10-High availability

HomeSupportResource CenterH3C Access Controllers Configuration Examples(V7)-6W10210-High availability
Table of Contents
Related Documents
13-Dual-Link Backup Remote Portal and Transparent MAC Auth in Centralized Forwarding Configuration Examples

 

H3C Access Controllers

Comware 7 Dual-Link Backup Remote Portal and Transparent MAC Authentication in Centralized Forwarding

Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring remote portal and transparent MAC authentication with centralized forwarding.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA, portal, WLAN access, and WLAN high availability.

Example: Configuring remote portal and transparent MAC authentication for dual-link AC backup and centralized forwarding

Network configuration

As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as the portal authentication server, portal Web server, RADIUS server, and MAC binding server.

Configure the devices to meet the following requirements:

·     The AP associates with both ACs and the two ACs to back up each other. When the master AC (AC 1) fails, the backup AC (AC 2) takes over, and the AP can provide services correctly through the backup AC.

·     Remote MAC authentication and direct portal authentication are used for wireless clients.

·     Before passing portal authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources.

·     The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.

·     The IMC server can dynamically modify user authorization information and log off clients.

Figure 1 Network diagram

 

Analysis

·     To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, you must enable the portal roaming feature.

·     To allow the RADIUS server to modify user authorization information and log off users, enable the RADIUS session-control feature.

·     To avoid allocation failures of dynamic authorization information during client association, configure RADIUS DAE.

Restrictions and guidelines

When you configure MAC-based portal authentication for dual-link AC backup and centralized forwarding, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     If you configure manual APs, make sure the manual APs configured on the two ACs have the same AP name and identifier (serial ID or MAC address).

·     Make sure the two ACs are of the same version.

·     Make sure the portal authentication server type and portal Web server type configured on the ACs are the same as the actual server type. This example uses a China Mobile server.

·     To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature.

·     To allow the RADIUS server to modify user authorization information and log off users, enable the RADIUS session-control feature.

·     URLs redirected from the ACs to the portal Web server do not carry parameters by default. You can configure the parameters to carry as needed.

·     If you enable portal authentication in VLAN interface view, only centralized forwarding is supported. If you enable portal authentication in service template view, both centralized forwarding and local forwarding are supported. This example enables portal authentication in service template view.

·     Make sure the two ACs have the same portal-free rule settings, including the rule numbers.

·     Some clients are enabled with MAC randomization by default, which might cause seamless roaming failures. As a best practice, disable MAC randomization.

Procedures

Configuring AC 1

1.     Configure AC interfaces:

# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC1> system-view

[AC1] vlan 100

[AC1-vlan100] quit

[AC1] interface vlan-interface 100

[AC1-Vlan-interface100] ip address 2.2.1.1 24

[AC1-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200. Assign the VLAN interface an IP address. The client will use this VLAN to access the WLAN.

[AC1] vlan 200

[AC1-vlan200] quit

[AC1] interface vlan-interface 200

[AC1-Vlan-interface200] ip address 2.2.2.1 24

[AC1-Vlan-interface200] quit

# Create AP office, and specify the AP name and serial ID.

[AC1] wlan ap office model WA5320

[AC1-wlan-ap-office] serial-id 219801A0CNC138011454

# Set the AP connection priority to 7.

[AC1-wlan-ap-office] priority 7

# Specify AC 2 as the backup AC for AC 1.

[AC1-wlan-ap-office] backup-ac ip 2.2.1.48

# Enable master CAPWAP tunnel preemption.

[AC1-wlan-ap-office] wlan tunnel-preempt enable

[AC1-wlan-ap-office] quit

# Configure GigabitEthernet 1/0/1 that connects the AC to the switch as a trunk port, and assign it to VLAN 1, VLAN 100, and VLAN 200.

[AC1] interface gigabitethernet 1/0/1

[AC1-GigabitEthernet1/0/1] port link-type trunk

[AC1-GigabitEthernet1/0/1] port trunk permit vlan 1 100 200

[AC1-GigabitEthernet1/0/1] quit

2.     Configure a static route to the IMC server.

[AC1] ip route-static 173.18.4.0 255.255.255.0 2.2.2.100

3.     Configure wireless services:

# Create service template st1 and enter its view.

[AC1] wlan service-template st1

# Specify the SSID as service.

[AC1-wlan-st-st1] ssid service

# Assign clients coming online through the service template to VLAN 200.

[AC1-wlan-st-st1] vlan 200

[AC1-wlan-st-st1] quit

# Enter AP view of AP office.

[AC1] wlan ap office

# Enter radio view of radio 2.

[AC1-wlan-ap-office] radio 2

# Bind service template st1 to radio 2 and enable the radio.

[AC1-wlan-ap-office-radio-2] service-template st1

[AC1-wlan-ap-office-radio-2] radio enable

[AC1-wlan-ap-office-radio-2] quit

[AC1-wlan-ap-office] quit

4.     Configure a RADIUS scheme:

# Create RADIUS scheme rs1.

[AC1] radius scheme rs1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[AC1-radius-rs1] primary authentication 173.18.4.100

[AC1-radius-rs1] primary accounting 173.18.4.100

# Specify shared keys for RADIUS authentication and accounting.

[AC1-radius-rs1] key authentication simple radius

[AC1-radius-rs1] key accounting simple radius

# Configure AC 1 to remove the ISP domain name from the usernames sent to the RADIUS servers.

[AC1-radius-rs1] user-name-format without-domain

# Specify IP address 2.2.2.1 as the source address for outgoing RADIUS packets.

[AC1-radius-rs1] nas-ip 2.2.2.1

[AC1-radius-rs1] quit

# Enable RADIUS session-control.

[AC1] radius session-control enable

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

[AC1] radius dynamic-author server

# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

[AC1-radius-da-server] client ip 173.18.4.100 key simple radius

[AC1-radius-da-server] quit

5.     Configure authentication domains:

# Create domain dm2 and enter its view.

[AC1] domain dm2

# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.

[AC1-isp-dm2] authentication lan-access radius-scheme rs1

[AC1-isp-dm2] authorization lan-access radius-scheme rs1

[AC1-isp-dm2] accounting lan-access radius-scheme rs1

[AC1-isp-dm2] quit

# Create domain dm1 and enter its view.

[AC1] domain dm1

# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.

[AC1-isp-dm1] authentication portal radius-scheme rs1

[AC1-isp-dm1] authorization portal radius-scheme rs1

[AC1-isp-dm1] accounting portal radius-scheme rs1

# Set the client idle timeout to 15 minutes and set the minimum threshold to 1024 bytes for clients in ISP domain dm1.

[AC1-isp-dm1] authorization-attribute idle-cut 15 1024

[AC1-isp-dm1] quit

6.     Configure portal authentication:

# Create the portal authentication server newpt, specify the server IP address as 173.18.4.100, and set the destination UDP port number to 50100 for the AC to send unsolicited portal packets to the portal authentication server.

[AC1] portal server newpt

[AC1-portal-server-newpt] ip 173.18.4.100 key simple portal

[AC1-portal-server-newpt] port 50100

# Set the server type to CMCC.

[AC1-portal-server-newpt] server-type cmcc

[AC1-portal-server-newpt] quit

# Configure the URL for the portal Web server newpt as http://173.18.4.100:8080/portal.

[AC1] portal web-server newpt

[AC1-portal-websvr-newpt] url http://173.18.4.100:8080/portal

# Configure URL parameters ssid, wlanuserip, and wlanacname for the portal Web server. The three parameters are required by CMCC.

[AC1-portal-websvr-newpt] url-parameter ssid ssid

[AC1-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC1-portal-websvr-newpt] url-parameter wlanacname value AC

# Set the portal Web server type to CMCC.

[AC1-portal-websvr-newpt] server-type cmcc

[AC1-portal-websvr-newpt] quit

# Configure an IPv4-based portal-free rule to permit portal Web server traffic.

[AC1] portal free-rule 0 destination ip 173.18.4.100 24

# Configure IPv4-based portal-free rules to permit DNS server traffic.

[AC1] portal free-rule 1 destination ip any udp 53

[AC1] portal free-rule 2 destination ip any tcp 53

# Enable intra-VLAN roaming for portal users.

[AC1] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC1] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC1] portal host-check enable

# Enable direct IPv4 portal authentication for service template st1.

[AC1] wlan service-template st1

[AC1-wlan-st-st1] portal enable method direct

# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.

[AC1-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1 to redirect portal user HTTP or HTTPS requests to the server.

[AC1-wlan-st-st1] portal apply web-server newpt

# Specify the BAS IP as the IP address of VLAN-interface 200, from which clients come online from AC 1.

[AC1-wlan-st-st1] portal bas-ip 2.2.2.1

# Configure MAC authentication and configure the AC to ignore MAC authentication failures.

[AC1-wlan-st-st1] client-security authentication-mode mac

[AC1-wlan-st-st1] client-security ignore-authentication

# Specify ISP domain dm2 as the authentication domain for MAC authentication clients in service template st1.

[AC1-wlan-st-st1] mac-authentication domain dm2

# Enable the service template.

[AC1-wlan-st-st1] service-template enable

[AC1-wlan-st-st1] quit

Configuring AC 2

1.     Configure AC interfaces:

# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC2> system-view

[AC2] vlan 100

[AC2-vlan100] quit

[AC2] interface vlan-interface 100

[AC2-Vlan-interface100] ip address 2.2.1.48 24

[AC2-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200. Assign the VLAN interface an IP address. The client will use this VLAN to access the WLAN.

[AC2] vlan 200

[AC2-vlan200] quit

[AC2] interface vlan-interface 200

[AC2-Vlan-interface200] ip address 2.2.2.36 24

[AC2-Vlan-interface200] quit

# Create AP office, and specify the AP name and serial ID.

[AC2] wlan ap office model WA5320

[AC2-wlan-ap-office] serial-id 219801A0CNC138011454

# Set the AP connection priority to 5.

[AC2-wlan-ap-office] priority 5

# Specify AC 1 as the backup AC for AC 2. Set the backup AC address as the IP address of VLAN-interface 100 on AC 1.

[AC2-wlan-ap-office] backup-ac ip 2.2.1.1

# Enable master CAPWAP tunnel preemption.

[AC2-wlan-ap-office] wlan tunnel-preempt enable

[AC2-wlan-ap-office] quit

# Configure GigabitEthernet 1/0/1 that connects the AC to the switch as a trunk port, and assign it to VLAN 1, VLAN 100, and VLAN 200.

[AC1] interface gigabitethernet 1/0/1

[AC1-GigabitEthernet1/0/1] port link-type trunk

[AC1-GigabitEthernet1/0/1] port trunk permit vlan 1 100 200

[AC1-GigabitEthernet1/0/1] quit

2.     Configure a static route to the IMC server.

[AC2] ip route-static 173.18.4.0 255.255.255.0 2.2.2.100

3.     Configure wireless services:

# Create service template st1 and enter its view.

[AC2] wlan service-template st1

# Specify the SSID as service.

[AC2-wlan-st-st1] ssid service

# Assign clients coming online through the service template to VLAN 200.

[AC2-wlan-st-st1] vlan 200

[AC2-wlan-st-st1] quit

# Enter AP view of AP office.

[AC2] wlan ap office

# Enter radio view of radio 2.

[AC2-wlan-ap-office] radio 2

# Bind service template st1 to radio 2 and enable the radio.

[AC2-wlan-ap-office-radio-2] service-template st1

[AC2-wlan-ap-office-radio-2] radio enable

[AC2-wlan-ap-office-radio-2] quit

[AC2-wlan-ap-office] quit

4.     Configure a RADIUS scheme:

# Create RADIUS scheme rs1.

[AC2] radius scheme rs1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[AC2-radius-rs1] primary authentication 173.18.4.100

[AC2-radius-rs1] primary accounting 173.18.4.100

# Specify shared keys for RADIUS authentication and accounting.

[AC2-radius-rs1] key authentication simple radius

[AC2-radius-rs1] key accounting simple radius

# Configure AC 2 to remove the ISP domain name from the usernames sent to the RADIUS servers.

[AC2-radius-rs1] user-name-format without-domain

# Specify IP address 2.2.2.1 as the source address for outgoing RADIUS packets.

[AC2-radius-rs1] nas-ip 2.2.2.36

[AC2-radius-rs1] quit

# Enable RADIUS session-control.

[AC2] radius session-control enable

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

[AC2] radius dynamic-author server

# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

[AC2-radius-da-server] client ip 173.18.4.100 key simple radius

[AC2-radius-da-server] quit

5.     Configure authentication domains:

# Create domain dm2 and enter its view.

[AC2] domain dm2

# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.

[AC2-isp-dm2] authentication lan-access radius-scheme rs1

[AC2-isp-dm2] authorization lan-access radius-scheme rs1

[AC2-isp-dm2] accounting lan-access radius-scheme rs1

[AC2-isp-dm2] quit

# Create domain dm1 and enter its view.

[AC2] domain dm1

# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.

[AC2-isp-dm1] authentication portal radius-scheme rs1

[AC2-isp-dm1] authorization portal radius-scheme rs1

[AC2-isp-dm1] accounting portal radius-scheme rs1

# Set the client idle timeout to 15 minutes and set the minimum threshold to 1024 bytes for clients in ISP domain dm1.

[AC2-isp-dm1] authorization-attribute idle-cut 15 1024

[AC2-isp-dm1] quit

6.     Configure portal authentication:

# Create the portal authentication server newpt, specify the server IP address as 173.18.4.100, and set the destination UDP port number to 50100 for the AC to send unsolicited portal packets to the portal authentication server.

[AC2] portal server newpt

[AC2-portal-server-newpt] ip 173.18.4.100 key simple portal

[AC2-portal-server-newpt] port 50100

# Set the server type to CMCC.

[AC2-portal-server-newpt] server-type cmcc

[AC2-portal-server-newpt] quit

# Configure the URL for the portal Web server newpt as http://173.18.4.100:8080/portal.

[AC2] portal web-server newpt

[AC2-portal-websvr-newpt] url http://173.18.4.100:8080/portal

# Configure URL parameters ssid, wlanuserip, and wlanacname for the portal Web server. The three parameters are required by CMCC.

[AC2-portal-websvr-newpt] url-parameter ssid ssid

[AC2-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC2-portal-websvr-newpt] url-parameter wlanacname value AC

# Set the portal Web server type to CMCC.

[AC2-portal-websvr-newpt] server-type cmcc

[AC2-portal-websvr-newpt] quit

# Configure an IPv4-based portal-free rule to permit portal Web server traffic.

[AC2] portal free-rule 0 destination ip 173.18.4.100 24

# Configure IPv4-based portal-free rules to permit DNS server traffic.

[AC2] portal free-rule 1 destination ip any udp 53

[AC2] portal free-rule 2 destination ip any tcp 53

# Enable intra-VLAN roaming for portal users.

[AC2] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC2] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC2] portal host-check enable

# Enable direct IPv4 portal authentication for service template st1.

[AC2] wlan service-template st1

[AC2-wlan-st-st1] portal enable method direct

# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.

[AC2-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1 to redirect portal user HTTP or HTTPS requests to the server.

[AC2-wlan-st-st1] portal apply web-server newpt

# Specify the BAS IP as the IP address of VLAN-interface 200, from which clients come online from AC 2.

[AC2-wlan-st-st1] portal bas-ip 2.2.2.36

# Configure MAC authentication and configure the AC to ignore MAC authentication failures.

[AC2-wlan-st-st1] client-security authentication-mode mac

[AC2-wlan-st-st1] client-security ignore-authentication

# Specify ISP domain dm2 as the authentication domain for MAC authentication clients in service template st1.

[AC2-wlan-st-st1] mac-authentication domain dm2

# Enable the service template.

[AC2-wlan-st-st1] service-template enable

[AC2-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100 for forwarding CAPWAP tunnel traffic between AC and AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200 for forwarding client traffic.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2 for connecting to the IMC server.

[Switch] vlan 2

[Switch-vlan2] quit

# Add the interface that connects the switch to the IMC server to VLAN 2. (Details not shown.)

# Configure GigabitEthernet 1/0/1 that connects the switch to AC 1 as a trunk port, and assign it to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/3 that connects the switch to AC 2 as a trunk port, and assign it to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/3

[Switch-GigabitEthernet1/0/3] port link-type trunk

[Switch-GigabitEthernet1/0/3] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/3] quit

# Configure GigabitEthernet 1/0/2 that connects the switch to the AP as a trunk port, and assign it to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/4 that connects the switch to the DHCP server as a trunk port, and assign it to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/4

[Switch-GigabitEthernet1/0/4] port link-type trunk

[Switch-GigabitEthernet1/0/4] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/4] quit

# Assign an IP address to VLAN-interface 200.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Assign an IP address to VLAN-interface 2. This address will be used as the gateway address for the IMC server.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 173.18.4.101 255.255.255.0

[Switch-Vlan-interface2] quit

Configuring the IMC server

In this example, the IMC server runs IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).

Configure the RADIUS server

1.     Add AC 1 as an access device:

a.     Log in to IMC at 173.18.4.100:8080/imc and click the User tab.

b.     From the navigation pane, select User Access Policy > Access Device Management > Access Device.

c.     Click Add.

The Add Access Device page opens.

d.     In the Access Configuration area, configure the following parameters:

-     Enter radius in the Shared Key and Confirm Shared Key fields. Make sure the key is the same as the key configured on the ACs.

-     Use the default values for other parameters.

e.     In the Device List area, click Select or Add Manually to add AC 1 at 2.2.2.1 as an access device.

f.     Click OK.

Figure 2 Adding an access device

 

2.     Repeat the previous step to add AC 2 as an access device.

The IP address of AC 2 is 2.2.2.36.

Configure the portal server

1.     Configure portal authentication:

a.     Click the User tab.

b.     Select User Access Policy > Portal Service > Server from the navigation tree to open the portal server configuration page.

c.     Configure the portal server parameters as needed.

This example uses the default settings.

d.     Click OK.

Figure 3 Portal authentication server configuration

 

2.     Configure the IP address group:

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter the IP group name. In this example, the name is Portal_user.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default group Ungrouped.

f.     Select Normal from the Action list.

g.     Click OK.

Figure 4 Adding an IP address group

 

3.     Add AC 1 as a portal device:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 5.

c.     Enter the device name.

d.     Specify the version as Portal 2.0.

e.     Enter the portal BAS-IP configured on AC 1 as the IP address.

f.     Set whether to support the portal server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected from the Access Method list.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 5 Adding a portal device

 

4.     Repeat the previous step to add AC 2 as a portal device.

5.     Associate AC 1 with the IP address group:

a.     As shown in Figure 6, click the Port Group Information Management icon  for the device to open the port group configuration page.

b.     Click Add to open the page as shown in Figure 7.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Select Supported for Transparent Authentication.

f.     Use the default settings for other parameters.

g.     Click OK.

Figure 6 Device list

 

Figure 7 Adding a port group

 

6.     Repeat the previous step to associate AC 2 with the IP address group.

Configuring access settings

1.     Add an access policy:

a.     Select User Access Policy > Access Policy from the navigation tree to open the access policy page.

b.     Click Add to open the page as shown in Figure 8.

c.     Enter the access policy name. In this example, the name is AccessPolicy.

d.     Select Ungrouped from the service group list.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 8 Adding an access policy

 

2.     Add an access service:

a.     Select User Access Policy > Access Service from the navigation tree to open the access service page.

b.     Click Add to open the page as shown in Figure 9.

c.     Enter the service name. In this example, the service name is MAC_server.

d.     Select the Transparent Authentication on Portal Endpoints option.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 9 Adding an access service

 

3.     Add an access user:

a.     Select Access User > All Access Users from the navigation tree to open the access user page.

b.     Click Add to open the page as shown in Figure 10.

c.     Select or add an access user.

d.     Specify the account name. In this example, the name is client.

e.     Set the password. In this example, the password is 1234567.

f.     Select service MAC_server.

g.     Retain the default settings for other parameters.

h.     Click OK.

Figure 10 Adding an access user

 

4.     Configure system parameters:

a.     Select User Access Policy > Service Parameters > System Settings from the navigation tree to open the system settings page.

b.     Click the Configure icon 2013-07-29_144255.png for User Endpoint Settings to open the page as shown in Figure 11.

c.     Enable Transparent MAC Authentication.

d.     Select whether to enable transparent portal authentication on non-smart devices.

In this example, select Enable for Non-Terminal Authentication.

e.     Click OK.

f.     Click the Configure icon 2013-07-29_144255.png for Endpoint Aging Time to open the page as shown in Figure 12.

g.     Set the endpoint aging time as needed.

This example uses the default value.

Figure 11 Configuring user endpoint settings

 

Figure 12 Setting the endpoint aging time

 

Verifying the configuration

# Make the AP come online.

# Verify that the AP first associates with AC 1. Shut down VLAN-interface 100 on AC 1, wait 3 minutes, and verify that the AP associates with AC 2 and the AP state on AC 2 is R/M.

# Bring up VLAN-interface 100 on AC 1. Verify that the AP state becomes R/M on AC 1 and R/B on AC 2.

# If user and client MAC address information is not recorded on the RADIUS server, MAC authentication fails. Verify that the AC ignores the authentication failure and triggers portal authentication.

[AC1] display portal user all

Total portal users: 1

Username: client

  AP name: office

  Radio ID: 2

  SSID: service

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0021-6330-0933  2.2.2.2               200     WLAN-BSS1/0/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

         Outbound CAR: N/A

After portal authentication, the RADIUS server records user and client MAC address information. At next associations, the client can pass MAC authentication and access network resources without being portal reauthenticated.

# Display MAC-authenticated user information.

[AC1] display mac-authentication connection

User MAC address              : 0021-6330-0933

AP name                       : office

Radio ID                      : 2

SSID                          : service

BSSID                         : 70ba-efaf-ddb0

Username                      : 002163300933

Authentication domain         : dm2

Initial VLAN                  : 200

Authorization VLAN            : 200

Authorization ACL number      : N/A

Authorization user profile    : N/A

Termination action            : Default

Session timeout period        : 86401 s

Online from                   : 2016/04/22 18:56:20

Configuration files

·     AC 1:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 client-security authentication-mode mac

 client-security ignore-authentication

 mac-authentication domain dm2

 portal enable method direct

 portal domain dm1

 portal bas-ip 2.2.2.1

 portal apply web-server newpt

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 1 100 200

#

 ip route-static 173.18.4.0 24 2.2.2.100

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 173.18.4.100

 primary accounting 173.18.4.100

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

 nas-ip 2.2.2.1

#

radius dynamic-author server

 client ip 173.18.4.100 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

#

domain dm1

 authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

domain dm2

 authorization-attribute idle-cut 15 1024

 authentication lan-access radius-scheme rs1

 authorization lan-access radius-scheme rs1

 accounting lan-access radius-scheme rs1

#

 portal host-check enable

portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

portal free-rule 1 destination ip any udp 53

portal free-rule 2 destination ip any tcp 53

#

portal web-server newpt

 url http://173.18.4.100:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 173.18.4.100 key cipher $c$3$jiLQ5VIGG4TF7R3sHTT07bmv9rtiSQYBzQ==

 server-type cmcc

#

wlan ap office model WA5320

 serial-id 219801A0CNC138011454

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     AC 2:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 client-security authentication-mode mac

 client-security ignore-authentication

 mac-authentication domain dm2

 portal enable method direct

 portal domain dm1

 portal bas-ip 2.2.2.36

 portal apply web-server newpt

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.48 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.36 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 1 100 200

#

 ip route-static 173.18.4.0 24 2.2.2.100

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 173.18.4.100

 primary accounting 173.18.4.100

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

 nas-ip 2.2.2.36

#

radius dynamic-author server

 client ip 173.18.4.100 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

#

domain dm1

 authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

domain dm2

 authorization-attribute idle-cut 15 1024

 authentication lan-access radius-scheme rs1

 authorization lan-access radius-scheme rs1

 accounting lan-access radius-scheme rs1

#

portal host-check enable

portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

portal free-rule 1 destination ip any udp 53

portal free-rule 2 destination ip any tcp 53

#

portal web-server newpt

 url http://173.18.4.100:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 173.18.4.100 key cipher $c$3$jiLQ5VIGG4TF7R3sHTT07bmv9rtiSQYBzQ==

 server-type cmcc

#

wlan ap office model WA5320

 serial-id 219801A0CNC138011454

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 2

#

vlan 100

#

vlan 200

#

interface Vlan-interface2

 ip address 173.18.4.101 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

#

interface GigabitEthernet1/0/3

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/4

 port link-type trunk

 port trunk permit vlan 1 100 200

Related documentation

·     AAA Management Command Reference in H3C Access Controllers Command References

·     AAA Management Configuration Guide in H3C Access Controllers Configuration Guides

·     AP Management Command Reference in H3C Access Controllers Command References

·     AP Management Configuration Guide in H3C Access Controllers Configuration Guides

·     Portal Authentication Command Reference in H3C Access Controllers Command References

·     Portal Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN High Availability Command Reference in H3C Access Controllers Command References

·     WLAN High Availability Configuration Guide in H3C Access Controllers Configuration Guides