07-AD-Campus 6.2 Wireless Service Configuration Guide

Document version: 5W100-20230221

 

Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This document provides generic technical information, some of which might not be applicable to your products.

The information in this document is subject to change without notice.


Contents

Introduction
  About AD-Campus wireless configuration
  Network architecture design
  Deployment methods
  Wireless service configuration workflow
(Optional) Loopback configuration for access controller module deployment
  About loopback configuration
  Restrictions and guidelines
  Procedure
Configure wireless services
  Configure AC incorporation
    Configure the AC
    Configure the spine device
    Configure Unified Platform
  Configure the AC device group policy
    Add the AC to the fabric
    Configure an AAA policy
    Configure an 802.1X authentication policy
    Configure a MAC authentication policy or MAC-based quick portal authentication policy
    Install certificates
  Configure the wireless management network
    Create a wireless Layer 2 network domain
    Configure interface groups
  Configure AP association
    Configure the access interface
    Configure APs from WSM
    View AP information
    Configure group-based fit AP management
    Configure radios in bulk
  Configure wireless authentication parameters
    Configure wireless service policies
    Bind radios to wireless service policies
    Set the forwarding mode for a wireless service template
    Enable URL redirection for WLAN authentication clients
    Configure a page pushing policy
    View client authentication information
  Configure wireless guest access
  (Optional) Configure centralized forwarding
Configure wireless fail-permit
  Configure the controller
  Configure the AC
  Service switchover at fail-permit entering or exiting
Configure wireless N+1 networking
  Network diagrams
    1+1 dual-link backup networking
    N+1 networking
  Configure 1+1 dual-link backup
    Configure 1+1 dual-link backup
    Configure the master AC
    Configure the backup AC
  Configure N+1 networking
    Configure the AC from the Web interface
    Configure master AC 1
    Configure master AC 2
    Configure the backup AC
FAQs
  Wireless client authentication fails
    Possible reasons
    Solution
  MAC-based portal authentication page cannot be opened
    Possible reasons
    Solution
  AP switchover from fat to fit
  AC shared by multiple isolation domains do not support IP binding
  Routing policy required in service VPN when a large number of APs exist
  AP dual-uplink does not support auto aggregation
  AC stacking not recommended
  N+1 network restrictions and guidelines
  Operation and maintenance monitoring


Introduction

About AD-Campus wireless configuration

This document assumes that wired authentication has already been configured for the AD-Campus network and describes only how to add wireless services. Compared with wired services, wireless services additionally require an AC, APs, the WSM component, and their related configurations.

The AD-Campus wireless services use the AC+fit AP architecture, where the access controller (AC) manages and maintains all the APs in a unified way. All the AP configurations are saved on the AC and deployed to APs by the AC. The AC exchanges data packets and control packets with APs through Controlling and Provisioning of Wireless Access Point (CAPWAP) tunnels.

The WSM component is used to configure wireless service parameters such as AP template, radio, and wireless service template.

The wireless service group policy can be configured in the same way an IP policy controller is configured.

 

CAUTION:

·     If the environment requires only the SeerAnalyzer component, you can access the System > Deployment page of Unified Platform at deployment to deploy Oasis and SeerAnalyzer at the same time in a visible way.

·     If the environment requires only the WSM component, you can access the Deployment > Application page of Matrix at deployment to deploy Oasis and WSM one by one.

·     If the environment requires both the WSM and SeerAnalyzer components, first access the System > Deployment page of Unified Platform to deploy Oasis and SeerAnalyzer. Then, access the Deployment > Application page of Matrix to deploy WSM. Oasis installation is not required when you deploy WSM.

 

 

NOTE:

Figures in this document are for illustration only.

 

Network architecture design

Figure 1 Three-tier network architecture

 

Table 1 IP list

Item | Example | Description
Northbound service IP address of Unified Platform | 100.1.0.100 | Unified Platform login address
EIA | 100.1.0.100 | EIA server address
VLAN 4093 subnet (AC address in VLAN 4093) | 130.3.0.0/24 | IP address of VLAN-interface 4093 used to communicate with APs
VLAN 4094 subnet (AC incorporation address) | 130.1.0.0/24 | IP address of VLAN-interface 4094 used for the device to communicate with the controller

 

Deployment methods

AD-Campus supports the following AC deployment methods:

·     Out-of-path deployment: Connect an independent AC to a spine or leaf device.

·     Module deployment: Install an access controller module on a spine or leaf device.

 

CAUTION:

·     In module deployment, configure loopback to interconnect the access controller module with the spine or leaf device because the internal interface on the device does not support VXLAN forwarding. For more information, see "(Optional) Loopback configuration for access controller module deployment."

·     This document uses out-of-path deployment (independent AC connected to a spine device) as an example.

·     Configurations on the connected spine/leaf interface differ in out-of-path deployment and module deployment. Other wireless service configurations are the same in either mode.

·     As a best practice, do not configure AC stacking.

 

Wireless service configuration workflow

Figure 2 shows the wireless service configuration workflow. To use wireless services, you must configure the following:

1.     Create a wireless service management network for AC and AP communication from SeerEngine-Campus (the controller).

Create a Layer 2 network domain of the wireless type from SeerEngine-Campus for APs to obtain IP addresses and communicate with VLAN-interface 4093 of the AC. For the APs to obtain the AC's IP address through DHCP Option 43, configure the AC IP attribute for the subnet at wireless security group creation.

After coming online, an AP obtains an IP address and the AC's IP address, establishes CAPWAP tunnels with the AC through unicast packet exchange, and completes registration.

2.     Configure AC authentication parameters from SeerEngine-Campus.

AAA policies, MAC authentication, and 802.1X authentication must be configured from SeerEngine-Campus.

Before the configuration, use the IP address of VLAN-interface 4094 on the AC to add the AC to SeerEngine-Campus, and synchronize the AC to WSM.

3.     Configure wireless parameters and wireless services from WSM for the APs to provide wireless services.

AP (AP template), radio, and wireless service settings must be configured manually from WSM.

Before the configuration, use the IP address of VLAN-interface 4094 on the AC to add the AC to WSM.

4.     Create a Layer 2 network domain and a security group for user services from SeerEngine-Campus, and create users from EIA.

When the user Layer 2 network domain is created, SeerEngine-Campus automatically assigns a VLAN-VXLAN mapping whose VLAN is used for the wireless clients of the security group. You can also specify the mapping manually.

Local forwarding requires manually specifying the leaf downlink interface that connects the AP in the common policy group. After you specify the interface, SeerEngine-Campus configures authentication exemption for the VLAN on the leaf downlink interface and creates a service instance that maps the VLAN to the corresponding service VSI and group policy.

5.     Connect a wireless client to the SSID and perform authentication.

After connecting to the wireless signal, the client initiates authentication to EIA with the AC as the NAS, because the AC acts as the client authenticator. Once authentication succeeds, EIA notifies the AC to deploy the authorized VLAN (the VLAN corresponding to the security group), and the client's packets are forwarded in that VLAN.

Then, the AP or AC forwards the client traffic as configured.

    - If local forwarding is configured, the associated AP forwards client traffic (including DHCP packets) with the VLAN tag to the access switch. When the traffic arrives at the leaf layer, it is exempted from authentication and the service instance maps it directly to the service VSI and group policy. DHCP address assignment and service communication then proceed.

    - If centralized forwarding is configured, the associated AP forwards client traffic to the AC through the CAPWAP tunnel and VXLAN 4093. The AC de-encapsulates the traffic and forwards it with the VLAN tag to the spine or leaf layer. In centralized forwarding mode, SeerEngine-Campus creates a service instance for the user authorized VLAN on the interface that connects the spine or leaf to the AC, and forwards user traffic to the corresponding VSI and group policy.

Figure 2 Wireless service configuration flowchart

 

(Optional) Loopback configuration for access controller module deployment

 

NOTE:

This section is applicable only to access controller module deployment. Skip this section if independent AC deployment is used.

 

About loopback configuration

To achieve loopback and VXLAN forwarding, configure the following:

·     Configure QinQ on the internal connection port (XGE4/5/0/1 in this example) on the device plane to which the access controller module is attached.

·     Use optical fibers and transceiver modules to create an external loop between two interfaces on a VXLAN-capable interface module. Make sure STP is disabled on both interfaces.

    - Configure QinQ on one external loopback interface (XGE4/3/0/8 in this example) to establish a QinQ tunnel with the internal connection port.

    - Direct traffic from the access controller module to the other external loopback interface (XGE4/3/0/7 in this example).

Figure 3 Loopback network diagram

 

Restrictions and guidelines

On the two interfaces configured with loopback, permit only the QinQ VLAN, and execute the undo port trunk permit vlan qinq-vlan-id command on all other interfaces on the device.

If the access controller module is installed on a leaf device, disable DHCP snooping for the QinQ VLAN.

Procedure

1.     Configure the access controller module.

# Enable LLDP.
lldp global enable
#
# Enable STP.
undo stp vlan 2 to 4094 enable
stp mode pvst
stp global enable
#
# Configure the internal connection port on the module as a trunk port, and configure the port to permit traffic from all VLANs. The port will be used to communicate with other devices and the director.
interface Ten-GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan all
#
# If centralized forwarding is used, specify the VLANs for the security group after the security group is created.
vlan 3501 to 3503
#

2.     Configure the spine device on which the access controller module is installed. XGE4/5/0/1 is the internal connection port on the device plane that connects to XGE1/0/1 (the internal connection port on the access controller module). In actual deployment, you can aggregate multiple internal connection ports into an aggregate interface.

# Specify VLAN 4091 as the outer VLAN in QinQ.
vlan 4091
#
# Configure the internal connection port on the spine device as a trunk port, set the PVID to 4091, and enable QinQ.
interface Ten-GigabitEthernet4/5/0/1
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 4094
 port trunk pvid vlan 4091
 qinq enable
#
# Enable QinQ on external loopback interface XGE4/3/0/8 and disable STP.
interface Ten-GigabitEthernet4/3/0/8
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 4091
 port trunk pvid vlan 4091
 qinq enable
 undo stp enable
#
# Configure a service instance on external loopback interface XGE4/3/0/7 and disable STP.
interface Ten-GigabitEthernet4/3/0/7
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1 4091
 port trunk permit vlan 4093 to 4094
 port trunk pvid vlan 4091
 undo stp enable
 service-instance 4093
  encapsulation s-vid 4093
  xconnect vsi vsi4093
 service-instance 4094
  encapsulation s-vid 4094
  xconnect vsi vxlan4094
#


Configure wireless services

 

NOTE:

·     In AD-Campus 6.2, the wireless management Layer 2 domain and AC device group policy are configured on Unified Platform and deployed to the AC after the AC is incorporated.

·     The AP incorporation, radio, and wireless service template settings are configured on WSM and deployed to the AC after the AC is incorporated.

·     The interface parameters in the figures are for illustration only.

 

Configure AC incorporation

You must configure AC incorporation on the AC, spine device, Unified Platform, and WSM.

Configure the AC

In this example, the independent AC is connected to a spine device. It communicates with APs through VLAN 4093 and VXLAN 4093, and communicates with SeerEngine-Campus, EIA, and WSM through VLAN 4094.

1.     Configure VLAN-interface 4094 for SeerEngine-Campus and WSM to manage the AC.

#
interface Vlan-interface4094
 ip address 130.1.0.89 255.255.255.0
#

2.     Configure VLAN-interface 4093 for the AC to communicate with APs. APs use the IP address of the VLAN interface to establish CAPWAP tunnels with the AC.

#
interface Vlan-interface4093
 ip address 130.3.0.89 255.255.255.0
#

3.     Enable LLDP.

#
lldp global enable
#

4.     Configure STP to avoid loops.

#
undo stp vlan 2 to 4094 enable
stp mode pvst
stp global enable
#

5.     Configure SNMP and NETCONF parameters.

# Configure SNMP.
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent packet max-size 4094
#
# Configure NETCONF.
netconf soap http enable
netconf soap https enable
netconf ssh server enable //This configuration is required.
#

6.     Configure a local user named h3c and configure Telnet parameters for the AC to connect to SeerEngine-Campus.

#
local-user cui class manage
 password simple ADCampus123    //Set a password of 10 to 63 characters. Make sure the password contains characters from a minimum of two categories: digits, uppercase letters, lowercase letters, and special characters. Chinese characters, question marks (?), and spaces are not allowed. The password cannot contain the username or the reversed string of the username.
 service-type ftp
 service-type ssh telnet terminal http https
 authorization-attribute user-role network-admin
#
line vty 0 31
 authentication-mode scheme //The scheme mode is required.
 user-role network-admin
 user-role network-operator
#

7.     Specify the port that connects the AC to the spine device as a trunk port, permit traffic from VLANs 2 to 4094, and remove the port from VLAN 1.

#
interface Ten-GigabitEthernet1/0/9
 port link-type trunk
 undo port trunk permit vlan 1  //Remove the port from VLAN 1.
 port trunk permit vlan 2 to 4094
#

8.     Edit a configuration file locally and upload the configuration file to the AC. The configuration file will be deployed to APs after the APs come online.

Specify the uplink port of each AP as a trunk port, add the port to all VLANs, and specify the authorized ACL for MAC-based quick portal authentication. This ACL configuration is required if local forwarding is used.

Sample configuration file content is as follows:

interface GigabitEthernet1/0/1     //The AP interface might vary from your device.
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
#
interface GigabitEthernet1/0/2     //The AP interface might vary from your device.
 port link-type trunk
 port trunk permit vlan all
 dhcp snooping trust
#
acl advanced 3001
 rule 0 permit udp destination-port eq bootps
 rule 1 permit udp destination-port eq bootpc
 rule 2 permit udp destination-port eq dns
 rule 3 permit udp source-port eq dns
 rule 4 permit ip destination 100.1.0.100 0    //Permit the address of the Web server for MAC-based quick portal authentication.
 rule 5 permit ip source 100.1.0.100 0       //Permit the address of the Web server for MAC-based quick portal authentication.
 rule 10 deny ip
#
dhcp snooping enable
#
user-isolation vlan 3501 to 4000 permit-mac 0000-0000-0001   //Set the VLAN range and MAC address based on the actual network planning. The default VLAN range is 3501-4000, and the default MAC address is 0000-0000-0001. Traffic is relayed through the gateway, so the DHCP MAC address is consistent with the gateway MAC address. You can specify only one address.
user-isolation vlan 3501 to 4000 enable
#

 

 

NOTE:

·     To view the VLAN pool of the security group, navigate to Automation > Campus Network > Network Devices > VNID Pools > VLANs.

·     To view the VSI MAC address, navigate to Automation > Campus Network > Private Networks > Layer 2 Network Domain.

 

If the application scenario does not match the default scenario of the AD-Campus solution, you can modify the configuration as needed. For example:

# Permit Layer 2 packet exchange between clients and the gateway (0123-4567-89ab) or the DHCP servers (aaaa-aaaa-aaaa and bbbb-bbbb-bbbb).
#
user-isolation vlan 3501 permit-mac 0123-4567-89ab aaaa-aaaa-aaaa bbbb-bbbb-bbbb
user-isolation vlan 3501 enable
# The configuration method is similar for the other Layer 2 network domains.

 

IMPORTANT:

·     In the AP configuration file, configure VLAN-based user isolation to isolate wired-to-wireless broadcast, multicast, and unicast traffic and traffic between wireless clients. You must first permit the MAC addresses of the gateway and the DHCP server, and any other MAC addresses that require Layer 2 access. If the MAC address of the DHCP server or gateway changes, update the permitted MAC addresses promptly. If backup devices that require Layer 2 access exist, you must also permit their MAC addresses.

·     Port isolation must be configured on the downlink interfaces on all access switches.

 

Deploy the configuration file to APs in the default AP group. The command execution view varies by device model.

# In AP group view:
#
wlan ap-group default-group
 map-configuration cfa0:/ad.txt
#

# In an AP group's AP model view:
#
wlan ap-group default-group
 ap-model WA4320i-ACN
  map-configuration cfa0:/ad.txt
#

9.     Set the idle period before client reauthentication and configure the dynamic blacklist to take effect on the AC. This ensures that wireless clients can come online and obtain an IP address quickly after being logged off by MAC-based quick portal authentication.

#

wlan client reauthentication-period

undo wlan dynamic-blacklist active-on-ap

#

 

 

NOTE:

The default idle period before client reauthentication is 10 seconds. If clients cannot be logged off or fail to come online again, adjust the idle period.

 

10.     Add routes for the AC to communicate with SeerEngine-Campus, WSM, and EIA. Make sure the IP address of VLAN-interface 4094 on the AC can successfully ping the service IP addresses of SeerEngine-Campus, EIA, and WSM.

11.     If AC stacking is configured, execute irf mac-address persistent always.

12.     If the AC uses alarm notifications to update AP status, execute snmp-agent trap enable wlan capwap.
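The requirements stated in the AC procedure above (NETCONF over SSH in step 5, scheme authentication on VTY lines and the password policy in step 6, trunk ports removed from VLAN 1 in step 7, and the AP uplink ACL closing with a deny in step 8) can be checked mechanically on a saved configuration before the AC is incorporated. The following audit script is an added example, not H3C tooling; the configuration text it parses is constructed to resemble the snippets in this section, and the SNMP default-community check is an added hardening check that the page itself does not state.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on this section's snippets (addresses as on the page).
# The password and the trunk port are deliberately non-compliant to produce findings.
SAMPLE_CONFIG = """\
#
snmp-agent community write private
snmp-agent community read public
#
netconf ssh server enable
#
local-user cui class manage
 password simple cui123
 authorization-attribute user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-admin
#
interface Ten-GigabitEthernet1/0/9
 port link-type trunk
 port trunk permit vlan 2 to 4094
#
acl advanced 3001
 rule 0 permit udp destination-port eq bootps
 rule 4 permit ip destination 100.1.0.100 0
 rule 10 deny ip
#
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split a Comware-style config into (command, [indented sub-commands]);
    a '#' line or the next unindented command closes the open block."""
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
        elif line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def password_ok(password: str, username: str) -> bool:
    """Rule from step 6: 10 to 63 characters, at least two of digits/upper/lower/
    special, no '?' or spaces, ASCII only (no Chinese characters), and neither
    the username nor its reverse may appear in the password."""
    if not 10 <= len(password) <= 63:
        return False
    if "?" in password or " " in password or any(ord(c) > 0x7F for c in password):
        return False
    if username in password or username[::-1] in password:
        return False
    categories = sum([any(c.isdigit() for c in password), any(c.isupper() for c in password),
                      any(c.islower() for c in password), any(not c.isalnum() for c in password)])
    return categories >= 2


def audit(text: str) -> List[str]:
    """Return one finding per requirement of this section that the config misses."""
    findings: List[str] = []
    blocks = parse_blocks(text)
    # Step 5: NETCONF over SSH is required for the controller to manage the AC.
    if not any(header == "netconf ssh server enable" for header, _ in blocks):
        findings.append("netconf ssh server enable is missing")
    for header, body in blocks:
        words = header.split()
        # Added hardening check, not a page requirement: well-known default communities.
        m = re.match(r"snmp-agent community (?:read|write) (\S+)", header)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"{header}: default community string")
        # Step 6: management user password policy.
        if words[:1] == ["local-user"] and len(words) > 1:
            for cmd in body:
                pw = re.match(r"password simple (\S+)", cmd)
                if pw and not password_ok(pw.group(1), words[1]):
                    findings.append(f"{header}: password violates the stated policy")
        # Step 6: VTY lines must use scheme (AAA) authentication.
        if header.startswith("line vty") and "authentication-mode scheme" not in body:
            findings.append(f"{header}: authentication-mode scheme is missing")
        # Step 7: trunk ports are removed from VLAN 1 ('undo port trunk permit vlan 1 ...').
        if header.startswith("interface") and "port link-type trunk" in body:
            if not any(c.split()[:5] == ["undo", "port", "trunk", "permit", "vlan"]
                       and "1" in c.split()[5:] for c in body):
                findings.append(f"{header}: not removed from VLAN 1")
        # Step 8: the AP uplink ACL must close with an explicit deny.
        if header.startswith("acl advanced"):
            rules = [c for c in body if c.startswith("rule ")]
            if not rules or rules[-1].split()[2:] != ["deny", "ip"]:
                findings.append(f"{header}: last rule is not 'deny ip'")
    return findings
```

Run `audit()` over the output of `display current-configuration` saved to a file; an empty list means every checked requirement is met.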

Configure the spine device

1.     Specify the port that connects to the AC as a trunk port, permit VLAN 4094, and remove the port from VLAN 1.

#
interface Ten-GigabitEthernet0/0/15
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1 //Remove the port from VLAN 1.
 port trunk permit vlan 4094
#

2.     Configure a service instance on the port that connects to the AC, and bind VLAN 4094 and VSI 4094. The instance will be used for management tunnel and control tunnel connection.

#
interface Ten-GigabitEthernet0/0/15
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 4094
 service-instance 4094
  encapsulation s-vid 4094
  xconnect vsi vxlan4094
#

3.     If the spine uses DRNI, configure the DR interface between the spine and the AC, and manually configure an aggregate interface on the AC.

Configuration on the spine device is as follows:

#
interface Bridge-Aggregation3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 4093 to 4094
 link-aggregation mode dynamic
 port drni group 3 allow-single-member
 #
 service-instance 4093
  encapsulation s-vid 4093
  xconnect vsi vsi4093
  arp detection trust
  ipv6 nd detection trust
 #
 service-instance 4094
  encapsulation s-vid 4094
  xconnect vsi vxlan4094
#

 

IMPORTANT:

In AD-Campus 6.2, you must configure the VXLAN 4094 service instance manually, but the VXLAN 4093 service instance does not require manual configuration. After the network administrator adds the interface to the AC access interface group from the controller, the system automatically deploys the VXLAN 4093 service instance. For more information, see "Configure interface groups."

 

Configure Unified Platform

1.     Navigate to the Monitor > Monitor List > Network > SNMP Devices page, click Add, and add the AC to Unified Platform.

Figure 4 Adding the AC to Unified Platform

 

Figure 5 Configuring the AC

 

2.     Select the AC, and then click Sync.

Figure 6 Synchronizing the AC

 

3.     Navigate to the Automation > Campus Network > Network Devices > Wireless Device page.

Figure 7 Viewing wireless devices

 

4.     Click the AC label to access the AC details page.

Figure 8 AC details page

 

5.     Click Configuration, click Modify NETCONF parameters, and then configure the following parameters:

¡     Username: Specify the username configured for the controller.

¡     Password: Specify the password configured for the controller.

Figure 9 Modifying NETCONF parameters

 

6.     Click OK.

Configure the AC device group policy

In the current software version, authentication-related configurations, including AAA, 802.1X, and MAC authentication, must be deployed by the controller to the AC.

Add the AC to the fabric

1.     Navigate to the Automation > Campus Network > Fabrics > Wireless Devices page, click Add, and add the AC to the fabric.

Figure 10 Viewing wireless devices in the fabric

 

2.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups page, and verify that the AC is added to the group automatically.

If the AC is not in the group, add the AC manually.

Figure 11 Viewing members in the general policy group

 

Configure an AAA policy

1.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups page, click Policy Template, and create an AAA policy as shown in the figure below. For more information, see AD-Campus 6.2 Fundamentals Configuration Guide.

Figure 12 Creating an AAA policy

 

IMPORTANT:

·     If an AAA policy has been created at wired authentication configuration, use the policy directly.

·     In AD-Campus 6.2, wired and wireless authentication can use the same AAA policy template. The controller deploys only applicable commands based on device type.

 

2.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups > AC Device Group page, and apply the policy to the AC device group.

Figure 13 Applying the AAA policy

 

3.     Verify that the AAA-related configurations (domain and RADIUS included) have been deployed to the AC.

#
domain campus
 authentication lan-access radius-scheme campus
 authorization lan-access radius-scheme campus
 accounting lan-access radius-scheme campus
#
domain system
#
domain default enable campus
#
radius session-control enable
radius session-control client ip 100.1.0.100 key cipher vkWV7FqgQN/
#
radius scheme campus
 primary authentication 100.1.0.100
 primary accounting 100.1.0.100
 accounting-on enable send 255 interval 15
 key authentication cipher $c$3$T1KCtkM5YaDZgEu2/ORW6xEyU0r3lw==
 key accounting cipher $c$3$i4zmpwdo6sr07HyDI5Efpe9pOGa1yQ==
 timer realtime-accounting 20
 user-name-format without-domain
#
radius dynamic-author server
 client ip 100.1.0.100 key cipher $c$3$p6J3kiw0nDY7BfIgjGXhSp1DtWJKSg==
#

4.     Navigate to Automation > User > Access Service > Access Device Management page, and verify that the AC has been added to EIA.

When it deploys the AAA commands to the AC, the controller automatically synchronizes the AC's access device information to EIA.

Figure 14 Viewing access devices

 

Configure an 802.1X authentication policy

 

NOTE:

You can configure 802.1X authentication, MAC authentication, or both.

 

1.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups page, click Policy Template, and create an 802.1X policy as shown in the figure below. For more information, see AD-Campus 6.2 Fundamentals Configuration Guide.

Figure 15 Creating an 802.1X authentication policy

 

IMPORTANT:

·     Wireless 802.1X authentication requires the EAP method. If an EAP authentication policy was already created during wired service configuration, reuse that policy.

·     In wireless 802.1X authentication, access services cannot be identified by service suffix, because the EAP method is used and the EAP relay device (the leaf) does not send the ISP domain to EIA.

 

2.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups > AC Device Group page, and apply the policy to the AC device group.

Figure 16 Applying the 802.1X policy

 

3.     Verify that the following configurations have been deployed to the AC:

#

 dot1x

 dot1x authentication-method eap

#

Configure a MAC authentication policy or MAC-based quick portal authentication policy

 

NOTE:

You can configure 802.1X authentication, MAC authentication, or both.

 

1.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups page, click Policy Template, and create a MAC or MAC-based quick portal authentication policy as shown in the figure below. For more information, see AD-Campus 6.2 Fundamentals Configuration Guide.

Figure 17 Creating a MAC authentication policy

 

2.     Navigate to the Automation > Campus Network > Fabrics > General Policy Groups > AC Device Group page, and apply the policy to the AC device group.

Figure 18 Applying the MAC authentication policy

 

3.     Verify that the MAC authentication and ACL configuration has been deployed to the AC. ACL 3001 (SDN_ACL_AUTH) is the ACL later authorized to BYOD users: it permits only DHCP, DNS, and traffic to and from the EIA server at 100.1.0.100, and denies all other IP traffic (rule 6):

#

 mac-authentication

 acl advanced 3001

  description SDN_ACL_AUTH

  rule 0 permit udp destination-port eq bootps

  rule 1 permit udp destination-port eq bootpc

  rule 2 permit udp destination-port eq dns

  rule 3 permit udp source-port eq dns

  rule 4 permit ip destination 100.1.0.100 0

  rule 5 permit ip source 100.1.0.100 0

  rule 6 deny ip

#
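As an added example (not H3C code), the following Python parses the deployed ACL text above exactly as the controller writes it and evaluates constructed pre-authentication flows against it, first match wins in ascending rule order, which is how the AC applies it. It shows what a client holding ACL 3001 can reach before it authenticates: DHCP, DNS to any address (rules 2 and 3 match on port only, not on the resolver's address), and EIA at 100.1.0.100; every other IP packet hits rule 6. The sample flows and client addresses are constructed for the example; the port names map to their standard IANA numbers.

```python
"""Parse an H3C advanced ACL as deployed to the AC and evaluate sample flows against it.
Added example, not H3C code. Only the rule syntax used in this guide is handled:
permit/deny, ip/udp/tcp, source/destination <addr> <wildcard>|any, source-port/destination-port eq <port>.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "dns": 53, "http": 80, "https": 443}

# The ACL exactly as the controller deploys it (copied from the verification step above).
ACL_3001 = """
acl advanced 3001
 description SDN_ACL_AUTH
 rule 0 permit udp destination-port eq bootps
 rule 1 permit udp destination-port eq bootpc
 rule 2 permit udp destination-port eq dns
 rule 3 permit udp source-port eq dns
 rule 4 permit ip destination 100.1.0.100 0
 rule 5 permit ip source 100.1.0.100 0
 rule 6 deny ip
"""


@dataclass
class Rule:
    number: int
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches every IP protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """H3C wildcard mask: a 0 bit must match, '0' is shorthand for 0.0.0.0 (exact host).
    Converted explicitly because ipaddress would read 0.0.0.0 as a /0 netmask."""
    w = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not handled in this example")
    return ipaddress.IPv4Network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_rule(line: str) -> Rule:
    tok = line.split()                        # e.g. rule 4 permit ip destination 100.1.0.100 0
    rule = Rule(number=int(tok[1]), action=tok[2], proto=tok[3])
    i = 4
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if tok[i + 1] == "any":
                net, i = None, i + 2
            else:
                net, i = wildcard_to_network(tok[i + 1], tok[i + 2]), i + 3
            setattr(rule, "src" if key == "source" else "dst", net)
        elif key in ("source-port", "destination-port"):
            if tok[i + 1] != "eq":
                raise ValueError(f"rule {rule.number}: only 'eq' port matches are handled here")
            port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            setattr(rule, "sport" if key == "source-port" else "dport", port)
            i += 3
        else:
            raise ValueError(f"rule {rule.number}: unhandled keyword {key!r}")
    return rule


def load_acl(text: str) -> List[Rule]:
    rules = [parse_rule(l) for l in text.splitlines() if l.strip().startswith("rule ")]
    return sorted(rules, key=lambda r: r.number)   # config match order: ascending rule ID


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, rule number); ('no-match', None) if no rule hit,
    which ACL 3001 avoids by ending with 'rule 6 deny ip'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.number
    return "no-match", None


# Constructed flows from a not-yet-authenticated client 10.3.5.20 (documentation addresses).
PRE_AUTH_FLOWS = {
    "dhcp discover":        ("udp", "0.0.0.0",   "255.255.255.255", 68, 67),
    "dns query":            ("udp", "10.3.5.20", "203.0.113.53",    51000, 53),
    "dns reply":            ("udp", "203.0.113.53", "10.3.5.20",    53, 51000),
    "portal to EIA":        ("tcp", "10.3.5.20", "100.1.0.100",     51001, 443),
    "https to internet":    ("tcp", "10.3.5.20", "198.51.100.10",   51002, 443),
    "udp/53 to any host":   ("udp", "10.3.5.20", "198.51.100.10",   51003, 53),
}


def check_flows(rules: Optional[List[Rule]] = None) -> Dict[str, Tuple[str, Optional[int]]]:
    rules = rules or load_acl(ACL_3001)
    return {name: evaluate(rules, *flow) for name, flow in PRE_AUTH_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:22s} -> {verdict}")
```

The last flow is the one to keep in mind when reviewing this ACL: any UDP packet to port 53 is permitted regardless of destination, so a pre-authentication client can talk to any host that listens on 53, not only the campus resolver.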

Install certificates

To use 802.1X authentication, install the certificate that your EAP method requires. If EAP-TLS mutual (bidirectional) authentication is not required, you can use the built-in certificate provided by H3C. If EAP-TLS mutual authentication is required, build your own CA and request a certificate from it. Note that a built-in certificate is not unique to your deployment, so for production use issue a server certificate from your own CA so that supplicants can validate the authentication server they are talking to.

To use the built-in certificate, navigate to the Automation > User Services > Service Parameters > Certificate page, and then click Import Built-in Certificate.

Figure 19 Importing built-in certificates

 

To use your own certificate, import it as follows:

·     Click the Root Certificate tab, and then click Import EAP Root Certificate to import the CA certificate.

·     Click the Server Certificate tab, and then import the EAP server certificate.

Figure 20 Importing an EAP root certificate

 

Configure the wireless management network

Perform this task to create a Layer 2 network domain of the wireless type and configure the DHCP server to assign IP addresses to APs and to advertise the AC's IP address (the address of VLAN-interface 4093) to them.

The uplink port of an AP connects to an access port with PVID 4093. Traffic from the AP is tagged with VLAN 4093 and mapped to service instance 4093 (VSI 4093). The AP obtains an IP address from the VSI 4093 address pool through DHCP, decodes the AC's IP address from DHCP Option 43 in the lease, establishes a CAPWAP tunnel with the AC through unicast packet exchange, and then registers with the AC.
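The Option 43 step described above, as an added example that is not H3C or AP firmware code: it encodes the AC address list into the vendor-specific sub-option a DHCP server would carry in Option 43, and decodes it the way an AP must, walking the TLV sub-options, skipping ones it does not know, and rejecting lengths that run past the end of the option. The sub-option layout assumed here (type 0x80, length, 2-byte server type 0x0000, 1-byte address count, then IPv4 addresses) follows the format H3C documents for its `option 43 hex` AC-address sub-option; confirm it against your DHCP server and AC documentation before relying on it. The addresses are the example values from this guide.

```python
"""Encode and decode the DHCP Option 43 sub-option that carries AC addresses to APs.
Added example, not H3C or AP firmware code. Layout assumed for the AC sub-option:
type 0x80, length, 2-byte server type 0x0000, 1-byte address count, count x 4-byte IPv4.
"""
import ipaddress
import struct
from typing import Dict, List

SUBOPT_AC_IPV4 = 0x80                  # assumed sub-option type for AC IPv4 addresses
SERVER_TYPE_AC = 0x0000                # assumed 2-byte server type field
SUBOPT_PAD, SUBOPT_END = 0x00, 0xFF    # RFC 2132 pad/end codes, also legal inside option 43


def encode_ac_option43(ac_addresses: List[str]) -> bytes:
    """Build the Option 43 payload for one or more AC addresses."""
    packed = [ipaddress.IPv4Address(a).packed for a in ac_addresses]
    if not 1 <= len(packed) <= 63:     # 3 + 4 * 63 = 255, the one-byte length limit
        raise ValueError("need 1..63 AC addresses")
    body = struct.pack("!HB", SERVER_TYPE_AC, len(packed)) + b"".join(packed)
    return struct.pack("!BB", SUBOPT_AC_IPV4, len(body)) + body


def parse_option43(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV sub-options; raise on a length that runs past the end of the option."""
    subopts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == SUBOPT_PAD:
            i += 1
            continue
        if code == SUBOPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option 0x{code:02x} runs past end of option")
        subopts[code] = value
        i += 2 + length
    return subopts


def decode_ac_addresses(data: bytes) -> List[str]:
    """Return the AC addresses an AP would extract, or [] if the AC sub-option is absent."""
    value = parse_option43(data).get(SUBOPT_AC_IPV4)
    if value is None:
        return []
    if len(value) < 3:
        raise ValueError("AC sub-option too short")
    server_type, count = struct.unpack("!HB", value[:3])
    if server_type != SERVER_TYPE_AC:
        raise ValueError(f"unexpected server type 0x{server_type:04x}")
    if len(value) != 3 + 4 * count:
        raise ValueError("address count does not match sub-option length")
    return [str(ipaddress.IPv4Address(value[3 + 4 * k:7 + 4 * k])) for k in range(count)]


def is_malformed(data: bytes) -> bool:
    """True when an AP should discard the option instead of trusting a partial decode."""
    try:
        decode_ac_addresses(data)
        return False
    except ValueError:
        return True


def cli_hex(data: bytes) -> str:
    """Hex string form, as used in a DHCP server's 'option 43 hex ...' command."""
    return data.hex().upper()


if __name__ == "__main__":
    opt = encode_ac_option43(["130.3.0.89"])    # the AC address used in this guide
    print(cli_hex(opt), decode_ac_addresses(opt))
```

DHCP itself is unauthenticated, so the decoded address is only as trustworthy as the server that answered; DHCP snooping with trust on the interfaces toward the legitimate server is the control that keeps a rogue server on an access port from steering APs to a different AC.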

Create a wireless Layer 2 network domain

1.     Navigate to the Automation > Campus Network > Private Networks > Layer 2 Network Domain page and create a Layer 2 network domain:

¡     Private Network: vpn-default.

¡     Type: Wireless.

¡     Subnet: The subnet of VLAN 4093.

Figure 21 Creating a Layer 2 network domain

 

¡     Wireless AC: Specify the AC's IP address as 130.3.0.89.

Figure 22 Specifying an AC

 

2.     Configure VPN, VSI, and VSI interface settings. The settings are the same as those for a user service security group of the common type. For more information, see the configuration for wired services.

3.     Configure DHCP. Unlike wired services, wireless services require the Option 43 field to be deployed to carry the AC's IP address. You must also add the IP address of VLAN-interface 4093 (the AC's address) to the excluded address list so that it is never leased to an AP.

To view Option43 field settings, navigate to the Automation > Campus Network > Network Parameters > DHCP > DHCP Server Info > Address Pool Details page.

Figure 23 Address pool information

 

IMPORTANT:

In multi-isolation domain scenarios, you must create a wireless Layer 2 network domain for each isolation domain, and specify the IP address of the AC that serves that isolation domain.

 

Configure interface groups

In AD-Campus 6.2, the system does not automatically deploy static service instances to leaf downlink ports. Manually add the leaf downlink ports that connect to APs, and the port that connects to the AC, to the corresponding interface groups. The controller then deploys the static service instances to the ports in those groups according to the configured wireless forwarding mode.

To configure interface groups:

1.     Navigate to Automation > Campus Network > Isolation Domain, create or edit an isolation domain, and specify the forwarding mode on the Advanced Settings tab.

Figure 24 Specifying the forwarding mode

 

 

NOTE:

·     The forwarding mode of a wireless service template can be set only on the AC itself. The setting in this step only determines where the controller deploys the static service instances.

·     In AD-Campus 6.2, you can set the forwarding mode of a wireless service template only from the AC CLI. For more information, see "Set the forwarding mode for a wireless service template."

·     In local forwarding, the system deploys only the 4093 service instance to the port connecting the AC to the spine, and the 4093 service instance plus the user service instances to the ports connecting APs to leafs.

·     In centralized forwarding, the system deploys the 4093 service instance plus the user service instances to the port connecting the AC to the spine, and only the 4093 service instance to the ports connecting APs to leafs.

 

2.     Configure the AP interface group for the AP-oriented leaf downlink interface (aggregate interface BAGG1 of the leaf at the left in the network diagram). Navigate to Automation > Campus Network > Network Devices > General Policy Groups, and add the interface to the AP Non-Direct Access Interface Group for Leafs group.

Figure 25 Adding the leaf interface to an interface group

 

After you add the interface to the interface group, the controller deploys the static service instances and the authentication-free VLAN configuration to the interface according to the wireless forwarding mode. For example:

#

interface Bridge-Aggregation1

 port link-type trunk

 port trunk permit vlan 1 101 to 3000 3504 to 3511 4090 4093 to 4094

 mac-based ac

 mac-authentication

 mac-authentication domain campus

 mac-authentication critical vsi vsi5 url-user-logoff

 port-security free-vlan 1 3504 to 3511 4090 4093 to 4094 //VLAN authentication free.

 #

  service-instance 3511   //Wireless service static service instance.

  encapsulation s-vid 3511 //Match the authorized VLAN.

  xconnect vsi vsi6 microsegment 3511 //Associate service VSI and group policy.

  arp detection trust

  ipv6 nd detection trust

 #

  service-instance 4093 //Used for the wireless management network.

  encapsulation s-vid 4093

  xconnect vsi vsi4093

  arp detection trust

  ipv6 nd detection trust

 #

 service-instance 4094

  encapsulation s-vid 4094

  xconnect vsi vxlan4094

#

As shown above, in local forwarding mode the system deploys the 4093 service instance, the service instance for the user service VLAN, and the authentication-free VLAN configuration to the leaf downlink interface. Static service instances are not deployed to leaf downlink interfaces that are not in the interface group.

3.     Configure the AC interface group for the interface connecting to the AC. Navigate to Automation > Campus Network > Network Devices > General Policy Groups, and add the interface that connects to the AC to the AC Access Interface Group. The interface is XGE0/0/15 in this example.

Figure 26 Adding the AC interface to the AC interface group

 

After you add the interface to the interface group, the controller deploys the static service instances to the interface according to the wireless forwarding mode. For example:

#

interface XGE0/0/15

 port link-mode bridge

 description to_AC

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 4093 to 4094

 #

  service-instance 4093 //Used for the wireless service management network.

  encapsulation s-vid 4093

  xconnect vsi vsi4093

 #

  service-instance 4094

  encapsulation s-vid 4094

  xconnect vsi vxlan4094

#

As shown above, in local forwarding mode the system deploys only the 4093 service instance to the AC-facing interface; the service instance for the user service VLAN is not deployed there.

4.     Configure the AP direct-access interface group for leafs.

 

 

NOTE:

·     This step is applicable only to WTs directly connected to leaf. Skip this step in common AP scenarios.

·     In this step, the AP interface group refers to the leaf interface that directly connects to the WT.

·     Unlike the other interface groups, the system deploys PVID 4093 and an untagged 4093 service instance to this interface group.

 

Navigate to Automation > Campus Network > Network Devices > General Policy Groups, and add the interface to the AP Direct-Access Interface Group for Leafs.

Figure 27 Adding the interface to the AP direct-access interface group for leafs

 

After you add the interface to the interface group, the controller deploys the static service instance and VLAN authentication-free configuration to the interface based on the wireless forwarding mode. For example:

#

interface Bridge-Aggregation998

 port link-type trunk

 port trunk permit vlan 1 3501 to 3508 4093

 port trunk pvid vlan 4093

 port-security free-vlan 3501 to 3508 4093

 #

 service-instance 3501

  encapsulation s-vid 3501

  xconnect vsi vsi4

  arp detection trust

 #

 service-instance 4093

  encapsulation untagged

  xconnect vsi vsi4093

  arp detection trust

#

Configure AP association

After setting up the wireless management network, connect the APs to the corresponding PoE-capable device (access or leaf device). After power-on, an AP automatically obtains an IP address and the AC's IP address, and registers with the AC through the wireless management network.

 

 

NOTE:

AP dual-uplink does not support automatic aggregation.

 

Configure the access interface

No manual configuration is required for access switches that come online through automated deployment. When a PoE-capable switch comes online, the system automatically deploys poe enable to its downlink interfaces. When an AP connects to the access switch, the switch changes the PVID of the interface to 4093 and permits all VLANs:

#

interface XGE1/0/21

 port link-type trunk

 port trunk permit vlan all

 port trunk pvid vlan 4093

 poe enable

#

For a manually added access switch, add the following configuration manually:

#

interface GigabitEthernet1/0/22

 port link-type trunk

 port trunk permit vlan all

 port trunk pvid vlan 4093

 poe enable

#

Configure APs from WSM

1.     Navigate to Automation > Campus Network > Network Device Groups > Wireless Devices > Related Links > Configuration Management, and click AP Configuration.

Figure 28 Configuring APs

 

2.     After an AP comes online and registers successfully, navigate to Monitor > Monitor List > Network > SNMP Devices, select the AC, and click Synchronize. Then, navigate to Automation > Campus Network > Network Devices > Wireless Devices, and verify that the AP state is online.

Figure 29 Verifying the AP state

 

 

NOTE:

If AP information is not displayed, navigate to Monitor > Monitor List > Network, select the AC, and click Synchronize.

 

View AP information

After an AP comes online, log in to the AC and verify that the AP state is R/M (Run/Master).

Figure 30 Verifying the AP state from the CLI on the AC

 

Configure group-based fit AP management

After incorporating APs, create a fit AP group and add the incorporated APs to the group.

To configure group-based fit AP management:

1.     Navigate to Automation > Campus Network > Network Devices > Wireless Devices > Related Links > Configuration Management.

2.     Click Fit AP Group Management.

Figure 31 AC Settings tab

 

3.     Click Add and add a fit AP group.

Figure 32 Adding a fit AP group

 

Figure 33 Configuring the fit AP group

 

4.     Click the fit APs icon and add APs to the group.

Figure 34 Group list

 

Figure 35 Adding APs to the group

 

Configure radios in bulk

After an AP registers successfully, you must change the radio state to up.

To configure radios in bulk:

1.     Navigate to Automation > Campus Network > Network Device Groups > Wireless Devices > Related Links > Configuration Management.

2.     Click Radio Bulk Config.

3.     Set the admin status to Up. Click Add, select the target radios, and then click OK.

Figure 36 Configuring radios in bulk

 

Configure wireless authentication parameters

Configure wireless service policies

A wireless service template on the AC (or wireless service policy in WSM) defines a set of wireless service attributes, including SSID and authentication method, and must be configured through WSM.

To configure a wireless service policy, navigate to Automation > Campus Network > Network Devices > Wireless Devices > Related Links > Configuration Management, click Service Policy Configuration, and then configure the policy.

Figure 37 Configuring a wireless service policy

 

Parameter description:

·     For 802.1X authentication, select the dot1x AKM mode, the RSN security IE, and the CCMP cipher suite. Specify a wireless internal VLAN that is not in use. The VLAN ID is in the range of 1 to 3500. Make sure the VLAN is not a user service VLAN.

Figure 38 Configuring a service policy (802.1X authentication)

 

·     For MAC and MAC-based quick portal authentication, select the psk AKM mode, the MAC authentication mode, the RSN security IE, and the CCMP cipher suite. Specify a wireless internal VLAN that is not in use. The VLAN ID is in the range of 1 to 3500. Make sure the VLAN is not a user service VLAN.

Figure 39 Configuring a service policy (MAC authentication)

 

After you configure a service policy through WSM, the system deploys the service template configuration to the AC. In this example, service template 1 uses 802.1X authentication and service template 2 uses MAC or MAC-based portal authentication.

#

wlan service-template 1

 ssid cui-dot1x1

 vlan 2889

 client forwarding-location ap

 akm mode dot1x

 cipher-suite ccmp

 security-ie rsn

 client-security authentication-mode dot1x

 service-template enable

#

wlan service-template 2

 ssid cui-mac1

 vlan 2888

 client forwarding-location ap

 akm mode psk

 preshared-key pass-phrase cipher $c$3$b98SQ

 cipher-suite ccmp

 security-ie rsn

 client url-redirect enable   //Required only for MAC-based portal authentication.

 client-security authentication-mode mac

 service-template enable

#

 

 

NOTE:

WPA+TKIP supports a maximum negotiated rate of 54 Mbps because 802.11n and later do not allow high-throughput rates with the TKIP cipher, and TKIP is a deprecated cipher in any case. As a best practice, use RSN+CCMP.

 

Bind radios to wireless service policies

Navigate to Automation > Campus Network > Wireless > AC Configuration > Service Policy Management, select the policy, add radios, and then click Bind Wireless Service to Radio.

Figure 40 Binding service policies to radios

 

Set the forwarding mode for a wireless service template

By default, service templates configured on an AC use centralized forwarding. To use local forwarding, change the forwarding mode as follows:

1.     Enter service template view, and execute undo service-template enable to disable the template.

2.     Execute client forwarding-location ap to enable local forwarding.

3.     Execute service-template enable to enable the template.

After modification, the template configuration is as follows:

#

wlan service-template dot1x1

 ssid cui-dot1x1

 vlan 2989

 client forwarding-location ap

 akm mode dot1x

 cipher-suite ccmp

 security-ie rsn

 client-security authentication-mode dot1x

 service-template enable

#

Enable URL redirection for WLAN authentication clients

 

NOTE:

·     Skip this section for 802.1X authentication and MAC authentication.

·     For MAC-based quick portal authentication, perform this task to enable URL redirection for WLAN authentication clients.

 

1.     Enter service template view, and execute undo service-template enable to disable the service template.

2.     Execute client url-redirect enable to enable URL redirection for WLAN authentication clients.

3.     Execute service-template enable to enable the service template.

After modification, the template configuration is as follows:

#

wlan service-template 2

 ssid cui-mac1

 vlan 2988

 client forwarding-location ap

 akm mode psk

 preshared-key pass-phrase cipher $c$3$b98SQ

 cipher-suite ccmp

 security-ie rsn

 client url-redirect enable

 client-security authentication-mode mac

 service-template enable

#

Configure a page pushing policy

 

NOTE:

·     Skip this section for 802.1X authentication.

·     Before configuring page pushing, configure BYOD users. For more information, see AD-Campus 6.2 Fundamentals Configuration Guide.

 

For MAC-based portal authentication, you can configure a page pushing policy from EIA to push a dedicated authentication page for wireless users.

To configure a page push policy:

1.     Navigate to Automation > User Business > Access Service > Access Condition > WHAT > Endpoint Type Group. Click Add and add an endpoint type group. Select the endpoint type as needed. Typically, the Smartphone type is selected.

Figure 41 Adding an endpoint type group

 

In this example, the endpoint type group name is test.

Figure 42 Endpoint group list

 

2.     Navigate to Automation > User Business > Access Service > Page Push Policy.

Figure 43 Page push policy list

 

3.     Click Add and configure a page push policy:

¡     Authentication Method: BYOD.

¡     Default Authentication Page: PC-Default PC Account Auth.

Figure 44 Adding a page push policy

 

4.     Add a subpolicy, specify test as the endpoint type group, and select PHONE-Default Phone Account Auth as the Login Page in the Strategy section.

Figure 45 Adding a subpolicy (1)

 

Figure 46 Adding a subpolicy (2)

 

5.     Click OK.

When a client that matches endpoint type group test attempts to come online, the smartphone MAC-based portal authentication page opens. In all other cases, the PC MAC-based portal authentication page opens.

View client authentication information

After the configuration, clients can come online.

View client authentication information on the AC

[WLAN_AC-probe]dis wlan client

Total number of clients: 1

MAC address     User name   AP name  RID  IP address  IPv6 address  VLAN

5cad-cf6f-694c  5cadcf6...  ap1      2    130.3.0.2                 3505

[WLAN_AC-probe]dis mac-authentication connection

Total connections: 1

User MAC address              : 5cad-cf6f-694c

AP name                       : ap-1

Radio ID                      : 2

SSID                          : cui-mac1

BSSID                         : 3897-d6de-57b1

Username                      : 5cadcf6f694c

Authentication domain         : campus

Initial VLAN                  : 2888

Authorization VLAN            : 3505    //VLAN authorized to the client after successful authentication. It is authentication-free at the leaf and mapped to the VXLAN of the corresponding Layer 2 network domain.

Authorization ACL number      : 3001    //ACL authorized to BYOD users. Only packets matching a permit rule in the ACL are allowed.

Authorization user profile    : N/A

Termination action            : Default

Session timeout period        : 86400 s

Online from                   : 2021/01/04 17:48:08

Online duration               : 0h 0m 9s

View client authentication information on the AP

[ap-1-probe]dis system  internal  wlan kernel client  all verbose              

Total number of kernel clients : 1                                             

                                                                               

 MAC Address                        : 5cad-cf6f-694c                           

 BSSID                              : 3897-d6de-57b1                           

 VLAN                               : 3505          //VLAN authorized to the client.

 Ap ID                              : 1                                        

 Radio ID                           : 2                                        

 Wlan ID                            : 2                                        

 AID                                : 1                                        

 Wireless mode                      : 8                                        

 Fwd Local                          : Yes           //Local forwarding mode.      

 Fwd Mode                           : 1                                        

 BSS Type                           : 0                                        

 Cipher Suite                       : 255                                      

 Crypto Filed Len                   : 0                                        

 WEP unicast key ID                 : 1                                        

 ACL group index                    : 3001          //Authorized ACL.         

 Authentication result              : 0                                        

 Qos Mode                           : 1                                         

 FP Status                          : No                                       

 Drv Context1                       : 2212495360                               

 Drv Context2                       : 10                                        

 Rssi                               : 7                                        

 URL length                         : 59         //If the URL length is larger than 0, it indicates that a URL for redirection has been deployed.

Configure wireless guest access

EIA identifies guests by endpoint type and SSID and pushes the corresponding MAC-based portal authentication page for guest registration and login.

Before configuring wireless guest access, configure BYOD users, guest services, and a wireless service policy for guests. For more information, see AD-Campus 6.2 Fundamentals Configuration Guide.

To configure wireless guest access:

1.     Configure an SSID group.

Navigate to Automation > User Business > Access Services > Access Conditions > SSID Group. Click Add to add an SSID group, and click Add in the SSID List section to add SSIDs to the group.

Figure 47 Adding an SSID group

 

2.     Configure an endpoint type group.

Navigate to Automation > User Business > Access Services > Access Conditions > WHAT > Endpoint Type Group. Create an endpoint type group of the Smartphone type. For more information, see "Configure a page pushing policy."

Figure 48 Adding an endpoint type group

 

3.     Configure a page push policy.

a.     Navigate to Automation > User Business > Access Services > Page Push Policy. Add a page push policy, and select the authentication type as BYOD.

Figure 49 Adding a page push policy

 

b.     Click the Edit icon for the policy and configure a subpolicy.

-     SSID Group: Select the SSID group created at step 1. In this example, the group name is visitor.

-     Endpoint Type Group: Select the endpoint type group created at step 2. In this example, the group name is phone.

-     Login Page: Select a login page. In this example, PHONE-SMS Auth, Account Auth, QR Code is selected.

c.     Click Confirm.

Figure 50 Adding a subpolicy (1)

 

Figure 51 Adding a subpolicy (2)

 

4.     Create a service template and set the SSID to visitor. For more information, see "Configure wireless authentication parameters."

When a guest uses a smartphone to connect to SSID visitor, the guest MAC-based portal authentication page opens.

(Optional) Configure centralized forwarding

 

NOTE:

·     Skip this section if local forwarding is used.

·     Service configuration procedures are similar for centralized forwarding and local forwarding. This section describes special configuration required by centralized forwarding.

 

1.     Select AC Centralized Forwarding Mode as the forwarding mode. For more information about the parameters, see "Configure interface groups."

Figure 52 Specifying the forwarding mode

 

2.     Log in to the AC CLI and enable centralized forwarding. For more information, see "Set the forwarding mode for a wireless service template."

#     

client forwarding-location ac

#

3.     If the AC is connected to the spine through out-of-path deployment, enable DHCP globally on the spine:

#     

dhcp enable

#

 

4.     If the AC is connected to the spine through out-of-path deployment, configure DHCP relay on the service VSI interface of the spine. The dhcp relay commands in the following example are the ones to add:

#

interface Vsi-interface8

 description SDN_VSI_Interface_8

 ip binding vpn-instance edu

 ip address 209.2.0.1 255.255.0.0

 mac-address 0000-0000-0001

 local-proxy-arp enable

 dhcp select relay proxy

 dhcp relay information circuit-id vxlan-port

 dhcp relay information enable

 dhcp relay server-address 8.0.0.172

 dhcp relay server-address 8.0.0.171

 dhcp relay source-address interface Vsi-interface4094

 dhcp relay request-from-tunnel discard

 distributed-gateway local

#

For more information about the parameters, see the configuration on the VSI interface of the leaf.

5.     Configure DHCP snooping so that DHCP server replies are accepted only on the trusted AC-facing interface:

# In system view:

dhcp snooping enable

# On the interface that connects to the AC:

dhcp snooping trust

Configure wireless fail-permit

Wireless fail-permit allows users to access the resources of a specific (critical) security group when the EIA server is unreachable or the AC-AP connection is lost.

Configure the controller

Add a critical Layer 2 network domain

Navigate to Automation > Campus Network > Private Networks > Layer 2 Network Domains, add a Layer 2 network domain, and specify the type as Critical.

Figure 53 Adding a critical Layer 2 network domain

 

Add a wireless critical security group

Navigate to Automation > Campus Network > Security Groups > User Security Groups, add a security group, and specify the type as Critical.

Figure 54 Adding a critical security group

 

Configure the AC

Configure 802.1X authentication

You must specify a dedicated critical service template for 802.1X authentication.

#

wlan service-template 1 //802.1X authentication service template

ssid UC_GY_1x

vlan 2001 //Any VLAN. This template's VLAN is not used during 802.1X fail-permit.

client forwarding-location ap //Local forwarding is required for fail-permit upon AP and AC disconnection.

fail-permit enable keep-online //Configure fail-permit and enable keep-online.

akm mode dot1x

cipher-suite ccmp

security-ie rsn

client-security authentication-mode dot1x

client-security accounting-start trigger ipv4-ipv6

client-security accounting-update trigger ipv4-ipv6

client ipv6-snooping nd-learning enable

client ipv6-snooping dhcpv6-learning enable

service-template enable

#

wlan service-template 3 //Critical service template that uses authentication free.

ssid UC_GY_critical

vlan 3514 //Specify the same VLAN as the critical security group for users to access the VLAN during fail-permit.

client forwarding-location ap //Local forwarding is required for fail-permit upon AP and AC disconnection.

fail-permit template //Designate this template as the critical template for 802.1X authentication. Only one dedicated critical template is supported, and fail-permit enable keep-online must be configured on the authentication service template.

client-security accounting-start trigger ipv4-ipv6

client-security accounting-update trigger ipv4-ipv6

client ipv6-snooping nd-learning enable

client ipv6-snooping dhcpv6-learning enable

service-template enable

#

For fail-permit to take effect, you must bind the critical service template to the corresponding radios.

radius-server test-profile testcritical username zzz interval 1 //RADIUS test profile, required. The username can be any value; it is used only to probe the server.

#

radius scheme v4

primary authentication 100.1.0.100 test-profile testcritical //Configure the RADIUS scheme to use the test profile.

primary accounting 100.1.0.100

accounting-on enable send 255 interval 15

key authentication cipher $c$3$rJlnUfyvw+AdKB/eDutHCMCieWNagUW6VrP4VgYe

key accounting cipher $c$3$eU7GEbl43aNqPqP6WdXzGMEno5Pc3Bw7ILkJfpri

timer realtime-accounting 5

user-name-format without-domain

Configure MAC authentication

A dedicated critical service template is not required for MAC authentication.

#

wlan service-template 2 //Service template for MAC-based portal authentication.

ssid UC_GY_mac-portal

vlan 3505 //If no dedicated critical service template is configured, this template is used as the critical template, so its VLAN must be the VLAN used during fail-permit.

client forwarding-location ap //Local forwarding is required for fail-permit upon AP and AC disconnection.

fail-permit enable keep-online //Configure fail-permit and enable keep-online.

akm mode psk

preshared-key pass-phrase cipher $c$3$mkm81XBTH0sEsLyJoog8h5woW9cseBfx+BBABQ==

cipher-suite ccmp

security-ie rsn

client url-redirect enable

client-security authentication-mode mac

client-security accounting-start trigger ipv4-ipv6

client-security accounting-update trigger ipv4-ipv6

client ipv6-snooping nd-learning enable

client ipv6-snooping dhcpv6-learning enable

service-template enable

#

wlan service-template 3 //Dedicated critical service template that uses authentication free.

ssid UC_GY_critical

vlan 3514 //Specify the same VLAN as the critical security group for users to access the VLAN during fail-permit.

client forwarding-location ap //Local forwarding is required for fail-permit upon AP and AC disconnection.

fail-permit template //Specify the template as the critical template for 802.1X authentication. Only one dedicated critical template is supported. You must execute fail-permit enable keep-online for the authentication service template.

client-security accounting-start trigger ipv4-ipv6

client-security accounting-update trigger ipv4-ipv6

client ipv6-snooping nd-learning enable

client ipv6-snooping dhcpv6-learning enable

service-template enable

#

For fail-permit to take effect, you must bind the critical service template to the corresponding radios.

radius-server test-profile testcritical username zzz interval 1 //RADIUS test profile. The configuration is required.

#

radius scheme v4

primary authentication 100.1.0.100 test-profile testcritical //Configure the RADIUS scheme to use the test profile.

primary accounting 100.1.0.100

accounting-on enable send 255 interval 15

key authentication cipher $c$3$rJlnUfyvw+AdKB/eDutHCMCieWNagUW6VrP4VgYe

key accounting cipher $c$3$eU7GEbl43aNqPqP6WdXzGMEno5Pc3Bw7ILkJfpri

timer realtime-accounting 5

user-name-format without-domain


NOTE:

·     If fail-permit is not required for AC-AP disconnection conditions, you can configure centralized forwarding.

·     MAC authentication does not require a dedicated critical template. For 802.1X authentication and combined MAC and 802.1X authentication, you must create a dedicated critical template.

·     The authentication service template cannot be used for fail-permit if a dedicated critical template is configured. If no dedicated critical template is configured, you can enable fail-permit for the authentication service template and use the authentication service template for fail-permit.
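As an added example (not part of the H3C guide), the following Python script checks a configuration excerpt against the fail-permit prerequisites described above: a dedicated critical template for 802.1X with fail-permit enable keep-online on the authentication template, local forwarding and a VLAN on every template that takes part in fail-permit, and a test profile on the RADIUS authentication server. The configuration text is constructed, and the 802.1X command form client-security authentication-mode dot1x is an assumption.

```python
# Constructed AC configuration excerpt modelled on the templates in this section
SAMPLE_CONFIG = """\
wlan service-template 1
 vlan 3505
 client forwarding-location ap
 fail-permit enable keep-online
 client-security authentication-mode dot1x
#
wlan service-template 3
 vlan 3514
 client forwarding-location ap
 fail-permit template
#
radius scheme v4
 primary authentication 100.1.0.100 test-profile testcritical
"""

def parse_blocks(text):
    """Split Comware-style config into {view header: [commands]}; a '#' line ends a view."""
    blocks, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in ("", "#"):
            current = None
        elif current is None:
            current = line
            blocks[line] = []
        else:
            blocks[current].append(line)
    return blocks

def check_fail_permit(text):
    """Return findings for the fail-permit prerequisites described in this section."""
    blocks = parse_blocks(text)
    templates = {h: c for h, c in blocks.items() if h.startswith("wlan service-template")}
    critical = [h for h, c in templates.items() if "fail-permit template" in c]
    findings = ["only one dedicated critical template is supported"] if len(critical) > 1 else []
    for header, cmds in templates.items():
        if "client-security authentication-mode dot1x" in cmds:   # assumed 802.1X command form
            if not critical:
                findings.append(f"{header}: 802.1X needs a dedicated critical template")
            if "fail-permit enable keep-online" not in cmds:
                findings.append(f"{header}: fail-permit enable keep-online missing")
        if not any(c.startswith("fail-permit") for c in cmds):
            continue                      # template plays no part in fail-permit
        if "client forwarding-location ap" not in cmds:
            findings.append(f"{header}: local forwarding required for fail-permit")
        if not any(c.startswith("vlan ") for c in cmds):
            findings.append(f"{header}: VLAN required for fail-permit")
    for header, cmds in blocks.items():
        if header.startswith("radius scheme"):
            auth = [c for c in cmds if c.startswith("primary authentication")]
            if not any("test-profile" in c for c in auth):
                findings.append(f"{header}: primary authentication server lacks a test-profile")
    return findings
```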


Service switchover at fail-permit entering or exiting

Figure 55 Fail-permit switchover



Configure wireless N+1 networking

Using a single AC can cause service interruption if the AC fails. To provide high availability, use 1+1 dual-link backup or N+1 networking.

In 1+1 dual-link backup, each AP maintains two CAPWAP tunnels (one to each AC). In N+1 networking, each AP maintains only one tunnel.

Figure 56 Service configuration flowchart


Network diagrams

1+1 dual-link backup networking

As shown in Figure 57, AC 1 acts as the master AC and AC 2 acts as the backup AC. An AP establishes CAPWAP tunnels to both the master and backup ACs.

Figure 57 1+1 dual-link backup


N+1 networking

As shown in Figure 58, three ACs are deployed in the network. AC 1 and AC 2 act as the master ACs and AC 3 acts as the backup AC. You can deploy a maximum of four master ACs.

Figure 58 N+1 networking


Table 2 IP addresses

Item        Example       Description
VLAN 4093   130.3.0.89    VLAN-interface 4093 acts as the AP communication interface (one address per AC).
            130.3.0.90
            130.3.0.91

Configure 1+1 dual-link backup

Make sure the service configuration is consistent on the master and backup ACs. For more information, see "Configure AP association" and "Configure wireless authentication parameters."

Configure the AC from the Web interface

Incorporate the ACs and configure the AC device group policy. For information about the basic configurations, see "Configure AC incorporation" and "Configure the AC device group policy." As a best practice, specify the same subnet for the master and backup ACs for management convenience.

Figure 59 Viewing AC configuration


After incorporating the master and backup ACs, create a Layer 2 network domain:

1.     Navigate to Automation > Campus Network > Private Networks > Layer 2 Network Domain. Click Add, and configure the following parameters:

○     Name.

○     Isolation Domain.

○     Private Network: vpn-default.

○     Type: Wireless.

○     IPv4 Address Lease Duration.

Figure 60 Adding a Layer 2 network domain


2.     Click the Subnets tab, click Add, and create a wireless subnet. Use the subnet of VLAN 4093.

Figure 61 Adding a subnet


3.     Click the Wireless AC tab, click Add, and add the address segments of VLAN-interface 4093 on master and backup ACs.

Figure 62 Adding ACs


Configure the master AC

# Create VLAN-interface 4093 and specify an IP address for CAPWAP tunnel establishment.
#
vlan 4093
#
interface Vlan-interface4093
 ip address 130.3.0.89 255.255.255.0
#
# Create AP ap1 and set the AP connection priority to 7. The default priority is 4.
#
wlan ap ap1 model WA6320
 serial-id 219801A28N8205E000ZT
 priority 7
#
# Specify the IP address of the backup AC.
#
wlan ap ap1 model WA6320
 serial-id 219801A28N8205E000ZT
 backup-ac ip 130.3.0.90
#
# Enable master CAPWAP tunnel preemption.
#
wlan ap ap1 model WA6320
 serial-id 219801A28N8205E000ZT
 wlan tunnel-preempt enable
#

Configure the backup AC

# Create VLAN-interface 4093 and specify an IP address for CAPWAP tunnel establishment.
#
vlan 4093
#
interface Vlan-interface4093
 ip address 130.3.0.90 255.255.255.0
#
# Create AP ap1 and set the AP connection priority to 5. The default priority is 4.
#
wlan ap ap1 model WA6320
 serial-id 219801A28N8205E000ZT
 priority 5
#
# Specify the IP address of the backup AC.
#
wlan ap ap1 model WA6320
 serial-id 219801A28N8205E000ZT
 backup-ac ip 130.3.0.89
#
# Enable master CAPWAP tunnel preemption.
#
wlan ap ap1 model WA6320
 serial-id 219801A28N8205E000ZT
 wlan tunnel-preempt enable
#

Configure N+1 networking

Make sure the service configuration is consistent on the master and backup ACs. For more information, see "Configure AP association" and "Configure wireless authentication parameters."

This section uses two master ACs as an example. You can deploy a maximum of four master ACs. The configuration procedure is similar for N+1 networking with a different number of master ACs.

In 2+1 networking, AC 1 and AC 2 act as the master ACs and AC 3 acts as the backup AC. An AP establishes only one CAPWAP tunnel with the master AC and does not establish tunnels with the backup AC.

Configure the AC from the Web interface

Incorporate the ACs and configure the AC device group policy. For information about the basic configurations, see "Configure AC incorporation" and "Configure the AC device group policy." As a best practice, specify the same subnet for the master and backup ACs for management convenience.

Figure 63 Viewing AC configuration


After incorporating the master and backup ACs, create a Layer 2 network domain:

1.     Navigate to Automation > Campus Network > Private Networks > Layer 2 Network Domain. Click Add, and configure the following parameters:

○     Name.

○     Isolation Domain.

○     Private Network: vpn-default.

○     Type: Wireless.

○     IPv4 Address Lease Duration.

Figure 64 Adding a Layer 2 network domain


2.     Click the Subnets tab, click Add, and create a wireless subnet. Use the subnet of VLAN 4093.

Figure 65 Adding a subnet


3.     Click the Wireless AC tab, click Add, and add the address segments of VLAN-interface 4093 on master and backup ACs.

Figure 66 Adding ACs


Configure master AC 1

# Create VLAN-interface 4093 and specify an IP address for CAPWAP tunnel establishment.
#
vlan 4093
#
interface Vlan-interface4093
 ip address 130.3.0.89 255.255.255.0
#
# Create AP ap1 and set the AP connection priority to 7. The default priority is 4.
#
wlan ap ap1 model WA536-WW
 serial-id 219801A1NQ818AE0002M
 priority 7
#
# Enable master CAPWAP tunnel preemption.
#
wlan ap ap1 model WA536-WW
 serial-id 219801A1NQ818AE0002M
 wlan tunnel-preempt enable
#

Configure master AC 2

# Create VLAN-interface 4093 and specify an IP address for CAPWAP tunnel establishment.
#
vlan 4093
#
interface Vlan-interface4093
 ip address 130.3.0.90 255.255.255.0
#
# Create AP ap2 and set the AP connection priority to 7. The default priority is 4.
#
wlan ap ap2 model WA6528
 serial-id 219801A1LH8196E000FH
 priority 7
#
# Enable master CAPWAP tunnel preemption.
#
wlan ap ap2 model WA6528
 serial-id 219801A1LH8196E000FH
 wlan tunnel-preempt enable
#

Configure the backup AC

# Create VLAN-interface 4093 and specify an IP address for CAPWAP tunnel establishment.
#
vlan 4093
#
interface Vlan-interface4093
 ip address 130.3.0.91 255.255.255.0
#
# Create AP ap1 and set the AP connection priority to 3. The default priority is 4. The priority setting is optional.
#
wlan ap ap1 model WA536-WW
 serial-id 219801A1NQ818AE0002M
 priority 3
#
# Specify the IP address of AC 1 as the backup AC for ap1.
#
wlan ap ap1 model WA536-WW
 serial-id 219801A1NQ818AE0002M
 backup-ac ip 130.3.0.89
#
# Create AP ap2 and set the AP connection priority to 3. The default priority is 4. The priority setting is optional.
#
wlan ap ap2 model WA6528
 serial-id 219801A1LH8196E000FH
 priority 3
#
# Specify the IP address of AC 2 as the backup AC for ap2.
#
wlan ap ap2 model WA6528
 serial-id 219801A1LH8196E000FH
 backup-ac ip 130.3.0.90
#
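The AC selection and preemption behaviour described for 1+1 and N+1 above, as an added illustration that is not H3C code: a simplified Python model in which each AC carries per-AP priorities (default 4) and the AP attaches to the highest-priority AC that is up and holds its entry, moving back to a recovered higher-priority AC only when tunnel preemption is enabled. It models the 2+1 setup of this section with one tunnel per AP; backup-ac discovery, CAPWAP keepalives and the standby tunnel of 1+1 are left out.

```python
DEFAULT_PRIORITY = 4   # AP connection priority when no "priority" is configured on an AC

class AC:
    """One access controller: its AP entries (name -> priority) and whether it is up."""
    def __init__(self, name, ip):
        self.name, self.ip, self.up, self.ap_priority = name, ip, True, {}

    def priority_for(self, ap_name):
        return self.ap_priority.get(ap_name, DEFAULT_PRIORITY)

class AP:
    """An AP that keeps one CAPWAP tunnel (N+1 style) to the AC currently serving it."""
    def __init__(self, name, preempt=True):
        self.name, self.preempt, self.current = name, preempt, None

    def select(self, acs):
        """Re-evaluate the network and return the AC the AP is tunnelled to (None if none)."""
        # Only ACs that are up and carry an entry for this AP can serve it.
        cands = [ac for ac in acs if ac.up and self.name in ac.ap_priority]
        if not cands:
            self.current = None
            return None
        best = max(cands, key=lambda ac: ac.priority_for(self.name))
        if self.current not in cands:
            self.current = best          # no tunnel yet, or serving AC failed: fail over
        elif self.preempt and best.priority_for(self.name) > self.current.priority_for(self.name):
            self.current = best          # higher-priority AC is back: wlan tunnel-preempt enable
        return self.current

def build_2_plus_1():
    """2+1 networking from this section: AC 1 and AC 2 master (priority 7), AC 3 backup (priority 3)."""
    ac1, ac2, ac3 = AC("AC 1", "130.3.0.89"), AC("AC 2", "130.3.0.90"), AC("AC 3", "130.3.0.91")
    ac1.ap_priority["ap1"] = 7
    ac2.ap_priority["ap2"] = 7
    ac3.ap_priority.update({"ap1": 3, "ap2": 3})   # the backup AC holds both APs
    return [ac1, ac2, ac3]

def failover_story(preempt=True):
    """Walk ap1 through steady state, AC 1 failure and AC 1 recovery; return serving AC names."""
    acs = build_2_plus_1()
    ap1 = AP("ap1", preempt)
    story = [ap1.select(acs).name]            # steady state: master AC 1
    acs[0].up = False
    story.append(ap1.select(acs).name)        # AC 1 fails: ap1 moves to backup AC 3
    acs[0].up = True
    story.append(ap1.select(acs).name)        # AC 1 recovers: back to AC 1 only with preemption
    return story
```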


FAQs

Wireless client authentication fails

Possible reasons

1.     The username or password is incorrect, the number of online clients has reached the upper limit, or the access scenario does not match.

2.     The AC cannot reach the authentication server.

3.     The AC is not added to the access device.

4.     No certificate is imported to EIA when 802.1X authentication is used.

Solution

# Verify that the AC and the authentication server can reach each other.

<AC>dis radius scheme
Total 1 RADIUS schemes
------------------------------------------------------------------
RADIUS scheme name: campus
  Index: 0
  Primary authentication server:
    IP   : 100.1.0.100                               Port: 1812
    VPN  : Not configured
    State: Active
    Test profile: Not configured
    Weight: 0
  Primary accounting server:
    IP   : 100.1.0.100                               Port: 1813
    VPN  : Not configured
    State: Active
    Weight: 0

·     If the state is Active, access EIA to view the authentication failure records. Navigate to Analytics > Health Analysis > User Analysis > Access Analysis > Authentication Failure Log, view the authentication failure logs, and resolve the issue.

·     If the state is Block, ping the authentication server on the AC. If the ping operation fails, examine the network settings. If the ping operation succeeds, access EIA and verify that the access device has the AC's IP address and the pre-shared key is correct.

MAC-based portal authentication page cannot be opened

Possible reasons

1.     The portal Web server (EIA) cannot be reached.

2.     No page push policy is configured.

3.     The user endpoint is an iPhone, but no DNS server is configured in the DHCP address pool for the BYOD security group.

4.     The wireless service template is not configured with client url-redirect enable.

5.     The MAC-based portal authentication page uses port 80 or 443, but ACL 3001 is not configured locally on the AP. You can deliver ACL 3001 through a map file. Make sure the ACL has the same configuration as on the AC. If ACL 3001 is missing, verify that the map file is correct, and then have the AP come online and register again.

Solution

1.     Verify that the user endpoint can ping the portal Web server. If it can, go to step 4.

2.     If the ping operation fails, verify that ACL 3001 is configured correctly on the AC.

3.     Verify that the related route settings are configured correctly.

4.     Navigate to Automation > User Business > Access Services > Page Push Policy and verify that the page push policy is configured correctly.

AP switchover from fat to fit

AD-Campus uses the AC+fit AP architecture. If an AP starts up in fat mode by default, manually switch the AP mode to fit. For more information, see the related documents for the wireless product.

AC shared by multiple isolation domains does not support IP binding

In a multi-isolation domain network that uses one set of ACs, IP address binding is not supported in the current software version.

In a single-isolation domain multi-fabric network, if each fabric uses an independent AC, you can configure only one Layer 2 network domain and add multiple AC controllers to it. Make sure each AC controller manages its own AP templates, and disable AP auto registration.

Routing policy required in service VPN when a large number of APs exist

When a large number of APs exist, vpn-default contains a large number of AP-address host routes that are also imported into the service VPNs, which might cause high routing table usage on the devices. In this case, configure routing policies on all service VPNs at the spine and leaf layers to filter out the host routes with AP addresses.

IMPORTANT:

Do not configure routing policies in vpn-default. Routing policies are required only in service VPNs.


For example:

1.     Create an IPv4 prefix list to match the prefixes and host routes of the wireless Layer 2 domain.

ip prefix-list test index 50 permit 120.0.3.0 24 less-equal 32

2.     Create a route policy to match IP prefix list test.

#
route-policy test deny node 10 //Deny routes that match IP prefix list test.
 if-match ip address prefix-list test
#
route-policy test permit node 20 //Permit all other routes.
#

3.     Apply the routing policy to the EVPN address family in each service VPN.

[Leaf_2-new-version-vpn-instance-XXXXX]dis th
#
ip vpn-instance XXXXX
XXXXX
#
address-family evpn
import route-policy test
vpn-target XXXX import-extcommunity
vpn-target XXXX export-extcommunity
#
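The prefix list and route policy of steps 1 to 3, evaluated in Python as an added example (not H3C code) against constructed sample routes. It implements the greater-equal/less-equal matching of Comware IP prefix lists and the first-match node evaluation of route policies, so it shows which routes the service VPN keeps and which AP host routes it drops.

```python
import ipaddress

def prefix_entry_matches(entry, route):
    """Comware 'ip prefix-list ... NET LEN [greater-equal G] [less-equal L]' semantics:
    ROUTE must lie inside NET/LEN and its length must fall in [G, L]
    (G defaults to LEN and L defaults to G, so '120.0.3.0 24' alone matches only the /24)."""
    net = ipaddress.ip_network(f"{entry['net']}/{entry['len']}")
    r = ipaddress.ip_network(route)
    ge = entry.get("ge", entry["len"])
    le = entry.get("le", ge)
    return r.subnet_of(net) and ge <= r.prefixlen <= le

def prefix_list_permits(entries, route):
    """The first matching entry decides; a route that no entry matches is denied."""
    for entry in entries:
        if prefix_entry_matches(entry, route):
            return entry["action"] == "permit"
    return False

def apply_route_policy(nodes, route):
    """Evaluate nodes in order; the first node whose if-match clauses all hold decides.
    A node without if-match matches everything; a route no node permits is denied."""
    for node in nodes:
        if all(prefix_list_permits(pl, route) for pl in node.get("match", [])):
            return node["action"]
    return "deny"

# Constructed equivalent of the configuration in this section:
#   ip prefix-list test index 50 permit 120.0.3.0 24 less-equal 32
#   route-policy test deny node 10  ->  if-match ip address prefix-list test
#   route-policy test permit node 20
PREFIX_LIST_TEST = [{"action": "permit", "net": "120.0.3.0", "len": 24, "le": 32}]
ROUTE_POLICY_TEST = [
    {"action": "deny", "match": [PREFIX_LIST_TEST]},
    {"action": "permit"},
]

def filter_routes(routes, policy=ROUTE_POLICY_TEST):
    """Return the routes the policy lets into a service VPN's EVPN address family."""
    return [r for r in routes if apply_route_policy(policy, r) == "permit"]

# Constructed sample: the wireless Layer 2 domain subnet, an AP host route inside it,
# a host route outside it, and two unrelated prefixes.
SAMPLE_ROUTES = ["120.0.3.0/24", "120.0.3.55/32", "120.0.4.7/32", "10.10.0.0/16", "120.0.0.0/16"]
```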

IMPORTANT:

Various manual routing configurations (IPv4 or IPv6) may exist in actual deployment. Adjust the configuration based on the actual situation when you add the policy.


AP dual-uplink does not support auto aggregation

AC stacking not recommended

N+1 network restrictions and guidelines

1.     Make sure the service configuration is the same on the master and backup ACs, including the map file.

2.     When the master AC fails, some packets might be lost during the master/backup switchover. The loss is not noticeable to users; the number of lost packets depends on signal strength.


Operation and maintenance monitoring

For more information, see AD-Campus Operations Monitoring Deployment Guide.
