10-High availability

HomeSupportResource CenterH3C Access Controllers Configuration Examples(V7)-6W10210-High availability
Table of Contents
Related Documents
08-OAuth-Based Portal MAC-Trigger Auth on a Local-Forwarding Dual-Link Backup Network Configuration Examples

 

H3C Access Controllers

Comware 7 OAuth-Based Portal MAC-trigger Authentication on a Local-Forwarding Dual-Link Backup Network Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example of configuring OAuth-based portal MAC-trigger authentication on a local-forwarding dual-link backup network.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of WLAN high availability, AAA, portal MAC-trigger authentication, and WLAN access.

Example: Configuring OAuth-based portal MAC-trigger authentication on a local-forwarding dual-link backup network

Network configuration

As shown in Figure 1:

·     The AP and the client obtain IP addresses from the DHCP server.

·     The network deploys an IMC server as the portal authentication server, portal Web server, MAC binding server, and RADIUS server.

Configure the devices to meet the following requirements:

·     The ACs operate in active/standby mode. When AC 1 (the master AC) fails, the AP associates with AC 2 (the backup AC). When AC 1 recovers, the AP re-associates with AC 1.

·     The ACs use a service template to provide OAuth-based portal MAC-trigger authentication for the client. Before passing the authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources. If the client goes offline and then attempts to come online again, the client does not need to enter the username and password.

·     The AP forwards the client traffic locally.

·     The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.

·     The RADIUS server can dynamically change user authorization information or forcibly disconnect users.

Figure 1 Network diagram

 

Analysis

To allow a client to access network resources through any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.

In local forwarding mode, to ensure that valid clients can perform portal authentication, enable validity check on wireless clients.

To avoid portal authentication failure caused by frequent logins and logouts in a short time, disable the Rule ARP entry feature.

For the RADIUS server to dynamically change user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.

To use GigabitEthernet 1/0/1 on the AP to forward client traffic, edit a .txt configuration file and upload the file to the ACs.

For dual-link backup to operate correctly, configure a manual AP or auto AP on the ACs. Make sure that the AP can establish CAPWAP tunnels with each of the ACs.

To implement MAC-trigger authentication by using the OAuth protocol, enable cloud MAC-trigger authentication by using the cloud-binding enable command.

Restrictions and guidelines

Make sure the master and backup ACs have the same portal authentication configuration. The following items in the portal authentication can be different on the master and backup ACs:

·     The portal Web server configuration.

·     The BAS-IP attribute for portal packets sent to the portal authentication server.

·     The specified interface of the AC for portal client access during portal authentication.

If you configure a manual AP on the ACs, make sure the AP name, serial ID, and MAC address of the manual AP are the same on the ACs.

Use the serial ID labeled on the AP's rear panel to specify an AP.

Some endpoints by default use random MAC addresses. For transparent MAC authentication to take effect on such an endpoint, disable the endpoint from using a random MAC address.

You must upload the configuration file of the AP to both the master and backup ACs.

Procedures

Editing the AP configuration file

# Use a text editor to edit the AP's configuration file. Name the configuration file map.txt, and then upload the file to the storage medium of the ACs.

The content of the configuration file is as follows:

system-view

vlan 200

interface gigabitethernet1/0/1

port link-type trunk

port trunk permit vlan 200

Configuring AC 1

1.     Configure interfaces:

# Create VLAN 100, create VLAN-interface 100, and then assign the VLAN interface an IP address. The AC will use this IP address to establish CAPWAP control and data tunnels with the AP.

<AC1> system-view

[AC1] vlan 100

[AC1-vlan100] quit

[AC1] interface vlan-interface 100

[AC1-Vlan-interface100] ip address 2.2.1.1 24

[AC1-Vlan-interface100] quit

# Create VLAN 200, create VLAN-interface 200, and then assign the VLAN interface an IP address. This VLAN will be used for wireless client access.

[AC1] vlan 200

[AC1-vlan200] quit

[AC1] interface vlan-interface 200

[AC1-Vlan-interface200] ip address 2.2.2.1 24

[AC1-Vlan-interface200] quit

2.     Configure a static route:

# Configure a static route to the IMC server.

[AC1] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

3.     Configure the DNS server. (Details not shown.)

4.     Configure the wireless service:

# Create a service template named st1.

[AC1] wlan service-template st1

# Set the SSID of the service template.

[AC1-wlan-st-st1] ssid service

# Specify VLAN 200 for the service template.

[AC1-wlan-st-st1] vlan 200

# Configure APs to forward client data traffic from all VLANs.

[AC1–wlan-st-st1] client forwarding-location ap

[AC1-wlan-st-st1] quit

# Create an AP named office with model WA5320, and then specify the serial ID of the AP.

[AC1] wlan ap office model WA5320

[AC1-wlan-ap-office] serial-id 219801A0CNC138011454

# Deploy configuration file map.txt to the AP.

[AC1-wlan-ap-office] map-configuration map.txt

# Bind service template st1 to radio 2, and then enable the radio.

[AC1-wlan-ap-office] radio 2

[AC1-wlan-ap-office-radio-2] service-template st1

[AC1-wlan-ap-office-radio-2] radio enable

[AC1-wlan-ap-office-radio-2] quit

5.     Configure a backup AC:

# Set the AP connection priority to 7.

[AC1-wlan-ap-office] priority 7

# Enable master CAPWAP tunnel preemption.

[AC1-wlan-ap-office] wlan tunnel-preempt enable

# Specify AC 2 as a backup AC.

[AC1-wlan-ap-office] backup-ac ip 2.2.1.2

[AC1-wlan-ap-office] quit

6.     Configure portal authentication:

# Create an ISP domain named dm1.

[AC1] domain dm1

# Configure the AC not to perform AAA on portal users.

[AC1-isp-dm1] authentication portal none

[AC1-isp-dm1] authorization portal none

[AC1-isp-dm1] accounting portal none

[AC1-isp-dm1] quit

# Create a portal Web server named newpt, specify http://192.168.0.111:8080/wsmAuth/protocol as the server's URL, and then configure the server type as OAuth. (Make sure the server' URL is the same as the URL of the actual portal Web server.)

[AC1] portal web-server newpt

[AC1-portal-websvr-newpt] url http://192.168.0.111:8080/wsmAuth/protocol

[AC1-portal-websvr-newpt] server-type oauth

# Enable the optimized captive-bypass feature for iOS users.

[AC1-portal-websvr-newpt] captive-bypass ios optimize enable

[AC1-portal-websvr-newpt] quit

# Create an HTTP-based local portal Web service.

[AC1] portal local-web-server http

[AC1-portal-local-websvr-http] quit

# Configure destination-based portal-free rules 2 and 3 to allow portal users to access the DNS server without authentication.

[AC1] portal free-rule 2 destination ip any udp 53

[AC1] portal free-rule 3 destination ip any tcp 53

# Configure the safe-redirect feature to reduce the redirect workload on the portal server.

[AC1] portal safe-redirect enable

[AC1] portal safe-redirect method get post

[AC1] portal safe-redirect user-agent CaptiveNetworkSupport

[AC1] portal safe-redirect user-agent MicroMessenger

[AC1] portal safe-redirect user-agent Mozilla

[AC1] portal safe-redirect user-agent WeChat

[AC1] portal safe-redirect user-agent iPhone

[AC1] portal safe-redirect user-agent micromessenger

# Specify VLAN-interface 200 as the interface for portal clients to access the AC during portal authentication.

[AC1] portal client-gateway interface Vlan-interface 200

# Set the NAS ID. (Make sure the NAS ID is the same as that in the configuration file iMC\client\conf\wiportal\conf.properties.)

[AC1] wlan global-configuration

[AC1-wlan-global-configuration] nas-id wiportal

[AC1-wlan-global-configuration] quit

# Set the user synchronization interval to 60 seconds for portal authentication using OAuth.

[AC1] portal oauth user-sync interval 60

# Configure destination-based portal-free rules to allow users to access the portal Web server, AC 1, and AC 2 without authentication.

[AC1] portal free-rule 0 destination ip 192.168.0.111 32

[AC1] portal free-rule 1 destination ip 2.2.2.1 32

[AC1] portal free-rule 4 destination ip 2.2.2.2 32

# Enable roaming for portal users.

[AC1] portal roaming enable

# Disable the Rule ARP entry feature.

[AC1] undo portal refresh arp enable

# Enable the RADIUS session-control feature.

[AC1] radius session-control enable

# Enable validity check on wireless portal clients.

[AC1] portal host-check enable

# Enable direct portal authentication on service template st1.

[AC1] wlan service-template st1

[AC1-wlan-st-st1] portal enable method direct

# Specify ISP domain dm1 as the portal authentication domain.

[AC1-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1.

[AC1-wlan-st-st1] portal apply web-server newpt

# Enable portal temporary pass and set the temporary pass period to 300 seconds on service template st1.

[AC1-wlan-st-st1] portal temp-pass period 300 enable

# Configure the BAS-IP as 2.2.2.1 for portal packets sent from service template st1 to the portal authentication server.

[AC1-wlan-st-st1] portal bas-ip 2.2.2.1

[AC1-wlan-st-st1] quit

7.     Configure MAC-trigger authentication:

# Create a MAC binding server named mts.

[AC1] portal mac-trigger-server mts

# Specify 192.168.0.111 as the IP address of the MAC binding server.

[AC1-portal-mac-trigger-server-mts] ip 192.168.0.111

# Enable cloud MAC-trigger authentication (using Oauth for authentication).

[AC1-portal-mac-trigger-server-mts] cloud-binding enable

[AC1-portal-mac-trigger-server-mts] quit

# Specify MAC binding server mts on service template st1.

[AC1] wlan service-template st1

[AC1-wlan-st-st1] portal apply mac-trigger-server mts

# Enable service template st1.

[AC1-wlan-st-st1] service-template enable

[AC1-wlan-st-st1] quit

Configuring AC 2

1.     Configure interfaces:

# Create VLAN 100, create VLAN-interface 100, and then assign the VLAN interface an IP address. The AC will use this IP address to establish CAPWAP control and data tunnels with the AP.

<AC2> system-view

[AC2] vlan 100

[AC2-vlan100] quit

[AC2] interface vlan-interface 100

[AC2-Vlan-interface100] ip address 2.2.1.2 24

[AC2-Vlan-interface100] quit

# Create VLAN 200, create VLAN-interface 200, and then assign the VLAN interface an IP address. This VLAN will be used for wireless client access.

[AC2] vlan 200

[AC2-vlan200] quit

[AC2] interface vlan-interface 200

[AC2-Vlan-interface200] ip address 2.2.2.2 24

[AC2-Vlan-interface200] quit

2.     Configure a static route:

# Configure a static route to the IMC server.

[AC2] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

3.     Configure the DNS server. (Details not shown.)

4.     Configure the wireless service:

# Create a service template named st1.

[AC2] wlan service-template st1

# Set the SSID of the service template.

[AC2-wlan-st-st1] ssid service

# Specify VLAN 200 for the service template.

[AC2-wlan-st-st1] vlan 200

# Configure APs to forward client data traffic from all VLANs.

[AC2–wlan-st-st1] client forwarding-location ap

[AC2-wlan-st-st1] quit

# Create an AP named office with model WA5320, and then specify the serial ID of the AP.

[AC2] wlan ap office model WA5320

[AC2-wlan-ap-office] serial-id 219801A0CNC138011454

# Deploy configuration file map.txt to the AP.

[AC2-wlan-ap-office] map-configuration map.txt

# Bind service template st1 to radio 2, and then enable the radio.

[AC2-wlan-ap-office] radio 2

[AC2-wlan-ap-office-radio-2] service-template st1

[AC2-wlan-ap-office-radio-2] radio enable

[AC2-wlan-ap-office-radio-2] quit

5.     Configure a backup AC:

# Set the AP connection priority to 6.

[AC2-wlan-ap-office] priority 6

# Enable master CAPWAP tunnel preemption.

[AC2-wlan-ap-office] wlan tunnel-preempt enable

# Specify AC 1 as a backup AC.

[AC2-wlan-ap-office] backup-ac ip 2.2.1.1

[AC2-wlan-ap-office] quit

6.     Configure portal authentication:

# Create an ISP domain named dm1.

[AC2] domain dm1

# Configure the AC not to perform AAA on portal users.

[AC2-isp-dm1] authentication portal none

[AC2-isp-dm1] authorization portal none

[AC2-isp-dm1] accounting portal none

[AC2-isp-dm1] quit

# Create a portal Web server named newpt, specify http://192.168.0.111:8080/wsmAuth/protocol as the server's URL, and configure the server type as OAuth. (Make sure the server' URL is the same as the URL of the actual portal Web server.)

[AC2] portal web-server newpt

[AC2-portal-websvr-newpt] url http://192.168.0.111:8080/wsmAuth/protocol

[AC2-portal-websvr-newpt] server-type oauth

# Enable the optimized captive-bypass feature for iOS users.

[AC2-portal-websvr-newpt] captive-bypass ios optimize enable

[AC2-portal-websvr-newpt] quit

# Create an HTTP-based local portal Web service and enter its view.

[AC2] portal local-web-server http

[AC2-portal-local-websvr-http] quit

# Configure destination-based portal-free rules 2 and 3 to allow portal users to access the DNS server without authentication.

[AC2] portal free-rule 2 destination ip any udp 53

[AC2] portal free-rule 3 destination ip any tcp 53

# Configure the safe-redirect feature to reduce the redirect workload on the portal server.

[AC2] portal safe-redirect enable

[AC2] portal safe-redirect method get post

[AC2] portal safe-redirect user-agent CaptiveNetworkSupport

[AC2] portal safe-redirect user-agent MicroMessenger

[AC2] portal safe-redirect user-agent Mozilla

[AC2] portal safe-redirect user-agent WeChat

[AC2] portal safe-redirect user-agent iPhone

[AC2] portal safe-redirect user-agent micromessenger

# Specify VLAN-interface 200 as the interface for portal clients to access the AC during portal authentication.

[AC2] portal client-gateway interface Vlan-interface 200

# Set the NAS ID. (Make sure the NAS ID is the same as that in the configuration file iMC\client\conf\wiportal\conf.properties.)

[AC2] wlan global-configuration

[AC2-wlan-global-configuration] nas-id wiportal

[AC2-wlan-global-configuration] quit

# Set the user synchronization interval to 60 seconds for portal authentication using OAuth.

[AC2] portal oauth user-sync interval 60

# Configure destination-based portal-free rules to allow users to access the portal Web server, AC 1, and AC 2 without authentication.

[AC2] portal free-rule 0 destination ip 192.168.0.111 32

[AC2] portal free-rule 1 destination ip 2.2.2.1 32

[AC2] portal free-rule 4 destination ip 2.2.2.2 32

# Enable roaming for portal users.

[AC2] portal roaming enable

# Disable the Rule ARP entry feature.

[AC2] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC2] portal host-check enable

# Enable the RADIUS session-control feature.

[AC2] radius session-control enable

# Enable direct portal authentication on service template st1.

[AC2] wlan service-template st1

[AC2-wlan-st-st1] portal enable method direct

# Specify ISP domain dm1 as the portal authentication domain.

[AC2-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1.

[AC2-wlan-st-st1] portal apply web-server newpt

# Enable portal temporary pass and set the temporary pass period to 300 seconds on service template st1.

[AC2-wlan-st-st1] portal temp-pass period 300 enable

# Configure the BAS-IP as 2.2.2.2 for portal packets sent from service template st1 to the portal authentication server.

[AC2-wlan-st-st1] portal bas-ip 2.2.2.2

[AC2-wlan-st-st1] quit

7.     Configure MAC-trigger authentication:

# Create a MAC binding server named mts.

[AC2] portal mac-trigger-server mts

# Specify 192.168.0.111 as the IP address of the MAC binding server.

[AC2-portal-mac-trigger-server-mts] ip 192.168.0.111

# Enable cloud MAC-trigger authentication.

[AC2-portal-mac-trigger-server-mts] cloud-binding enable

[AC2-portal-mac-trigger-server-mts] quit

# Specify MAC binding server mts on service template st1.

[AC2] wlan service-template st1

[AC2-wlan-st-st1] portal apply mac-trigger-server mts

# Enable service template st1.

[AC2-wlan-st-st1] service-template enable

[AC2-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on CAPWAP tunnels between the ACs and the AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2. The switch will use this VLAN to communicate with the IMC server.

[Switch] vlan 2

[Switch-vlan2] quit

# Assign the port that connects the switch to the IMC server to VLAN 2. (Details not shown.)

# Configure GigabitEthernet 1/0/1 (the port connected to AC 1) as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/4 (the port connected to AC 2) as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/4

[Switch-GigabitEthernet1/0/4] port link-type trunk

[Switch-GigabitEthernet1/0/4] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/4] quit

# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as a trunk port, set the PVID to 100, and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type trunk

[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100

[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200

# Enable PoE on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 (the port connected to the DHCP server) as a trunk port, set the PVID to 100, and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/3

[Switch-GigabitEthernet1/0/3] port link-type trunk

[Switch-GigabitEthernet1/0/3] port trunk permit vlan 100 200

# Assign an IP address to VLAN-interface 200.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Assign an IP address to the VLAN-interface 2.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

[Switch-Vlan-interface2] quit

Configuring the DHCP server

# Configure GigabitEthernet 1/0/1 (the port connected to the switch) as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[DHCP] interface gigabitethernet 1/0/1

[DHCP-GigabitEthernet1/0/1] port link-type trunk

[DHCP-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[DHCP-GigabitEthernet1/0/1] quit

# Assign an IP address to VLAN-interface 100.

[DHCP] interface vlan-interface 100

[DHCP-Vlan-interface100] ip address 2.2.1.200 255.255.255.0

[DHCP-Vlan-interface100] quit

# Assign an IP address to VLAN-interface 200.

[DHCP] interface vlan-interface 200

[DHCP-Vlan-interface200] ip address 2.2.2.200 255.255.255.0

[DHCP-Vlan-interface200] quit

# Enable the DHCP service.

[DHCP] dhcp enable

# Configure DHCP address pool VLAN100. In the address pool, specify 2.2.1.200 as the gateway IP address and 2.2.1.0/24 as the subnet for dynamic allocation, and then exclude IP addresses 2.2.2.100, 2.2.1.1 and 2.2.1.2 from dynamic allocation.

[DHCP] dhcp server ip-pool VLAN100

[DHCP-dhcp-pool-vlan100] gateway-list 2.2.1.200

[DHCP-dhcp-pool-vlan100] network 2.2.1.0 mask 255.255.255.0

[DHCP-dhcp-pool-vlan100] forbidden-ip 2.2.2.100 2.2.1.1 2.2.1.2

[DHCP-dhcp-pool-vlan100] quit

# Configure DHCP address pool VLAN200. In the address pool, specify 2.2.2.100 as the gateway IP address and 2.2.2.0/24 as the subnet for dynamic allocation, and 8.8.8.8 as the DNS server address, and then exclude IP addresses 2.2.2.100, 2.2.2.1, and 2.2.2.2 from dynamic allocation.

[DHCP] dhcp server ip-pool VLAN200

[DHCP-dhcp-pool-vlan200] gateway-list 2.2.2.100

[DHCP-dhcp-pool-vlan200] network 2.2.2.0 mask 255.255.255.0

[DHCP-dhcp-pool-vlan200] dns-list 8.8.8.8

[DHCP-dhcp-pool-vlan200] forbidden-ip 2.2.2.100 2.2.2.1 2.2.2.2

[DHCP-dhcp-pool-vlan200] quit

Configuring the IMC server

In this example, the IMC server runs IMC PLAT 7.3 (E0605) and IMC IPM 7.3 (E0516).

1.     Add an access user:

a.     Log in to IMC and click the Service tab.

b.     From the navigation tree, select Intelligent Portal Management > User Management > Users.

c.     Click Add to open the Add User page.

d.     Enter username Client and password admin@123.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 2 Adding an access user

 

2.     Add an authentication page template:

a.     From the navigation tree, select Intelligent Portal Management > Page Template List.

b.     Click Add to open the Add Theme page.

c.     Enter template name theme in the Theme Name field.

d.     Use the default settings for other parameters.

e.     Click OK to open the page for editing the template.

Figure 3 Adding an authentication page template

 

f.     On the theme page, click the Authentication icon  in the Basic Controls area.

g.     Click Edit in authentication edit area, select Other and Account in the Authentication Method area, click OK, and then click Save Page.

h.     Use the default settings for other configuration.

i.     Click Confirm Release.

Figure 4 Editing the template

 

3.     Add an authentication policy:

a.     From the navigation tree, select Intelligent Portal Management > Authentication Policies.

b.     Click Add to open the Add Authentication Policy page.

c.     Enter authentication policy name policy1, and select theme from the Page Template list.

d.     Select a transparent authentication period to enable portal transparent authentication (MAC-trigger authentication).

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 5 Adding an authentication policy

 

4.     Add a site:

a.     From the navigation tree, select Intelligent Portal Management > Site Management.

b.     Click Add to open the Add Site page.

c.     Enter the site name, the site address, the expected number of clients to be supported, and the telephone number.

d.     Click OK.

Figure 6 Adding a site

 

e.     In the Associated APs area, click Add to associate an AP.

f.     Enter the serial number and MAC address of the AP.

g.     Click OK.

Figure 7 Adding an AP

 

i.     In the Bind Authentication Policy area, click Add to bind the AP to an authentication policy.

j.     Select authentication policy policy1.

k.     Use the default settings for other parameters.

l.     Click OK.

Figure 8 Binding the AP to an authentication policy

 

Verifying the configuration

1.     Verify that the AP can come online from AC 1 and AC 2.

# Display AP information on AC 1.

<AC1> display wlan ap all

Total number of APs: 38

Total number of connected APs: 35

Total number of connected manual APs: 35

Total number of connected auto APs: 0

Total number of connected common APs: 9

Total number of connected WTUs: 23

Total number of inside APs: 0

Maximum supported APs: 6144

Remaining APs: 6112

Total AP licenses: 2048

Local AP licenses: 2048

Server AP licenses: 0

Remaining Local AP licenses: 2033.25

Sync AP licenses: 0

 

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

 

AP name                        APID  State Model           Serial ID

office                         1     R/M   WA5320          219801A0CNC138011454

The output shows that the AP has come online from AC 1 and the AP is in the R/M state.

# Display AP information on AC 2.

<AC2> display wlan ap all

Total number of APs: 38

Total number of connected APs: 35

Total number of connected manual APs: 35

Total number of connected auto APs: 0

Total number of connected common APs: 9

Total number of connected WTUs: 23

Total number of inside APs: 0

Maximum supported APs: 6144

Remaining APs: 6112

Total AP licenses: 2048

Local AP licenses: 2048

Server AP licenses: 0

Remaining Local AP licenses: 2033.25

Sync AP licenses: 0

 

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

 

AP name                        APID  State Model           Serial ID

office                         1     R/B   WA5320          219801A0CNC138011454

The output shows that the AP has come online from AC 2 and the AP is in R/B state.

2.     Verify that user Client can perform portal authentication through a Web browser on the wireless client. Before passing authentication, all Web accesses are redirected to the portal authentication page (http://192.168.0.111:8080/portal). After passing authentication, the user can access other network resources.

# Display online portal user information on the ACs. This example uses AC 1.

[AC1] display portal user all

Total portal users: 1

Username: Client

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0021-6330-0933  2.2.2.3               200     WLAN-BSS1/0/16

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

The output shows that the user has come online.

# Verify that the user can come online without entering the username and password when attempting to come online again. (Details not shown.)

3.     Verify that the local forwarding mode can take effect.

# Display portal filtering rules on the ACs. This example uses AC 1.

[AC1] display portal rule all ap office

Slot 1:

The output shows that AC 1 does not have portal filtering rules, indicating that AC 1 does not forward client data traffic.

# Display portal filtering rules on the AP.

[AP] display portal rule all

 

IPv4 portal rules on WLAN-BSS1/0/16:

Rule 1:

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    MAC            : 0000-0000-0000

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

 Destination:

    IP             : 192.168.0.111

    Mask           : 255.255.255.255

    Port           : Any

 

Rule 2:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 2.2.2.3

    MAC            : 0021-6330-0933

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

 

Rule 3:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

    Protocol       : TCP

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : 443

 

Rule 4:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

    Protocol       : TCP

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : 80

 

Rule 5:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

The output shows that the AP has portal filtering rules, indicating that the AP forwards client data traffic.

Configuration files

·     AC 1:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 client forwarding-location ap

 portal enable method direct

 portal domain dm1

 portal bas-ip 2.2.2.1

 portal apply web-server newpt

 portal apply mac-trigger-server mts

 portal temp-pass period 300 enable

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

 radius session-control enable

#

domain dm1

 authentication portal none

 authorization portal none

 accounting portal none

#

portal host-check enable

portal free-rule 0 destination ip 192.168.0.111 255.255.255.255

portal free-rule 1 destination ip 2.2.2.1 255.255.255.255

portal free-rule 2 destination ip any udp 53

portal free-rule 3 destination ip any tcp 53

portal free-rule 4 destination ip 2.2.2.2 255.255.255.255

portal safe-redirect enable

portal safe-redirect method get post

portal safe-redirect user-agent CaptiveNetworkSupport

portal safe-redirect user-agent MicroMessenger

portal safe-redirect user-agent Mozilla

portal safe-redirect user-agent WeChat

portal safe-redirect user-agent iPhone

portal safe-redirect user-agent micromessenger

#

portal web-server newpt

 url http://192.168.0.111:8080/wsmAuth/protocol

 captive-bypass ios optimize enable

 service-type oauth

#

portal local-web-server http

#

portal mac-trigger-server mts

 ip 192.168.0.111

 cloud-binding enable

#

wlan ap office model WA5320

 wlan tunnel-preempt enable

 priority 7

 backup-ac ip 2.2.1.2

 serial-id 219801A0CNC138011454

 map-configuration flash:/map.txt

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     AC 2:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 client forwarding-location ap

 portal enable method direct

 portal domain dm1

 portal bas-ip 2.2.2.2

 portal apply web-server newpt

 portal mac-trigger-server mts

 portal temp-pass period 300 enable

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.2 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.2 255.255.255.0

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

 radius session-control enable

#

domain dm1

 authentication portal none

 authorization portal none

 accounting portal none

#

portal host-check enable

portal free-rule 0 destination ip 192.168.0.111 255.255.255.255

portal free-rule 1 destination ip 2.2.2.1 255.255.255.255

portal free-rule 2 destination ip any udp 53

portal free-rule 3 destination ip any tcp 53

portal free-rule 4 destination ip 2.2.2.2 255.255.255.255

portal safe-redirect enable

portal safe-redirect method get post

portal safe-redirect user-agent CaptiveNetworkSupport

portal safe-redirect user-agent MicroMessenger

portal safe-redirect user-agent Mozilla

portal safe-redirect user-agent WeChat

portal safe-redirect user-agent iPhone

portal safe-redirect user-agent micromessenger

#

portal web-server newpt

 url http://192.168.0.111:8080/wsmAuth/protocol

 captive-bypass ios optimize enable

 service-type oauth

#

portal mac-trigger-server mts

 ip 192.168.0.111

 cloud-binding enable

#

wlan ap office model WA5320

 wlan tunnel-preempt enable

 priority 6

 backup-ac ip 2.2.1.1

 serial-id 219801A0CNC138011454

 map-configuration flash:/map.txt

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 2

#

vlan 100

#

vlan 200

#

interface Vlan-interface2

 ip address 192.168.0.100 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk pvid vlan 100

port trunk permit vlan 100 200

 poe enable

#

interface GigabitEthernet1/0/3

 port link-type trunk

port trunk permit vlan 100 200

#

interface GigabitEthernet1/0/4

 port link-type trunk

 port trunk permit vlan 1 100 200

#

·     DHCP server:

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

interface vlan-interface 100

 ip address 2.2.2.200 255.255.255.0

#

interface vlan-interface 200

 ip address 2.2.2.200 255.255.255.0

#

dhcp enable

#

dhcp server ip-pool vlan100

 gateway-list 2.2.1.200

 network 2.2.1.0 mask 255.255.255.0

 forbidden-ip 2.2.1.1

 forbidden-ip 2.2.1.2

#

dhcp server ip-pool vlan200

 gateway-list 2.2.2.100

 network 2.2.2.0 mask 255.255.255.0

 dns-list 8.8.8.8

 forbidden-ip 2.2.2.1

 forbidden-ip 2.2.2.2

 forbidden-ip 2.2.2.100

#

Related documentation

·     High Availability Configuration Guide in H3C Access Controllers Configuration Guides

·     High Availability Command Reference in H3C Access Controllers Command References

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References