H3C Access Controllers Web-Based Configuration Guide(E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W103


Contents

Configuring access services
Access service overview
Terminology
Client access
WLAN data security
Client access authentication
Configuring access service
Recommended configuration procedure
Creating a WLAN service
Configuring clear-type wireless service
Configuring crypto-type wireless service
Security parameter dependencies
Configuring an authentication mode
Configuring source IP address verification
Enabling a wireless service
Binding an AP radio to a wireless service
Enabling a radio
Displaying detailed information about a wireless service
Configuring policy-based forwarding
Creating a forwarding policy
Applying a forwarding policy to an access service
Applying a forwarding policy to a user profile
Wireless service configuration example
WPA-PSK authentication configuration example
Local MAC authentication configuration example
Remote MAC authentication configuration example
Remote 802.1X authentication configuration example
Dynamic WEP encryption-802.1X authentication configuration example
Backup client authentication configuration example
Local client authentication configuration example
Policy-based forwarding configuration example
Configuring mesh services
Mesh overview
Basic concepts in WLAN mesh
Advantages of WLAN mesh
Deployment scenarios
WLAN mesh security
Mobile link switch protocol
Mesh network topologies
Configuring mesh service
Configuring mesh service
Configuring a mesh policy
Mesh global setup
Configuring a working channel
Enabling radio
Configuring a peer MAC address
Configuring mesh DFS
Displaying the mesh link status
WLAN mesh configuration example
Subway WLAN mesh configuration example
Mesh point-to-multipoint configuration example
Mesh DFS configuration example

 


Configuring access services

Wireless Local Area Networks (WLAN) provide the following services:

·     Connectivity to the Internet

·     Secured WLAN access with different authentication and encryption methods

·     Seamless roaming of WLAN clients in a mobility domain

Access service overview

Terminology

·     Wireless client—A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting WiFi can be a WLAN client.

·     Access point—An AP bridges frames between wireless and wired networks.

·     Access controller—An AC can control and manage APs associated with it in a WLAN. The AC communicates with an authentication server for WLAN client authentication.

·     Service set identifier—An SSID identifies a wireless network. A client first scans all networks, and then selects a specific SSID to connect to a specific wireless network.

Client access

A client access process involves active or passive scanning of surrounding wireless services, authentication, and association, as shown in Figure 1.

Figure 1 Establishing a client access

 

Scanning

Wireless clients use active scanning and passive scanning to obtain information about surrounding wireless networks.

1.     Active scanning

A wireless client periodically sends probe request frames and obtains wireless network information from received probe response frames. Active scanning includes the following modes:

¡     Active scanning without an SSID—The client periodically sends a probe request frame without an SSID on each of its supported channels. APs that receive the probe request send a probe response, which includes the available wireless network information. The client associates with the AP with the strongest signal. This mode enables the client to find the optimal wireless network.

Figure 2 Active scanning without an SSID

 

¡     Active scanning with an SSID—If the wireless client is configured to access a wireless network or has associated with a wireless network, the client periodically sends a probe request that carries the SSID of that wireless network. When the target AP receives the probe request, it sends a probe response. This mode enables the client to access a specified wireless network.

Figure 3 Active scanning with an SSID

 

2.     Passive scanning

A wireless client listens to the beacon frames periodically sent by APs to discover surrounding wireless networks. Passive scanning is used when a client wants to save battery power. Typically, VoIP clients use passive scanning.

Figure 4 Passive scanning

 

Authentication

To secure wireless links, APs perform authentication on wireless clients. A wireless client must pass authentication before it can access a wireless network. 802.11 defines two authentication methods: open system authentication and shared key authentication.

·     Open system authentication

Open system authentication is the default authentication algorithm and the simplest of the available authentication algorithms. It is a null authentication algorithm: any client that requests authentication with this algorithm can become authenticated. Open system authentication is not guaranteed to succeed, because an AP might decline to authenticate the client. Open system authentication is a two-step process. In the first step, the wireless client sends a request for authentication. In the second step, the AP returns the result to the client.

Figure 5 Open system authentication process

 

·     Shared key authentication

Figure 6 shows a shared key authentication process. The two parties have the same shared key configured.

a.     The client sends an authentication request to the AP.

b.     The AP randomly generates a challenge and sends it to the client.

c.     The client uses the shared key to encrypt the challenge and sends it to the AP.

d.     The AP uses the shared key to decrypt the challenge and compares the result with the original challenge sent to the client. If they are identical, the client passes the authentication. If they are not, the authentication fails.

Figure 6 Shared key authentication process

 

Association

To access a wireless network through an AP, a client must associate with that AP. After the client passes authentication on the AP, the client sends an association request to the AP. The AP verifies the capability information in the association request to determine the capability supported by the wireless client, and sends an association response to notify the client of the association result. A client can associate with only one AP at a time, and an association process is always initiated by the client.

WLAN data security

Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN.

To secure data transmission, 802.11 protocols provide encryption methods to make sure devices without the right key cannot read encrypted data.

·     Plain-text data.

It is a WLAN service without security protection. No data packets are encrypted.

·     WEP encryption.

Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream encryption algorithm) for confidentiality. WEP encryption uses static and dynamic encryption depending on how a WEP key is generated.

¡     Static WEP encryption

With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can access all encrypted data. In addition, periodic manual key updates increase the management workload.

¡     Dynamic WEP encryption

Dynamic WEP encryption is an improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between the client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.

Although WEP encryption increases the difficulty of network interception and session hijacking, it has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.

·     TKIP encryption.

Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP provides the following advantages over WEP, giving a WLAN more secure protection:

¡     TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.

¡     TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

¡     TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data might have been tampered with, and the system might be under attack. If two packets fail the MIC in a specific period, the AP automatically takes countermeasures. While the countermeasures are in effect, the AP stops providing services to prevent further attacks.

·     AES-CCMP encryption.

CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN, which improves security.
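The replay protection that the 48-bit PN gives CCMP, as an added example (not code from the H3C guide): a receiver extracts the PN from the CCMP header, builds the per-frame nonce from it, and discards any frame whose PN does not exceed the last one accepted from that transmitter. The 8-byte CCMP header layout (PN0, PN1, reserved, key-id/ExtIV octet, PN2 to PN5) and the 13-byte nonce layout (priority, transmitter address, PN) are assumed from IEEE 802.11 rather than stated on this page; the frames fed through the counter are constructed samples.

```python
from dataclasses import dataclass, field

EXT_IV = 0x20  # ExtIV bit of the key-id octet; always set for CCMP (802.11 layout, not from the page)


def parse_ccmp_pn(header: bytes) -> int:
    """Return the 48-bit packet number carried in an 8-byte CCMP header."""
    if len(header) != 8:
        raise ValueError("CCMP header must be 8 bytes")
    pn0, pn1, _reserved, key_id_octet, pn2, pn3, pn4, pn5 = header
    if not key_id_octet & EXT_IV:
        raise ValueError("ExtIV bit not set; not a CCMP header")
    # PN0 is the least significant octet, PN5 the most significant.
    return (pn5 << 40) | (pn4 << 32) | (pn3 << 24) | (pn2 << 16) | (pn1 << 8) | pn0


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """Inverse of parse_ccmp_pn; only used here to construct sample frames."""
    if not 0 <= pn < 1 << 48:
        raise ValueError("PN must fit in 48 bits")
    return bytes([
        pn & 0xFF, (pn >> 8) & 0xFF, 0x00, EXT_IV | ((key_id & 0x3) << 6),
        (pn >> 16) & 0xFF, (pn >> 24) & 0xFF, (pn >> 32) & 0xFF, (pn >> 40) & 0xFF,
    ])


def ccmp_nonce(priority: int, transmitter: bytes, pn: int) -> bytes:
    """13-byte CCM nonce. Because the PN never repeats under one key, the nonce
    never repeats either, which is what keeps the CTR keystream from being reused."""
    if len(transmitter) != 6:
        raise ValueError("transmitter address must be 6 bytes")
    return bytes([priority & 0x0F]) + transmitter + pn.to_bytes(6, "big")


@dataclass
class ReplayCounter:
    """Receiver-side state: the last accepted PN per (transmitter, priority)."""
    last_pn: dict = field(default_factory=dict)

    def accept(self, transmitter: bytes, priority: int, header: bytes) -> bool:
        """True if the frame's PN is strictly greater than the last accepted one."""
        pn = parse_ccmp_pn(header)
        key = (transmitter, priority & 0x0F)
        if pn <= self.last_pn.get(key, -1):
            return False  # replayed (or reordered) frame: discard it
        self.last_pn[key] = pn
        return True


def run_sample() -> list:
    """Feed a constructed frame sequence through the counter; return the verdicts."""
    ap_address = bytes.fromhex("001122334455")  # constructed transmitter address
    counter = ReplayCounter()
    # PNs 2 and 4 appear a second time: those two frames are replays.
    pn_sequence = [1, 2, 3, 2, 4, 4, 5]
    return [counter.accept(ap_address, 0, build_ccmp_header(pn)) for pn in pn_sequence]


if __name__ == "__main__":
    for pn, verdict in zip([1, 2, 3, 2, 4, 4, 5], run_sample()):
        print(f"PN {pn}: {'accepted' if verdict else 'discarded as replay'}")
```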

Client access authentication

·     PSK authentication

To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass PSK authentication.

·     802.1X authentication

As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.

The administrators of access devices can choose RADIUS or local authentication to work with 802.1X for authenticating users. For more information about remote/local 802.1X authentication, see "Configuring 802.1X."

·     MAC authentication

MAC authentication provides a method to authenticate users based on ports and MAC addresses. You can configure permitted MAC address lists to filter MAC addresses of clients. However, the efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is applicable to environments without high security requirements, for example, SOHO and small offices.

MAC authentication includes the following modes:

¡     Local MAC authentication—When this authentication mode is used, you must configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.

Figure 7 Local MAC authentication

 

¡     Remote Authentication Dial-In User Service-based MAC authentication—When RADIUS-based MAC authentication is used, if the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes the authentication, the client can access the WLAN network and the corresponding authorized information.

Figure 8 Remote MAC authentication

 

When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless service, and send MAC authentication information of different SSIDs to different remote RADIUS servers.

Configuring access service

Recommended configuration procedure

1.     Creating a WLAN service (Required)

2.     Configuring wireless service (Required; use either method and complete the security settings as needed):

¡     Configuring clear-type wireless service

¡     Configuring crypto-type wireless service

3.     Configuring an authentication mode (Optional)

4.     Enabling a wireless service (Required)

5.     Binding an AP radio to a wireless service (Required)

6.     Enabling a radio (Required)

7.     Displaying detailed information about a wireless service (Optional)

 

Creating a WLAN service

1.     Select Wireless Service > Access Service from the navigation tree.

Figure 9 Configuring access service

 

2.     Click Add.

Figure 10 Creating a wireless service

 

3.     Configure the wireless service as described in Table 1.

4.     Click Apply.

Table 1 Configuration items

Item

Description

Wireless Service Name

Set the SSID, a case-sensitive string of 1 to 32 characters, which can contain letters, digits, underscores, and spaces.

Make the SSID as unique as possible. For security, do not include the company name in the SSID. At the same time, H3C recommends that you not use a long random string as the SSID, because a long random string only adds payload to the header field and does not improve wireless security.

Wireless Service Type

Select the wireless service type:

·     clear—The wireless service will not be encrypted.

·     crypto—The wireless service will be encrypted.

 

Configuring clear-type wireless service

Configuring basic settings for a clear-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the modify icon for the target clear-type wireless service.

Figure 11 Configuring clear-type wireless service

 

3.     Configure basic settings for the clear-type wireless service as described in Table 2.

4.     Click Apply.

Table 2 Configuration items

Item

Description

WLAN ID

Display the selected WLAN ID.

Wireless Service

Display the selected SSID.

Service Description

Specify a description for the wireless service.

By default, no description is specified for a wireless service.

The same wireless service can be configured for different WLAN IDs. Specify a description to distinguish between different functions of the wireless service.

VLAN (Untagged)

Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

Default VLAN

Set the default VLAN of a port.

By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Delete VLAN

Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

SSID Hide

·     Enable—Disable the advertisement of the SSID in beacon frames.

·     Disable—Enable the advertisement of the SSID in beacon frames.

By default, the SSID is advertised in beacon frames.

IMPORTANT:

·     If the advertisement of the SSID in beacon frames is disabled, the SSID must be configured for the clients to associate with the AP.

·     Disabling the advertisement of the SSID in beacon frames does not improve wireless security.

·     Enabling the advertisement of the SSID in beacon frames allows a client to discover an AP more easily.

 

Configuring advanced settings for the clear-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the modify icon for the target clear-type wireless service.

Figure 12 Configuring advanced settings for the clear-type wireless service

 

3.     Configure advanced settings for the clear-type wireless service as described in Table 3.

4.     Click Apply.

Table 3 Configuration items

Item

Description

Forwarding Mode

·     Remote Forwarding—The AC performs data forwarding. Centralized forwarding includes 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs change incoming 802.11 frames to 802.3 frames and tunnel the 802.3 frames to the AC. With 802.11 centralized forwarding, APs directly tunnel incoming 802.11 frames to the AC.

·     Local Forwarding—APs directly forward data frames. The AC still performs authentication on clients. This forwarding mode reduces the workload of the AC and retains the security and management advantages of the AC/fit AP architecture.

·     Forwarding Policy Based—Based on the forwarding policy that matches the packets from clients, the AC chooses centralized forwarding mode or local forwarding mode. This forwarding mode reduces the workload of the AC (see "Configuring policy-based forwarding").

By default, the centralized forwarding mode is adopted.

IMPORTANT:

Forwarding policies can only take effect on packets sent by clients.

Local Forwarding VLAN

Clients using the same SSID might belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.

Forwarding Policy

Enable the policy-based forwarding mode and apply the forwarding policy to the access service.

Packet Format

·     802.11—Packets are encapsulated in 802.11 format and forwarded by the AC.

·     802.3—Packets are encapsulated in 802.3 format and forwarded by the AC.

This configuration only applies to a CAPWAP tunnel. For an LWAPP tunnel, data frames can only be encapsulated in 802.11 format.

Beacon Measurement

·     Enable—Enable the beacon measurement function.

·     Disable—Disable the beacon measurement function.

By default, the beacon measurement function is disabled.

Beacon measurement, defined by 802.11k, provides a mechanism for APs and clients to measure the available radio resources. When this function is enabled, an AP periodically sends beacon requests to clients. Clients respond with beacon reports to inform the AP of the beacon measurement information they have collected.

Beacon-measurement Type

·     Active—The AP sends a beacon measurement request to the client. Upon receiving the request, the client broadcasts probe requests on all supported channels, sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons and probe responses into a measurement report.

·     Beacon-table—The AP sends a beacon measurement request to a client. Upon receiving the request, the client measures beacons and returns a report to the AP. The report contains all beacon information stored on the client. The client does not perform any additional measurements.

·     Passive—The AP sends a beacon measurement request to a client. Upon receiving the request, the client sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons and probe responses into a measurement report.

Beacon-measurement Interval

The interval at which the AP sends beacon requests to clients.

Authentication Mode

See "Configuring an authentication mode."

Max Clients Per Radio

Maximum number of clients of an SSID to be associated with the same radio of the AP.

IMPORTANT:

When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

Bonjour Policy

Apply the specified Bonjour policy to the wireless service.

Management Right

Web interface management right of online clients.

·     Disable—Disable the Web interface management right of online clients.

·     Enable—Enable the Web interface management right of online clients.

By default, Web interface management right of online clients is enabled.

MAC VLAN

·     Enable—Enable the MAC VLAN feature for the wireless service.

·     Disable—Disable the MAC VLAN feature for the wireless service.

By default, the MAC VLAN feature for the wireless service is disabled.

IMPORTANT:

Before binding an AP radio to a VLAN, enable the MAC VLAN feature first.

Fast Association

·     Enable—Enable fast association.

·     Disable—Disable fast association.

By default, fast association is disabled.

When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

Wired Service

Enabling status of wired service.

By default, wired service is disabled.

IP Verify Source

See "Configuring source IP address verification."

Unknown Client

Configure how the AP handles packets received from unknown clients: either deauthenticate the clients or drop the packets.

·     Deauthenticate—The AP sends deauthentication packets to unknown clients.

·     Drop—The AP drops the packets sent by unknown clients.

Client Cache Aging-time

The client cache saves information such as the PMK list and access VLAN for clients.

A value of 0 means the client cache information is cleared when a client goes offline. After the client cache information is cleared, the client cannot roam.

Remote AP Keep Client

Enabling status of the remote AP feature.

By default, the remote AP feature is enabled.

Gsm Uplink Hide Ssid

Whether SSIDs can be advertised in beacon frames when the uplink is a GSM network.

·     Enable.

·     Disable.

By default, SSIDs cannot be advertised in beacon frames when the uplink is a GSM network.

 

Configuring security settings for a clear-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the modify icon for the target clear-type wireless service.

Figure 13 Configuring security settings for the clear-type wireless service

 

3.     Configure security settings for the clear-type wireless service as described in Table 4.

4.     Click Apply.

Table 4 Configuration items

Item

Description

Authentication Type

For the clear-type wireless service, you can select Open-System only.

Port Mode

·     mac-authentication—Perform MAC address authentication on users.

·     mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication first, and performs 802.1X authentication only if MAC authentication fails.

·     mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.

·     userlogin-secure—In this mode, MAC-based 802.1X authentication is performed for users. Multiple 802.1X authenticated users can access the port, but only one user can be online.

·     userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes. 802.1X authentication has a higher priority than MAC authentication. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.

·     userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.

·     userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.

TIP:

There are multiple security modes. The following rules explain the port security mode names:

·     userLogin indicates port-based 802.1X authentication.

·     mac indicates MAC address authentication.

·     The authentication mode before Else is used preferentially. If the authentication fails, the authentication after Else might be used depending on the protocol type of the packets to be authenticated.

·     The authentication modes before Or and after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.

·     userLogin together with Secure indicates MAC-based 802.1X authentication.

·     A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.

Max User

Maximum number of users that can be connected to the network through a specific port.
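The naming rules in the TIP above (userLogin, mac, Else, Or, Secure, Ext) are regular enough to be applied mechanically. As an added example (not code from the H3C guide), the following interprets each port security mode name in the table and states which method is tried first, what the fallback is, and whether more than one 802.1X user may pass; the result field names and the wording of the descriptions are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# The seven mode names offered in the Port Mode list of this table.
MODES = (
    "mac-authentication",
    "mac-else-userlogin-secure",
    "mac-else-userlogin-secure-ext",
    "userlogin-secure",
    "userlogin-secure-or-mac",
    "userlogin-secure-or-mac-ext",
    "userlogin-secure-ext",
)

# Keyword meanings from the TIP: userLogin alone is port-based 802.1X,
# userLogin with Secure is MAC-based 802.1X, mac is MAC address authentication.
METHODS = {
    "mac": "MAC address authentication",
    "userlogin": "port-based 802.1X authentication",
    "userlogin-secure": "MAC-based 802.1X authentication",
}


@dataclass
class ModeSemantics:
    primary: str                # method tried first (or the only method)
    secondary: Optional[str]    # fallback or alternative method, if any
    combinator: Optional[str]   # "else" (strict priority) or "or" (same priority)
    multi_user: bool            # Ext: more than one 802.1X user may pass


def _method(token: str) -> str:
    if token not in METHODS:
        raise ValueError(f"unknown authentication method {token!r}")
    return METHODS[token]


def interpret(mode: str) -> ModeSemantics:
    """Split a mode name at its Else/Or keyword and look up each side."""
    tokens = mode.lower().replace("mac-authentication", "mac").split("-")
    multi_user = tokens[-1] == "ext"       # Ext suffix: multiple 802.1X users
    if multi_user:
        tokens = tokens[:-1]
    for combinator in ("else", "or"):
        if combinator in tokens:
            i = tokens.index(combinator)
            left, right = "-".join(tokens[:i]), "-".join(tokens[i + 1:])
            return ModeSemantics(_method(left), _method(right), combinator, multi_user)
    return ModeSemantics(_method("-".join(tokens)), None, None, multi_user)


def describe(mode: str) -> str:
    """One-line plain-English reading of a mode name."""
    s = interpret(mode)
    if s.combinator is None:
        text = s.primary
    elif s.combinator == "else":
        # The method before Else is preferred; the one after is used only on failure.
        text = f"{s.primary} first; {s.secondary} only if that fails"
    else:
        # Or: same priority, selected by the packet's protocol type.
        text = (f"{s.primary} or {s.secondary}, chosen by the protocol type of the "
                f"packet (802.1X preferred for wireless users)")
    if "802.1X" in text:
        text += "; multiple 802.1X users" if s.multi_user else "; one 802.1X user"
    return f"{mode}: {text}"


if __name__ == "__main__":
    for name in MODES:
        print(describe(name))
```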

 

 

a.     Configure mac-authentication:

Figure 14 Configuring mac-authentication port security

 

Table 5 Configuration items

Item

Description

Port Mode

mac-authentication—MAC-based authentication is performed on access users.

Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User

Control the maximum number of users allowed to access the network through the port.

MAC Authentication

Select MAC Authentication.

Domain

Select an existing domain from the list.

The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

·     The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.

·     Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

 

b.     Configure userlogin-secure/userlogin-secure-ext:

Figure 15 Configuring userlogin-secure/userlogin-secure-ext port security (userlogin-secure is taken for example)

 

Table 6 Configuration items

Item

Description

Port Mode

·     userlogin-secure—Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.

·     userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

Max User

Control the maximum number of users allowed to access the network through the port.

Mandatory Domain

Select an existing domain from the list.

The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

·     The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.

·     Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Authentication Method

·     EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It is not required to repackage the EAP packets into standard RADIUS packets for authentication.

·     CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. This method is safer than the other two methods.

·     PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.

Handshake

·     Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to identify whether the user is online. By default, the function is enabled.

·     Disable—Disable the online user handshake function.

Multicast Trigger

·     Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.

·     Disable—Disable the 802.1X multicast trigger function.

IMPORTANT:

For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages for initiating authentication periodically. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

Stateful Failover

·     Enable—Enable 802.1X support for the stateful failover function. You need to select High Availability > Stateful Failover and configure the stateful failover function. For more information, see "Configuring stateful failover."

·     Disable—Disable 802.1X support for the stateful failover function.

Whether a device supports the stateful failover function varies with the device model. For more information, see "About the H3C Access Controllers Web-Based Configuration Guide."

 

c.     Configure the other four port security modes:

Figure 16 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example)

 

Table 7 Configuration items

Item

Description

Port Mode

·     mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication and, if MAC authentication fails, the port performs 802.1X authentication.

·     mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.

·     userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.

·     userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.

Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User

Control the maximum number of users allowed to access the network through the port.

Mandatory Domain

Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.

The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

Authentication Method

·     EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It is not required to repackage the EAP packets into standard RADIUS packets for authentication.

·     CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. This method is safer than the other two methods.

·     PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.

Handshake

·     Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to identify whether the user is online. By default, the function is enabled.

·     Disable—Disable the online user handshake function.

Multicast Trigger

·     Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically to initiate authentication. By default, the multicast trigger function is enabled.

·     Disable—Disable the 802.1X multicast trigger function.

IMPORTANT IMPORTANT:

For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

Stateful Failover

·     Enable—Enable 802.1X support for the stateful failover function. You need to select High Availability > Stateful Failover and configure the stateful failover function (see "Configuring stateful failover").

·     Disable—Disable 802.1X support for the stateful failover function.

Whether a device supports the stateful failover function varies with the device model. For more information, see "About the H3C Access Controllers Web-Based Configuration Guide."

MAC Authentication

Select MAC Authentication.

Domain

Select an existing domain from the list.

The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

·     The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.

·     Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

 

Configuring crypto-type wireless service

Configuring basic settings for a crypto-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_mdf icon for the target crypto-type wireless service.

Figure 17 Configuring crypto-type wireless service

 

3.     Configure basic settings for the crypto-type wireless service as described in Table 2.

4.     Click Apply.

Configuring advanced settings for a crypto-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_mdf icon for the target crypto-type wireless service.

Figure 18 Configuring advanced settings for the crypto-type wireless service

 

3.     Configure advanced settings for the crypto-type wireless service as described in Table 8.

4.     Click Apply.

Table 8 Configuration items

Item

Description

Forwarding Mode

·     Remote Forwarding (centralized forwarding)—The AC performs data forwarding. Centralized forwarding comprises 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs convert incoming 802.11 frames to 802.3 frames and tunnel the 802.3 frames to the AC. With 802.11 centralized forwarding, APs tunnel incoming 802.11 frames to the AC unchanged.

·     Local Forwarding—APs forward data frames directly. The AC still authenticates clients. This mode reduces the workload of the AC and retains the security and management advantages of the AC/fit AP architecture. Note that client data no longer passes through the AC, so any filtering or inspection performed on the AC does not apply to it.

·     Forwarding Policy Based—The AC chooses centralized or local forwarding according to the forwarding policy that matches the packets from clients. This mode reduces the workload of the AC. For more information, see "Configuring policy-based forwarding".

By default, the centralized (remote) forwarding mode is adopted.

IMPORTANT IMPORTANT:

Forwarding policies are only available to packets sent by clients.

Local Forwarding VLAN

Clients using the same SSID might belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.

Forwarding Policy

Enable the policy-based forwarding mode and apply the forwarding policy to the access service.

Packet Format

·     802.11—Packets are encapsulated in 802.11 format in the data tunnel and forwarded by the AC.

·     802.3—Packets are encapsulated in 802.3 format in the data tunnel and forwarded by the AC.

This configuration only applies to a CAPWAP tunnel. For a LWAPP tunnel, data frames can only be encapsulated in 802.11 format.

Beacon Measurement

·     Enable—Enable the beacon measurement function.

·     Disable—Disable the beacon measurement function.

By default, the beacon measurement function is disabled.

Beacon measurement, defined by 802.11k, provides a mechanism for APs and clients to measure the available radio resources. When this function is enabled, an AP periodically sends beacon requests to clients. Clients respond with beacon reports to inform the AP of the beacon measurement information they have collected.

Beacon-measurement Type

·     Active—The AP sends a beacon measurement request to the client. Upon receiving the request, the client broadcasts probe requests on all supported channels, sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons and probe responses into a measurement report.

·     Beacon-table—The AP sends a beacon measurement request to a client. Upon receiving the request, the client measures beacons and returns a report to the AP. The report contains all beacon information stored on the client. The client does not perform any additional measurements.

·     Passive—The AP sends a beacon measurement request to a client. Upon receiving the request, the client sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons and probe responses into a measurement report.

Beacon-measurement Interval

The interval at which the AP sends beacon requests to clients.

Authentication Mode

See "Configuring an authentication mode."

Max Clients Per Radio

Maximum number of clients of an SSID to be associated with the same radio of the AP.

IMPORTANT IMPORTANT:

When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

PTK Life Time

Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.

Bonjour Policy

Apply the specified Bonjour policy to the wireless service.

TKIP CM Time

Set the TKIP countermeasure time.

By default, the TKIP countermeasure time is 0 seconds and the TKIP countermeasure policy is disabled.

Message integrity check (MIC) is designed to detect tampering with frames. TKIP uses the Michael algorithm, a lightweight MIC with limited resistance to forgery, which is why it is backed by a countermeasure policy. A MIC failure means the data might have been tampered with and the system might be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, all TKIP associations are disassociated and no new TKIP associations are allowed for the TKIP countermeasure time. The countermeasure is itself a denial-of-service lever: an attacker who can inject frames with bad MICs can keep TKIP clients off the network. Prefer AES (CCMP), which does not need it.

Management Right

Web interface management right of online clients.

·     Disable—Disable the Web interface management right of online clients.

·     Enable—Enable the Web interface management right of online clients.

By default, Web interface management right of online clients is enabled.

MAC VLAN

·     Enable—Enable the MAC VLAN feature for the wireless service.

·     Disable—Disable the MAC VLAN feature for the wireless service.

By default, MAC VLAN feature for the wireless service is disabled.

IMPORTANT IMPORTANT:

Before you bind an AP radio to a VLAN, enable the MAC VLAN feature first.

Fast Association

·     Enable—Enable fast association.

·     Disable—Disable fast association.

By default, fast association is disabled.

When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

Wired Service

Enabling status of wired service.

By default, wired service is disabled.

IP Verify Source

See "Configuring source IP address verification."

Unknown Client

Configure the AP to deauthenticate the clients or drop the packets when it receives the packets from unknown clients.

·     Deauthenticate—The AP sends deauthentication packets to unknown clients.

·     Drop—The AP drops the packets sent by unknown clients.

Client Cache Aging-time

The client cache saves information such as the PMK list and access VLAN for clients.

A value of 0 means the client cache information is cleared when a client goes offline. After the client cache information is cleared, the client cannot roam.

GTK Rekey Method

An AC generates a group temporal key (GTK) and delivers it to each client during the 4-way handshake (or a later group key handshake) between the AP and the client. The AP encrypts broadcast and multicast frames with the GTK, and the clients use it to decrypt them.

·     If Time is selected, the GTK will be refreshed after a specified period of time.

·     If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.

By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.

GTK User Down Status

Enable refreshing the GTK when a client goes offline.

By default, the GTK is not refreshed when a client goes offline. Because every client of the BSS shares the GTK, a client that has left still holds a key that decrypts the group traffic until the next rekey; enable this option where that matters.

PMF

Management frame protection status:

·     Mandatory—Clients supporting PMF can associate with the AP. The AP protects management frames from these clients. Clients not supporting PMF cannot associate with the AP.

·     Optional—All clients can associate with the AP. The AP protects management frames from clients supporting PMF.

·     Disable—All clients can associate with the AP. The AP does not protect management frames.

By default, PMF is disabled.

NOTE:

You can only configure management frame protection on a service template whose:

·     Authentication type is PSK or 802.1X.

·     Cipher suite is AES.

·     Security IE is WPA2.

Association Comeback

The AP does not respond to any association or reassociation requests from the client within the association comeback time.

SA Query Timeout

If the AP receives no SA Query response within the timeout time, it resends the request.

SA Query Retry

The retransmission time for an AP to retransmit SA Query requests.

Bind Hotspot2.0 Policy

Select a Hotspot 2.0 policy.

Remote AP Keep Client

Enabling status of the remote AP feature.

By default, the remote AP feature is enabled.

Gsm Uplink Hide Ssid

Whether SSIDs can be advertised in beacon frames when the uplink is a GSM network.

·     Enable.

·     Disable.

By default, SSIDs cannot be advertised in beacon frames when the uplink is a GSM network.

 

Configuring management frame protection for a crypto-type wireless service

Perform this task to enable an AP to protect robust management frames: deauthentication frames, disassociation frames, and some action frames.

Management frame protection uses the PTK (the pairwise key from the 4-way handshake) with the pairwise cipher to give unicast management frames confidentiality, integrity, and replay protection.

For multicast and broadcast management frames, this feature uses the Broadcast/Multicast Integrity Protocol (BIP), which appends the Management MIC IE (MME) to the frame. BIP provides integrity and replay protection only; group-addressed management frames are not encrypted.

If management frame protection is enabled, the AC/AP uses SA Query to secure connections with clients.

SA Query includes active SA Query and passive SA Query.

·     Active SA Query.

If the AP receives spoofing association or reassociation requests, this mechanism can prevent the AP from responding to clients.

As shown in Figure 19, active SA Query operates as follows:

a.     The client sends an association or a reassociation request to the AP.

b.     Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate later. The response contains an association comeback time specified by the pmf association-comeback command.

c.     The AP sends an SA Query request to the client.

-     If the AP receives an SA Query response within the timeout time, it determines that the client is online.

-     If the AP receives no SA Query response within the timeout time, it resends the request. If the AP receives an SA Query response within the retransmission time, it determines that the client is online.

If the client is online, the AP does not respond to any association or reassociation request from the client within the association comeback time.

-     If the AP receives no SA Query response within the retransmission time, it determines that the client is offline. The AP allows the client to reassociate with it.

Figure 19 Active SA Query

 

·     Passive SA Query.

If a client receives an unprotected disassociation or deauthentication frame with reason code 6 or 7, this mechanism prevents a forged frame from taking the client offline.

As shown in Figure 20, passive SA Query operates as follows:

a.     The client triggers the SA Query mechanism upon receiving an unprotected disassociation or deauthentication frame.

b.     The client sends an SA Query request to the AP.

c.     The AP responds with an SA Query response.

d.     The client determines the AP is online because it receives the SA Query response. The client does not go offline.

Figure 20 Passive SA Query
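The two SA Query exchanges above, modelled as an added example (this is not H3C code). It simulates the AP side of active SA Query with the Association Comeback and SA Query Retry settings from Table 8, and the client side of passive SA Query. The `responder` callbacks stand in for the radio link, and the reading of SA Query Retry as the number of retransmissions after the first request is my assumption.

```python
"""Added example: AP-side active SA Query and client-side passive SA Query (not H3C code)."""
from dataclasses import dataclass, field


@dataclass
class PmfAp:
    """AP with PMF enabled. comeback is in seconds; sa_retry is taken to be the number of
    retransmissions after the first SA Query request (assumption, not from the page)."""
    comeback: float = 1.0
    sa_retry: int = 3
    associated: set = field(default_factory=set)
    comeback_until: dict = field(default_factory=dict)
    sa_queries_sent: int = 0

    def _sa_query(self, sta, responder):
        """Send SA Query requests until one is answered or the retries are used up."""
        for attempt in range(1, self.sa_retry + 2):
            self.sa_queries_sent += 1
            if responder(sta, attempt):
                return True      # response within the timeout: the STA is online
        return False             # nothing in the whole retransmission window: the STA is gone

    def on_assoc_request(self, sta, now, responder):
        """Handle an (re)association request and return the AP's reaction."""
        if sta not in self.associated:
            self.associated.add(sta)
            self.comeback_until.pop(sta, None)
            return "accepted"
        if now < self.comeback_until.get(sta, 0.0):
            return "ignored"     # live association, request inside the comeback window
        # A request for an STA that is already associated may be spoofed: answer
        # "rejected temporarily, come back in <comeback>" and verify the existing SA.
        self.comeback_until[sta] = now + self.comeback
        if not self._sa_query(sta, responder):
            # The real STA did not answer: its SA is stale, so let it reassociate.
            self.associated.discard(sta)
            self.comeback_until.pop(sta, None)
        return "rejected_temporarily"


@dataclass
class PmfSta:
    """Client with PMF enabled, handling an unprotected deauthentication/disassociation frame."""
    sa_retry: int = 3
    associated: bool = True

    def on_unprotected_deauth(self, reason_code, ap_responder):
        if reason_code not in (6, 7):
            return "discarded"   # PMF: other unprotected robust management frames are dropped
        for attempt in range(1, self.sa_retry + 2):
            if ap_responder(attempt):
                return "still_associated"   # AP answered: the frame was forged, stay online
        self.associated = False
        return "disconnected"    # AP silent: the SA really is gone (802.11w behaviour)


def demo():
    """Constructed sequence of events; returns the AP/STA reactions and SA Queries sent."""
    ap = PmfAp(comeback=1.0, sa_retry=3)

    def alive(sta, attempt):
        return True

    def silent(sta, attempt):
        return False

    log = [
        ap.on_assoc_request("sta1", now=0.0, responder=alive),   # first association
        ap.on_assoc_request("sta1", now=5.0, responder=alive),   # forged request, STA alive
        ap.on_assoc_request("sta1", now=5.5, responder=alive),   # inside the comeback window
        ap.on_assoc_request("sta1", now=7.0, responder=silent),  # STA really gone
        ap.on_assoc_request("sta1", now=7.2, responder=silent),  # stale SA removed, reassociate
    ]
    sta = PmfSta()
    log.append(sta.on_unprotected_deauth(7, lambda attempt: True))   # forged deauthentication
    log.append(sta.on_unprotected_deauth(1, lambda attempt: True))   # other reason code: dropped
    return log, ap.sa_queries_sent
```

In the constructed run the AP sends one SA Query for the forged request (answered at once) and four for the dead client (the first request plus three retransmissions) before it lets the client reassociate.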

 

To configure management frame protection:

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_mdf icon for the target crypto-type wireless service.

3.     Configure management frame protection for a crypto-type wireless service as described in Table 8.

4.     Click Apply.

Configuring security settings for a crypto-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_mdf icon for the target crypto-type wireless service.

Figure 21 Configuring security settings for the crypto-type wireless service

 

3.     Configure security settings for the crypto-type wireless service as described in Table 9.

4.     Click Apply.

Table 9 Configuration items

Item

Description

Authentication Type

·     Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication.

·     Shared-Key—The two parties need to have the same shared key configured for this authentication mode. You can select this option only when the WEP encryption mode is used.

·     Open-System and Shared-Key—You can select both open-system and shared-key authentication.

IMPORTANT IMPORTANT:

WEP encryption can be used together with open system and shared-key authentication.

·     Open system authentication—When this authentication mode is used, a WEP key is used for encryption only. If the two parties do not use the same key, a wireless link can still be established, but all data will be discarded.

·     Shared-key authentication—When this authentication mode is used, a WEP key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication, and cannot access the wireless network. The challenge/response exchange reveals a plaintext/keystream pair to anyone listening, so shared-key authentication does not make WEP any stronger. WEP itself is cryptographically broken; use it only for legacy clients that support nothing else.

Cipher Suite

Encryption mechanisms supported by the wireless service:

·     AES—Encryption mechanism based on the AES encryption algorithm.

·     TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key management. When a client that uses TKIP wants to associate with an AP supporting 802.11n, the client cannot operate in 802.11n mode.

·     AES and TKIP—You can select both AES and TKIP encryption.

Security IE

Wireless service type (IE information carried in the beacon or probe response frame):

·     WPA—Wi-Fi Protected Access.

·     RSN—An RSN is a security network that allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA.

·     WPA and RSN—You can select both WPA and RSN.

Key Derivation

Specify the hash algorithm used to generate PTK and GTK based on PMK.

Key derivation type:

·     SHA1—Supports the HMAC-SHA1 hash algorithm.

·     SHA256—Supports the HMAC-SHA256 hash algorithm.

·     SHA1 and SHA256—Supports the HMAC-SHA1 and the HMAC-SHA256 hash algorithms.

By default, the key derivation type is SHA1.

NOTE:

PSK or 802.1X authentication takes effect only after the key derivation type is configured.

Encryption

Provide Key Automatically

·     Enable—A WEP key is dynamically assigned.

·     Disable—A static WEP key is used.

By default, a static WEP key is used.

When you enable this function, the WEP option is automatically set to wep104.

IMPORTANT IMPORTANT:

·     This function must be used together with 802.1X authentication.

·     When dynamic WEP encryption is configured, the WEP key that encrypts unicast frames is derived from the 802.1X exchange between the client and the authentication server and delivered to the client per session. If a WEP default key is configured, it is used to encrypt multicast frames; otherwise the device randomly generates a multicast WEP key.

WEP

·     wep40—WEP40 key option.

·     wep104—WEP104 key option.

·     wep128—WEP128 key option.

Key ID

·     1—Key index 1.

·     2—Key index 2.

·     3—Key index 3.

·     4—Key index 4.

There are four static keys in WEP. The key index can be 1, 2, 3, or 4. The key for the specified key index will be used for encrypting and decrypting broadcast and multicast frames.

Key Length

·     For wep40, the key is a string of five alphanumeric characters or a 10-digit hexadecimal number.

·     For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.

·     For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

WEP Key

Configure the WEP key.

Port Security

See Table 4.

Parameters such as authentication type and encryption type determine the port mode. For more information, see Table 12.

After you select the Cipher Suite option, the following port security modes are added:

·     mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the preconfigured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

·     psk—An access user must use the pre-shared key (PSK) that is preconfigured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.

·     userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

 

a.     Configure mac and psk.

Figure 22 Configuring mac and psk port security

 

Table 10 Configuration items

Item

Description

Port Mode

mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user is required to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User

Control the maximum number of users allowed to access the network through the port.

MAC Authentication

Select MAC Authentication.

Domain

Select an existing domain from the list.

The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

·     The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.

·     Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Preshared Key

·     pass-phrase—Enter the PSK as a character string of 8 to 63 printable characters.

·     raw-key—Enter the PSK as a hexadecimal number of exactly 64 hexadecimal digits (256 bits).

 

b.     Configure psk.

Figure 23 Configuring psk port security

 

Table 11 Configuration items

Item

Description

Port Mode

psk: An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.

Max User

Control the maximum number of users allowed to access the network through the port.

Preshared Key

·     pass-phrase—Enter the PSK as a character string of 8 to 63 printable characters.

·     raw-key—Enter the PSK as a hexadecimal number of exactly 64 hexadecimal digits (256 bits).

 

c.     Configure userlogin-secure-ext:

Perform the configurations shown in Configure userlogin-secure/userlogin-secure-ext.
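Worked example for the Key Derivation item in Table 9 and the Preshared Key items in Tables 10 and 11 (added here; this is not H3C code). It derives the PMK from a pass-phrase or a raw-key exactly as the psk and mac and psk port modes require, then expands it into the PTK with the HMAC-SHA1 PRF or the HMAC-SHA256 KDF that the SHA1 and SHA256 key derivation types select. The MAC addresses and nonces are constructed sample values, and the CCMP key layout (KCK, KEK, TK, 16 bytes each) is assumed.

```python
"""Added example: PSK -> PMK -> PTK for the SHA1 and SHA256 key derivation types (not H3C code)."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """pass-phrase form of the PSK: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isprintable():
        raise ValueError("pass-phrase must be 8 to 63 printable characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmk_from_raw_key(hex_key: str) -> bytes:
    """raw-key form of the PSK: the 256-bit PMK itself, written as 64 hexadecimal digits."""
    if len(hex_key) != 64:
        raise ValueError("raw-key must be exactly 64 hexadecimal digits")
    return bytes.fromhex(hex_key)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n (SHA1 type): HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def kdf_sha256(key: bytes, label: bytes, context: bytes, nbytes: int) -> bytes:
    """802.11 KDF-Hash-Length (SHA256 type): HMAC-SHA256(key, i || label || context || length),
    with i and length (in bits) as 16-bit little-endian integers and i counting from 1."""
    out = b""
    length = struct.pack("<H", nbytes * 8)
    for i in range(1, (nbytes + 31) // 32 + 1):
        out += hmac.new(key, struct.pack("<H", i) + label + context + length, hashlib.sha256).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               key_derivation: str = "SHA1") -> dict:
    """Expand the PMK into the 384-bit CCMP PTK from the 4-way handshake inputs.
    aa/spa are the AP and client MAC addresses; the min/max ordering makes the result
    independent of which side computes it."""
    label = b"Pairwise key expansion"
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    if key_derivation == "SHA1":
        ptk = prf_sha1(pmk, label, data, 48)
    elif key_derivation == "SHA256":
        ptk = kdf_sha256(pmk, label, data, 48)
    else:
        raise ValueError("key derivation type must be SHA1 or SHA256")
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def demo() -> dict:
    """Constructed handshake inputs; returns the PTK under both key derivation types."""
    pmk = pmk_from_passphrase("password", "IEEE")      # 802.11 Annex test vector inputs
    aa = bytes.fromhex("a0a1a1a3a4a5")                 # constructed AP MAC
    spa = bytes.fromhex("b0b1b2b3b4b5")                # constructed client MAC
    anonce = hashlib.sha256(b"anonce-sample").digest()  # constructed 32-byte nonces
    snonce = hashlib.sha256(b"snonce-sample").digest()
    return {kd: derive_ptk(pmk, aa, spa, anonce, snonce, kd) for kd in ("SHA1", "SHA256")}
```

The pass-phrase path is why SSID and pass-phrase strength both matter for the psk modes: the PMK is a deterministic function of the two, so anyone who captures a 4-way handshake can test pass-phrase guesses offline. The raw-key path skips that weakness but must be exactly 256 bits, which is why the Preshared Key item demands 64 hexadecimal digits.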

Security parameter dependencies

For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are shown in Table 12.

Table 12 Security parameter dependencies

Service type | Authentication mode | Encryption type (Cipher Suite) | Security IE | WEP encryption/key ID | Port mode
Clear | Open-System | Unavailable | Unavailable | Unavailable | mac-authentication; mac-else-userlogin-secure; mac-else-userlogin-secure-ext; userlogin-secure; userlogin-secure-ext; userlogin-secure-or-mac; userlogin-secure-or-mac-ext
Crypto | Open-System | Selected | Required | WEP encryption is available; key ID 2, 3, or 4 | mac and psk; psk; userlogin-secure-ext
Crypto | Open-System | Unselected | Unavailable | WEP encryption is required; key ID 1, 2, 3, or 4 | mac-authentication; userlogin-secure; userlogin-secure-ext
Crypto | Shared-Key | Unavailable | Unavailable | WEP encryption is required; key ID 1, 2, 3, or 4 | mac-authentication
Crypto | Open-System and Shared-Key | Selected | Required | WEP encryption is required; key ID 1, 2, 3, or 4 | mac and psk; psk; userlogin-secure-ext
Crypto | Open-System and Shared-Key | Unselected | Unavailable | WEP encryption is required; key ID 1, 2, 3, or 4 | mac-authentication; userlogin-secure; userlogin-secure-ext

 

Configuring an authentication mode

WLAN access supports the following client authentication modes:

·     Centralized—The AC authenticates clients. In centralized authentication mode, the data forwarding mode is determined by the forwarding mode settings (see "Configuring advanced settings for the clear-type wireless service"). If the connection between AC and AP fails, whether to log off clients associated with the AP depends on the remote AP settings (see "Configuring APs").

·     Local—The AP authenticates clients. Use this mode in simple networks. In this mode, the AP directly forwards data frames from clients. If the connection between AP and AC fails, the AP does not log off locally authenticated clients and accepts new clients after they pass local authentication.

·     Backup—When the AP-AC connection is correct, the AC authenticates clients. When the connection fails, the AP authenticates clients and performs local forwarding. When the AP re-establishes a connection with the AC, the AP logs out all clients and the AC re-authenticates clients.

Configuration guidelines

·     If clients are authenticated remotely, make sure the AP is still connected to the authentication server when the AC-AP connection fails. Otherwise, the existing clients go offline. You can deploy the authentication server at the AP side (see "Configuring clear-type wireless service").

·     Portal authentication is not supported.

·     Clients authenticated by the AP do not support roaming.

·     Locally authenticated clients do not support roaming and client information backup. For more information about client information backup, see "Configuring advanced settings."

·     You can click Disconnect on the Summary > Client page on the AC to log off locally authenticated clients.

·     For the local authentication mode and backup authentication mode, if the AC-AP connection fails, do not modify the configuration on the AC before the connection recovers because the AC verifies the configuration after the connection recovers. If the configuration is inconsistent, online clients might be logged off.

Networking mode

For the local authentication mode and backup authentication mode, you can use the following networking modes if an authentication server is needed. The networking mode shown in Figure 25 is recommended. In this mode, the authentication server is deployed at the AP side so that online clients are not logged off if the AC-AP connection fails.

Figure 24 Network diagram

 

Figure 25 Network diagram

 

Configuration prerequisites

1.     Enable the remote AP function on the AP > AP Setup page before you configure the backup or local authentication mode.

2.     If you configure the backup or local authentication mode and clients use 802.1X or MAC authentication, edit the configuration file of the AP on the AC and then download the file to the AP on the AP > AP Setup page. The configuration file of the AP must contain the following contents:

¡     If clients use local 802.1X or local MAC authentication, the configuration file must contain port security, ISP domain, and local user configurations.

¡     If clients use remote 802.1X or remote MAC authentication, the configuration file must contain port security, ISP domain, and RADIUS scheme configurations.

Configuring an authentication mode

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_mdf icon for the target wireless service in the list.

Figure 26 Configuring an authentication mode

 

3.     Select Central, Local, or Backup from the Authentication Mode list.

4.     Click Apply.

Configuring source IP address verification

Source IP address verification is intended to improve wireless network security by filtering and blocking illegal packets.

For a client using an IPv4 address, the AP can obtain the IP address assigned to the client in the DHCPv4 packets exchanged between the DHCP server and the client, and bind the IP address with the MAC address of the client.

For a client using an IPv6 address, the AP can generate binding entries in either of the following ways:

·     DHCPv6—The AP obtains the complete IPv6 address assigned to the client in the DHCPv6 packets exchanged between the DHCP server and the client, and binds the IPv6 address with the MAC address of the client. If the AP obtains the IPv6 address prefix assigned to the client, it cannot generate a proper binding entry.

·     ND (Neighbor Discovery)—The AP obtains the IPv6 address in the router advertisement packets exchanged between the router and the client, and binds the IPv6 address with the MAC address of the client.

After source IP address verification is enabled, the AP looks up the binding entries for each received packet. If the source MAC address and the source IP address of a packet match a binding entry, the AP forwards the packet. Otherwise, the AP discards it. Figure 27 shows how source IP address verification works.

Figure 27 Source IP address verification process

 

 

NOTE:

·     For more information about DHCP, see "DHCP overview."

·     For more information about DHCPv6, see Layer 3 Configuration Guide.

·     For more information about ND, see Layer 3 Configuration Guide.
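The binding table and per-packet check described above, as an added example (this is not H3C code and the AP's real data structures are not documented on this page). It builds entries from DHCPv4 ACK and DHCPv6 REPLY events, shows why a delegated prefix (IA_PD) yields no usable entry, and then gives a verdict for a set of constructed client frames. Letting the client's own DHCP bootstrap traffic (IPv4 source 0.0.0.0) through is my assumption about how the feature must behave; the page does not describe it.

```python
"""Added example: IP-MAC binding table fed by DHCP snooping plus the source check (not H3C code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BindingTable:
    v4: dict = field(default_factory=dict)   # client MAC -> IPv4Address
    v6: dict = field(default_factory=dict)   # client MAC -> set of IPv6Address

    def learn_dhcpv4_ack(self, client_mac: str, yiaddr: str) -> None:
        """DHCPv4 ACK seen on the AP: bind the assigned address to the client MAC."""
        self.v4[client_mac.lower()] = ipaddress.IPv4Address(yiaddr)

    def learn_dhcpv6_reply(self, client_mac: str, ia_na: Optional[str] = None,
                           ia_pd: Optional[str] = None) -> bool:
        """DHCPv6 REPLY: only a complete address (IA_NA) gives a usable entry.
        A delegated prefix (IA_PD) does not name one host, so no entry is created."""
        if ia_na is None:
            return False
        self.v6.setdefault(client_mac.lower(), set()).add(ipaddress.IPv6Address(ia_na))
        return True

    def verify(self, src_mac: str, src_ip: str) -> str:
        """Verdict for one client frame: 'forward' if (MAC, IP) matches a binding, else 'drop'."""
        ip = ipaddress.ip_address(src_ip)
        mac = src_mac.lower()
        if ip.version == 4:
            if ip.is_unspecified:
                return "forward"   # assumption: the client's own DHCP DISCOVER/REQUEST must get through
            return "forward" if self.v4.get(mac) == ip else "drop"
        return "forward" if ip in self.v6.get(mac, set()) else "drop"


def run_sample() -> list:
    """Constructed snooping events and client frames; returns the verdict per frame."""
    table = BindingTable()
    table.learn_dhcpv4_ack("00:11:22:33:44:55", "10.1.1.10")
    table.learn_dhcpv6_reply("00:11:22:33:44:55", ia_na="2001:db8:1::10")
    table.learn_dhcpv6_reply("66:77:88:99:aa:bb", ia_pd="2001:db8:2::/64")   # prefix only: no entry
    frames = [
        ("00:11:22:33:44:55", "10.1.1.10"),        # legitimate
        ("00:11:22:33:44:55", "10.1.1.1"),         # client spoofing the gateway address
        ("aa:bb:cc:dd:ee:ff", "10.1.1.10"),        # another STA spoofing the bound client's IP
        ("00:11:22:33:44:55", "0.0.0.0"),          # DHCP bootstrap
        ("00:11:22:33:44:55", "2001:DB8:1::10"),   # same IPv6 address, different text form
        ("66:77:88:99:aa:bb", "2001:db8:2::1"),    # inside the delegated prefix, but no binding
        ("cc:cc:cc:cc:cc:cc", "10.1.1.50"),        # static address never seen in DHCP
    ]
    return [table.verify(mac, ip) for mac, ip in frames]
```

The last two frames are the caveat to plan for: a DHCPv6 client that only receives a delegated prefix, and any client with a statically configured address, has no binding entry and is dropped as soon as verification is on. Such clients must obtain their address through DHCP (or, for IPv6, ND) to be admitted.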

 

Configuring source IP address verification

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_mdf icon for the target wireless service in the list.

Figure 28 Configuring source IP address verification

 

3.     Select IPv4 or IPv6 for IP Verify Source. By default, the source IP address verification function is disabled.

4.     Click Apply.

 

 

NOTE:

·     For a client using an SSID configured with source IP address verification, if it accesses the network through AP local authentication, the source IP address verification feature is effective but the IP-MAC binding entry for the client cannot be displayed on the AC. For more information about local authentication, see "Configuring an authentication mode."

·     If the client needs to roam to an AP of another AC in the roaming group, the AC to which the client roams must be configured with source IP address verification for the specified SSID. Otherwise, the client connection is lost. For more information about AP local authentication and WLAN roaming, see "Configuring WLAN roaming".

 

Enabling a wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

Figure 29 Enabling a wireless service

 

2.     Select the wireless service to be enabled.

3.     Click Enable.

Binding an AP radio to a wireless service

Binding an AP radio to a wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_bind icon for the target wireless service.

Figure 30 Binding an AP radio to a wireless service

 

3.     Select the radio to be bound.

4.     Click Bind.

Binding an AP radio to a VLAN

Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different locations access different services. For a user roaming between APs, you can provide services based on the AP through which the user accessed the network. The detailed requirements are as follows:

·     Users with the same SSID but accessing through different APs can be assigned to different VLANs according to the binding configuration.

·     A roaming user always belongs to the same VLAN.

·     For a user roaming between ACs, if the local AC does not have a VLAN interface for the user's VLAN, the user's packets are forwarded through the HA in the AC group to avoid packet loss.

Figure 31 Schematic diagram for WLAN support for AP-based access VLAN recognition

 

As shown in Figure 31, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1 roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between ACs, if FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets from Client 1 are sent to HA (AC 1) through the data tunnel and then HA forwards these packets.

Client 2 goes online through AP 4 and belongs to VLAN 2. A client going online through a different AP is assigned to a different VLAN.

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_bind icon for the target wireless service to enter the AP radio setup page, as shown in Figure 30.

3.     Select the box for the AP radio mode to be bound.

4.     Select Binding VLAN and enter the VLAN to be bound in the Binding VLAN field.

5.     Click Bind.

Binding a service template to a VLAN pool

For more information about VLAN pool, see "Configuring advanced settings."

To bind a service template to a VLAN pool:

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the icon_bind icon for the target wireless service, as shown in Figure 30.

3.     Select the AP radio mode to be bound.

4.     Select Binding VLAN pool and select the target VLAN pool from the Binding VLAN pool list.

5.     Click Bind.

Enabling a radio

1.     Select Radio > Radio from the navigation tree.

Figure 32 Enabling 802.11n radio

 

2.     Select the box of the target radio.

3.     Click Enable.

Displaying detailed information about a wireless service

Displaying detailed information about a clear-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the specified clear-type wireless service to see its detailed information.

Figure 33 Displaying detailed information about a clear-type wireless service

 

Table 13 Field description

Field

Description

Service Template Number

Current service template number.

SSID

Service set identifier.

Description

Description for the service template. Not Configured means no description is configured.

Binding Interface

Name of the WLAN-ESS interface bound with the service template.

Hotspot policy

Name of the Hotspot policy applied to the service template.

Service Template Type

Service template type.

Authentication Method

Type of authentication used.

A clear-type wireless service can use only Open System authentication.

Authentication Mode

Authentication mode used by the service template:

·     Central.

·     Local.

·     Backup.

Beacon-measurement

Enable: The beacon measurement function is enabled.

Beacon-measurement Interval

The interval at which the AP sends beacon requests to clients.

Beacon-measurement Type

·     Passive.

·     Active.

·     Beacon-table.

SSID-hide

·     Disable—SSID advertisement is enabled, and the AP includes the SSID in beacon frames.

·     Enable—SSID advertisement is disabled, and the AP does not advertise the SSID in beacon frames. Hiding the SSID is not a security control: clients still send the SSID in probe requests and association requests, where anyone listening can read it.

Bridge Mode

Forwarding mode:

·     Local Forwarding—The AP forwards the data.

·     Remote Forwarding—The AC forwards the data.

Service Template Status

Service template status, which can be:

·     Enable—The wireless service is enabled.

·     Disable—The wireless service is disabled.

Maximum clients per BSS

Maximum number of associated clients per BSS.

IP Verify Source

Status of source IPv4 address verification:

·     Enable—Verify the source IPv4 address.

·     Disable—Do not verify the source IPv4 address.

IPv6 Verify Source

Status of source IPv6 address verification:

·     Enable—Verify the source IPv6 address.

·     Disable—Do not verify the source IPv6 address.

Bonjour Policy

Name of the Bonjour policy applied to this service template.

 

Displaying detailed information about a crypto-type wireless service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click a crypto-type wireless service to see its detailed information.

Figure 34 Displaying detailed information about a crypto-type wireless service

 

Table 14 Field description

Field

Description

Service Template Number

Current service template number.

SSID

Service set identifier.

Description

Description for the service template. Not Configured means no description is configured.

Binding Interface

Name of the WLAN-ESS interface bound with the service template.

Hotspot policy

Name of the Hotspot policy applied to the service template.

Service Template Type

Service template type.

Security IE

Security IE: WPA or WPA2(RSN).

Authentication Method

Type of authentication used: Open System or Shared Key. Shared Key authentication applies only to WEP and is not recommended, because its challenge/response exchange exposes WEP keystream to an eavesdropper.

Authentication Mode

Authentication mode used by the service template:

·     Central.

·     Local.

·     Backup.

Beacon-measurement

Enable: The beacon measurement function is enabled.

Beacon-measurement Interval

The interval at which the AP sends beacon requests to clients.

Beacon-measurement Type

·     Passive.

·     Active.

·     Beacon-table.

SSID-hide

·     Disable—SSID advertisement is enabled.

·     Enable—SSID advertisement is disabled, and the AP does not advertise the SSID in the beacon frames.

Cipher Suite

Cipher suite: AES-CCMP, TKIP, or WEP40/WEP104/WEP128. Use AES-CCMP wherever clients support it: WEP keys are recoverable from captured traffic, and TKIP is deprecated.

WEP Key Index

Index of the WEP key used to encrypt and decrypt frames.

WEP Key Mode

WEP key mode:

·     HEX—WEP key in hexadecimal format.

·     ASCII—WEP key in the format of string.

WEP Key

WEP key.

TKIP Countermeasure Time(s)

TKIP MIC failure holdtime, in seconds.

PTK Life Time(s)

PTK lifetime in seconds.

GTK Rekey

GTK rekey configured.

GTK Rekey Method

GTK rekey method configured:

·     Time-based, which displays the GTK rekey time in seconds.

·     Packet-based, which displays the number of packets.

GTK Rekey Time(s)

Time for GTK rekey in seconds.

Bridge Mode

Forwarding mode:

·     Local Forwarding—The AP forwards the data.

·     Remote Forwarding—The AC forwards the data.

PMF Status

Management frame protection status:

·     Disable—PMF is disabled.

·     Optional—PMF is enabled. Both clients that support PMF and clients that do not can associate with the AP.

·     Mandatory—PMF is enabled. Only clients that support PMF can associate with the AP.

Service Template Status

Service template status:

·     Enable—The wireless service is enabled.

·     Disable—The wireless service is disabled.

Maximum clients per BSS

Maximum number of associated clients per BSS.

IP Verify Source

Status of source IPv4 address verification:

·     Enable—Verify the source IPv4 address.

·     Disable—Do not verify the source IPv4 address.

IPv6 Verify Source

Status of source IPv6 address verification:

·     Enable—Verify the source IPv6 address.

·     Disable—Do not verify the source IPv6 address.

Bonjour Policy

Name of the Bonjour policy applied to this service template.
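The fields in Table 13 and Table 14 are what a reviewer checks before signing off a service template. The following Python script is an added example, not part of this guide or of H3C's software: it parses a constructed "Field: Value" dump laid out like the detail page (the AC shows a web form, so this text layout is an assumption) and flags the settings that weaken the service, using the value names the tables list.

```python
from typing import Dict, List


def parse_display(text: str) -> Dict[str, str]:
    """Turn 'Field: Value' lines (one per Table 14 field) into a dict; later duplicates win."""
    fields = {}
    for line in text.strip().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_service_template(f: Dict[str, str]) -> List[str]:
    """Return one finding per setting a reviewer would reject on a crypto-type template."""
    findings = []
    cipher = f.get("Cipher Suite", "")
    if f.get("Authentication Method") == "Shared Key":
        findings.append("Shared Key authentication: WEP challenge/response leaks keystream; use Open System with WPA2")
    if "WEP" in cipher:
        findings.append("WEP cipher suite: key recoverable from captured traffic; use AES-CCMP")
    if "TKIP" in cipher:
        findings.append("TKIP cipher suite: deprecated, MIC attacks known; use AES-CCMP")
    if f.get("Security IE") == "WPA":
        findings.append("Security IE WPA: prefer WPA2(RSN), which is also required for PMF")
    if f.get("PMF Status") != "Mandatory":
        findings.append("PMF not Mandatory: deauthentication/disassociation frames can be spoofed")
    for key in ("IP Verify Source", "IPv6 Verify Source"):
        if f.get(key) == "Disable":
            findings.append(f"{key} Disable: clients can spoof source addresses")
    if f.get("GTK Rekey") == "Disable":
        findings.append("GTK Rekey Disable: the group key is never rotated")
    if f.get("SSID-hide") == "Enable":
        findings.append("SSID-hide Enable: not a security control; clients disclose the SSID in probe requests")
    return findings


# Constructed dumps in the layout of Table 14 (not real device output).
WEAK_TEMPLATE = """
Service Template Number: 1
SSID: guest
Service Template Type: crypto
Security IE: WPA
Authentication Method: Open System
Cipher Suite: TKIP
PMF Status: Disable
IP Verify Source: Disable
IPv6 Verify Source: Disable
GTK Rekey: Disable
SSID-hide: Enable
"""

HARDENED_TEMPLATE = """
Service Template Number: 2
SSID: corp
Service Template Type: crypto
Security IE: WPA2(RSN)
Authentication Method: Open System
Cipher Suite: AES-CCMP
PMF Status: Mandatory
IP Verify Source: Enable
IPv6 Verify Source: Enable
GTK Rekey: Enable
GTK Rekey Method: Time-based
GTK Rekey Time(s): 3600
SSID-hide: Disable
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, audit_service_template(parse_display(dump)) or ["no findings"])
```

Run it against a dump of each template before enabling the service; a clean result on the hardened template and seven findings on the weak one is the expected outcome for the constructed input.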

 

Configuring policy-based forwarding

If the AC uses the local authentication mode, it also uses the local forwarding mode, and any policy-based forwarding configuration does not take effect. For more information about authentication modes, see "Configuring an authentication mode."

Before you can apply a forwarding policy, create the policy and specify its forwarding rules. Each rule references an ACL. ACL rules are matched in ascending order of rule ID, so a rule with a lower ID is matched before a rule with a higher ID. If a match is found, the AC forwards the packet according to the behavior of the forwarding rule. If no match is found, or no rule is configured, the AC uses the centralized forwarding mode by default.

The forwarding modes can be applied to a user profile or service template:

·     User profile—If a client passes 802.1X authentication, the authentication server sends the name of the user profile for the client, and the AP obtains the forwarding mode applied to that user profile. You must create and enable the user profile on the AC first. If a QoS policy is also configured in the user profile and a packet matches both the QoS policy and the forwarding mode, the QoS policy takes precedence.

·     Service template—Clients associated with the AP adopt the forwarding mode in the service template.

If you configure different forwarding modes in the user profile and the service template, the forwarding mode in the user profile has a higher priority.

The forwarding mode takes effect only when applied to the AP, so you need to download the configuration file from the AC to the AP. The configuration files must contain ACL numbers and ACL rules. To apply the forwarding mode to the user profile, you must include user profile configurations in the configuration file. For more information about the configuration file, see "Configuring APs."

Creating a forwarding policy

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the Forwarding Policy tab.

3.     Click Add.

Figure 35 Creating a forwarding policy

 

4.     Create a forwarding policy as described in Table 15.

5.     Click Add.

6.     Click Apply.

Table 15 Configuration items

Item

Description

Policy Name

Name of the forwarding policy to create.

A maximum of 1000 forwarding policies can be created.

Forwarding Policy Rule

ACL Type

Choose IPv4 or IPv6.

When matching a packet against the ACL referenced by a forwarding rule, the AC does not distinguish between permit and deny rules. Any ACL rule that matches the packet selects the behavior of the forwarding rule; a deny rule in the ACL does not drop traffic.

ACL Number

Specify the ACL number.

Behavior

·     Remote—Use the centralized forwarding mode to forward packets.

·     Local—Use the local forwarding mode to forward packets.

 

Table 16 Supported ACL category

Category

Match criteria

IPv4 basic ACL

Source IPv4 addresses

IPv6 basic ACL

Source IPv6 addresses

IPv4 advanced ACL and IPv6 advanced ACL

IP—Source and destination IP addresses

TCP and UDP—Source and destination port numbers

ICMP—Message type and message code of specified ICMP packets

Ethernet frame header ACL

Source and destination MAC addresses
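To make the matching rules concrete, the following Python script is an added example (not H3C code) that simulates how a forwarding policy picks a mode for a client-sent packet: ACL rules are checked in ascending rule-ID order, the permit/deny action is ignored as Table 15 notes, and a packet matching nothing falls back to centralized (remote) forwarding. The ACL number, rule contents and packets are constructed for illustration; a policy applied through a user profile is taken to override the service-template policy, as the text above describes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class AclRule:
    """One rule of an IPv4 basic (source only) or advanced (src/dst/protocol/port) ACL."""
    rule_id: int
    action: str                      # "permit" or "deny": recorded, but NOT used for forwarding decisions
    src: Optional[str] = None        # CIDR, None = any
    dst: Optional[str] = None
    protocol: Optional[str] = None   # "tcp", "udp", "icmp", or None = any IP packet
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all((
            self.src is None or IPv4Address(pkt["src"]) in IPv4Network(self.src),
            self.dst is None or IPv4Address(pkt["dst"]) in IPv4Network(self.dst),
            self.protocol is None or pkt.get("proto") == self.protocol,
            self.dst_port is None or pkt.get("dport") == self.dst_port,
            self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type,
        ))


@dataclass
class ForwardingRule:
    acl_number: int
    behavior: str                    # "local" (AP forwards) or "remote" (AC forwards)


def sorted_rules(acl: List[AclRule]) -> List[AclRule]:
    """The AC evaluates ACL rules in ascending order of rule ID, however they were entered."""
    return sorted(acl, key=lambda r: r.rule_id)


def select_forwarding_mode(pkt: dict, policy: List[ForwardingRule],
                           acls: Dict[int, List[AclRule]]) -> Tuple[str, Optional[int]]:
    """Return (behavior, matching ACL rule ID) for a packet sent by a client.

    Only uplink traffic is subject to forwarding policies. A matching deny rule still
    selects the forwarding rule's behavior, so an ACL written as a filter blocks nothing.
    No match, or an empty ACL, falls back to centralized (remote) forwarding.
    """
    for fr in policy:
        for rule in sorted_rules(acls.get(fr.acl_number, [])):
            if rule.matches(pkt):
                return fr.behavior, rule.rule_id
    return "remote", None


def effective_policy(user_profile_policy: Optional[List[ForwardingRule]],
                     template_policy: List[ForwardingRule]) -> List[ForwardingRule]:
    """A policy applied through the user profile takes precedence over the service template's."""
    return user_profile_policy if user_profile_policy is not None else template_policy


# Constructed configuration: ACL 3000 is an advanced ACL with rules deliberately entered out of order.
ACLS = {
    3000: [
        AclRule(20, "permit", protocol="icmp", icmp_type=8),
        AclRule(5, "permit", src="10.1.0.0/16", dst="10.0.0.0/8", protocol="tcp", dst_port=80),
        AclRule(10, "deny", dst="192.168.1.0/24"),   # reads like a block rule, but only selects "local"
    ],
}
BRANCH_POLICY = [ForwardingRule(3000, "local")]

if __name__ == "__main__":
    for pkt in (
        {"src": "10.1.1.5", "dst": "10.2.2.2", "proto": "tcp", "dport": 80},
        {"src": "10.1.1.5", "dst": "192.168.1.9", "proto": "udp", "dport": 53},
        {"src": "10.1.1.5", "dst": "8.8.8.8", "proto": "udp", "dport": 53},
    ):
        print(pkt["dst"], "->", select_forwarding_mode(pkt, BRANCH_POLICY, ACLS))
```

The second packet is the case to remember: it hits the deny rule and is still forwarded locally by the AP, because the forwarding policy only asks whether a rule matched, not what its action was.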

 

Applying a forwarding policy to an access service

1.     Select Wireless Service > Access Service from the navigation tree.

2.     Click the modify icon for the target wireless service.

Figure 36 Applying a forwarding policy to an access service

 

3.     Apply the forwarding policy to the access service as described in Table 17.

4.     Click Apply.

Table 17 Configuration Items

Item

Description

Forwarding Mode

Select Forwarding Policy Based from the list to enable policy-based forwarding.

IMPORTANT:

Forwarding policies are only available to packets sent by clients.

Forwarding Policy

Forwarding policy name.

NOTE:

The name field can be null when you apply the forwarding policy to a user profile.

 

Applying a forwarding policy to a user profile

1.     Enable the policy-based forwarding mode (see "Applying a forwarding policy to an access service").

2.     Configure the user profile.

a.     On the AC, create and activate the user profile that will be applied to the AP.

Make sure the user profile on the AC, user scheme in the configuration files and user profile sent by the authentication server have the same name.

b.     Select Authentication > User from the navigation tree.

c.     Click the User Profile tab.

d.     Click Add.

Figure 37 Specify the name of the user profile

 

e.     Enter a name of the user profile.

f.     Click Apply.

g.     Select User Profile, and click Enable.

Wireless service configuration example

Network requirements

As shown in Figure 38, enable the client to access the internal network resources at any time. The manually entered serial ID of the AP is 210235A29G007C000020. The AP adopts 802.11n (2.4 GHz) and provides plain-text wireless access service with SSID service1.

Figure 38 Network diagram

 

Configuration guidelines

Select the correct country/region code for the AP's location. It determines the channels and transmit power the radio is permitted to use.

Configuring the AC

1.     Create an AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, and enter the serial ID of the AP.

d.     Click Apply.

Figure 39 Creating an AP

 

2.     Configure a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to service1 and select the wireless service type Clear.

d.     Click Apply.

Figure 40 Creating a wireless service

 

3.     Enable the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     On the page that appears, select service1 and click Enable.

Figure 41 Enabling wireless service

 

4.     Bind an AP radio to a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the bind icon for the wireless service service1.

c.     On the page that appears, select the box to the left of the radio type 802.11n(2.4GHz).

d.     Click Bind.

Figure 42 Binding an AP radio

 

5.     Enable 802.11n(2.4GHz) radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the box to the left of the radio mode 802.11n(2.4GHz).

c.     Click Enable.

Figure 43 Enabling 802.11n(2.4GHz) radio

 

Verifying the configuration

·     The client can successfully associate with the AP and access the WLAN network.

·     You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.

Figure 44 Viewing the online clients

 

WPA-PSK authentication configuration example

Network requirements

As shown in Figure 45, connect the client to the wireless network through WPA-PSK authentication. The client and the AC are configured with the same PSK, 12345678. Such a short numeric PSK only keeps the example simple. In production, use a long random passphrase, because anyone who captures the 4-way handshake can test passphrase guesses offline.

Figure 45 Network diagram

 

Configuring the AC

1.     Create an AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the AP serial ID, and click Apply.

Figure 46 Creating an AP

 

2.     Create a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to psk, select the wireless service type crypto, and click Apply.

Figure 47 Creating a wireless service

 

3.     Configure wireless service:

After you create a wireless service, you will enter the wireless service configuration page.

a.     In the Security Setup area, select Open-System from the Authentication Type list.

b.     Select Cipher Suite, select TKIP (select an encryption type as needed; AES-CCMP with WPA2 is recommended because TKIP is deprecated), and then select WPA from the Security IE list.

c.     Select Port Set, and select psk from the Port Mode list.

d.     Select pass-phrase from the Pre-shared Key list, and enter the key 12345678.

e.     Click Apply.

Figure 48 Configuring security settings

 

4.     Enable wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Select psk.

c.     Click Enable.

Figure 49 Enabling wireless service

 

5.     Bind an AP radio to a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the bind icon for the wireless service psk.

c.     On the page that appears, select the box to the left of the radio mode 802.11n(2.4GHz) and click Bind.

Figure 50 Binding an AP radio

 

6.     Enable 802.11n(2.4GHz) radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the ap box to the left of 802.11n(2.4GHz).

c.     Click Enable.

Figure 51 Enabling 802.11n(2.4GHz) radio

 

Configuring the client

1.     Launch the client, and refresh the network list.

2.     Select the configured service in Choose a wireless network (psk in this example).

3.     Click Connect.

4.     In the popup dialog box, enter the key (12345678 in this example), and then click Connect.

Figure 52 Configuring the client

 

The client has the same pre-shared key as the AC, so it can associate with the AP and complete the 4-way handshake.

Figure 53 The client is associated with the AP

 

Verifying the configuration

·     The client can successfully associate with the AP and access the WLAN network.

·     You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.

Local MAC authentication configuration example

Network requirements

As shown in Figure 54, the AC is connected to the AP through a Layer 2 switch, and they are in the same network. Perform local MAC authentication on the client. MAC authentication identifies a client only by its MAC address, which can be spoofed, and a clear-type service carries traffic unencrypted, so use it only for devices that cannot support stronger authentication.

Figure 54 Network diagram

 

Configuring the AC

1.     Create an AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the AP serial ID, and click Apply.

Figure 55 Creating an AP

 

2.     Create a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to mac-auth, select the wireless service type Clear, and click Apply.

Figure 56 Creating a wireless service

 

3.     Configure the wireless service:

After you have created a wireless service, you enter the wireless service configuration page.

a.     In the Security Setup area, select Open-System from the Authentication Type list.

b.     Select the Port Set box, and select mac-authentication from the Port Mode list.

c.     Select the MAC Authentication box, and select system from the Domain list.

To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a domain name in the Domain Name field.

d.     Click Apply.

Figure 57 Configuring security settings

 

4.     Enable wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Select the mac-auth box.

c.     Click Enable.

Figure 58 Enabling wireless service

 

5.     Configure a MAC authentication list:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click MAC Authentication List.

c.     On the page that appears, enter the MAC address of the client to be allowed in the MAC Address field (0014-6c8a-43ff in this example).

d.     Click Add.

Figure 59 Adding a MAC authentication list

 

6.     Bind an AP radio to a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the bind icon for the wireless service mac-auth.

c.     On the page that appears, select the box to the left of the radio mode 802.11n(2.4GHz) and click Bind.

Figure 60 Binding an AP radio

 

7.     Enable 802.11n (2.4GHz) radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the 802.11n(2.4GHz) box of the target AP.

c.     Click Enable.

Figure 61 Enabling 802.11n(2.4GHz) radio

 

Configuring the client

1.     Launch the client, and refresh the network list.

2.     Select the configured service in Choose a wireless network (mac-auth in this example).

3.     Click Connect.

Figure 62 Configuring the client

 

Verifying the configuration

·     The client can successfully associate with the AP and access the WLAN.

·     You can view the online clients on the page you enter by selecting Summary > Client.

Remote MAC authentication configuration example

Network requirements

As shown in Figure 63, perform remote MAC authentication on the client.

·     Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and accounting (AAA). On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

·     The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with the RADIUS server as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server.
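The AC settings listed above (shared key expert, username sent without the domain name, MAC address as both username and password) determine the RADIUS packets exchanged with IMC. The following Python script is an added example, not H3C or IMC code: it builds the Access-Request the AC would send for client 0014-6c8a-43ff using the RFC 2865 User-Password obfuscation, plays the server side that recovers the password and answers, and verifies the Response Authenticator that binds the reply to the shared key. The packet identifier, attribute set and account store are constructed; a real AC includes more attributes and, for the 802.1X example later on this page, carries EAP-Message attributes instead of User-Password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def mac_auth_username(mac: str) -> str:
    """Username and password the AC sends for MAC authentication: 12 lowercase hex digits, no
    separators, which is why the IMC account for 0014-6c8a-43ff is created as 00146c8a43ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def strip_domain(username: str) -> str:
    """'Without domain name' username format: the AC drops '@domain' before sending."""
    return username.split("@", 1)[0]


def _keystream_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypt else result   # chaining uses the ciphertext block
    return out


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _keystream_xor(padded, secret, request_auth, decrypt=False)


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _keystream_xor(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    length = 20 + len(attrs)
    return bytes([code, ident, length >> 8, length & 0xFF]) + authenticator + attrs


def build_access_request(ident: int, username: str, password: str, nas_ip: str,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # fresh per request; reuse enables replay
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(req: bytes, secret: bytes, accounts: Dict[str, str]) -> bytes:
    """Server side: recover the password, compare it with the account, sign the reply."""
    attrs = parse_attrs(req)
    request_auth = req[4:20]
    user = attrs[USER_NAME].decode()
    password = decrypt_user_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = accounts.get(user)
    ok = expected is not None and hmac.compare_digest(password, expected.encode())
    header = bytes([ACCESS_ACCEPT if ok else ACCESS_REJECT, req[1], 0, 20])
    return header + hashlib.md5(header + request_auth + secret).digest()


def response_authenticator_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check before trusting an Accept: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed values from the example: shared key expert, AC 10.18.1.1, client 0014-6c8a-43ff.
SECRET = b"expert"
ACCOUNTS = {"00146c8a43ff": "00146c8a43ff"}

if __name__ == "__main__":
    name = mac_auth_username("0014-6c8a-43ff")
    req = build_access_request(7, strip_domain(name + "@system"), name, "10.18.1.1", SECRET)
    resp = server_handle(req, SECRET, ACCOUNTS)
    print("code", resp[0], "authentic", response_authenticator_ok(resp, req[4:20], SECRET))
```

Two practical points follow from the code: the shared key is the only thing protecting User-Password and the reply's authenticity, so a short dictionary word such as expert should be replaced by a long random secret in production, and a mismatch between the account name format on IMC and the MAC format the AC sends fails silently as an Access-Reject.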

Figure 63 Network diagram

 

Configuring the AC

1.     Assign an IP address to the AC:

a.     Select Network > VLAN to create a VLAN on the AC.

b.     Select Device > Interface Management to assign an IP address to the VLAN interface.

2.     Configure a RADIUS scheme:

a.     Select Authentication > RADIUS from the navigation tree.

b.     Click Add.

c.     On the page that appears, add the authentication server and the accounting server in the RADIUS Server Configuration area as shown in Figure 64, and specify the key expert.

d.     Enter mac-auth in the Scheme Name field.

e.     Select Extended as the server type.

f.     Select Without domain name from the Username Format List.

g.     Click Apply.

Figure 64 Configuring RADIUS

 

3.     Configure AAA:

a.     From the navigation tree, select Authentication > AAA.

b.     Optional: On the Domain Setup tab, create a new ISP domain.

This example uses the default domain system.

c.     On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.

Figure 65 Configuring the AAA authentication method for the ISP domain

 

d.     On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.

e.     Click Close after the configuration process is complete.

Figure 66 Configuring the AAA authorization method for the ISP domain

 

f.     On the Accounting tab, select the ISP domain system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the accounting mode RADIUS, and select the accounting scheme mac-auth from the Name list.

g.     Click Apply.

Figure 67 Configuring the AAA accounting method for the ISP domain

 

4.     Create an AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the AP serial ID, and click Apply.

Figure 68 Configuring an AP

 

5.     Configure wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the wireless service name to mac-auth, select the wireless service type Clear, and click Apply.

Figure 69 Creating a wireless service

 

6.     Configure MAC authentication:

After you create a wireless service, the wireless service configuration page appears.

a.     In the Security Setup area, select Open-System from the Authentication Type list.

b.     Select the Port Set box, and select mac-authentication from the Port Mode list.

c.     Select the MAC Authentication box, and select system from the Domain list.

d.     Click Apply.

Figure 70 Configuring security settings

 

7.     Enable the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     On the page that appears, select the mac-auth box.

c.     Click Enable.

Figure 71 Enabling the wireless service

 

8.     Bind an AP radio to the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the bind icon for the wireless service mac-auth.

c.     Select the box of the AP with the radio mode 802.11n(2.4GHz).

d.     Click Bind.

Figure 72 Binding an AP radio to a wireless service

 

9.     Enable 802.11n(2.4GHz) radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the ap 802.11n(2.4GHz) box of the target AP.

c.     Click Enable.

Figure 73 Enabling 802.11n(2.4GHz) radio

 

Configuring the RADIUS server (IMC v3)

The following example uses the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) to illustrate the basic configuration of the RADIUS server.

To configure the RADIUS server:

1.     Add an access device:

a.     Click the Service tab in the IMC Platform.

b.     Select User Access Manager > Access Device Management from the navigation tree.

c.     Click Add.

d.     On the page that appears, enter expert as the Shared Key, enter 1812 and 1813 as the port number for authentication and accounting, respectively, select LAN Access Service as service type, select H3C as the access device type, select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 74 Adding access device

 

2.     Add service:

a.     Click the Service tab.

b.     Select User Access Manager > Service Configuration from the navigation tree.

c.     Click Add.

d.     On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 75 Adding service

 

3.     Add an account:

a.     Click the User tab.

b.     Select User > All Access Users from the navigation tree.

c.     Click Add.

d.     On the page that appears, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.

Figure 76 Adding account

 

Configuring the RADIUS server (IMC v5)

The following example uses IMC (IMC PLAT 5.0 and IMC UAM 5.0) to illustrate the basic configuration of the RADIUS server.

To configure the RADIUS server:

1.     Add an access device:

a.     Click the Service tab in the IMC platform.

b.     Select User Access Manager > Access Device Management from the navigation tree.

c.     Click Add.

d.     On the page that appears, enter expert as the Shared Key, keep the default values for other parameters, and select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 77 Adding an access device

 

2.     Add a service:

a.     Click the Service tab.

b.     Select User Access Manager > Service Configuration from the navigation tree.

c.     Click Add.

d.     On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 78 Adding a service


 

3.     Add an account:

a.     Click the User tab.

b.     Select User > All Access Users from the navigation tree.

c.     Click Add.

d.     On the page that appears, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.

Figure 79 Adding an account


 

Verifying the configuration

·     During the authentication, the user does not need to enter the username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.

·     You can view the online clients on the page you enter by selecting Summary > Client.

Remote 802.1X authentication configuration example

Network requirements

Perform remote 802.1X authentication on the client.

·     Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

·     On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 80 Network diagram

 

Configuring the AC

1.     Assign an IP address to the AC:

a.     Select Network > VLAN to create a VLAN on the AC.

b.     Select Device > Interface Management to assign an IP address to the VLAN interface.

2.     Obtain the CA certificate and local certificate:

If the certificates are saved on the AC, load the certificates. If the certificates are not saved on the AC, apply for the local certificate and obtain the CA certificate. The PKI domain for the certificates is eappki. For more information about PKI, see "Managing certificates."

3.     Configure a RADIUS scheme:

a.     Select Authentication > RADIUS from the navigation tree.

b.     Click Add.

c.     On the page that appears, add the authentication and accounting servers in the RADIUS Server Configuration, and specify the key expert.

d.     Enter 802.1x in the Scheme Name field.

e.     Select the server type Extended, and select Without domain name from the Username Format list.

f.     Click Apply.

Figure 81 Configuring RADIUS

 

4.     Configure AAA:

a.     Select Authentication > AAA from the navigation tree.

b.     (Optional.) On the Domain Setup tab, create a new ISP domain. This example uses the default domain system.

c.     On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.1x from the Name list, and click Apply.

Figure 82 Configuring the AAA authentication method for the ISP domain

 

d.     On the Authorization tab, select the domain name system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name list, and click Apply.

Figure 83 Configuring the AAA authorization method for the ISP domain

 

e.     On the Accounting tab, select the ISP domain system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the accounting mode RADIUS, select the accounting scheme 802.1x from the Name list, and click Apply.

Figure 84 Configuring the AAA accounting method for the ISP domain

 

5.     Create an AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the AP serial ID, and click Apply.

Figure 85 Configuring an AP

 

6.     Configure wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to dot1x, select the wireless service type Crypto, and click Apply.

Figure 86 Creating a wireless service

 

7.     Configure 802.1X authentication:

After you create a wireless service, the wireless service configuration page appears.

a.     In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite box, select AES from the Cipher Suite list, and select WPA2 from the Security IE list.

b.     Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.

c.     Select system from the Mandatory Domain list.

d.     Select EAP from the Authentication Method list.

e.     Disable Handshake and Multicast Trigger (recommended).

f.     Click Apply.

Figure 87 Configuring security settings

 

8.     Enable the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     On the page that appears, select the dot1x box and click Enable.

Figure 88 Enabling the wireless service

 

9.     Bind an AP radio to the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the bind icon for the wireless service dot1x.

c.     Select the box of the AP with the radio mode 802.11n(2.4GHz).

d.     Click Bind.

Figure 89 Binding an AP radio to a wireless service

 

10.     Enable 802.11n(2.4GHz) radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the box of the AP with the radio mode 802.11n(2.4GHz).

c.     Click Enable.

Figure 90 Enabling 802.11n(2.4GHz) radio

 

Configuring the RADIUS server (IMC v3)

The following example uses the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) to illustrate the basic configuration of the RADIUS server. Make sure a certificate has been installed on the RADIUS server.

To configure the RADIUS server:

1.     Add an access device:

a.     Click the Service tab in the IMC Platform.

b.     Select User Access Manager > Access Device Management from the navigation tree.

c.     Click Add.

d.     On the page that appears, enter expert as the Shared Key for authentication and accounting, enter 1812 and 1813 as the port number for authentication and accounting, respectively, select LAN Access Service as the service type, select H3C as the access device type, select or manually add the access device with the IP address 10.18.1.1, and click OK.

Figure 91 Adding an access device

 

2.     Add service:

a.     Click the Service tab.

b.     Select User Access Manager > Service Configuration from the navigation tree.

c.     Click Add.

d.     On the page that appears, set the Service Name to dot1x, select the Certificate Type as EAP-PEAP AuthN, select the Certificate Sub-Type as MS-CHAPV2 AuthN, and click Apply.

Figure 92 Adding a service

 

3.     Add an account:

a.     Click the User tab.

b.     Select User > All Access Users from the navigation tree.

c.     Click Add.

d.     On the page that appears, set the userName and the Account Name to user, set the password to dot1x, select the service dot1x, and click Apply.

Figure 93 Adding an account

 

Configuring the RADIUS server (IMC v5)

The following example uses IMC (IMC PLAT 5.0 and IMC UAM 5.0) to illustrate the basic configuration of the RADIUS server. Make sure a certificate has been installed on the RADIUS server.

To configure the RADIUS server:

1.     Add an access device:

a.     Click the Service tab in the IMC platform.

b.     Select User Access Manager > Access Device Management from the navigation tree.

c.     Click Add.

d.     On the page that appears, enter expert as the Shared Key for authentication and accounting, keep the default values for other parameters, and select or manually add the access device with the IP address 10.18.1.1, and click OK.

Figure 94 Adding access device

 

2.     Add a service:

a.     Click the Service tab.

b.     Select User Access Manager > Service Configuration from the navigation tree.

c.     Click Add.

d.     On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.

Figure 95 Adding a service


 

3.     Add an account:

a.     Click the User tab.

b.     Select User > All Access Users from the navigation tree.

c.     Click Add.

d.     On the page that appears, set the user name and the account name to user, set the password to dot1x, select the service dot1x, and click Apply.

Figure 96 Adding account


 

Configuring the wireless client

1.     Double click the  icon at the bottom right corner of your desktop.

The Wireless Network Connection Status window appears.

2.     Click Properties in the General tab.

The Wireless Network Connection Properties window appears.

3.     In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties.

The dot1x Properties window appears.

4.     In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.

5.     In the popup window, clear Validate server certificate, and click Configure.

6.     In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).

Figure 97 Configuring the wireless client (1)

 

Figure 98 Configuring the wireless client (2)

 

Figure 99 Configuring the wireless client (3)

 

Verifying the configuration

·     After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.

·     You can view the online clients on the page you enter by selecting Summary > Client.

Dynamic WEP encryption-802.1X authentication configuration example

Network requirements

Perform dynamic WEP encryption-802.1X authentication on the client.

·     Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

·     On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 100 Network diagram

 

Configuration procedure

1.     Assign an IP address for the AC:

See "Assign an IP address to the AC."

2.     Configure a RADIUS scheme:

See "Configure a RADIUS scheme."

3.     Configure AAA:

See "Configure AAA."

4.     Configure the AP:

See "Create an AP."

5.     Create a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to dot1x, select the wireless service type Crypto, and click Apply.

Figure 101 Creating a wireless service

 

6.     Configure 802.1X authentication:

After you create a wireless service, the wireless service configuration page appears.

a.     In the Security Setup area, select Open-System from the Authentication Type list.

b.     Select Encryption, and select Enable from the Provide Key Automatically list.

c.     Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.

d.     Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.

e.     Select system from the Mandatory Domain list.

f.     Select EAP from the Authentication Method list.

g.     Disable Handshake and Multicast Trigger (recommended).

h.     Click Apply.

Figure 102 Configuring security settings

 

7.     Enable the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     On the page that appears, select the dot1x box and click Enable.

Figure 103 Enabling the wireless service

 

8.     Bind an AP radio to the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the  icon for the wireless service dot1x.

c.     On the page that appears, select the box of 802.11n(2.4GHz) and click Bind.

Figure 104 Binding an AP radio to a wireless service

 

9.     Enable 802.11n(2.4GHz) radio:

See "Enable 802.11n(2.4GHz) radio."

10.     Configure the RADIUS server (IMCv3):

See "Configuring the RADIUS server (IMC v3)."

11.     Configure the RADIUS server (IMCv5):

See "Configuring the RADIUS server (IMC v5)."

Configuring the wireless client

1.     Double click the  icon at the bottom right corner of your desktop.

The Wireless Network Connection Status window appears.

2.     Click Properties.

The Wireless Network window appears.

3.     Click Add.

4.     Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure you have selected The key is provided for me automatically. Click OK.

Figure 105 Configuring the wireless client (1)

 

5.     On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.

6.     In the popup window, clear Validate server certificate, and click Configure.

7.     In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.

Figure 106 Configuring the wireless client (2)

 

Figure 107 Configuring the wireless client (3)

 

Figure 108 Configuring the wireless client (4)

 

Verifying the configuration

·     After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.

·     You can view the online clients on the page you enter by selecting Summary > Client.

Backup client authentication configuration example

Network requirements

Configure backup client authentication on the AC to achieve the following purposes:

·     When the AC-AP connection is normal, the AC authenticates clients in the branch.

·     When the connection fails, the AP authenticates clients and does not log off online clients.

Figure 109 Network diagram

 

Adding commands to the configuration file of the AP

port-security enable

 

domain branch.net

 authentication lan-access local

 authorization lan-access local

  accounting lan-access local

 

local-user 00-14-6c-8a-43-ff

 password simple 00-14-6c-8a-43-ff

 service-type lan-access

 

mac-authentication user-name-format mac-address with-hyphen lowercase

Then save the configuration file with the name map.cfg, and upload it to the storage media of the AC.

Configuring the AC

Before configuring the AC in the Web interface, use the mac-authentication user-name-format mac-address with-hyphen lowercase command so that MAC authentication users are authenticated with MAC-based user accounts. Each MAC address used as an account name must be hyphenated and in lower case.
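Local MAC authentication on the AP only succeeds when the username the AP derives from the client MAC (hyphenated, lower case, as set by the user-name-format command above) matches a local-user entry in map.cfg whose password is the same string. As an added example that is not part of this guide, the following Python script (helper names are assumed, the configuration text is a constructed copy of the excerpt above) normalizes a client MAC address written in any common notation into that username form and checks the configuration file for the mismatches that make local authentication fail without an obvious error: a different user-name-format line, a local-user entered in upper case or with colons, or a password that differs from the username.

```python
import re
from typing import Dict, List

# Constructed copy of the map.cfg excerpt from this example.
MAP_CFG = """\
port-security enable

domain branch.net
 authentication lan-access local
 authorization lan-access local
 accounting lan-access local

local-user 00-14-6c-8a-43-ff
 password simple 00-14-6c-8a-43-ff
 service-type lan-access

mac-authentication user-name-format mac-address with-hyphen lowercase
"""

# The format the AC-side procedure in this example requires.
EXPECTED_FORMAT = "mac-address with-hyphen lowercase"


def mac_username(mac: str) -> str:
    """Normalize any common MAC notation (00:14:6C:8A:43:FF, 0014-6c8a-43ff,
    0014.6c8a.43ff, 00146C8A43FF) to the hyphenated lower-case username that
    the user-name-format command above makes the AP use."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def local_users(cfg: str) -> Dict[str, str]:
    """Map each local-user name in the config to its 'password simple' value."""
    users: Dict[str, str] = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"^local-user (\S+)", line)
        if m:
            current = m.group(1)
            users[current] = ""
            continue
        m = re.match(r"^\s+password simple (\S+)", line)
        if m and current is not None:
            users[current] = m.group(1)
    return users


def username_format(cfg: str) -> str:
    """Return the argument of the mac-authentication user-name-format line."""
    m = re.search(r"^mac-authentication user-name-format (.+)$", cfg, re.MULTILINE)
    return m.group(1).strip() if m else ""


def check_mac_user(cfg: str, client_mac: str) -> List[str]:
    """Return the problems that would stop the AP from authenticating
    client_mac locally from this config file; an empty list means it passes."""
    problems: List[str] = []
    fmt = username_format(cfg)
    if fmt != EXPECTED_FORMAT:
        problems.append(f"user-name-format is {fmt!r}, expected {EXPECTED_FORMAT!r}")
    users = local_users(cfg)
    for name in users:
        try:
            canonical = mac_username(name)
        except ValueError:
            continue  # ordinary (non-MAC) local users are not checked here
        if name != canonical:
            problems.append(f"local-user {name} is not hyphenated lower case")
    wanted = mac_username(client_mac)
    if wanted not in users:
        problems.append(f"no local-user {wanted} in config")
    elif users[wanted] != wanted:
        problems.append(f"local-user {wanted}: password must equal the username")
    return problems


if __name__ == "__main__":
    for mac in ("00:14:6C:8A:43:FF", "00-14-6c-8a-43-fe"):
        print(mac, "->", check_mac_user(MAP_CFG, mac) or "OK")
```

Run the check against the file before uploading it to the AC; the same normalization is what you want on the AC side when filling the MAC Authentication List, since an entry in a different notation never matches the username the AP sends.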

To configure the AC:

1.     Configure an ISP domain branch.net:

a.     Select Authentication > AAA from the navigation tree.

You are placed on the Domain Setup tab.

b.     Enter the domain name in the Domain Name field.

c.     Click Apply.

Figure 110 Configuring an ISP domain

 

2.     Create an AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the serial ID of the AP, and click Apply.

Figure 111 Creating an AP

 

3.     Configure wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to mac-auth, select the wireless service type Clear, and click Apply.

Figure 112 Creating a wireless service

 

4.     Configure backup client authentication:

After you create a wireless service, you will enter the wireless service configuration page. Select Backup from the Authentication Mode list and then configure local MAC authentication on the page.

Figure 113 Configuring backup client authentication

 

5.     Configure local MAC authentication:

a.     In the Security Setup area, select Open-System from the Authentication Type list.

b.     Select the Port Set box, and select mac-authentication from the Port Mode list.

c.     Select the MAC Authentication box, and select branch.net from the Domain list. Make sure the mandatory authentication domain and the ISP domain in the configuration file are the same.

d.     Click Apply.

Figure 114 Configuring local MAC authentication

 

6.     Enable wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Select the mac-auth box.

c.     Click Enable.

Figure 115 Enabling wireless service

 

7.     Configure a MAC authentication list:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click MAC Authentication List.

c.     Add a local user in the MAC Address field. 00-14-6c-8a-43-ff is used in this example.

d.     Click Add.

Figure 116 Adding a MAC authentication list

 

8.     Enable remote AP and download the configuration file to the AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click the icon_mdf icon for the target AP in the list.

The page for configuring an AP appears.

c.     Expand Advanced Setup, set the configuration file to map.cfg, and select Enable from the Remote AP list.

d.     Click Apply.

Figure 117 Enabling remote AP

 

9.     Bind an AP radio to a wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the icon_bind icon for the wireless service mac-auth.

c.     Select the box to the left of ap with the radio mode 802.11n(2.4GHz).

d.     Click Bind.

Figure 118 Binding an AP radio

 

10.     Enable 802.11n(2.4GHz) radio:

a.     Select Radio > Radio Setup from the navigation tree.

b.     Select the box to the left of ap with the radio mode 802.11n(2.4GHz).

c.     Click Enable.

Figure 119 Enabling 802.11n(2.4GHz) radio

 

11.     Verify the configuration:

¡     When the connection between the AP and the AC is normal, clients associated with the AP can access the network after passing centralized authentication. Select Summary > Client from the navigation tree to view detailed client information. The Central field in the output shows that the AC authenticates the clients.

¡     When the connection between the AC and the AP fails, clients associated with the AP are not logged off, and the AP authenticates new clients.

¡     When the connection between the AC and the AP recovers, the AP logs off all associated clients. The clients can associate with the AP again after being authenticated by the AC. Select Summary > Client from the navigation tree to view detailed client information. The authentication-mode field in the output displays Central.

Local client authentication configuration example

Network requirements

Configure local client authentication on the AC so that the AP performs 802.1X authentication on clients through the RADIUS server regardless of whether the AC-AP connection is up.

Deploy the RADIUS server at the AP side so associated 802.1X clients are not logged off when the connection between the branch and headquarters fails.

Figure 120 Network diagram

 

Adding commands to the configuration file of the AP

port-security enable

 

dot1x authentication-method eap

 

radius scheme rad

 primary authentication 192.168.100.254

 primary accounting 192.168.100.254

 key authentication simple 123456

 key accounting simple 123456

 user-name-format without-domain

 

domain cams

 authentication default radius-scheme rad

 authorization default radius-scheme rad

 accounting default radius-scheme rad

Then save the file with the name map.cfg, and upload it to the storage media on the AC.

Configuring the AC

1.     Configure the AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to ap, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the serial ID of the AP, and click Apply.

Figure 121 Configuring the AP

 

2.     Configure wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the service name to dot1x, select the wireless service type Crypto, and click Apply.

Figure 122 Configuring a wireless service

 

3.     Configure local authentication:

After you create a wireless service, you will enter the wireless service configuration page. Select Local from the Authentication Mode list.

Figure 123 Configuring local client authentication

 

4.     Configure 802.1X authentication:

After you create a wireless service, the wireless service configuration page appears.

a.     In the Security Setup area, select the Open-System from the Authentication Type list.

b.     Select the Cipher Suite box, select AES from the Cipher Suite list, and select WPA2 from the Security IE list.

c.     Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.

d.     Select cams from the Mandatory Domain list. Make sure the mandatory authentication domain and the ISP domain in the configuration file are the same.

e.     Select EAP from the Authentication Method list.

f.     Disable Handshake and Multicast Trigger (recommended).

g.     Click Apply.

Figure 124 Security setup

 

5.     Enable the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Select the dot1x box.

c.     Click Enable.

Figure 125 Enabling the wireless service

 

6.     Enable remote AP and download the configuration file to the AP:

a.     Select AP > AP Setup from the navigation tree.

b.     Click the icon_mdf icon for the target AP in the list.

The page for configuring an AP appears.

c.     Expand Advanced Setup, set the configuration file to map.cfg, and select Enable from the Remote AP list.

d.     Click Apply.

Figure 126 Enabling remote AP

 

7.     Bind an AP radio to the wireless service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the icon_bind icon for the wireless service dot1x.

c.     Select the box for the AP with the radio mode 802.11n(2.4GHz).

d.     Click Bind.

Figure 127 Binding an AP radio to a wireless service

 

8.     Enable 802.11n(2.4GHz) radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the box for the AP with the radio mode 802.11n(2.4GHz).

c.     Click Enable.

Figure 128 Enabling 802.11n(2.4GHz) radio

 

9.     Verify the configuration:

The AP performs 802.1X authentication on clients through the RADIUS server regardless of whether the AC-AP connection is up. When the connection is up, select Summary > Client from the navigation tree on the AC to view detailed client information. The Local field in the output shows that the AP authenticates the clients.

Policy-based forwarding configuration example

Network requirements

Configure policy-based forwarding so that both the centralized forwarding mode and the local forwarding mode can be achieved for one SSID.

Figure 129 Network diagram

 

Adding commands to the configuration file of the AP

acl number 3000

 rule 0 permit icmp icmp-type echo

acl ipv6 number 3001

 rule 0 permit icmpv6 icmp6-type echo-request

 

undo user-profile aaa enable

user-profile aaa

 wlan forwarding-policy us

user-profile aaa enable

Configuring the authentication server

Configure the shared key 12345678, add the username and password of the client, and make sure the user scheme name is aaa. (Details not shown.)

Configuring the AC

1.     Configure forwarding policy st:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the Forwarding Policy tab.

c.     Click Add.

d.     On the page that appears, create a forwarding policy st as described in Figure 130.

e.     Click Apply.

Figure 130 Creating a forwarding policy (1)

 

2.     Configure forwarding policy us:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the Forwarding Policy tab.

c.     Click Add.

d.     On the page that appears, create forwarding policy us as described in Figure 131.

e.     Click Apply.

Figure 131 Creating a forwarding policy (2)

 

3.     Configure 802.1X authentication method:

See "Remote 802.1X authentication configuration example."

4.     Download the configuration file to the AP:

a.     Select AP > AP Setup from the navigation tree, click the icon_mdf icon for the target AP.

b.     Click Advanced Setup, and specify the configuration file as ACL.cfg.

c.     Click Apply.

Figure 132 Downloading the configuration file to the AP

 

5.     Apply the forwarding policy to the access service:

a.     Select Wireless Service > Access Service from the navigation tree.

b.     Click the icon_mdf icon for the target wireless service.

c.     Select the forwarding mode Forwarding Policy Based, specify the forwarding policy as st, select the packet format 802.3, and click Apply.

Figure 133 Applying the forwarding policy to the access service

 

6.     Apply the forwarding policy to the user profile:

a.     Select Authentication > User from the navigation tree.

b.     Click the User Profile tab.

c.     Click Add.

d.     Click Apply.

e.     On the page that appears, select the box of the user profile, and click Enable.

Figure 134 Specifying the user profile name

 

Verifying the configuration

The forwarding policy applied to the user profile has a higher priority than the one applied to the access service, so forwarding policy us takes effect.

·     Use an IPv4 client to ping the IP address that connects the AP to the AC. The ICMP packet matches ACL 3000 and is forwarded by the AC. Before the CAPWAP encapsulation, the AP transfers 802.11 frames to 802.3 frames.

·     Use an IPv6 client to ping the IP address that connects the AP to the AC. The ICMPv6 packet matches ACL 3001 and is forwarded by the AP.
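The verification above combines two rules: the policy bound to the client's user profile overrides the one applied to the access service, and within a policy each packet is matched against the ACLs in order to pick the forwarder. As an added example that is not part of this guide, the following Python model (constructed packet summaries and assumed helper names) encodes ACL 3000 and ACL 3001 from the AP configuration file and resolves the forwarder for a packet. The entries of policies st and us are assumptions, since the guide shows them only in Figure 130 and Figure 131: us sends ACL 3000 matches to the AC and ACL 3001 matches to the AP, and both policies fall back to a default forwarder that is also assumed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the ACLs here look at."""
    ip_version: int          # 4 or 6
    protocol: str            # "icmp", "icmpv6", "tcp", "udp"
    icmp_type: str = ""      # "echo", "echo-request", "echo-reply", ...


@dataclass(frozen=True)
class AclRule:
    ip_version: int
    protocol: str
    icmp_type: Optional[str] = None   # None matches any ICMP type

    def matches(self, pkt: Packet) -> bool:
        return (pkt.ip_version == self.ip_version
                and pkt.protocol == self.protocol
                and (self.icmp_type is None or pkt.icmp_type == self.icmp_type))


# The two ACLs from the AP configuration file in this example.
ACLS = {
    3000: [AclRule(4, "icmp", "echo")],            # rule 0 permit icmp icmp-type echo
    3001: [AclRule(6, "icmpv6", "echo-request")],  # rule 0 permit icmpv6 icmp6-type echo-request
}


@dataclass
class ForwardingPolicy:
    """Ordered (ACL number, forwarder) pairs; the first ACL that matches the
    packet decides, otherwise the policy's default forwarder applies."""
    name: str
    entries: List[Tuple[int, str]]
    default_forwarder: str

    def decide(self, pkt: Packet) -> str:
        for acl_number, forwarder in self.entries:
            if any(rule.matches(pkt) for rule in ACLS.get(acl_number, [])):
                return forwarder
        return self.default_forwarder


# Assumed contents: st is the service-level policy, us is the user-profile policy.
POLICY_ST = ForwardingPolicy("st", [], "AC")
POLICY_US = ForwardingPolicy("us", [(3000, "AC"), (3001, "AP")], "AP")


def effective_policy(service_policy: ForwardingPolicy,
                     user_profile_policy: Optional[ForwardingPolicy]) -> ForwardingPolicy:
    """The policy bound to the client's user profile takes priority over the
    policy applied to the access service."""
    return user_profile_policy if user_profile_policy is not None else service_policy


def forwarding_decision(pkt: Packet,
                        service_policy: ForwardingPolicy = POLICY_ST,
                        user_profile_policy: Optional[ForwardingPolicy] = POLICY_US) -> Tuple[str, str]:
    """Return (policy name that applied, forwarder: "AC" or "AP")."""
    policy = effective_policy(service_policy, user_profile_policy)
    return policy.name, policy.decide(pkt)


if __name__ == "__main__":
    print(forwarding_decision(Packet(4, "icmp", "echo")))            # ('us', 'AC')
    print(forwarding_decision(Packet(6, "icmpv6", "echo-request")))  # ('us', 'AP')
```

The model makes the two verification steps explicit: an IPv4 echo request is forwarded by the AC because it matches ACL 3000 in policy us, an IPv6 echo request by the AP because it matches ACL 3001, and a client without a user profile (or with the profile disabled) falls back to policy st.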


Configuring mesh services

Support for mesh services depends on the device model. For more information, see "About the H3C Access Controllers Web-Based Configuration Guide."

A WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. Also, you can establish multi-hop wireless links between APs. In these ways, a WLAN mesh network differs from a traditional WLAN.

Mesh overview

Basic concepts in WLAN mesh

Figure 135 Typical WLAN mesh network

 

As shown in Figure 135, the concepts involved in WLAN mesh are described below.

 

Concept

Description

Access controller (AC)

Device that controls and manages all the APs in the WLAN.

Mesh point (MP)

Wireless AP that connects to a mesh portal point (MPP) through a wireless connection but cannot have any client attached.

Mesh access point (MAP)

AP providing the mesh service and the access service concurrently.

Mesh portal point (MPP)

Wireless AP that connects to an AC through a wired connection.

Mesh link

Wireless link between MPs.

 

Advantages of WLAN mesh

The WLAN mesh technology allows operators to easily deploy wireless networks anywhere and anytime. WLAN mesh offers the following advantages:

·     High performance/price ratio—In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to a minimum, and the investment in wired devices, cabling, and installation is also reduced.

·     Excellent scalability—In a mesh network, the APs automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you only need to install the new APs and perform the related configurations.

·     Fast deployment—Only the MPPs need to connect to a wired network, so WLAN mesh reduces the network deployment time.

·     Various application scenarios—The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also to large warehouse, port, MAN, railway transportation, and crisis communication networks.

·     High reliability—In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP lose access to the WLAN. In a mesh network, by comparison, all APs are fully meshed. A mesh AP has multiple available wireless links to reach a portal node in the wired network, which effectively avoids single points of failure.

Deployment scenarios

This section includes WLAN mesh deployment scenarios.

Normal fit MP scenario

As shown in Figure 136, two mesh networks are controlled by the same AC. At least one MPP in a mesh has wired connectivity with the AC. When an MP comes up, it scans the network and forms temporary connections with all available MPs in its vicinity. These temporary connections allow the MP to connect to the AC to download its configurations. After downloading its configurations from the AC, the MP will establish secure connections with neighbors sharing the same pre-shared key.

Figure 136 Normal fit MP scenario

 

One fit MP with two radios, each on a different mesh

As shown in Figure 137, to avoid cross-interruption between Mesh 1 and Mesh 2, you can configure two radios for an MP, each of which is present in a different mesh network. The only constraint is that both meshes must be managed by the same AC.

Figure 137 Two radios on different meshes

 

One fit MP with two radios on the same mesh

As shown in Figure 138, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio 1 can provide access for downstream MPs. Radio 2 cannot automatically access the mesh and provide the mesh service.

Figure 138 Two radios on different meshes

 

Subway WLAN mesh deployment

In a subway system, control information must be sent to trains to effectively manage trains and provide various services to passengers.

As shown in Figure 139, a subway WLAN mesh solution has fit MPs deployed both on the train and along the rail, all managed by the same AC. A train MP continuously scans for new rail MPs, and sets up active/dormant links with the rail MPs that have the best signal quality. The active mesh link is used for data transmission, and the dormant mesh link acts as the backup link.

Figure 139 Subway WLAN mesh deployment

 

H3C developed a proprietary protocol named Mobile Link Switch Protocol (MLSP) to support the subway WLAN mesh deployment. This protocol provides high-speed link switching with zero packet loss while the train is moving. H3C has adopted the IEEE 802.11s standard as the underlying protocol for link information and communication between train MPs and rail MPs. Train MPs are not required to act as authenticators.

WLAN mesh security

A WLAN uses the air as its communication medium, so it is exposed to malicious attacks. In a mesh network, a wireless connection passes through multiple hops, so a mesh network is exposed in the same way. WLAN mesh security is therefore an essential part of a WLAN mesh network. Security involves the encryption algorithms and the distribution and management of keys. A PSK + AES + CCMP combination is used for securing mesh networks.

Mobile link switch protocol

At any given time, an active link must be available between a rail MP and a train MP for data communication. MLSP was developed to create and break links while the train is moving.

As shown in Figure 140, when the train is moving, it must break the existing active link with rail MP 2 and create a new active link with another rail MP.

Figure 140 Diagram for MLSP

 

·     Active link—Logical link through which all data communication from/to a train MP happens. Forward all data sent from or to the rail MP.

·     Dormant link—Logical link over which no data transfer happens, but it meets all the criteria for becoming an active link.

MLSP advantages

·     MLSP makes sure the link switch time is less than 30 milliseconds.

·     MLSP operates correctly even if the devices get saturated at high power level.

·     MLSP achieves zero packet loss during link switch.

MLSP operation

MLSP establishes multiple links at any given time between a train MP and multiple rail MPs to provide link redundancy, thus ensuring high performance and good robustness for the network.

The following parameters are considered by MLSP for link switch. Depending on the deployment, all of these parameters are tunable to achieve the best results.

·     Link formation RSSI/link hold RSSI—This is the minimum RSSI required for a link to be formed and held. Therefore, this minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error rate can be very high.

·     Link switch margin—If the RSSI of a new link exceeds that of the current active link by the link switch margin, an active link switch occurs. This mechanism avoids frequent link switches.

·     Link hold time—An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism avoids frequent link switches.

·     Link saturation RSSI—This is the upper limit of RSSI on the active link. If the value is reached, link switch occurs.

Formation of dormant links

A train MP performs active scanning to find neighboring rail MPs by sending probe requests at a very high rate. Based on probe responses received, the train MP forms a neighbor table.

After that, the train MP creates dormant links with rail MPs that have an RSSI value greater than the link formation RSSI.

Selection of active link

A train MP selects the active link from dormant links based on the following rules:

1.     If no dormant link is available, the active link cannot be formed.

2.     Active link switch will not happen within the link hold time, except the following two conditions:

¡     Condition 1—The active link RSSI exceeds the link saturation RSSI.

¡     Condition 2—The active link RSSI is below the link hold RSSI.

3.     When the link hold timer expires, if no dormant link has RSSI greater than the active link RSSI by the link switch margin, link switch does not happen.

4.     In normal scenarios, an active link switch happens when all of the following conditions are met:

¡     The link hold timer expires.

¡     The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.

¡     The dormant link RSSI is not greater than the link saturation RSSI.

5.     Once the RSSI of the active and dormant links has gone below the link hold RSSI, the links should be broken. However, to ensure service availability in the worst case, if the active link RSSI has gone below the link hold RSSI and no dormant links exist, the active link is not broken.
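The five rules above, together with the parameter definitions under "MLSP operation" and the dormant-link formation rule, describe one decision procedure that a train MP runs on every scan. As an added example that is not part of this guide or of H3C's implementation, the following Python function (assumed names; the RSSI values in the usage section are constructed) applies those rules once and reports which rule decided, so you can check how a chosen set of thresholds behaves before tuning them on the rail. It covers the edge cases the text calls out: a saturated active link (condition 1), an active link that has dropped below the hold RSSI (condition 2), and the rule 5 exception where a weak active link is kept because no dormant link exists.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MlspParams:
    """Tunable MLSP thresholds (dBm); the values used below are constructed."""
    link_hold_rssi: int        # link formation RSSI / link hold RSSI
    link_switch_margin: int    # dB a dormant link must exceed the active link by
    link_saturation_rssi: int  # upper limit of RSSI on the active link


@dataclass
class Link:
    rail_mp: str
    rssi: int


def form_dormant_links(neighbors: List[Tuple[str, int]], p: MlspParams) -> List[Link]:
    """Build dormant links from the probe-response neighbor table: only rail
    MPs whose RSSI is greater than the link formation RSSI qualify."""
    return [Link(name, rssi) for name, rssi in neighbors if rssi > p.link_hold_rssi]


def _best(links: List[Link]) -> Link:
    return max(links, key=lambda link: link.rssi)


def mlsp_step(active: Optional[Link], dormant: List[Link], p: MlspParams,
              hold_timer_expired: bool) -> Tuple[Optional[Link], List[Link], str]:
    """Apply the active-link selection rules once and return
    (new active link, remaining dormant links, the rule that decided)."""
    # Rule 5: dormant links whose RSSI fell below the link hold RSSI are broken.
    dormant = [link for link in dormant if link.rssi >= p.link_hold_rssi]

    if active is None:                                   # Rule 1
        if not dormant:
            return None, [], "rule 1: no dormant link, no active link"
        new = _best(dormant)
        return new, [link for link in dormant if link is not new], "rule 1: first active link"

    if active.rssi < p.link_hold_rssi:
        if not dormant:                                  # Rule 5 exception
            return active, [], "rule 5: weak active link kept, no dormant link"
        new = _best(dormant)                             # Condition 2 ignores the hold timer
        return new, [link for link in dormant if link is not new], "condition 2: active below hold RSSI"

    # A dormant link above the saturation RSSI is never promoted (rule 4).
    usable = [link for link in dormant if link.rssi <= p.link_saturation_rssi]
    if active.rssi > p.link_saturation_rssi and usable:  # Condition 1 ignores the hold timer
        new = _best(usable)
        return new, [link for link in dormant if link is not new] + [active], "condition 1: active link saturated"

    if not hold_timer_expired:                           # Rule 2
        return active, dormant, "rule 2: within link hold time"

    # Rule 4: a dormant link must beat the active link by the switch margin.
    candidates = [link for link in usable if link.rssi - active.rssi >= p.link_switch_margin]
    if not candidates:                                   # Rule 3
        return active, dormant, "rule 3: no dormant link beats the margin"
    new = _best(candidates)
    return new, [link for link in dormant if link is not new] + [active], "rule 4: switched"


if __name__ == "__main__":
    params = MlspParams(link_hold_rssi=-80, link_switch_margin=6, link_saturation_rssi=-30)
    dormant = form_dormant_links([("rail3", -56), ("rail4", -50), ("rail9", -90)], params)
    active = Link("rail2", -60)
    for expired in (False, True):
        new_active, remaining, why = mlsp_step(active, dormant, params, expired)
        print(expired, new_active, [link.rail_mp for link in remaining], why)
```

With the constructed thresholds, rail4 (10 dB better than the active link) is promoted only after the hold timer expires, while rail3 (4 dB better) never is, which is exactly the anti-flapping behaviour the margin and hold time are meant to produce.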

Mesh network topologies

The mesh feature supports the following three topologies. Mesh is implemented through configuration of a peer MAC address for each AP. For more information, see "Configuring a peer MAC address."

Point to point connection

In this topology, by configuring the peer MAC address for an AP, you can determine the mesh link to be formed.

Figure 141 Mesh point to point topology

 

Point to multi-point connection

In this topology, a centralized bridging device forms wireless links with multiple MPs to bridge data among multiple LAN segments. As shown below, data transferred between different LAN segments goes via AP 1.

Figure 142 Mesh point to multi-point topology

 

Self topology detection and bridging connection

In this topology, MPs automatically detect neighbors and form wireless links to provide wireless connectivity between LAN segments, as shown in Figure 143. Loops can easily occur in this topology. You can use mesh routes to selectively block redundant links to eliminate loops, and those links serve as backups when the active mesh links fail.

Figure 143 Self topology detection and bridging

 

Configuring mesh service

Configuring mesh service

Creating a mesh service

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Service tab.

Figure 144 Configuring mesh service

 

3.     Click Add.

Figure 145 Creating a mesh service

 

4.     Configure the mesh service as described in Table 18.

5.     Click Apply.

Table 18 Configuration items

Item

Description

Mesh Service Name

Name of the created mesh service.

 

Configuring a mesh service

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Service tab.

3.     Click the icon_mdf icon for the target mesh service.

Figure 146 Configuring mesh service

 

4.     Configure the mesh service as described in Table 19.

5.     Click Apply.

Table 19 Configuration items

Item

Description

Mesh Service

Display the selected mesh service name.

VLAN (Tagged)

Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag.

VLAN (Untagged)

Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the ports send the traffic of the VLAN with the VLAN tag removed.

Default VLAN

Set the default VLAN.

By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Exclude VLAN

Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

Mesh Route

Enable or disable mesh route selection algorithm:

·     Disable—Disable the mesh route selection algorithm.

·     Enable—Enable the mesh route selection algorithm.

By default, the mesh route selection algorithm is enabled.

Link Keep Alive Interval

Configure the mesh link keep-alive interval.

Link Backhaul Rate

Configure the backhaul radio rate.

Security Configuration

Pass Phrase

Enter the pre-shared key as a character string.

Raw Key

Enter the pre-shared key as hexadecimal digits.

Preshared Key

Pre-shared key, which takes one of the following values:

·     A string of 8 to 63 characters.

·     A valid hexadecimal number of 64 bits.

 

Binding an AP radio to a mesh service

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the  icon.

3.     Select the radio to be bound.

4.     Click Bind.

Figure 147 Binding an AP radio to a mesh service

 

Enabling a mesh service

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Service tab.

Figure 148 Enabling a mesh service

 

3.     Select the mesh service to be enabled.

4.     Click Enable.

Displaying detailed information about a mesh service

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Service tab.

3.     Click a mesh service to see its detailed information.

Figure 149 Displaying detailed mesh service information

 

Table 20 Field description

Field

Description

Mesh Profile Number

Mesh service number.

Mesh ID

Mesh ID of the mesh service.

Binding Interface

Mesh interface bound to the mesh service.

MKD Service

MKD service status:

·     Enable—The MKD service is enabled.

·     Disable—The MKD service is disabled.

Link Keep Alive Interval

Interval to send keep-alive packets.

Link Backhaul Rate

Link backhaul rate.

Mesh Profile Status

Mesh service status:

·     Enable—The mesh service is enabled.

·     Disable—The mesh service is disabled.

 

Configuring a mesh policy

Creating a mesh policy

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Service tab.

Figure 150 Mesh policy configuration page

 

3.     Click Add.

Figure 151 Creating a mesh policy

 

4.     Configure the mesh policy as described in Table 21.

5.     Click Apply.

Table 21 Configuration items

Item

Description

Mesh Policy Name

Name of the created mesh policy.

The created mesh policies use the contents of the default mesh policy default_mp_plcy.

 

Configuring a mesh policy

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Policy tab.

3.     Click the icon_mdf icon for the target mesh policy.

Figure 152 Configuring a mesh policy

 

4.     Configure the mesh policy as described in Table 22.

5.     Click Apply.

Table 22 Configuration items

Item

Description

Mesh Policy

Displays the name of the created mesh policy.

Link establishment

By default, link initiation is enabled.

IMPORTANT:

·     Disable this feature when you configure an MP policy for a rail AP.

·     This function can only be disabled on train MPs in subway WLAN mesh deployment.

Minimum time to hold a link

Set the link hold time.

An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switches.

Maximum number of links

Set the maximum number of links that an MP can form in a mesh network.

IMPORTANT:

If more than two mesh links are configured on an AP, set the maximum number of links that an MP can form accordingly.

Minimum rssi to hold a link

Set the link formation/link hold RSSI (received signal strength indicator).

This is the minimum RSSI at which a link can be formed and held. Therefore, the RSSI must stay at or above this minimum at any given point in the tunnel. Otherwise, the error rate can be very high.

Minimum margin rssi

Set the link switch margin.

If the RSSI of the new link is greater than that of the current active link by the link switch margin, an active link switch occurs. This mechanism is used to avoid frequent link switches.

Maximum rssi to hold a link

Set link saturation RSSI.

This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch will occur.

Interval between probe requests

Set the probe request interval.

Role as authenticator

By default, whether or not a device plays the role of an authenticator is based on negotiation results.

ratemode

·     fixed—This is the default mode. The rate adopted is of a fixed value. It is the maximum rate of the current radio.

·     realtime—The rate adopted changes with the link quality. The rate changes with the change of the RSSI of the current radio.

MLSP

The Mobile Link Switch Protocol (MLSP) implements high-speed link switch with zero packet loss during train movement. It is only applicable to subway WLAN mesh deployment.

Proxy MAC Address

Select the Proxy MAC Address option to specify the MAC address of the peer device.

Proxy VLAN

VLAN ID of the peer device.
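The link hold RSSI, link switch margin, link saturation RSSI and link hold time in Table 22 interact when an MP decides whether to keep or switch its active link. The following added example (not H3C code) models that decision from the table's descriptions; the policy values, peer names and RSSI samples are constructed, and the assumption that a saturation switch is not delayed by the hold time is noted in the code.

```python
"""Mesh link hold/switch decision driven by the mesh policy items in Table 22.
Added example, not H3C code. RSSI values are in whatever unit the AC reports;
all policy values and link samples are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MeshPolicy:
    hold_rssi: int         # Minimum rssi to hold a link (form/hold floor)
    switch_margin: int     # Minimum margin rssi (new link must beat active by this)
    saturation_rssi: int   # Maximum rssi to hold a link (active link upper limit)
    hold_time_ms: int      # Minimum time to hold a link


@dataclass
class Link:
    peer: str              # constructed peer MP identifier
    rssi: int
    up_since_ms: int = 0   # time at which this link became the active link


def can_hold(policy: MeshPolicy, rssi: int) -> bool:
    """A link can be formed or held only at or above the hold RSSI."""
    return rssi >= policy.hold_rssi


def best_candidate(policy: MeshPolicy, candidates: List[Link],
                   exclude: Optional[str] = None) -> Optional[Link]:
    """Strongest eligible neighbour, optionally excluding the active peer."""
    eligible = [c for c in candidates if can_hold(policy, c.rssi) and c.peer != exclude]
    return max(eligible, key=lambda c: c.rssi, default=None)


def choose_link(policy: MeshPolicy, active: Optional[Link],
                candidates: List[Link], now_ms: int) -> Optional[str]:
    """Return the peer the MP should be linked to after this decision round.

    Rules taken from Table 22:
      * below the hold RSSI the active link cannot be held and is dropped;
      * reaching the saturation RSSI forces a switch (ASSUMPTION: the switch is
        not delayed by the hold time; the page does not say either way);
      * within the hold time the margin rule is suppressed;
      * otherwise switch only if a candidate beats the active link by the margin.
    """
    if active is None or not can_hold(policy, active.rssi):
        best = best_candidate(policy, candidates)
        return best.peer if best else None
    alt = best_candidate(policy, candidates, exclude=active.peer)
    if alt is None:
        return active.peer                      # nothing else to switch to
    if active.rssi >= policy.saturation_rssi:
        return alt.peer                         # chipset saturated: switch
    if now_ms - active.up_since_ms < policy.hold_time_ms:
        return active.peer                      # hold time suppresses margin rule
    if alt.rssi > active.rssi + policy.switch_margin:
        return alt.peer                         # margin exceeded: switch
    return active.peer


if __name__ == "__main__":
    policy = MeshPolicy(hold_rssi=10, switch_margin=5, saturation_rssi=70, hold_time_ms=5000)
    active = Link("rail-mp-1", rssi=30, up_since_ms=0)
    neighbours = [active, Link("rail-mp-2", rssi=36)]
    print(choose_link(policy, active, neighbours, now_ms=6000))
```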

 

Binding an AP radio to a mesh policy

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Policy tab.

3.     Click the icon_bind button for the target mesh policy.

4.     Select the AP radio to be bound.

5.     Click Bind.

Displaying detailed information about a mesh policy

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Policy tab.

3.     Click a mesh policy to see its detailed information.

Figure 153 Displaying detailed mesh policy information

 

Table 23 Field description

Field

Description

MP Policy Name

Name of the mesh policy.

Mesh Link Initiation

Whether link initiation is enabled or not.

Mlsp

Mobile Link Switch Protocol (MLSP) status:

·     Enable—MLSP is enabled.

·     Disable—MLSP is disabled.

Authenticator Role

Authenticator role status:

·     Enable—The authenticator role is enabled.

·     Disable—The authenticator role is disabled.

Max Links

Maximum number of links on a device using this mesh policy.

Probe Request Interval (ms)

Interval between probe requests sent by a device using this mesh policy.

Link Hold RSSI

Link hold RSSI.

Link Hold Time (ms)

Link hold time.

Link Switch Margin

Link switch margin.

Link saturation RSSI

Link saturation RSSI.

Link rate-mode

Method of calculating the link cost:

·     Fixed—The mesh interface rate is fixed.

·     Real-time—The mesh interface rate changes with the RSSI in real time.

 

Mesh global setup

Mesh basic setup

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Global Setup tab.

Figure 154 Configuring basic mesh settings

 

3.     Configure the basic mesh settings as described in Table 24.

4.     Click Apply.

Table 24 Configuration items

Item

Description

MKD-ID

Make sure the MAC address configured is unused and has the correct vendor specific part.

The MAC address of an AC should not be configured as the MKD ID.

Dynamic Channel Select:

·     Manual—Select one-time dynamic channel selection (DFS) and click Apply to enable it. In manual mode, if no mesh network is manually specified when the next calibration interval is reached, the AC refreshes the radio information of all mesh networks that it manages and displays it on the Radio Info tab of the Mesh Channel Optimize page. You can view the radio information and select the mesh networks for which one-time DFS will be performed on the Mesh Channel Optimize tab. To have the AC perform DFS for the mesh network again, you must make this configuration again.

·     Auto—Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks where the working channels of the radios are automatically selected. With auto-DFS enabled, the AC makes DFS decisions automatically at each calibration interval.

·     Close—Close DFS. At the next calibration interval, the radio information and channel switching information on the Mesh Channel Optimize page are cleared.

By default, DFS for a mesh network is disabled.

IMPORTANT:

Before enabling auto or one-time DFS for a mesh network, make sure auto mode is selected for the working channel of radios in the mesh network. For the related configuration, see "Configuring radios."

 

Enabling mesh portal service

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Global Setup tab.

Figure 155 Enabling mesh portal service

 

3.     Select the AP for which mesh portal service is to be enabled.

4.     Click Enable.

Configuring a working channel

You can configure a working channel by using one of the following methods.

No matter which method is used, as soon as an AP detects radar signals on its working channel, the AP and every AP with which it has established a mesh link switch to another available working channel.

In some countries, most available channels on the 802.11a band are radar channels, so H3C recommends that you use the auto mode to establish mesh links on the 802.11a band.

Manual

1.     Select Radio > Radio from the navigation tree, and click the  icon for the target AP.

Figure 156 Configuring a radio

 

2.     On the page that appears, select a specified channel from the Channel list.

3.     Click Apply.

 

 

NOTE:

Specify a working channel for the radios of the MAP and the MPP, and make sure the radio of the MAP and the radio of the MPP use the same working channel.

 

Auto

Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically negotiated when a WDS link is established between the MPP and MAP.

 

 

NOTE:

If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically selected working channel is a non-radar channel.

 

Enabling radio

1.     Select Radio > Radio from the navigation tree.

Figure 157 Enabling a radio

 

2.     Select the radio mode to be enabled.

3.     Click Enable.

Configuring a peer MAC address

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click icon_bind.

3.     Select the AP radio to be bound, and click the icon_mdf icon.

Figure 158 Configuring a peer MAC address

 

4.     Configure the peer MAC address as described in Table 25.

5.     Click Apply.

Table 25 Configuration items

Item

Description

Peer MAC Address

The mesh feature supports three topologies. For more information, see "Mesh network topologies." The mesh feature is implemented through configuration of peer MAC addresses for each AP.

cos

Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is automatically calculated by STP.

You can view the cost of the mesh link on the page shown in Figure 158.

 

Configuring mesh DFS

Displaying radio information

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Channel Optimize tab.

3.     Click the specified mesh network, and click the Radio Info tab.

Figure 159 Displaying radio information

 

Displaying channel switch information

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Channel Optimize tab.

3.     Click the mesh network, and then select the Channel Switch Info tab to view the channel switching information.

Figure 160 Displaying mesh channel switching information

 

 

NOTE:

·     If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the Mesh Channel Optimize page, the Channel Optimize button is grayed out, and you cannot perform the operation.

·     If you select manual DFS on the Global Setup tab, select mesh networks where DFS will be performed, and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration interval. In manual mode, DFS is performed one time.

 

Table 26 Field description

Field

Description

AP

AP name in the mesh network.

Radio

Radio of the AP.

Chl(After/Before)

Channels before and after channel optimization.

Date(yyyy-mm-dd)

Date, in the format of yyyy-mm-dd.

Time(hh:mm:ss)

Time, in the format of hh:mm:ss.

 

Displaying the mesh link status

Mesh link monitoring

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Link Info tab.

Figure 161 Displaying the mesh link monitoring information

 

You can monitor the mesh link status in real-time on the mesh link monitoring page.

Mesh link test

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Link Test tab.

Figure 162 Displaying mesh link test information

 

3.     Select the box of the target AP.

4.     Click Begin.

WLAN mesh configuration example

Network requirements

As shown in Figure 163, establish a mesh link between the MAP and the MPP.

Configure 802.11n (5GHz) on the MAP so that the client can access the network.

1.     Establish a mesh link between the MPP and the MAP by following these steps:

¡     Configure MAP and MPP—Select AP > AP Setup from the navigation tree, and click Add to configure the MAP and MPP. For more information, see "Create an MAP and MPP."

¡     Configure mesh service—After creating a mesh service and configuring a pre-shared key, you can bind the mesh service to the AP and enable the mesh service. For more information, see "Create a mesh service."

¡     Configure a mesh policy—A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP. For more information, see "(Optional) Configure a mesh policy."

¡     Mesh global setup—Configure an MKD-ID (which exists by default), and enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."

¡     Configure the same working channel, and enable the radio. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP."

2.     Configure 802.11n (2.4GHz) service on the MAP to enable the client to access the WLAN network. For more information, see "Wireless service configuration example."

Figure 163 Network diagram

 

Configuring the AC

1.     Create an MAP and MPP:

a.     Select AP> AP Setup from the navigation tree.

b.     Click Add.

c.     On the page that appears, set the AP name to map, select the AP model WA3628i-AGN, select Manual from the Serial ID list, enter the AP serial ID, and click Apply.

Figure 164 Configuring an AP

 

d.     Configure MPP by following the same steps.

2.     Create a mesh service:

a.     Select Wireless Service > Mesh Service from the navigation tree.

b.     Click the Mesh Service tab.

c.     Click Add.

d.     On the page that appears, set the mesh service name to outdoor and click Apply.

After completing mesh service configuration, you enter the page shown in Figure 166.

Figure 165 Creating a mesh service

 

Figure 166 Configuring a pre-shared key

 

e.     Select Pass Phrase, and set the pre-shared key to 12345678.

f.     Click Apply.

3.     Bind a radio to the mesh service:

a.     Select Wireless Service > Mesh Service from the navigation tree.

b.     Click the  icon for the mesh service outdoor.

c.     Select the AP radios to be bound.

d.     Click Bind.

Figure 167 Binding an AP radio to a mesh service

 

4.     Enable the mesh service:

a.     Select Wireless Service > Mesh Service from the navigation tree.

Figure 168 Enabling the mesh service

 

b.     Select the mesh service to be enabled.

c.     Click Enable.

5.     (Optional) Configure a mesh policy.

 

 

NOTE:

By default, the default mesh policy default_mp_plcy already exists. You can create a mesh policy and bind the mesh policy to an AP as needed. By default, the default_mp_plcy mesh policy is mapped to an AP.

 

6.     Configure mesh service globally:

a.     (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global Setup tab to enter the mesh global setup page and set the MKD-ID. (By default, the MKD-ID exists.)

b.     Select the MPP that has wired connectivity with the AC to enable mesh portal service.

c.     Click Enable.

Figure 169 Configuring mesh portal service

 

7.     Configure the same working channel and enable the radio on the MAP and MPP:

a.     Select Radio > Radio from the navigation tree.

b.     Click the icon_mdf icon for the target MAP.

Figure 170 Configuring the working channel

 

c.     Select the channel 153 to be used from the Channel list.

d.     Click Apply.

You can follow this step to configure the working channel for the MPP. The working channel of the radio on the MPP must be the same as the working channel of the radio on the MAP.

8.     Enable radio:

a.     Select Radio > Radio from the navigation tree.

b.     Select the radio modes to be enabled for the MAP and MPP.

c.     Click Enable.

Figure 171 Enabling radio

 

Verifying the configuration

·     The mesh link between the MAP and the MPP has been established, and they can ping each other.

·     After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the mesh link.

Subway WLAN mesh configuration example

Network requirements

·     As shown in Figure 172, all rail MPs are connected to an AC.

·     Configure WLAN mesh so that the train MP can form links with rail MPs during movement.

Subway WLAN mesh configuration is basically the same as normal WLAN mesh configuration. Follow these guidelines when configuring subway WLAN mesh:

1.     Create a rail AP mesh policy:

¡     Disable the link initiation function. For more information, see "Configuring a mesh policy."

¡     Enable mesh portal service. For more information, see "Enabling mesh portal service."

2.     Create a train AP mesh policy.

¡     Enable MLSP.

¡     Configure MLSP proxy VLAN information and MAC address.

¡     Disable Role as authenticator. For more information, see "Configuring a mesh policy."

¡     Set the maximum number of links that an MP can form in a mesh network (the default value is 2). For more information, see "Configuring a mesh policy."

Figure 172 Network diagram

 

Configuring the AC

Subway mesh configuration differs from normal WLAN mesh configuration in the mesh policy configuration of rail APs and train APs. Other configurations are the same. For more information, see "WLAN mesh configuration example."

Mesh point-to-multipoint configuration example

Network requirements

AP 1 operates as an MPP, and establishes a mesh link with AP 2, AP 3, AP 4, and AP 5.

The mesh configuration is the same as the normal WLAN mesh configuration.

Figure 173 Network diagram

 

Configuration guidelines

·     Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2 through AP 5 on AP 1, and configure the MAC address of only AP 1 on AP 2 through AP 5.

·     Set the maximum number of links that an MP can form in a mesh network (the default value is 2; it must be set to 4 in this example). For more information, see "Configuring a mesh policy."
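The point-to-multipoint guidelines above (each side configures the other's peer MAC address, and the MPP's Max Links must be raised from the default of 2) and the MKD-ID rules in Table 24 (an unused MAC that is not the AC's address) are easy to get wrong silently. The following added example (not H3C code) checks an intended mesh configuration offline before it is entered; the AP names, MAC addresses and policy values are constructed.

```python
"""Consistency checks for mesh peer-MAC configuration and the MKD-ID.
Added example, not H3C code. All MAC addresses and AP names are constructed."""
import re
from typing import Dict, Iterable, List


def normalize_mac(mac: str) -> str:
    """Accept aabb-ccdd-eeff, aa:bb:cc:dd:ee:ff or aa-bb-... forms; return 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def check_mkd_id(mkd_id: str, ac_mac: str, ap_macs: Iterable[str]) -> List[str]:
    """Findings for the MKD-ID per Table 24; an empty list means it passes."""
    findings = []
    mkd = normalize_mac(mkd_id)
    if int(mkd[:2], 16) & 0x01:               # I/G bit set: not a usable unicast MAC
        findings.append("MKD-ID is a multicast address")
    if mkd == normalize_mac(ac_mac):
        findings.append("MKD-ID equals the AC MAC address")
    if mkd in {normalize_mac(m) for m in ap_macs}:
        findings.append("MKD-ID is already used by an AP")
    return findings


def check_peer_topology(ap_macs: Dict[str, str], peers: Dict[str, List[str]],
                        max_links: Dict[str, int]) -> List[str]:
    """ap_macs: AP name -> its MAC; peers: AP name -> Peer MAC Address entries
    configured on that AP's radio; max_links: AP name -> Max Links in its policy."""
    mac_to_ap = {normalize_mac(m): name for name, m in ap_macs.items()}
    findings = []
    for ap, plist in peers.items():
        norm = [normalize_mac(p) for p in plist]
        if len(norm) > max_links[ap]:
            findings.append(f"{ap}: {len(norm)} peers configured but Max Links is {max_links[ap]}")
        for p in norm:
            peer = mac_to_ap.get(p)
            if peer is None:
                findings.append(f"{ap}: peer {p} is not a known AP")
            elif peer == ap:
                findings.append(f"{ap}: lists its own MAC as a peer")
            elif normalize_mac(ap_macs[ap]) not in {normalize_mac(q) for q in peers.get(peer, [])}:
                findings.append(f"{ap} -> {peer}: peer MAC not configured in reverse on {peer}")
    return findings


# Constructed sample matching the point-to-multipoint example: AP 1 is the MPP.
SAMPLE_AP_MACS = {f"AP {i}": f"000f-e201-000{i}" for i in range(1, 6)}
SAMPLE_PEERS = {"AP 1": [SAMPLE_AP_MACS[f"AP {i}"] for i in range(2, 6)]}
SAMPLE_PEERS.update({f"AP {i}": [SAMPLE_AP_MACS["AP 1"]] for i in range(2, 6)})
DEFAULT_MAX_LINKS = {ap: 2 for ap in SAMPLE_AP_MACS}        # page default is 2

if __name__ == "__main__":
    for line in check_peer_topology(SAMPLE_AP_MACS, SAMPLE_PEERS, DEFAULT_MAX_LINKS):
        print(line)
    print(check_mkd_id("000f-e2ff-0001", "000f-e2ab-cd01", SAMPLE_AP_MACS.values()))
```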

Configuring mesh point-to-multipoint

Mesh configuration in this example is the same as normal WLAN mesh configuration. For more information, see "Configuring the AC."

Mesh DFS configuration example

Network requirements

·     As shown in Figure 174, establish an 802.11n(5GHz) mesh link between the MAP and MPP. The working channel is automatically selected.

·     Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions are met on the channel.

Figure 174 Network diagram

 

Configuration guidelines

The mesh configuration in this example is similar to a common wireless mesh configuration. Follow these guidelines when you configure mesh DFS:

·     Configure the working channel mode of the radios that provide mesh services as auto.

·     Do not configure any wireless service on radios that provide mesh services.

Configuration procedure

The mesh configuration is the same as the normal WLAN mesh configuration. For configuration procedures, see "WLAN mesh configuration example." Perform the following operations after completing mesh configuration:

1.     (Optional) Set a calibration interval:

a.     Select Radio > Calibration from the navigation tree.

b.     Click the Parameters tab.

c.     On the page that appears, enter the calibration interval 3 and click OK.

Figure 175 Setting mesh calibration interval

 

2.     Configure mesh DFS:

a.     Select Wireless Service > Mesh Service from the navigation tree.

b.     Click the Global Setup tab.

c.     On the page that appears, select the Manual box for Dynamic Channel Select.

d.     Click Apply.

Figure 176 Configuring mesh DFS

 

3.     Enable one time DFS for the mesh network:

a.     Select Wireless Service > Mesh Service from the navigation tree.

b.     Click the Mesh Channel Optimize tab.

c.     Select the outdoor mesh network.

d.     Click Channel Optimize.

Figure 177 Configuring one-time mesh DFS

 

Verifying the configuration

After the next calibration interval, you can view the channel switching information:

1.     Select Wireless Service > Mesh Service from the navigation tree.

2.     Click the Mesh Channel Optimize tab.

3.     Click the Channel Info tab.

4.     Select the target mesh network to display the radio information.

Figure 178 Displaying mesh channel switching information

 
