp 53
[AC3] portal free-rule 2 destination ip any tcp 53
# Disable the Rule ARP entry feature for portal clients.
[AC3] undo portal refresh arp enable
# Enable validity check on wireless portal clients.
[AC3] portal host-check enable
# Create wireless service template 3 and set the SSID to int-portal.
[AC3] wlan service-template 3
[AC3-wlan-st-3] ssid int-portal
# Specify VLAN 30 for the service template.
[AC3-wlan-st-3] vlan 30
# Enable direct portal authentication on wireless service template 3.
[AC3-wlan-st-3] portal enable method direct
# Configure portal users to use authentication domain office2.
[AC3-wlan-st-3] portal domain office2
# Apply portal Web server wbportal to wireless service template 3.
[AC3-wlan-st-3] portal apply web-server wbportal
# Specify the value of the BAS-IP attribute in portal packets sent to the portal authentication server as 173.12.1.7.
[AC3-wlan-st-3] portal bas-ip 173.12.1.7
# Enable BTM.
[AC3-wlan-st-3] bss transition-management enable
# (Optional.) Enable BTM disassociation. If the disassociation timer expires and a client fails to disassociate from the AP, the AP does not forcibly log off the client.
[AC3-wlan-st-3] bss transition-management disassociation
# (Optional.) Enable advanced data transmission holding during roaming.
[AC3-wlan-st-3] sacp roam-optimize traffic-hold enable advanced
# Enable wireless service template 3.
[AC3-wlan-st-3] service-template enable
[AC3-wlan-st-3] quit
294. Bind wireless service templates and configure cooperative roaming:
# Enter radio view of radio 1 on AP ap1.
[AC3] wlan ap ap1
[AC3-wlan-ap-ap1] radio 1
# Enable radio resource measurement.
[AC3-wlan-ap-ap1-radio-1] resource-measure enable
# Enable client anti-sticky, set the RSSI threshold to 30, and set the detection interval to 10 seconds.
NOTE: Adjust the RSSI threshold and detection interval based on the actual situation.
[AC3-wlan-ap-ap1-radio-1] sacp anti-sticky enable rssi 30 interval 10
# Enable BSS candidate obtaining and set the interval for obtaining BSS candidate information to 10 seconds.
[AC3-wlan-ap-ap1-radio-1] sacp roam-optimize bss-candidate-list enable interval 10
# Enable radio 1 and bind wireless service templates 1, 2, and 3 to it.
[AC3-wlan-ap-ap1-radio-1] radio enable
[AC3-wlan-ap-ap1-radio-1] service-template 1
[AC3-wlan-ap-ap1-radio-1] service-template 2
[AC3-wlan-ap-ap1-radio-1] service-template 3
[AC3-wlan-ap-ap1-radio-1] quit
[AC3-wlan-ap-ap1] quit
Configuring the IMC server in the internal network
NOTE: This section uses iMC PLAT 7.1(E0303P10) and iMC UAM 7.1(E0303P10) as an example to illustrate basic configuration of the RADIUS server and portal server.
Configuring the RADIUS server
295. Add access devices:
# Add access device AC1.
Log in to the IMC management platform, click the User tab, and select User Access Policy > Access Device Management > Access Device in the left navigation pane. Then, click Add.
¡ In the Access Configuration area, set the shared key to 12345678, which must be the same as the key configured on AC 1 in the internal network.
¡ In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 173.12.1.3 in the Start IP field and then click OK. The address is the NAS-IP address configured for the RADIUS scheme on AC 1.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 9 Adding access device AC1

# Add access device AC3.
Log in to the IMC management platform, click the User tab, and select User Access Policy > Access Device Management > Access Device in the left navigation pane. Then, click Add.
¡ In the Access Configuration area, set the shared key to 12345678, which must be the same as the key configured on AC 3 in the internal network.
¡ In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 173.12.1.7 in the Start IP field and then click OK. The address is the NAS-IP address configured for the RADIUS scheme on AC 3.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 10 Adding access device AC3

296. Add access policies:
Click the User tab. From the navigation tree, select User Access Policy > Access Policy.
# Create a MAC authentication access policy.
Click Add to open the Add Access Policy page and create a MAC authentication access policy.
¡ Specify the policy name as mac.
¡ Retain the default settings in the other fields and then click OK.
Figure 11 Adding a MAC authentication policy
# Create an 802.1X authentication policy.
Click Add to open the Add Access Policy page and create an 802.1X authentication access policy.
¡ Specify the policy name as dot1x.
¡ Select the EAP authentication method, select EAP-PEAP Auth as the certificate type, and select EAP-MSCHAPv2 Auth as the certificate sub-type. The certificate sub-type on the IMC server must be the same as the authentication method configured on the client.
¡ Retain the default settings in the other fields and then click OK.
Figure 12 Adding an 802.1X authentication policy
# Create a portal authentication policy.
Click Add to open the Add Access Policy page and create a portal authentication access policy.
¡ Specify the policy name as portal.
¡ Retain the default settings in the other fields and then click OK.
Figure 13 Adding a portal authentication policy
297. Add access services:
Click the User tab. From the navigation tree, select User Access Policy > Access Service.
# Create a MAC authentication access service.
Click Add to open the Add Access Service page.
¡ Specify the service name as mac.
¡ Select access policy mac as the default access policy.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 14 Adding a MAC authentication access service
# Create an 802.1X authentication access service.
Click Add to open the Add Access Service page.
¡ Specify the service name as dot1x.
¡ Select access policy dot1x as the default access policy.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 15 Adding an 802.1X authentication access service
# Create a portal authentication access service.
Click Add to open the Add Access Service page.
¡ Specify the service name as portal.
¡ Select access policy portal as the default access policy.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 16 Adding a portal authentication access service
298. Add access users:
Click the User tab. From the navigation tree, select Access User > All Access Users.
# Add a MAC authentication access user.
Click Add to open the Add Access User page.
¡ Select a MAC authentication user. If no available user exists, click Add User to add a new user.
¡ Specify the account name as h3cmac and password as 12345678.
¡ Select service mac as the access service.
¡ Click OK.
Figure 17 Adding a MAC authentication access user

# Add an 802.1X authentication access user.
Click Add to open the Add Access User page.
¡ Select a user. If no available user exists, click Add User to add a new user.
¡ Specify the account name as dot1x and password as 12345678.
¡ Select service dot1x as the access service.
¡ Click OK.
Figure 18 Adding an 802.1X authentication access user

# Add a portal authentication access user.
Click Add to open the Add Access User page.
¡ Select a user. If no available user exists, click Add User to add a new user.
¡ Specify the account name as portal and password as 12345678.
¡ Select service portal as the access service.
¡ Click OK.
Figure 19 Adding a portal authentication access user

Configuring the portal server
299. Configure an IP address group:
Click the User tab. From the navigation tree, select User Access Policy > Portal Service > IP Group. Click Add to open the Add IP Group page.
¡ Enter the IP group name.
¡ Enter the start IP address and end IP address of the IP group. Make sure the users' host IP addresses are in the IP group.
¡ Select a service group. This example uses the default group Ungrouped.
¡ Select Normal from the Action list.
Figure 20 Adding an IP address group
300. Add a portal device:
Click the User tab. From the navigation tree, select User Access Policy > Portal Service > Device.
# Add portal device AC1.
Click Add to open the Add Device page.
¡ Specify the device name.
¡ Enter the IP address of the AC's interface connected to the client. In this example, the IP address of AC 1 in the internal network is used, which is 173.12.1.3.
¡ Enter the key, which must be the same as the key configured on the AC. In this example, the key is 12345678.
Figure 21 Adding portal device AC 1

# Add portal device AC3.
Click Add to open the Add Device page.
¡ Specify the device name.
¡ Enter the IP address of the AC's interface connected to the client. In this example, the IP address of AC 3 in the internal network is used, which is 173.12.1.7.
¡ Enter the key, which must be the same as the key configured on the AC. In this example, the key is 12345678.
Figure 22 Adding portal device AC 3

301. Associate portal devices with the IP address group:
Click the Port Group icon in the Operation field for devices portal-int and portal-int1 (the names assigned to AC 1 and AC 3 when they were added as portal devices), and then complete the following settings for each device:
Click Add to open the Add Port Group page.
¡ Enter the port group name.
¡ Select CHAP as the authentication type.
¡ Select the IP address group. The IP address used by a user to access the network must be within this IP address group.
¡ Retain the default settings in the other fields.
Figure 23 Device list

Figure 24 Adding a port group for portal device AC 1

Figure 25 Adding a port group for portal device AC 3

# From the navigation tree, select User Access Policy > Service Parameters. Then, click Validate to make the configuration take effect.
Configuring external network devices
Configuring Layer 3 switch 2
302. Configure interfaces on Layer 3 switch 2:
# Create VLAN 20 and VLAN 40, and assign IP addresses to the VLAN interfaces. VLAN 20 will be used to forward CAPWAP traffic between the AC and the virtual AP, and VLAN 40 is used for wireless guest access.
<L3 switch2> system-view
[L3 switch2] vlan 20
[L3 switch2-vlan20] quit
[L3 switch2] interface vlan-interface 20
[L3 switch2-Vlan-interface20] ip address 173.22.1.2 255.255.0.0
[L3 switch2-Vlan-interface20] quit
[L3 switch2] vlan 40
[L3 switch2-vlan40] quit
[L3 switch2] interface vlan-interface 40
[L3 switch2-Vlan-interface40] ip address 112.40.0.3 255.255.0.0
[L3 switch2-Vlan-interface40] quit
# Create VLAN 50, and assign an IP address to the VLAN interface. VLAN 50 will be used to connect to the IMC server.
[L3 switch2] vlan 50
[L3 switch2-vlan50] quit
[L3 switch2] interface vlan-interface 50
[L3 switch2-Vlan-interface50] ip address 173.18.5.99 255.255.255.0
[L3 switch2-Vlan-interface50] quit
# Assign the interface that connects Layer 3 switch 2 to the IMC server to VLAN 50. (Details not shown.)
# Configure GigabitEthernet 1/0/5 that connects Layer 3 switch 2 to AC 2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20 and VLAN 40.
[L3 switch2] interface gigabitethernet 1/0/5
[L3 switch2-GigabitEthernet1/0/5] port link-type trunk
[L3 switch2-GigabitEthernet1/0/5] undo port trunk permit vlan 1
[L3 switch2-GigabitEthernet1/0/5] port trunk permit vlan 20 40
[L3 switch2-GigabitEthernet1/0/5] quit
# Configure GigabitEthernet 1/0/11 that connects Layer 3 switch 2 to Layer 2 switch 2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.
[L3 switch2] interface gigabitethernet 1/0/11
[L3 switch2-GigabitEthernet1/0/11] port link-type trunk
[L3 switch2-GigabitEthernet1/0/11] undo port trunk permit vlan 1
[L3 switch2-GigabitEthernet1/0/11] port trunk permit vlan 20
[L3 switch2-GigabitEthernet1/0/11] quit
# Configure the uplink ports on Layer 3 switch 2 and static routes. (Details not shown.)
303. Configure the DHCP server:
# Enable the DHCP server feature.
[L3 switch2] dhcp enable
# Configure DHCP address pool 20 to allocate addresses in subnet 173.22.0.0/16 to APs, and specify the gateway address as 173.22.1.2.
[L3 switch2] dhcp server ip-pool 20
[L3 switch2-dhcp-pool-20] network 173.22.0.0 mask 255.255.0.0
[L3 switch2-dhcp-pool-20] gateway-list 173.22.1.2
[L3 switch2-dhcp-pool-20] quit
# Configure DHCP address pool 40 to allocate addresses in subnet 112.40.0.0/16 to clients, and specify 112.40.0.3 as both the gateway address and the DNS server address.
[L3 switch2] dhcp server ip-pool 40
[L3 switch2-dhcp-pool-40] network 112.40.0.0 mask 255.255.0.0
[L3 switch2-dhcp-pool-40] gateway-list 112.40.0.3
[L3 switch2-dhcp-pool-40] dns-list 112.40.0.3
[L3 switch2-dhcp-pool-40] quit
Configuring Layer 2 switch 2
# Create VLAN 20. VLAN 20 will be used as the management VLAN for virtual AP access.
<L2 switch2> system-view
[L2 switch2] vlan 20
[L2 switch2-vlan20] quit
# Configure GigabitEthernet 1/0/1 that connects Layer 2 switch 2 to Layer 3 switch 2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.
[L2 switch2] interface gigabitEthernet 1/0/1
[L2 switch2-GigabitEthernet1/0/1] port link-type trunk
[L2 switch2-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[L2 switch2-GigabitEthernet1/0/1] port trunk permit vlan 20
[L2 switch2-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 that connects Layer 2 switch 2 to the AP as a trunk port, remove the port from VLAN 1, assign the port to VLAN 20, set the PVID to 20 so that untagged frames from the AP are placed in VLAN 20, and enable PoE.
[L2 switch2] interface gigabitEthernet 1/0/2
[L2 switch2-GigabitEthernet1/0/2] port link-type trunk
[L2 switch2-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[L2 switch2-GigabitEthernet1/0/2] port trunk permit vlan 20
[L2 switch2-GigabitEthernet1/0/2] port trunk pvid vlan 20
[L2 switch2-GigabitEthernet1/0/2] poe enable
[L2 switch2-GigabitEthernet1/0/2] quit
Configuring AC 2
304. Configure interfaces on AC 2:
# Create VLAN 20 and VLAN-interface 20, and assign an IP address to the interface. The virtual AP uses this IP address (the ac-address configured on AC 3) to establish a CAPWAP tunnel with the AC.
<AC2> system-view
[AC2] vlan 20
[AC2-vlan20] quit
[AC2] interface vlan-interface 20
[AC2-Vlan-interface20] ip address 173.22.1.3 255.255.0.0
[AC2-Vlan-interface20] quit
# Create VLAN 40 and VLAN-interface 40, and assign an IP address to the interface. External guests use this service VLAN to access the WLAN.
[AC2] vlan 40
[AC2-vlan40] quit
[AC2] interface vlan-interface 40
[AC2-Vlan-interface40] ip address 112.40.0.2 255.255.0.0
[AC2-Vlan-interface40] quit
# Configure GigabitEthernet 1/0/1 that connects AC 2 in the external network to Layer 3 switch 2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20 and VLAN 40.
[AC2] interface gigabitethernet 1/0/1
[AC2-GigabitEthernet1/0/1] port link-type trunk
[AC2-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC2-GigabitEthernet1/0/1] port trunk permit vlan 20 40
[AC2-GigabitEthernet1/0/1] quit
# Configure a static route for the AC to reach the IMC server.
[AC2] ip route-static 173.18.5.100 32 173.22.1.2
305. Configure a virtual AP:
# Create virtual AP virtual-ap1 and specify the AP model as WA6322.
[AC2] wlan virtual-ap virtual-ap1 model WA6322
# Specify the serial number of the virtual AP as 219801A23U8204P000C3, which is the serial number of the physical AP.
[AC2-wlan-virtual-ap-virtual-ap1] serial-id 219801A23U8204P000C3
[AC2-wlan-virtual-ap-virtual-ap1] quit
306. Configure the RADIUS scheme.
# Create RADIUS scheme office and enter its view.
[AC2] radius scheme office
# Specify the primary authentication server, primary accounting server, and authentication and accounting key.
[AC2-radius-office] primary authentication 173.18.5.100
[AC2-radius-office] primary accounting 173.18.5.100
[AC2-radius-office] key authentication simple 12345678
[AC2-radius-office] key accounting simple 12345678
# Configure the device to exclude domain names in usernames sent to the RADIUS server.
[AC2-radius-office] user-name-format without-domain
# Specify the source IP address of RADIUS packets as 173.22.1.3.
[AC2-radius-office] nas-ip 173.22.1.3
[AC2-radius-office] quit
# Enable RADIUS session control.
[AC2] radius session-control enable
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[AC2] radius dynamic-author server
# Specify a session-control client with IP address 173.18.5.100 and shared key 12345678 in plaintext form.
[AC2-radius-da-server] client ip 173.18.5.100 key simple 12345678
[AC2-radius-da-server] quit
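The RADIUS scheme above (and the matching one on AC 3 in step 289) only works if the shared key and the nas-ip agree with the access device entry registered on the iMC server (step 312): the server identifies the NAS by source address and silently discards anything whose Message-Authenticator does not verify under that device's key, and the AC in turn must verify the Response Authenticator before trusting an Access-Accept. The following Python script is an added example, not H3C or iMC code, and models that exchange offline with the standard library: it builds an Access-Request with the User-Password hidden per RFC 2865 and a Message-Authenticator per RFC 2869, has a simulated server look the NAS up in its access device list and check the password, and has the NAS validate the reply. The identifier 7, the account dot1x/12345678, the nas-ip 173.22.1.3 and the wrong-key and unknown-NAS cases are constructed values for this example; PAP is used so the password check is visible, whereas the 802.1X users on this page authenticate with EAP-PEAP relayed to the server.

```python
"""Offline model of the RADIUS Access-Request/Access-Accept exchange between a NAS
(the AC) and the iMC RADIUS server. Added example, not H3C or iMC code; packet
formats follow RFC 2865 (password hiding, Response Authenticator) and RFC 2869."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def _attr(atype, value):  # one Type-Length-Value attribute
    return bytes([atype, len(value) + 2]) + value

def _parse_attrs(body):
    attrs, pos = [], 0
    while pos < len(body):
        atype, alen = body[pos], body[pos + 1]
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def _message_authenticator(header, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator zeroed."""
    body = b"".join(_attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.new(secret, header + body, hashlib.md5).digest()

def build_access_request(ident, secret, username, password, nas_ip):
    """What the AC sends for a user of ISP domain office1/office2 (PAP shown for brevity)."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),  # the nas-ip set in the scheme
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    length = 20 + sum(len(v) + 2 for _, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    attrs[-1] = (MESSAGE_AUTHENTICATOR, _message_authenticator(header, attrs, secret))
    return header + b"".join(_attr(t, v) for t, v in attrs)

def server_respond(request, access_devices, users):
    """Server side. access_devices maps NAS-IP -> shared key (the iMC access device
    list); users maps account -> password. None means silently discarded (RFC 2865)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    by_type = dict(attrs)
    nas = by_type.get(NAS_IP_ADDRESS, b"")
    secret = access_devices.get(socket.inet_ntoa(nas)) if len(nas) == 4 else None
    if code != ACCESS_REQUEST or secret is None:
        return None  # unknown access device (wrong Start IP in iMC): no reply at all
    expected = _message_authenticator(request[:20], attrs, secret)
    if not hmac.compare_digest(by_type.get(MESSAGE_AUTHENTICATOR, b""), expected):
        return None  # shared key mismatch or tampered packet: also dropped
    password = decrypt_password(by_type.get(USER_PASSWORD, b""), secret, req_auth)
    name = by_type.get(USER_NAME, b"").decode(errors="replace")
    ok = hmac.compare_digest(users.get(name, "").encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator (RFC 2865 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verifies(request, response, secret):
    """The NAS's check before acting on any reply: matching identifier and a
    Response Authenticator that validates under its own copy of the shared key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def run_exchange(nas_secret, access_devices, users, username="dot1x",
                 password="12345678", nas_ip="173.22.1.3"):
    """'accept', 'reject', 'dropped' (server never answered) or 'unverified'
    (an answer arrived whose authenticator does not match the NAS's key)."""
    request = build_access_request(7, nas_secret, username, password, nas_ip)
    response = server_respond(request, access_devices, users)
    if response is None:
        return "dropped"
    if not client_verifies(request, response, nas_secret):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    devices, users = {"173.22.1.3": b"12345678"}, {"dot1x": "12345678"}  # iMC steps 312 and 315
    print(run_exchange(b"12345678", devices, users), run_exchange(b"wrongkey", devices, users))
```

The two failure modes a practitioner sees in the field are both "no reply": a key typed differently on the AC and in the iMC access device, or a nas-ip that is not the Start IP registered there, make the server discard the request rather than send an Access-Reject, so the AC's RADIUS timers expire and the user is never told why. A wrong user password, by contrast, produces a verifiable Access-Reject.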
307. Configure the authentication domain.
# Create an ISP domain named office1 and enter its view.
[AC2] domain office1
# Perform RADIUS authentication, authorization, and accounting for LAN users based on scheme office.
[AC2-isp-office1] authentication lan-access radius-scheme office
[AC2-isp-office1] authorization lan-access radius-scheme office
[AC2-isp-office1] accounting lan-access radius-scheme office
# Set the idle timeout for users in ISP domain office1 to 15 minutes and the minimum traffic to 1024 bytes.
[AC2-isp-office1] authorization-attribute idle-cut 15 1024
[AC2-isp-office1] quit
# Create an ISP domain named office2 and enter its view.
[AC2] domain office2
# Perform RADIUS authentication, authorization, and accounting for portal users based on scheme office.
[AC2-isp-office2] authentication portal radius-scheme office
[AC2-isp-office2] authorization portal radius-scheme office
[AC2-isp-office2] accounting portal radius-scheme office
# Set the idle timeout for users in ISP domain office2 to 15 minutes and the minimum traffic to 1024 bytes.
[AC2-isp-office2] authorization-attribute idle-cut 15 1024
[AC2-isp-office2] quit
308. Configure MAC authentication:
# Configure a shared account for MAC authentication users, and set the username to h3cmac and password to plaintext string of 12345678.
[AC2] mac-authentication user-name-format fixed account h3cmac password simple 12345678
# Create wireless service template 1 and set the SSID to out-mac.
[AC2] wlan service-template 1
[AC2-wlan-st-1] ssid out-mac
# Specify VLAN 40 for the service template.
[AC2-wlan-st-1] vlan 40
# Set the authentication mode to mac and specify ISP domain office1 as the authentication domain.
[AC2-wlan-st-1] client-security authentication-mode mac
[AC2-wlan-st-1] mac-authentication domain office1
# Enable the wireless service template.
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
309. Configure 802.1X authentication.
# Configure 802.1X authentication to use the EAP relay method.
[AC2] dot1x authentication-method eap
# Create wireless service template 2 and set the SSID to out-1x.
[AC2] wlan service-template 2
[AC2-wlan-st-2] ssid out-1x
# Specify VLAN 40 for the service template.
[AC2-wlan-st-2] vlan 40
# Specify the AKM mode as 802.1X, cipher suite as CCMP, and security IE as RSN.
[AC2-wlan-st-2] akm mode dot1x
[AC2-wlan-st-2] cipher-suite ccmp
[AC2-wlan-st-2] security-ie rsn
# Set the authentication mode to dot1x and specify ISP domain office1 as the authentication domain.
[AC2-wlan-st-2] client-security authentication-mode dot1x
[AC2-wlan-st-2] dot1x domain office1
# Enable the wireless service template.
[AC2-wlan-st-2] service-template enable
[AC2-wlan-st-2] quit
310. Configure portal authentication
# Specify the name of the portal authentication server as newpt and the server address as 173.18.5.100. Set the destination UDP port number to 50100 for the device to send unsolicited portal packets to the portal authentication server.
[AC2] portal server newpt
[AC2-portal-server-newpt] ip 173.18.5.100 key simple 12345678
[AC2-portal-server-newpt] port 50100
[AC2-portal-server-newpt] quit
# Specify the URL of the portal Web server as http://173.18.5.100:8080/portal.
[AC2] portal web-server wbportal
[AC2-portal-websvr-wbportal] url http://173.18.5.100:8080/portal
[AC2-portal-websvr-wbportal] quit
# Configure IPv4-based portal-free rule 0 to permit unauthenticated traffic to the portal Web server. Note that the 24-bit mask matches the entire 173.18.5.0/24 subnet, not only 173.18.5.100; use a 32-bit mask if only the server should be reachable before authentication.
[AC2] portal free-rule 0 destination ip 173.18.5.100 24
# Configure two destination-based portal authentication-free rules to allow traffic to the DNS server.
[AC2] portal free-rule 1 destination ip any udp 53
[AC2] portal free-rule 2 destination ip any tcp 53
# Disable the Rule ARP entry feature for portal clients.
[AC2] undo portal refresh arp enable
# Enable validity check on wireless portal clients.
[AC2] portal host-check enable
# Create wireless service template 3 and set the SSID to out-portal.
[AC2] wlan service-template 3
[AC2-wlan-st-3] ssid out-portal
# Specify VLAN 40 for the service template.
[AC2-wlan-st-3] vlan 40
# Enable direct portal authentication on wireless service template 3.
[AC2-wlan-st-3] portal enable method direct
# Configure portal users to use authentication domain office2.
[AC2-wlan-st-3] portal domain office2
# Apply portal Web server wbportal to wireless service template 3.
[AC2-wlan-st-3] portal apply web-server wbportal
# Specify the value of the BAS-IP attribute in portal packets sent to the portal authentication server as 173.22.1.3.
[AC2-wlan-st-3] portal bas-ip 173.22.1.3
# Enable wireless service template 3.
[AC2-wlan-st-3] service-template enable
[AC2-wlan-st-3] quit
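The portal-free rules in this step (and the equivalent ones for 173.18.4.100 on AC 3 in step 293) define exactly what an unauthenticated client on the portal SSID can reach, so it is worth checking what they open rather than reading the comments. The Python script below is an added example, not page or vendor code: it parses the three free-rule commands configured above, answers whether a given destination/protocol/port is reachable before authentication, and flags rules that reach beyond a single host or a single port. It handles only the two command forms used on this page (destination ip with a mask or mask length, and destination ip any with a tcp or udp port); the rule lines are constructed copies of the commands above, and the narrowed /32 rule at the end is a suggested variant, not part of the configuration.

```python
"""Evaluate H3C portal-free rules: which destinations an unauthenticated portal
client can already reach. Added example, not page or vendor code; it handles only
the two command forms used in this configuration."""
import ipaddress

# Constructed copy of the free rules configured on AC 2 above.
FREE_RULES = [
    "portal free-rule 0 destination ip 173.18.5.100 24",
    "portal free-rule 1 destination ip any udp 53",
    "portal free-rule 2 destination ip any tcp 53",
]

def parse_free_rule(line):
    """portal free-rule <n> destination ip { <addr> <mask-length|mask> | any } [ tcp|udp <port> ]"""
    t = line.split()
    if t[:2] != ["portal", "free-rule"] or t[3:5] != ["destination", "ip"]:
        raise ValueError("unsupported rule form: " + line)
    rule = {"id": int(t[2]), "net": None, "proto": None, "port": None}
    rest = t[5:]
    if rest[0] == "any":
        rest = rest[1:]
    else:
        addr, rest = rest[0], rest[1:]
        mask = "32"
        if rest and rest[0] not in ("tcp", "udp"):
            mask, rest = rest[0], rest[1:]
        # strict=False keeps host bits: 173.18.5.100/24 becomes 173.18.5.0/24
        rule["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if rest:
        rule["proto"], rule["port"] = rest[0], int(rest[1])
    return rule

def matching_rule(rules, dst_ip, proto, port):
    """Return the id of the first free rule that lets a pre-authentication flow
    to dst_ip/proto/port through, or None if the portal intercepts it."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["net"] is not None and dst not in r["net"]:
            continue
        if r["proto"] is not None and (r["proto"], r["port"]) != (proto, port):
            continue
        return r["id"]
    return None

def audit(rules):
    """Flag rules that open all ports on more than one host, or one port to every
    destination, so the reviewer can decide whether that is intended."""
    findings = []
    for r in rules:
        if r["net"] is not None and r["net"].num_addresses > 1 and r["proto"] is None:
            findings.append(f"rule {r['id']}: all ports to {r['net']} "
                            f"({r['net'].num_addresses} addresses), not just one server")
        if r["net"] is None and r["proto"] is not None:
            findings.append(f"rule {r['id']}: {r['proto']}/{r['port']} to any destination before authentication")
    return findings

if __name__ == "__main__":
    rules = [parse_free_rule(line) for line in FREE_RULES]
    print(matching_rule(rules, "173.18.5.100", "tcp", 8080))  # 0: the portal Web server
    print(matching_rule(rules, "173.18.5.7", "tcp", 22))      # 0: every host in the /24
    print(matching_rule(rules, "8.8.8.8", "udp", 53))         # 1: DNS to anywhere
    print(matching_rule(rules, "8.8.8.8", "tcp", 443))        # None: redirected to the portal
    for finding in audit(rules):
        print(finding)
    narrowed = parse_free_rule("portal free-rule 0 destination ip 173.18.5.100 32")
    print(matching_rule([narrowed], "173.18.5.7", "tcp", 22))  # None with a host mask
```

The audit shows two things the comments do not: with the 24-bit mask, rule 0 exposes every port of every host in 173.18.5.0/24 to clients that have not logged in, and rules 1 and 2 let DNS reach any resolver on the Internet before authentication. The first is usually a typo for a /32; the second is inherent to portal redirection (the client must resolve the name it is redirected to) but is worth knowing about when you decide whether to restrict it to the 112.40.0.3 resolver handed out by DHCP.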
311. Bind the service templates:
# Bind wireless service templates 1, 2, and 3 to radio 1 on virtual AP virtual-ap1.
[AC2] wlan virtual-ap virtual-ap1
[AC2-wlan-virtual-ap-virtual-ap1] radio 1
[AC2-wlan-virtual-ap-virtual-ap1-radio-1] service-template 1
[AC2-wlan-virtual-ap-virtual-ap1-radio-1] service-template 2
[AC2-wlan-virtual-ap-virtual-ap1-radio-1] service-template 3
[AC2-wlan-virtual-ap-virtual-ap1-radio-1] quit
[AC2-wlan-virtual-ap-virtual-ap1] quit
Configuring the IMC server in the external network
NOTE: This section uses iMC PLAT 7.1(E0303P10) and iMC UAM 7.1(E0303P10) as an example to illustrate basic configuration of the RADIUS server and portal server.
Configuring the RADIUS server
312. Add access devices:
# Add access device AC2.
Log in to the IMC management platform, click the User tab, and select User Access Policy > Access Device Management > Access Device in the left navigation pane. Then, click Add.
¡ In the Access Configuration area, set the shared key to 12345678, which must be the same as the key configured on AC 2 in the external network.
¡ In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 173.22.1.3 in the Start IP field and then click OK. The address is the NAS-IP address configured for the RADIUS scheme on AC 2.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 26 Adding access device AC 2

313. Add access policies:
Click the User tab. From the navigation tree, select User Access Policy > Access Policy.
# Create a MAC authentication access policy.
Click Add to open the Add Access Policy page and create a MAC authentication access policy.
¡ Specify the policy name as mac.
¡ Retain the default settings in the other fields and then click OK.
Figure 27 Adding a MAC authentication policy
# Create an 802.1X authentication policy.
Click Add to open the Add Access Policy page and create an 802.1X authentication access policy.
¡ Specify the policy name as dot1x.
¡ Select the EAP authentication method, select EAP-PEAP Auth as the certificate type, and select EAP-MSCHAPv2 Auth as the certificate sub-type. The certificate sub-type on the IMC server must be the same as the authentication method configured on the client.
¡ Retain the default settings in the other fields and then click OK.
Figure 28 Adding an 802.1X authentication policy
# Create a portal authentication policy.
Click Add to open the Add Access Policy page and create a portal authentication access policy.
¡ Specify the policy name as portal.
¡ Retain the default settings in the other fields and then click OK.
Figure 29 Adding a portal authentication policy
314. Add access services:
Click the User tab. From the navigation tree, select User Access Policy > Access Service.
# Create a MAC authentication access service.
Click Add to open the Add Access Service page.
¡ Specify the service name as mac.
¡ Select access policy mac as the default access policy.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 30 Adding a MAC authentication access service
# Create an 802.1X authentication access service.
Click Add to open the Add Access Service page.
¡ Specify the service name as dot1x.
¡ Select access policy dot1x as the default access policy.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 31 Adding an 802.1X authentication access service
# Create a portal authentication access service.
Click Add to open the Add Access Service page.
¡ Specify the service name as portal.
¡ Select access policy portal as the default access policy.
¡ Retain the default settings in the other fields.
¡ Click OK.
Figure 32 Adding a portal authentication access service
315. Add access users:
Click the User tab. From the navigation tree, select Access User > All Access Users.
# Add a MAC authentication access user.
Click Add to open the Add Access User page.
¡ Select a MAC authentication user. If no available user exists, click Add User to add a new user.
¡ Specify the account name as h3cmac and password as 12345678.
¡ Select service mac as the access service.
¡ Click OK.
Figure 33 Adding a MAC authentication access user

# Add an 802.1X authentication access user.
Click Add to open the Add Access User page.
¡ Select a user. If no available user exists, click Add User to add a new user.
¡ Specify the account name as dot1x and password as 12345678.
¡ Select service dot1x as the access service.
¡ Click OK.
Figure 34 Adding an 802.1X authentication access user

# Add a portal authentication access user.
Click Add to open the Add Access User page.
¡ Select a user. If no available user exists, click Add User to add a new user.
¡ Specify the account name as portal and password as 12345678.
¡ Select service portal as the access service.
¡ Click OK.
Figure 35 Adding a portal authentication access user

Configuring the portal server
316. Configure an IP address group:
Click the User tab. From the navigation tree, select User Access Policy > Portal Service > IP Group. Click Add to open the Add IP Group page.
¡ Enter the IP group name.
¡ Enter the start IP address and end IP address of the IP group. Make sure the users' host IP addresses are in the IP group.
¡ Select a service group. This example uses the default group Ungrouped.
¡ Select Normal from the Action list.
Figure 36 Adding an IP address group

317. Add a portal device:
Click the User tab. From the navigation tree, select User Access Policy > Portal Service > Device.
# Add portal device AC 2.
Click Add to open the Add Device page.
¡ Specify the device name.
¡ Enter the IP address of the AC's interface connected to the client. In this example, the IP address of AC 2 in the external network is used, which is 173.22.1.3.
¡ Enter the key, which must be the same as the key configured on the AC. In this example, the key is 12345678.
Figure 37 Adding portal device AC 2

318. Associate portal devices with the IP address group:
Click the Port Group icon in the Operation field for device portal-out (the name assigned to AC 2 when it was added as a portal device), and then complete the following settings:
Click Add to open the Add Port Group page.
¡ Enter the port group name.
¡ Select CHAP as the authentication type.
¡ Select the IP address group. The IP address used by a user to access the network must be within this IP address group.
¡ Retain the default settings in the other fields.
Figure 38 Device list

Figure 39 Configuring a port group for portal device AC 2

# From the navigation tree, select User Access Policy > Service Parameters. Then, click Validate to make the configuration take effect.
Verifying the configuration
# Execute the display wlan virtual-ap { all | name ap-name } command on AC 2 in the external network to verify the online status of the virtual AP.
# Display information about all virtual APs.
<sysname> display wlan virtual-ap all
Total number of virtual-APs: 1
Total number of connected virtual-APs: 1
Total number of connected common virtual-APs: 1
Total number of connected virtual-WTUs: 0
Maximum supported APs: 3072
Remaining APs: 3071
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name              APID   State   Model     Serial ID
ap1                  1      R/M     WA6322    219801A23U8204P000C3