05-WLAN Access Configuration Guide

H3C FAT AP Configuration Guide(R5436)-6W101
01-WLAN access configuration

Contents

Configuring WLAN access
About WLAN access
WLAN access process
Scanning
Association
Client access control
Whitelist- and blacklist-based access control
ACL-based access control
Client mode
About the client mode
Hardware compatibility with the client mode
WLAN access tasks at a glance
Configuring wireless services
Configuring a service template
Configuring a description for a service template
Setting an SSID
Setting the maximum number of associated clients on a radio for a service template
Enabling a service template
Binding a service template to a radio interface
Configuring client data forwarding
Configuring client management
Enabling quick association
Specifying the Web server to which client information is reported
Enabling generation of client logs in the specified format
Setting the aging timer for the cache of clients
Setting the idle period before client reauthentication
Enabling smart client access
Configuring client maintenance
Setting the client idle timeout
Configuring client keepalive
Performing a wireless link quality test
Setting the NAS ID
Setting the NAS port type
Configuring client association ratio optimization
Configuring client access control
Adding a client to the whitelist
Adding a client to the static blacklist
Configuring the dynamic blacklist
Configuring ACL-based access control
Disabling an AP from responding to broadcast probe requests
Configuring the client mode
Tasks at a glance
Enabling the client mode
Disconnecting the AP from the WLAN
Connecting the AP to the WLAN
Enabling auto roaming
Enabling roaming enhancement
Setting the roaming RSSI threshold and gap threshold
Setting the roaming calibration interval
Setting the roaming scanning interval
Setting the scanning aging count for BSS entries
Enabling beacon-based AP keepalive
Enabling probe response-based AP keepalive
Set the minimum RSSI threshold for BSS recording
Set the link hold RSSI for the current link
Setting the retransmission interval and maximum number of retransmission attempts for authentication and association requests
Enabling SNMP notifications for WLAN access
Display and maintenance commands for WLAN access
WLAN access configuration examples
Example: Configuring WLAN access
Example: Configuring whitelist-based access control
Example: Configuring static blacklist-based access control
Example: Configuring client mode
Example: Configuring roaming enhancement


Configuring WLAN access

About WLAN access

Wireless access is provided by APs deployed at the edge of a wired network. The APs connect to the uplink through wired connections and provide wireless access services to downlink clients.

WLAN access process

A wireless client can access a WLAN only when it completes the scanning, link layer authentication, association, and WLAN authentication processes.

For more information about data link layer authentication, see WLAN Security Configuration Guide. For more information about WLAN authentication, see User Access and Authentication Configuration Guide.

Figure 1 WLAN access process

Scanning

Active scanning

A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from received probe responses. Based on whether a probe request carries an SSID, active scanning can be divided into the following types:

·     Active scanning of all wireless networks.

As shown in Figure 2, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response that carries the available wireless network information. The client associates with the optimal AP.

Figure 2 Scanning all wireless networks

·     Active scanning of a specific wireless network.

As shown in Figure 3, the client periodically sends a probe request carrying the specified SSID or the SSID of the wireless network it has been associated with. When an AP that can provide wireless services with the specified SSID receives the probe request, it sends a probe response.

Figure 3 Scanning a specific wireless network

Passive scanning

As shown in Figure 4, the clients periodically listen for beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Then the clients select an AP for association. Passive scanning is used when clients want to save power.

Figure 4 Passive scanning

Association

A client sends an association request to the associated AP after passing data link layer authentication. Upon receiving the request, the AP determines the capability supported by the wireless client and sends an association response to the client. Then the client is associated with the AP.

Client access control

The following client access control methods are available:

·     Whitelist- and blacklist-based access control—Uses the whitelist and blacklists to control client access.

·     ACL-based access control—Uses ACL rules bound to APs or service templates to control client access.

Whitelist- and blacklist-based access control

You can configure the whitelist or blacklists to filter frames from clients for client access control.

Whitelist-based access control

The whitelist contains the MAC addresses of all clients allowed to access the WLAN. Frames from clients not in the whitelist are discarded. This list is manually configured.

Blacklist-based access control

The following blacklists are available for access control:

·     Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.

·     Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. An AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients. The entries in the list are removed when the aging time expires. For more information about WIPS, see WLAN Security Configuration Guide. For more information about WLAN MAC authentication, see User Access and Authentication Configuration Guide.

Working mechanism

When the AP receives an association request, the AP performs the following operations to determine whether to permit the client:

1.     Searches the whitelist:

¡     If the client MAC address does not match any entry in the whitelist, the client is rejected.

¡     If a match is found, the client is permitted.

2.     Searches the static and dynamic blacklists if no whitelist entries exist:

¡     If the client MAC address matches an entry in either blacklist, the client is rejected.

¡     If no match is found, or no blacklist entries exist, the client is permitted.

Figure 5 Whitelist- and blacklist-based access control

ACL-based access control

This feature controls client access by using ACL rules bound to an AP or a service template.

Upon receiving an association request from a client, the device performs the following actions:

·     Allows the client to access the WLAN if a match is found and the rule action is permit.

·     Denies the client's access to the WLAN if no match is found or the matched rule has a deny statement.
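The admission decision described above, modeled in Python as an added example (not H3C code). It also applies two rules stated later in this guide: a bound ACL takes precedence over the lists, and dynamic blacklist entries age out after 300 seconds by default. Assumptions: ACL rules are evaluated in order with the first match deciding, mask bits that are set must match, and the class, function and MAC values are constructed for illustration.

```python
from dataclasses import dataclass, field


def mac_int(mac):
    """Parse H-H-H, colon or hyphen MAC notation into a 48-bit integer."""
    digits = "".join(ch for ch in mac if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class AclRule:
    action: str                   # "permit" or "deny"
    mac: str                      # source MAC address to compare
    mask: str = "ffff-ffff-ffff"  # assumption: bits set in the mask must match

    def matches(self, client):
        mask = mac_int(self.mask)
        return (client & mask) == (mac_int(self.mac) & mask)


@dataclass
class AccessPolicy:
    acl: list = None                                       # None: no ACL bound
    whitelist: set = field(default_factory=set)
    static_blacklist: set = field(default_factory=set)
    dynamic_blacklist: dict = field(default_factory=dict)  # MAC -> expiry time
    lifetime: int = 300                                    # guide default (s)

    def add(self, list_name, mac):
        """Add a MAC to 'whitelist' or 'static_blacklist'."""
        getattr(self, list_name).add(mac_int(mac))

    def flag_dynamic(self, mac, now):
        """Create a dynamic blacklist entry (as WIPS would) that ages out."""
        self.dynamic_blacklist[mac_int(mac)] = now + self.lifetime

    def decide(self, mac, now=0):
        """Return (permitted, reason) for an association request."""
        client = mac_int(mac)
        if self.acl is not None:
            # A bound ACL takes precedence; the lists are not consulted.
            for rule in self.acl:  # assumption: first matching rule wins
                if rule.matches(client):
                    return rule.action == "permit", f"acl: {rule.action}"
            return False, "acl: no rule matched"
        if self.whitelist:
            # Any whitelist entry makes the whitelist the only list in effect.
            if client in self.whitelist:
                return True, "whitelist match"
            return False, "not in whitelist"
        if client in self.static_blacklist:
            return False, "static blacklist"
        expiry = self.dynamic_blacklist.get(client)
        if expiry is not None:
            if now < expiry:
                return False, "dynamic blacklist"
            del self.dynamic_blacklist[client]  # entry has aged out
        return True, "no list matched"


# Constructed, locally administered sample addresses.
PRINTER, GUEST, ROGUE = "0200-0000-0001", "0200-0000-0002", "0200-0000-00ff"


def demo():
    results = {}
    lists_only = AccessPolicy()
    lists_only.add("static_blacklist", ROGUE)
    lists_only.flag_dynamic(GUEST, now=0)
    results["rogue, static blacklist"] = lists_only.decide(ROGUE, now=10)
    results["guest, before aging"] = lists_only.decide(GUEST, now=299)
    results["guest, after aging"] = lists_only.decide(GUEST, now=300)

    with_whitelist = AccessPolicy()
    with_whitelist.add("whitelist", PRINTER)
    with_whitelist.flag_dynamic(PRINTER, now=0)  # flagged, yet whitelisted
    results["flagged but whitelisted"] = with_whitelist.decide(PRINTER, now=10)
    results["guest, whitelist active"] = with_whitelist.decide(GUEST, now=10)

    deny_only = AccessPolicy(acl=[AclRule("deny", ROGUE)])
    deny_only.add("whitelist", PRINTER)
    results["deny-only ACL"] = deny_only.decide(PRINTER)
    deny_only.acl.append(AclRule("permit", "0000-0000-0000", "0000-0000-0000"))
    results["ACL with permit-all"] = deny_only.decide(PRINTER)
    results["rogue, ACL"] = deny_only.decide(ROGUE)
    return results


if __name__ == "__main__":
    for case, (permitted, reason) in demo().items():
        print(f"{case:26} {'permit' if permitted else 'reject':7} {reason}")
```

Two cases are worth checking against a real deployment: a dynamic blacklist entry has no effect on a whitelisted client once any whitelist entry exists, and an ACL that contains only deny rules rejects every client.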

Client mode

About the client mode

The client mode enables a fat AP to access a WLAN as a client to provide wired network access for devices without wireless network adapters.

As shown in Figure 6, when the client mode is enabled on radio interface 1 of AP 2, the PC and the printer connected to AP 2 through wired connection can access the WLAN provided by AP 1. Radio interface 2 on AP 2 can still provide wireless access for the client.

Figure 6 Client mode

Hardware compatibility with the client mode

| Hardware series | Model | Client mode compatibility |
|---|---|---|
| WA6600 series | WA6628E-T | No |
| WA5600 series | WA5630X, WA5620E-T | Yes |
| WA5500 series | WA5530, WA5530i, WA5530X, WA5530S, WA5530-SI, WA5530-LI, WA5510E-T | Yes |
| WA5300 series | WA5340, WA5320i, WA5320i-LI, WA5320X, WA5320X-LI, WA5320X-E, WA5320X-SI, WA5340 | Yes |
| UAP300 series | UAP300 | Yes |
| WAP723 series | WAP723-W2 | Yes |
| WAP722 series | WAP722X-W2 | Yes |
| | WAP722XS-W2 | Yes |

| Hardware series | Model | Client mode compatibility |
|---|---|---|
| WA5600 series | WA538, WA536, WA5330, WA530X | Yes |

WLAN access tasks at a glance

To configure WLAN access, perform the following tasks:

1.     Configuring wireless services

¡     Configuring a service template

¡     (Optional.) Configuring a description for a service template

¡     Setting an SSID

¡     (Optional.) Setting the maximum number of associated clients on a radio for a service template

¡     Enabling a service template

¡     Binding a service template to a radio interface

2.     (Optional.) Configuring client data forwarding

3.     (Optional.) Configuring client management

¡     Enabling quick association

¡     Specifying the Web server to which client information is reported

¡     Enabling generation of client logs in the specified format

¡     Setting the aging timer for the cache of clients

¡     Setting the idle period before client reauthentication

¡     Enabling smart client access

4.     (Optional.) Configuring client maintenance

¡     Setting the client idle timeout

¡     Configuring client keepalive

¡     Performing a wireless link quality test

¡     Setting the NAS ID

¡     Setting the NAS port type

¡     Configuring client association ratio optimization

5.     (Optional.) Configuring client access control

¡     Adding a client to the whitelist

¡     Adding a client to the static blacklist

¡     Configuring the dynamic blacklist

¡     Configuring ACL-based access control

6.     (Optional.) Disabling an AP from responding to broadcast probe requests

7.     (Optional.) Configuring the client mode

8.     (Optional.) Enabling SNMP notifications for WLAN access

Configuring wireless services

Configuring a service template

About this task

A service template defines a set of wireless service attributes, such as SSID and authentication method.

Procedure

1.     Enter system view.

system-view

2.     Create a service template.

wlan service-template service-template-name

By default, no service template exists.

3.     (Optional.) Assign clients coming online through the service template to the specified VLAN.

vlan vlan-id

By default, clients are assigned VLAN 1 after coming online through a service template.

Configuring a description for a service template

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Configure a description for the service template.

description text

By default, no description is configured for a service template.

Setting an SSID

About this task

APs advertise SSIDs in beacon frames. If the number of clients in a BSS exceeds the limit or the BSS is unavailable, you can enable SSID-hidden to prevent clients from discovering the BSS. When SSID-hidden is enabled, the BSS hides its SSID in beacon frames and does not respond to broadcast probe requests. A client must send probe requests with the specified SSID to access the WLAN. This feature can protect the WLAN from being attacked.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Set an SSID for the service template.

ssid ssid-name

By default, no SSID is set for a service template.

4.     (Optional.) Enable SSID-hidden in beacon frames.

beacon ssid-hide

By default, beacon frames carry SSIDs.

Setting the maximum number of associated clients on a radio for a service template

About this task

Perform this task to limit the associated client quantity on a radio to avoid overload. With this feature configured, new clients cannot access the WLAN and the SSID is hidden when the maximum number is reached on a radio.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Set the maximum number of associated clients on a radio for the service template.

client max-count max-number

By default, the number of associated clients on a radio for a service template is not limited.

Enabling a service template

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Enable the service template.

service-template enable

By default, a service template is disabled.

Binding a service template to a radio interface

Restrictions and guidelines

You can bind a maximum of 16 service templates to a radio interface.

Procedure

1.     Enter system view.

system-view

2.     Enter WLAN-Radio interface view.

interface wlan-radio interface-number

3.     Bind a service template to the radio interface.

service-template service-template-name

By default, no service template is bound to a radio interface.

Configuring client data forwarding

About this task

Perform this task to specify how APs that use the specified service template handle data packets from unknown clients: drop the packets and deauthenticate the clients, or drop the packets only.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Specify the method for APs to process traffic from unknown clients.

unknown-client [ deauthenticate | drop ]

By default, APs drop packets from unknown clients and deauthenticate these clients.

Configuring client management

Enabling quick association

About this task

Enabling band navigation might affect client association efficiency. For delay-sensitive services or in an environment where band navigation is not needed, you can enable quick association for a service template.

Quick association disables band navigation on clients associated with the service template. The device will not perform band navigation even if the feature is enabled in the WLAN.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Enable quick association.

quick-association enable

By default, quick association is disabled.

Specifying the Web server to which client information is reported

About this task

Perform this task to enable the device to report client information, such as client MAC address, associated AP, and association time, to the specified Web server through HTTP. The Web server accepts client information only when the server's host name, port number, and path are specified.

Procedure

1.     Enter system view.

system-view

2.     Specify the host name and port number of the Web server.

wlan web-server host host-name port port-number

By default, the host name and port number of the Web server are not specified.

3.     Specify the path of the Web server.

wlan web-server api-path path

By default, the path of the Web server is not specified.

4.     (Optional.) Set the maximum number of client entries that can be reported at a time.

wlan web-server max-client-entry number

By default, a maximum of ten client entries can be reported at a time.

Enabling generation of client logs in the specified format

About this task

The device supports client logs in the following formats:

·     H3C—Logs AP name, radio ID, client MAC address, SSID, BSSID, and client online status. By default, the device generates client logs only in H3C format.

·     Normal—Logs AP MAC address, AP name, client IP address, client MAC address, SSID, and BSSID.

·     Sangfor—Logs AP MAC address, client IP address, and client MAC address.

This feature enables the device to generate client logs in normal or sangfor format and send the logs to the information center. Log destinations are determined by the information center settings. For more information about the information center, see System Management Configuration Guide.

This feature does not affect generation of client logs in the H3C format.

Procedure

1.     Enter system view.

system-view

2.     Enable the device to generate client logs in the specified format.

customlog format wlan { normal | sangfor }

By default, the device generates client logs only in the H3C format.

Setting the aging timer for the cache of clients

About this task

The cache of a client saves the PMK list, access VLAN, and other authorized information for the client. If an offline client comes online again before the aging timer expires, it can inherit all information in its cache for fast roaming. If the client does not come online before the aging timer expires, the device clears the client cache.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Set the aging timer for the cache of clients.

client cache aging-time aging-time

By default, the aging timer for the cache of clients is 180 seconds.

Setting the idle period before client reauthentication

About this task

When URL redirection for WLAN MAC authentication is enabled, an AP redirects clients whose information is not recorded on the RADIUS server to the specified URL for Web authentication. Clients passing Web authentication are logged off and must perform MAC reauthentication to come online. However, MAC reauthentication fails if the IP addresses assigned to the clients have not expired.

Perform this task to add these clients to the dynamic blacklist for the specified idle period after they pass Web authentication to reduce reauthentication failures.

Procedure

1.     Enter system view.

system-view

2.     Set the idle period before client reauthentication.

wlan client reauthentication-period [ period-value ]

By default, the idle period is 10 seconds.

Enabling smart client access

About this task

This feature enables H3C wireless clients to access the WLAN automatically when the AKM mode is set to PSK or when the radio is bound to an empty service template.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Enable smart client access.

client smart-access enable

By default, smart client access is disabled.

Configuring client maintenance

Setting the client idle timeout

About this task

If an online client does not send any frames to the associated AP before the client idle timeout timer expires, the AP logs off the client.

Procedure

1.     Enter system view.

system-view

2.     Set the client idle timeout.

wlan client idle-timeout timeout

By default, the client idle timeout is 3600 seconds.

Configuring client keepalive

About this task

This feature enables an AP to send keepalive packets to clients at the specified interval to determine whether the clients are online. If the AP does not receive any replies from a client within three keepalive intervals, it logs off the client.

Procedure

1.     Enter system view.

system-view

2.     Enable client keepalive.

wlan client keep-alive enable

By default, client keepalive is disabled.

3.     Set the client keepalive interval.

wlan client keep-alive interval interval

By default, the client keepalive interval is 300 seconds.

Performing a wireless link quality test

About this task

This feature enables an AP to test the quality of the link to a wireless client. The AP sends empty data frames to the client at each supported rate. Then it calculates link quality information such as RSSI, packet retransmissions, and RTT based on the responses from the client.

The timeout for a wireless link quality test is 10 seconds. If the wireless link test is not completed before the timeout expires, test results cannot be obtained.

Procedure

To perform a wireless link quality test, execute the wlan link-test mac-address command in user view.

Setting the NAS ID

About this task

A network access server identifier (NAS ID) or network access server port identifier (NAS port ID) identifies the network access server of a client and differentiates the source of client traffic.

Restrictions and guidelines

If you specify a NAS ID when binding a service template to a radio, the radio uses the NAS ID specified for the service template.

Procedure

1.     Enter system view.

system-view

2.     Set the format of NAS port IDs for clients.

wlan nas-port-id format { 2 | 4 }

By default, clients use format 2 to generate NAS port IDs.

3.     Enter global configuration view.

wlan global-configuration

4.     Set the NAS ID.

nas-id nas-id

By default, no NAS ID is set.

Setting the NAS port type

About this task

RADIUS requests carry the NAS port type attribute to indicate the type of the access port for 802.1X and MAC authentication clients.

Restrictions and guidelines

Make sure the service template has been disabled before you perform this task.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template

3.     Set the NAS port type.

nas-port-type value

By default, the NAS port type is WLAN-IEEE 802.11 with a code value of 19.

Configuring client association ratio optimization

About this task

This feature enables the device to recalculate the client association success ratio, association congestion ratio, and abnormal disassociation ratio by using the specified index to get smaller ratio values.

The client association success ratio is the number of successful client associations divided by the total number of client association attempts. The client association congestion ratio is the number of failed client associations caused by AP overloading divided by the total number of client association attempts. The client abnormal disassociation ratio is the number of abnormal disassociations divided by the sum of successful associations and online clients.

Procedure

1.     Enter system view.

system-view

2.     Enter global configuration view.

wlan association optimization value

By default, the index is 0. The device does not optimize client association ratios.

Configuring client access control

Adding a client to the whitelist

Restrictions and guidelines

When you add the first client to the whitelist, the system asks you whether to disconnect all online clients. Enter Y at the prompt to configure the whitelist.

Procedure

1.     Enter system view.

system-view

2.     Add a client to the whitelist.

wlan whitelist mac-address mac-address

Adding a client to the static blacklist

Restrictions and guidelines

You cannot add a client to both the whitelist and the static blacklist.

If the whitelist and blacklists are configured, only the whitelist takes effect.

Procedure

1.     Enter system view.

system-view

2.     Add a client to the static blacklist.

wlan static-blacklist mac-address mac-address

Configuring the dynamic blacklist

About this task

The AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients.

Entries in the dynamic blacklist are removed when the aging timer expires.

Restrictions and guidelines

The configured aging timer takes effect only on entries newly added to the dynamic blacklist.

If the whitelist and blacklists are configured, only the whitelist takes effect.

Procedure

1.     Enter system view.

system-view

2.     Set the aging timer for dynamic blacklist entries.

wlan dynamic-blacklist lifetime lifetime

By default, the aging timer is 300 seconds.

The aging timer for dynamic blacklist entries takes effect only on rogue client entries.

Configuring ACL-based access control

Restrictions and guidelines

The ACL-based access control configuration takes precedence over the whitelist and blacklist configuration. As a best practice, do not configure both ACL-based access control and whitelist- and blacklist-based access control on the same device.

If the specified ACL contains a deny statement, configure a permit statement for the ACL to permit all clients. If you do not do so, no clients can come online.

This feature supports only Layer 2 ACLs and can only use source MAC address as the match criterion. If you specify an ACL of another type, the configuration does not take effect.

Procedure

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Specify an ACL.

access-control acl acl-number

By default, no ACL is specified.

Disabling an AP from responding to broadcast probe requests

About this task

Broadcast probe requests do not carry any SSIDs. Upon receiving a broadcast probe request, an AP responds with a probe response that carries service information for the AP.

This feature enables clients that send unicast probe requests to the AP to associate with the AP more easily.

Procedure

1.     Enter system view.

system-view

2.     Disable the AP from responding to broadcast probe requests.

undo wlan broadcast-probe reply

By default, an AP responds to broadcast probe requests.

Configuring the client mode

Tasks at a glance

To configure the client mode, perform the following tasks:

1.     Establish or terminate the client mode connection

¡     Enabling the client mode

¡     Disconnecting the AP from the WLAN

¡     Connecting the AP to the WLAN

2.     (Optional.) Configure AP roaming in client mode

Choose one of the following tasks:

¡     Enabling auto roaming

¡     Enabling roaming enhancement

3.     (Optional.) Configure client mode parameters

¡     Setting the roaming RSSI threshold and gap threshold

¡     Setting the roaming calibration interval

¡     Setting the roaming scanning interval

¡     Setting the scanning aging count for BSS entries

¡     Enabling beacon-based AP keepalive

¡     Enabling probe response-based AP keepalive

¡     Set the minimum RSSI threshold for BSS recording

¡     Set the link hold RSSI for the current link

¡     Setting the retransmission interval and maximum number of retransmission attempts for authentication and association requests

Enabling the client mode

CAUTION:

Do not configure wireless access services or WDS services on a radio interface with the client mode enabled.

Restrictions and guidelines

A radio enabled with the client mode cannot provide wireless access services or WDS services.

Only one radio interface of an AP can be enabled with the client mode at a time.

Make sure the following VLANs are the same on the AP:

·     VLAN to which the radio interface with the client mode enabled belongs.

·     VLAN assigned to clients coming online through the service template bound to another radio interface.

·     VLAN to which the Ethernet ports belong.

To modify client mode configuration, first use the client-mode disconnect command to disconnect the client-mode AP from the WLAN.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Enable the client mode.

client-mode enable

By default, the client mode is disabled.

4.     (Optional.) Specify the authentication method for the AP.

client-mode authentication-method { open-system | shared-key | wpa2-psk }

By default, the authentication method is open-system.

Make sure the authentication method is the same for the client-mode AP and the WLAN for the AP to access.

For the client-mode AP to access a WLAN, make sure the RSN IE and PSK AKM mode have been configured for the WLAN if the authentication method is WPA2-PSK.

5.     (Optional.) Specify the cipher suite and the pre-shared key for the AP.

client-mode cipher-suite { ccmp | tkip | { wep40 | wep104 | wep128 } [ key-id key-id ] } key [ cipher | simple ] string

By default, no cipher suite and pre-shared key are specified for a client-mode AP.

Make sure the specified cipher suite and pre-shared key are the same as the cipher suite and pre-shared key for the WLAN to access.

6.     (Optional.) Assign the radio interface to a VLAN.

client-mode vlan vlan-id

By default, the radio interface enabled with the client mode is assigned to VLAN 1.

7.     Specify the SSID for the AP to associate with.

client-mode ssid ssid

By default, no SSID is specified for a client-mode AP to associate with.

The AP automatically associates with the SSID after you specify an SSID.
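An added example (not part of the H3C guide) that audits the client-mode uplink settings from this procedure, run on a weak configuration and on a corrected one. It uses only the commands and defaults stated above. The layout of the configuration listing, the function names, and the sample SSID, template name and key text are constructed assumptions.

```python
import re

WEAK_CIPHERS = {
    "wep40": "WEP is cryptographically broken",
    "wep104": "WEP is cryptographically broken",
    "wep128": "WEP is cryptographically broken",
    "tkip": "TKIP is deprecated; use ccmp",
}

# Constructed sample listings; the layout is an assumption.
WEAK_CONFIG = """\
#
interface WLAN-Radio1/0/1
 client-mode enable
 client-mode cipher-suite wep104 key cipher CONSTRUCTED-CIPHERTEXT
 client-mode ssid plant-floor
 service-template guest
#
interface WLAN-Radio1/0/2
 service-template guest
#
"""

HARDENED_CONFIG = """\
#
interface WLAN-Radio1/0/1
 client-mode enable
 client-mode authentication-method wpa2-psk
 client-mode cipher-suite ccmp key cipher CONSTRUCTED-CIPHERTEXT
 client-mode ssid plant-floor
#
interface WLAN-Radio1/0/2
 service-template guest
#
"""


def radio_blocks(config):
    """Split a configuration listing into {radio interface: [commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            m = re.match(r"interface\s+(wlan-radio\s*\S+)", line, re.I)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif line in ("", "#"):
            current = None
        elif current:
            blocks[current].append(line)
    return blocks


def option(cmds, prefix, default=None):
    """Return the first argument of the command that starts with prefix."""
    for cmd in cmds:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix):].split()[0]
    return default


def audit_client_mode(config):
    """Return {radio: [findings]} for each radio with the client mode enabled."""
    report = {}
    for radio, cmds in radio_blocks(config).items():
        if "client-mode enable" not in cmds:
            continue
        issues = []
        # The guide states that open-system is the default method.
        auth = option(cmds, "client-mode authentication-method", "open-system")
        cipher = option(cmds, "client-mode cipher-suite")
        if auth == "open-system":
            issues.append("uplink uses open-system authentication (the default)")
        elif auth == "shared-key":
            issues.append("shared-key authentication depends on WEP")
        elif auth == "wpa2-psk" and cipher is None:
            issues.append("wpa2-psk set but no cipher suite and pre-shared key")
        if cipher in WEAK_CIPHERS:
            issues.append(f"cipher suite {cipher}: {WEAK_CIPHERS[cipher]}")
        if option(cmds, "client-mode ssid") is None:
            issues.append("no client-mode ssid: the AP has no WLAN to join")
        template = option(cmds, "service-template")
        if template:
            # The CAUTION above forbids access services on a client-mode radio.
            issues.append(f"service template {template} bound to a client-mode radio")
        report[radio] = issues
    return report


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for radio, issues in audit_client_mode(cfg).items():
            print(name, radio, issues or "no findings")
```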

Disconnecting the AP from the WLAN

IMPORTANT:

This feature disables wireless services. Use it with caution.

Restrictions and guidelines

To modify client mode configuration, first disconnect the client-mode AP from the WLAN.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Disconnect the client-mode AP from the WLAN.

client-mode disconnect

Connecting the AP to the WLAN

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Connect the client-mode AP to the WLAN.

client-mode connect

Enabling auto roaming

About this task

This feature enables the AP to automatically roam to a wireless service that has the strongest RSSI in an ESS. This ensures wireless access performance.

Client-mode APs support the following roaming modes:

·     Quick roaming—An AP performs roaming when the RSSI gap between an optimal wireless service and the current wireless service exceeds the gap threshold.

·     Slow roaming—An AP performs roaming when the following conditions are met:

¡     The RSSI of the current wireless service is lower than the roaming RSSI threshold.

¡     The RSSI gap between an optimal wireless service and the current wireless service has exceeded the gap threshold.

Restrictions and guidelines

Make sure the client mode has been enabled before you perform this task.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Enable auto roaming for the client-mode AP.

client-mode roam { quick | slow }

By default, a client-mode AP cannot automatically roam in an ESS.

Enabling roaming enhancement

About this task

As shown in Figure 7, in an Automated Guided Vehicle (AGV) system, client-mode fat APs deployed on the vehicles provide wireless access to onboard devices not equipped with a wireless NIC. In this networking mode, each fat AP must scan the network for better links and transmit data at the same time, which might cause packet loss.

To resolve this issue, enable roaming enhancement on the fat AP to enable the 2.4G radio to scan the network and the 5G radio to transmit data.

Figure 7 AGV system network diagram

Restrictions and guidelines

Enable roaming enhancement on the 2.4G radio and enable client mode on the 5G radio. Make sure auto roaming has been disabled before you enable roaming enhancement.

Enable automatic channel selection on the 5G radio.

To ensure good performance, do not configure the 2.4G radio to provide wireless access services.

Enabling this feature triggers the fat AP to go offline and then come online again.

To use the client-mode disconnect command to disconnect the fat AP from the WLAN, you must first disable roaming enhancement on the AP.

For this feature to take effect, you must also configure it for the fit APs.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Enable roaming enhancement.

client-mode roam-enhance { quick | slow }

By default, roaming enhancement is disabled.

For more information about the quick and slow roaming types, see "Enabling auto roaming."

Setting the roaming RSSI threshold and gap threshold

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task. Disabling the client mode removes the threshold configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the roaming RSSI threshold and gap threshold.

client-mode roam rssi-threshold rssi-value [ gap gap-value ]

By default, both the roaming RSSI threshold and the gap threshold are 20.

Setting the roaming calibration interval

About this task

Perform this task to set the interval at which the fat AP triggers a roaming calibration. A short interval might result in frequent roaming, affecting network stability. A long interval might prevent the AP from switching to the optimal WLAN in time, affecting communication quality.

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task. Disabling the client mode removes the interval configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the roaming calibration interval.

client-mode roam calibration-interval interval

By default, the roaming calibration interval is 1000 milliseconds.

Setting the roaming scanning interval

About this task

Perform this task to set the interval at which the fat AP scans the network for beacon frames and probe responses. A short interval might result in frequent scanning, causing packet loss. A long interval might prevent the AP from discovering the optimal WLAN in time, affecting communication quality.

Restrictions and guidelines

If roaming enhancement is disabled, you can set the interval only on the radio enabled with the client mode. Disabling the client mode removes the interval configuration.

If roaming enhancement is enabled, you can set the interval only on the radio enabled with roaming enhancement. Disabling roaming enhancement removes the interval configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the roaming scanning interval.

client-mode roam scan-interval interval

By default, the roaming scanning interval is 5000 milliseconds.

Setting the scanning aging count for BSS entries

About this task

The fat AP generates an entry for each BSS detected through scanning. If the BSS cannot be detected again after the specified scanning intervals, the AP deletes the BSS entry.

If the fat AP is associated with the deleted BSS, the AP goes offline from the BSS and then comes online from another BSS.

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task. Disabling the client mode removes the aging count configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the scanning aging count for BSS entries.

client-mode roam scan-aging count

By default, the scanning aging count for BSS entries is 5.

Enabling beacon-based AP keepalive

About this task

This feature enables the fat AP to proactively connect to another radio if the AP fails to receive any beacon frame from the currently associated radio before the beacon keepalive timer expires.

The beacon keepalive time equals the keepalive interval multiplied by the keepalive count.

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task. Disabling the client mode removes the keepalive configuration.

As a best practice, set the beacon-based AP keepalive interval to a value twice the beacon sending interval or higher.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Enable beacon-based AP keepalive.

client-mode beacon-keepalive interval interval count count

By default, beacon-based AP keepalive is disabled.

Enabling probe response-based AP keepalive

About this task

This feature enables the fat AP to proactively connect to another radio if no probe response is received from the currently associated radio before the maximum number of probe request retransmission attempts is reached.

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task. Disabling the client mode removes the keepalive configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Configure probe response-based AP keepalive.

client-mode probe-keepalive [ interval interval retry retries ]

By default, probe response-based AP keepalive is enabled, the keepalive interval is 1000 milliseconds, and the maximum number of retransmission attempts is 5.

Setting the minimum RSSI threshold for BSS recording

About this task

Perform this task to set the minimum RSSI of a BSS that can be recorded. For a BSS that has been recorded, the AP determines that the BSS is not detected if the detected RSSI of the BSS does not reach the minimum threshold.

Restrictions and guidelines

If roaming enhancement is disabled, you can set the threshold only on the radio enabled with the client mode. Disabling the client mode removes the threshold configuration.

If roaming enhancement is enabled, you can set the threshold only on the radio enabled with roaming enhancement. Disabling roaming enhancement removes the threshold configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the minimum RSSI threshold for BSS recording.

client-mode min-record-rssi rssi

By default, the minimum RSSI threshold for BSS recording is 15.

Setting the link hold RSSI for the current link

About this task

Perform this task to set the minimum RSSI for the current link to be retained. If the current link's RSSI drops below the link hold RSSI, the fat AP goes offline and then comes online from another radio.

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the link hold RSSI for the current link.

client-mode link-hold-rssi rssi

By default, the link hold RSSI for the current link is 0. The AP does not switch to another link proactively when the current link's RSSI is low.

Setting the retransmission interval and maximum number of retransmission attempts for authentication and association requests

About this task

If the fat AP fails to receive any authentication or association response within the retransmission interval after the last retransmission, the AP tries to associate with another radio.

Restrictions and guidelines

Make sure the client mode has been enabled on the interface before you perform this task. Disabling the client mode removes the retransmission configuration.

Procedure

1.     Enter system view.

system-view

2.     Enter radio interface view.

interface wlan-radio interface-number

3.     Set the retransmission interval and maximum number of retransmission attempts for authentication and association requests.

client-mode access-retransmit interval interval [ count count ]

By default, the retransmission interval is 300 milliseconds and the AP does not retransmit authentication and association requests.

Enabling SNMP notifications for WLAN access

About this task

To report critical WLAN access events to an NMS, enable SNMP notifications for WLAN access. For WLAN access event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Choose the options to configure as needed:

¡     Enable SNMP notifications for client access.

snmp-agent trap enable wlan client

¡     Enable SNMP notifications for client audit.

snmp-agent trap enable wlan client-audit

By default, SNMP notifications are disabled.

Display and maintenance commands for WLAN access

For hardware compatibility of the following commands, see the command reference:

·     display wlan client-mode packet-statistics radio radio-id

·     display wlan client-mode radio

·     display wlan client-mode roam-enhance bss

·     display wlan client-mode roaming-state

·     display wlan client-mode ssid [ ssid ]

·     reset wlan client-mode packet-statistics radio radio-id

·     reset wlan client-mode roaming-state

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display WLAN radio interface information.

display interface wlan-radio [ interface-number ] [ brief ]

Display the number of online clients at the 2.4 GHz band and the 5 GHz band.

display wlan ap all client-number

Display the number of online clients and channel information for each radio.

display wlan ap all radio client-number

Display blacklist entries.

display wlan blacklist { dynamic | static }

Display basic service set (BSS) information.

display wlan bss { all | bssid bssid } [ verbose ]

Display client information.

display wlan client [ interface wlan-radio interface-number | mac-address mac-address | service-template service-template-name | vlan vlan-id ] [ verbose ]

Display information about client IPv6 addresses.

display wlan client ipv6

Display client online duration.

display wlan client online-duration [ verbose ]

Display client status information.

display wlan client status [ mac-address mac-address ] [ verbose ]

Display statistics about received and transmitted packets in client mode.

display wlan client-mode packet-statistics radio radio-id

Display information about the radio interface on which the client mode is enabled.

display wlan client-mode radio

Display information about BSSs detected in client mode.

display wlan client-mode roam-enhance bss

Display roaming state changes of the AP in client mode.

display wlan client-mode roaming-state

Display information about all detected SSIDs.

display wlan client-mode ssid [ ssid ]

Display service template information.

display wlan service-template [ service-template-name ] [ verbose ]

Display client statistics.

display wlan statistics client [ mac-address mac-address ]

Display client connection history.

display wlan statistics connect-history service-template service-template-name

Display service template statistics.

display wlan statistics service-template service-template-name

Display whitelist entries.

display wlan whitelist

Log off the specified client or all clients.

reset wlan client { all | mac-address mac-address }

Clear statistics about received and transmitted packets in client mode.

reset wlan client-mode packet-statistics radio radio-id

Clear information about BSSs detected in client mode.

reset wlan client-mode roaming-state

Remove the specified client or all clients from the dynamic blacklist.

reset wlan dynamic-blacklist [ mac-address mac-address ]

Clear client statistics.

reset wlan statistics client { all | mac-address mac-address }

Clear service template statistics.

reset wlan statistics service-template service-template-name

WLAN access configuration examples

Example: Configuring WLAN access

Network configuration

As shown in Figure 8, the switch acts as the DHCP server to assign IP addresses to the AP and the client. The AP provides wireless services with SSID trade-off.

Figure 8 Network diagram

Procedure

# Create service template service1, set the SSID to trade-off, and enable the service template.

<AP> system-view

[AP] wlan service-template service1

[AP-wlan-st-service1] ssid trade-off

[AP-wlan-st-service1] service-template enable

[AP-wlan-st-service1] quit

# Bind service template service1 to WLAN-Radio 1/0/1.

[AP] interface wlan-radio 1/0/1

[AP-WLAN-Radio1/0/1] undo shutdown

[AP-WLAN-Radio1/0/1] service-template service1

[AP-WLAN-Radio1/0/1] quit

Verifying the configuration

# Verify that the SSID is trade-off, and the service template is enabled.

[AP] display wlan service-template verbose

Service template name                            : service1

Description                                      : Not configured

SSID                                             : trade-off

SSID-hide                                        : Disabled

User-isolation                                   : Disabled

Service template status                          : Enabled

Maximum clients per BSS                          : Not configured

VLAN ID                                          : 3

AKM mode                                         : Not configured

Security IE                                      : Not configured

Cipher suite                                     : Not configured

TKIP countermeasure time                         : 0 sec

PTK life time                                    : 43200 sec

PTK rekey                                        : Enabled

GTK rekey                                        : Enabled

GTK rekey method                                 : Time-based

GTK rekey time                                   : 86400 sec

GTK rekey client-offline                         : Disabled

WPA3 status                                      : Disabled

Enhance-open status                              : Enabled

Enhanced-open transition-mode service-template   : N/A

User authentication mode                         : Bypass

Intrusion protection                             : Disabled

Intrusion protection mode                        : Temporary-block

Temporary block time                             : 180 sec

Temporary service stop time                      : 20 sec

Fail VLAN ID                                     : Not configured

Critical VLAN ID                                 : Not configured

802.1X handshake                                 : Disabled

802.1X handshake secure                          : Disabled

802.1X domain                                    : my-domain

MAC-auth domain                                  : Not configured

Max 802.1X users per BSS                         : 4096

Max MAC-auth users per BSS                       : 4096

802.1X re-authenticate                           : Disabled

Authorization fail mode                          : Online

Accounting fail mode                             : Online

Authorization                                    : Permitted

Key derivation                                   : SHA1

PMF status                                       : Disabled

Hotspot policy number                            : Not configured

Forwarding policy status                         : Disabled

Forwarding policy name                           : Not configured

Forwarder                                        : AP

FT status                                        : Disabled

QoS trust                                        : Port

QoS priority                                     : 0

BTM status                                       : Disabled

# Associate the client with the fat AP. (Details not shown.)

# Verify that the client can access the WLAN.

[AP] display wlan client service-template service1

Total number of clients: 1

 

MAC address    Username             AP name               R IP address      VLAN

0023-8933-223b N/A                  fatap                 1 3.0.0.3         3
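The verbose service-template output in this example lists the security-relevant settings of each service (AKM mode, security IE, cipher suite, PMF, intrusion protection, user isolation). The following added example, which is not part of the H3C guide, parses that output and flags those fields for review; the rule set is an assumed review policy, and the second template in the sample is constructed.

```python
# Added example: review 'display wlan service-template verbose' output.
# RULES is an assumed review policy, not an H3C recommendation.

# The first template repeats fields from the output shown above. The second is
# constructed; its value strings (PSK, RSN, CCMP, Optional) are assumptions.
SAMPLE = """\
[AP] display wlan service-template verbose
Service template name                            : service1
SSID                                             : trade-off
User-isolation                                   : Disabled
Service template status                          : Enabled
AKM mode                                         : Not configured
Security IE                                      : Not configured
Cipher suite                                     : Not configured
User authentication mode                         : Bypass
Intrusion protection                             : Disabled
PMF status                                       : Disabled

Service template name                            : service
SSID                                             : service1
User-isolation                                   : Enabled
Service template status                          : Enabled
AKM mode                                         : PSK
Security IE                                      : RSN
Cipher suite                                     : CCMP
User authentication mode                         : Bypass
Intrusion protection                             : Enabled
PMF status                                       : Optional
"""

# field -> (value that triggers a finding, note for the reviewer)
RULES = {
    "AKM mode": ("Not configured", "no AKM mode configured"),
    "Security IE": ("Not configured", "no security IE configured"),
    "Cipher suite": ("Not configured", "no cipher suite configured"),
    "PMF status": ("Disabled", "PMF is disabled"),
    "Intrusion protection": ("Disabled", "intrusion protection is disabled"),
    "User-isolation": ("Disabled", "user isolation is disabled"),
}


def parse_templates(text):
    """Return one dict of field -> value per service template in the output."""
    templates = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt lines and blank lines carry no field
        key, value = key.strip(), value.strip()
        if key == "Service template name":
            templates.append({})  # each template starts with its name
        if templates:
            templates[-1][key] = value
    return templates


def audit(template):
    """Return (field, note) pairs for an enabled template; [] if disabled."""
    if template.get("Service template status") != "Enabled":
        return []  # a disabled template is not offered to clients
    findings = []
    for field, (bad_value, note) in RULES.items():
        value = template.get(field)
        if value is None:
            findings.append((field, "field missing from output"))
        elif value.lower() == bad_value.lower():
            findings.append((field, note))
    return findings


def report(text):
    """Map each template name to its findings."""
    return {t["Service template name"]: audit(t) for t in parse_templates(text)}


if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for field, note in findings:
            print("  %-22s %s" % (field, note))
```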

Example: Configuring whitelist-based access control

Network configuration

As shown in Figure 9, configure the whitelist to permit only the client whose MAC address is 0000-000f-1211 to access the WLAN.

Figure 9 Network diagram

Procedure

# Add MAC address 0000-000f-1211 to the whitelist.

<AP> system-view

[AP] wlan whitelist mac-address 0000-000f-1211

Verifying the configuration

# Verify that MAC address 0000-000f-1211 is in the whitelist.

<AP> display wlan whitelist

Total number of clients: 1

 MAC addresses:

  0000-000f-1211

Example: Configuring static blacklist-based access control

Network configuration

As shown in Figure 10, configure the static blacklist to deny WLAN access to the client whose MAC address is 0000-000f-1211.

Figure 10 Network diagram

Procedure

# Add MAC address 0000-000f-1211 to the static blacklist.

<AP> system-view

[AP] wlan static-blacklist mac-address 0000-000f-1211

Verifying the configuration

# Verify that MAC address 0000-000f-1211 is in the static blacklist.

<AP> display wlan blacklist static

Total number of clients: 1

 MAC addresses:

  0000-000f-1211

Example: Configuring client mode

Network configuration

As shown in Figure 11, the client mode is enabled on radio interface 1 on AP 2. The printer and the PC are connected to the WLAN provided by AP 1 through the wired connection with AP 2.

Figure 11 Network diagram

Procedure

1.     Configure AP 1:

# Create service template service.

<AP1> system-view

[AP1] wlan service-template service

# Set the SSID to service1.

[AP1-wlan-st-service] ssid service1

# Set the AKM mode to PSK, and configure the plaintext string 12345678 as the pre-shared key.

[AP1-wlan-st-service] akm mode psk

[AP1-wlan-st-service] preshared-key pass-phrase simple 12345678

# Set the CCMP cipher suite, and enable the RSN IE in beacon and probe responses.

[AP1-wlan-st-service] cipher-suite ccmp

[AP1-wlan-st-service] security-ie rsn

# Enable the service template.

[AP1-wlan-st-service] service-template enable

[AP1-wlan-st-service] quit

# Bind the service template to WLAN-Radio 1/0/1.

[AP1] interface wlan-radio 1/0/1

[AP1-WLAN-Radio1/0/1] undo shutdown

[AP1-WLAN-Radio1/0/1] service-template service

[AP1-WLAN-Radio1/0/1] quit

2.     Configure AP 2:

# Create VLAN 2 and assign port GigabitEthernet 1/0/1 to VLAN 2.

<AP2> system-view

[AP2] vlan 2

[AP2-vlan2] port gigabitethernet 1/0/1

[AP2-vlan2] quit

# Enter radio interface view of WLAN-Radio 1/0/1.

[AP2] interface wlan-radio 1/0/1

# Enable the client mode.

[AP2-WLAN-Radio1/0/1] client-mode enable

# Set the authentication method to WPA2-PSK.

[AP2-WLAN-Radio1/0/1] client-mode authentication-method wpa2-psk

# Set the cipher suite to CCMP, and configure the plaintext string 12345678 as the pre-shared key.

[AP2-WLAN-Radio1/0/1] client-mode cipher-suite ccmp key simple 12345678

# Assign the radio interface to VLAN 2.

[AP2-WLAN-Radio1/0/1] client-mode vlan 2

# Specify the SSID for the client-mode AP to associate with as service1.

[AP2-WLAN-Radio1/0/1] client-mode ssid service1

[AP2-WLAN-Radio1/0/1] quit

3.     Configure the switch:

# Create VLAN 2, and assign ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 2.

<switch> system-view

[switch] vlan 2

[switch-vlan2] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3

[switch-vlan2] quit

Verifying the configuration

# Verify that the client mode is enabled on radio interface 1 and the AP is associated with SSID service1.

<Sysname> display wlan client-mode radio

Radio                          : 1

Mode                           : 802.11g

Authentication method          : WPA2-PSK

Cipher suite                   : AES-CCMP

Key (simple)                   : ********

WEP key ID                     : N/A

SSID                           : service1

BSSID                          : 6CF0-49CD-30BB

Status                         : Connected

Received data packets          : 1324939

Received management packets    : 34876

Sent data packets              : 46365

Discarded packets              : 38272

Rate(Rx/Tx)                    : 1 2 5.5 6 9 11 12 18 24 36 48 54

Online time                    : 0 days 0 hours 45 minutes 5 seconds

You can execute the ping command on the PC to verify network connectivity.

Example: Configuring roaming enhancement

Network configuration

As shown in Figure 12, AP 1 and AP 2 are fit APs associated with the AC to provide wireless access service for client-mode fat APs. AP 3 operates in client mode to provide wireless access for onboard devices that do not have a wireless NIC. Configure radio 1 (5 GHz) on AP 3 to access SSID agv and enable roaming enhancement on radio 2 (2.4 GHz) on AP 3.

Figure 12 Network diagram

Procedure

1.     Configure the AC:

# Create service template agv and set the SSID to agv. This service template is used for the wireless access of AP 3.

<AC> system-view

[AC] wlan service-template agv

[AC-wlan-st-agv] ssid agv

[AC-wlan-st-agv] service-template enable

[AC-wlan-st-agv] quit

# Create service template service and set the SSID to service. This service template is used for roaming enhancement and the wireless access of devices other than AP 3, for example, phones and iPads.

[AC] wlan service-template service

[AC-wlan-st-service] ssid service

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create AP ap1 and specify its serial ID.

[AC] wlan ap ap1 model WA5620i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC13C004126

# Configure radio 1 of AP ap1 to operate in channel 36, and bind service template agv to the radio.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 36

[AC-wlan-ap-ap1-radio-1] service-template agv

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

# Configure radio 2 of AP ap1 to operate in channel 1, enable roaming enhancement, and bind service template service to the radio.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] channel 1

[AC-wlan-ap-ap1-radio-2] service-template service

[AC-wlan-ap-ap1-radio-2] roam-enhance ssid agv

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP ap2 and specify its serial ID.

[AC] wlan ap ap2 model WA5620i-ACN

[AC-wlan-ap-ap2] serial-id 219801A0CNC13C0041328

# Configure radio 1 of AP ap2 to operate in channel 40, and bind service template agv to the radio.

[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] channel 40

[AC-wlan-ap-ap2-radio-1] service-template agv

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] quit

# Configure radio 2 of AP ap2 to operate in channel 6, enable roaming enhancement, and bind service template service to the radio.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] channel 6

[AC-wlan-ap-ap2-radio-2] service-template service

[AC-wlan-ap-ap2-radio-2] roam-enhance ssid agv

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

2.     Configure AP 3:

# Enter view of radio interface WLAN-Radio 1/0/1.

[AP3] interface wlan-radio 1/0/1

# Enable client mode.

[AP3-WLAN-Radio1/0/1] client-mode enable

# Specify SSID agv for the radio.

[AP3-WLAN-Radio1/0/1] client-mode ssid agv

[AP3-WLAN-Radio1/0/1] quit

# Enter view of radio interface WLAN-Radio 1/0/2.

[AP3] interface wlan-radio 1/0/2

# Add channels 1, 6, and 11 to the channel scanning whitelist.

[AP3-WLAN-Radio1/0/2] scan channel whitelist 1 6 11

# Enable roaming enhancement and set the roaming mode to quick.

[AP3-WLAN-Radio1/0/2] client-mode roam-enhance quick

[AP3-WLAN-Radio1/0/2] quit

Verifying the configuration

# Verify that you can view information about detected BSSs on AP 3.

<AP3> display wlan client-mode roam-enhance bss

Total number of BSSs: 2

BSSID          Time      MSec  RSSI AVER CHL  AGE SSID

84d9-3100-4b00 16:51:09  0244  37   36   36   5   agv

               16:51:08  0834  37                  

               16:51:08  0732  36

               16:51:08  0642  37

               16:51:09  0253  36

50da-00df-33e0 16:51:08  0802  45   45   40   5   agv

               16:51:08  0699  44

               16:51:08  0597  46

               16:51:08  0261  46

               16:51:09  0251  45
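The BSS table above can also be checked against the deployment: in this example SSID agv is bound only to radio 1 of ap1 (channel 36) and ap2 (channel 40). The following added example, which is not part of the H3C guide, parses the table, including its continuation rows, and reports any BSS advertising agv that is not in the expected inventory. The mapping of the two displayed BSSIDs to ap1 and ap2 is an assumption, and the third BSS in the sample is constructed.

```python
# Added example: parse 'display wlan client-mode roam-enhance bss' output and
# compare the detected BSSs with an expected inventory.
import re
from statistics import mean

BSSID_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)

# The first two BSSs are copied from the output above. The third BSS
# (0a1b-2c3d-4e5f) and the total of 3 are constructed for this example.
SAMPLE = """\
Total number of BSSs: 3
BSSID          Time      MSec  RSSI AVER CHL  AGE SSID
84d9-3100-4b00 16:51:09  0244  37   36   36   5   agv
               16:51:08  0834  37
               16:51:08  0732  36
               16:51:08  0642  37
               16:51:09  0253  36
50da-00df-33e0 16:51:08  0802  45   45   40   5   agv
               16:51:08  0699  44
               16:51:08  0597  46
               16:51:08  0261  46
               16:51:09  0251  45
0a1b-2c3d-4e5f 16:51:09  0101  52   52   44   5   agv
               16:51:08  0903  52
"""

# Assumption: these BSSIDs belong to radio 1 of ap1 and ap2. The channels
# (36 and 40) are the ones configured on the AC in this example.
EXPECTED = {"84d9-3100-4b00": 36, "50da-00df-33e0": 40}


def parse_bss(text):
    """Return one dict per BSS; continuation rows add RSSI samples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and BSSID_RE.match(tok[0]):
            # Full row: BSSID Time MSec RSSI AVER CHL AGE [SSID]
            entries.append({
                "bssid": tok[0].lower(),
                "aver": int(tok[4]),
                "channel": int(tok[5]),
                "age": int(tok[6]),
                "ssid": " ".join(tok[7:]),  # empty if no SSID is shown
                "samples": [int(tok[3])],
            })
        elif len(tok) == 3 and entries and tok[1].isdigit() and tok[2].isdigit():
            # Continuation row: Time MSec RSSI for the BSS above it
            entries[-1]["samples"].append(int(tok[2]))
    return entries


def unexpected(entries, inventory, ssid):
    """Return (bssid, reason) for BSSs advertising ssid outside the inventory."""
    findings = []
    for e in entries:
        if e["ssid"] != ssid:
            continue
        if e["bssid"] not in inventory:
            findings.append((e["bssid"], "BSSID not in inventory"))
        elif inventory[e["bssid"]] != e["channel"]:
            findings.append((e["bssid"], "channel %d, expected %d"
                             % (e["channel"], inventory[e["bssid"]])))
    return findings


if __name__ == "__main__":
    bss_list = parse_bss(SAMPLE)
    for e in bss_list:
        print("%s ch %d mean RSSI %.1f over %d samples"
              % (e["bssid"], e["channel"], mean(e["samples"]), len(e["samples"])))
    for bssid, reason in unexpected(bss_list, EXPECTED, "agv"):
        print("REVIEW", bssid, reason)
```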