11-AC hierarchy


H3C Access Controllers

Comware 7 AC Hierarchy

Configuration Examples

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an AC hierarchy configuration example.

Prerequisites

This document applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AC hierarchy, portal, WLAN access, and AP management.

Example: Configuring AC hierarchy

Network configuration

As shown in Figure 1, the central AC (an access controller module) is deployed at the headquarters and a local AC (a unified wired and wireless AC) is deployed at the branch. The central AC performs client authentication and the local AC forwards client traffic.

Configure network settings to meet the following requirements:

·     APs obtain the IP address of the central AC through DHCP Option 43 and establish CAPWAP tunnels with the local AC after AC rediscovery.

·     The IMC server acts as the portal server and AAA server to perform client portal authentication.

·     The local AC acts as the DHCP server to assign IP addresses to APs and clients.

Figure 1 Network diagram

 

Analysis

·     For the AP to discover the AC across the Internet, configure Option 43 and manually specify the IP address of the AC on Router A.

·     For interface GigabitEthernet1/0/1 on an AP to join the local-forwarding VLAN, use a text editor to create an AP configuration file and upload the file to the central AC.

·     With AC rediscovery enabled, the APs might fail to come online through the local AC in the branch if the local AC does not have the lowest workload. For the central AC to assign the local AC to the APs at AC rediscovery, specify the local AC for APs.

Software versions used

This configuration example was created and verified on central AC version Release 5204P02 and local AC version ESS 1206. The central AC is an LSUM1WCMX40RT access controller module and the local AC is an S5560-30S-EI unified wired and wireless AC.

Restrictions and guidelines

When you configure AC hierarchy, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     Do not configure any portal settings on the local AC when portal authentication and local forwarding are used in the AC hierarchy network.

·     Do not enable auto AP on the local AC, and do not create APs on the local AC if the APs are to be managed centrally by the central AC.

·     Disable firmware upgrade for the local AC because the S5560 unified wired and wireless AC and the access controller module have different software versions.

·     The URL of the portal Web server redirected to clients does not carry parameters by default. You must configure the parameters manually.

·     Central ACs do not support IRF.

Procedures

Configuring the central AC

1.     Make sure the devices can reach each other. (Details not shown.)

2.     Create AP configuration file map.txt as follows and then upload the file to the central AC.

system-view

vlan 12

vlan 20

interface GigabitEthernet1/0/1

port link-type trunk

port trunk permit vlan 1 12 20

3.     Create VLAN 11 and VLAN-interface 11, and assign an IP address to the VLAN interface.

<Central AC> system-view

[Central AC] vlan 11

[Central AC-vlan11] quit

[Central AC] interface vlan-interface 11

[Central AC-Vlan-interface11] ip address 11.1.1.3 16

[Central AC-Vlan-interface11] quit

4.     Create local AC 55ng-1, and specify the serial ID of the local AC.

[Central AC] wlan local-ac name 55ng-1 model S5560

[Central AC-wlan-local-ac-55ng-1] serial-id 210235A1GCH147000017

[Central AC-wlan-local-ac-55ng-1] quit

5.     Configure the RADIUS scheme for portal authentication:

# Create RADIUS scheme imc.

[Central AC] radius scheme imc

# Specify the IP address of the primary authentication server as 8.1.1.231.

[Central AC-radius-imc] primary authentication 8.1.1.231

# Specify the IP address of the primary accounting server as 8.1.1.231.

[Central AC-radius-imc] primary accounting 8.1.1.231

# Set the shared key to 12345678 in plaintext form for secure authentication communication.

[Central AC-radius-imc] key authentication simple 12345678

# Set the shared key to 12345678 in plaintext form for secure accounting communication.

[Central AC-radius-imc] key accounting simple 12345678

# Configure the central AC to remove the domain name from the usernames sent to the RADIUS servers.

[Central AC-radius-imc] user-name-format without-domain

# Specify IP address 11.1.1.3 as the source IP address of outgoing RADIUS packets.

[Central AC-radius-imc] nas-ip 11.1.1.3

[Central AC-radius-imc] quit

6.     Configure the authentication domain for portal authentication:

# Create domain imc and enter its view.

[Central AC] domain imc

# Perform RADIUS authentication for portal users based on scheme imc.

[Central AC-isp-imc] authentication portal radius-scheme imc

# Perform RADIUS authorization for portal users based on scheme imc.

[Central AC-isp-imc] authorization portal radius-scheme imc

# Perform RADIUS accounting for portal users based on scheme imc.

[Central AC-isp-imc] accounting portal radius-scheme imc

[Central AC-isp-imc] quit

7.     Configure the portal authentication server:

# Create portal authentication server imc and enter its view.

[Central AC] portal server imc

# Configure the IP address of the portal authentication server as 8.1.1.231 and the plaintext key as 12345678.

[Central AC-portal-server-imc] ip 8.1.1.231 key simple 12345678

[Central AC-portal-server-imc] quit

8.     Configure the portal Web server:

# Create portal Web server imc and enter its view.

[Central AC] portal web-server imc

# Configure the URL for the portal Web server as http://8.1.1.231:8080/portal.

[Central AC-portal-websvr-imc] url http://8.1.1.231:8080/portal

# Configure the parameters carried in the URL of the portal Web server.

[Central AC-portal-websvr-imc] url-parameter apmac ap-mac

[Central AC-portal-websvr-imc] url-parameter ssid ssid

[Central AC-portal-websvr-imc] url-parameter userip source-address

[Central AC-portal-websvr-imc] url-parameter usermac source-mac

[Central AC-portal-websvr-imc] quit

# Enable validity check on wireless portal clients.

[Central AC] portal host-check enable

9.     Configure wireless services:

# Create service template portal.

[Central AC] wlan service-template portal

# Set the SSID for the service template to portal.

[Central AC-wlan-st-portal] ssid portal

# Assign clients coming online through the service template to VLAN 20.

[Central AC-wlan-st-portal] vlan 20

# Enable APs to forward client traffic.

[Central AC-wlan-st-portal] client forwarding-location ap

# Enable direct IPv4 portal authentication on the service template.

[Central AC-wlan-st-portal] portal enable method direct

# Specify the authentication domain as imc for IPv4 portal users on the service template.

[Central AC-wlan-st-portal] portal domain imc

# Configure the BAS-IP attribute as 11.1.1.3 for portal packets sent to the portal authentication server.

[Central AC-wlan-st-portal] portal bas-ip 11.1.1.3

# Apply IPv4 portal Web server imc on the service template for portal authentication.

[Central AC-wlan-st-portal] portal apply web-server imc

# Enable the service template.

[Central AC-wlan-st-portal] service-template enable

[Central AC-wlan-st-portal] quit

# Create AP ap1 and set the serial ID to 210235A1SVC15C000028.

[Central AC] wlan ap ap1 model WA5620i-ACN

[Central AC-wlan-ap-ap1] serial-id 210235A1SVC15C000028

# Deploy configuration file map.txt to AP ap1.

[Central AC-wlan-ap-ap1] map-configuration cfa0:/map.txt

# Enable AC rediscovery.

[Central AC-wlan-ap-ap1] control-address enable

# Specify the local AC with IP address 11.1.1.104 for the AP.

[Central AC-wlan-ap-ap1] control-address ip 11.1.1.104

# Bind service template portal to radio 1 of AP ap1.

[Central AC-wlan-ap-ap1] radio 1

[Central AC-wlan-ap-ap1-radio-1] radio enable

[Central AC-wlan-ap-ap1-radio-1] service-template portal

[Central AC-wlan-ap-ap1-radio-1] quit

Configuring the local AC

1.     Configure the local AC feature:

# Enable the local AC feature.

<Local AC> system-view

[Local AC] wlan local-ac enable

# Specify the central AC with IP address 11.1.1.3 for the local AC.

[Local AC] wlan central-ac ip 11.1.1.3

# Configure the local AC to use VLAN 11 to establish a tunnel with the central AC.

[Local AC] wlan local-ac capwap source-vlan 11

2.     Configure DHCP:

# Enable DHCP.

[Local AC] dhcp enable

# Create DHCP address pool ap, specify the gateway address as 12.0.0.1, and specify the subnet for dynamic allocation as 12.0.0.0/16.

[Local AC] dhcp server ip-pool ap

[Local AC-dhcp-pool-ap] gateway-list 12.0.0.1

[Local AC-dhcp-pool-ap] network 12.0.0.0 mask 255.255.0.0

# Configure Option 43 in the DHCP address pool to specify the IP address of the central AC (11.1.1.3).

[Local AC-dhcp-pool-ap] option 43 hex 80070000010b010103

[Local AC-dhcp-pool-ap] quit

# Create DHCP address pool client, specify the gateway address as 20.0.0.1, and specify the subnet for dynamic allocation as 20.0.0.0/16.

[Local AC] dhcp server ip-pool client

[Local AC-dhcp-pool-client] gateway-list 20.0.0.1

[Local AC-dhcp-pool-client] network 20.0.0.0 mask 255.255.0.0

[Local AC-dhcp-pool-client] quit

3.     Configure VLAN interfaces:

# Create VLAN 11 and VLAN-interface 11, and assign an IP address to the interface. The local AC uses this interface to associate with the central AC.

[Local AC] vlan 11

[Local AC-vlan11] quit

[Local AC] interface Vlan-interface11

[Local AC-Vlan-interface11] ip address 11.1.1.104 255.255.0.0

[Local AC-Vlan-interface11] quit

# Create VLAN 12 and VLAN-interface 12, and assign an IP address to the interface. The local AC uses this interface to associate with APs.

[Local AC] vlan 12

[Local AC-vlan12] quit

[Local AC] interface Vlan-interface12

[Local AC-Vlan-interface12] ip address 12.0.0.1 255.255.0.0

[Local AC-Vlan-interface12] dhcp server apply ip-pool ap

[Local AC-Vlan-interface12] quit

# Create VLAN 20 and VLAN-interface 20, and assign an IP address to the interface. The local AC uses this interface to provide access to clients.

[Local AC] vlan 20

[Local AC-vlan20] quit

[Local AC] interface Vlan-interface20

[Local AC-Vlan-interface20] ip address 20.0.0.1 255.255.0.0

[Local AC-Vlan-interface20] dhcp server apply ip-pool client

[Local AC-Vlan-interface20] quit
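
The Option 43 value in DHCP address pool ap is easy to mistype, so the following added example (not part of the H3C document) encodes and decodes it and checks that it advertises the central AC address. The field layout (type 0x80, length, two zero bytes, address count, IPv4 addresses) is an assumption read off the value used on this page, and the mistyped value ending in 0101 is a constructed sample.

```python
import ipaddress

SUBOPT_TYPE = 0x80          # first byte of the value used on this page
SERVER_TYPE = b"\x00\x00"   # the two zero bytes that follow the length (assumed fixed)

def encode_option43(ac_ips):
    """Build the string for 'option 43 hex ...' from a list of IPv4 AC addresses."""
    addrs = [ipaddress.IPv4Address(ip) for ip in ac_ips]
    if not addrs:
        raise ValueError("at least one AC address is required")
    value = SERVER_TYPE + bytes([len(addrs)]) + b"".join(a.packed for a in addrs)
    if len(value) > 255:
        raise ValueError("too many addresses for a one-byte length")
    return (bytes([SUBOPT_TYPE, len(value)]) + value).hex()

def decode_option43(hex_str):
    """Return the AC addresses carried in the hex string; raise on malformed input."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 5 or raw[0] != SUBOPT_TYPE:
        raise ValueError("not a type-0x80 sub-option")
    length, body = raw[1], raw[2:]
    if length != len(body):
        raise ValueError(f"length byte {length} != {len(body)} bytes present")
    if body[:2] != SERVER_TYPE:
        raise ValueError("unexpected bytes after the length field")
    count, packed = body[2], body[3:]
    if len(packed) != 4 * count:
        raise ValueError(f"count {count} does not match {len(packed)} address bytes")
    return [str(ipaddress.IPv4Address(packed[i:i + 4])) for i in range(0, len(packed), 4)]

def check_option43(hex_str, expected_ac_ip):
    """True only if the option advertises exactly the expected AC address."""
    return decode_option43(hex_str) == [expected_ac_ip]

if __name__ == "__main__":
    central_ac = "11.1.1.3"
    # Second value is a constructed typo: last octet 01 instead of 03.
    for candidate in ("80070000010b010103", "80070000010b010101"):
        print(candidate, decode_option43(candidate), check_option43(candidate, central_ac))
```
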

Configuring the IMC server

This example uses the IMC server to describe the RADIUS server and portal server configuration. The IMC server runs on IMC PLAT 7.2 (E0403p10), IMC EIA 7.2 (E0405), and IMC EIP 7.2 (E0405).

To configure the IMC server:

1.     Click the User tab.

2.     Create an IP group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group.

b.     Click Add.

c.     Configure the following parameters:

-     IP Group Name—Enter the IP group name.

-     Start IP—Enter the start IP address of the IP group. Make sure the client IP address is in the IP group.

-     End IP—Enter the end IP address of the IP group. Make sure the client IP address is in the IP group.

-     Service Group—Select a service group. This example uses the default value Ungrouped.

-     Action—Select Normal.

d.     Click OK.

Figure 2 Adding an IP group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device.

b.     Click Add.

c.     Configure the following parameters:

-     Device Name—Enter the device name.

-     Version—Select CMCC 1.0.

-     IP Address—Enter the IP address of the AC's interface connected to the client.

-     Support Server Heartbeat—Select whether to support the portal server heartbeat function. In this example, select No.

-     Support User Heartbeat—Select whether to support the portal user heartbeat function. In this example, select No.

-     Key—Enter the key. The key must be the same as that configured on the AC.

-     Access Method—Select layer 3.

Use the default settings for other parameters.

d.     Click OK.

Figure 3 Adding a portal device

 

4.     Associate the portal device with the IP group:

a.     Click the Port Group icon in the Operation field for device NAS to open the port group configuration page.

Figure 4 Device list

 

b.     Click Add.

c.     Configure the following parameters:

-     Port Group Name—Enter the port group name.

-     IP Group—Select the configured IP group. The IP address used by the user to access the network must be within this IP address group.

Use the default settings for other parameters.

d.     Click OK.

Figure 5 Adding a port group

 

5.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add.

c.     Configure the following parameters:

-     Access Policy Name—Enter the access policy name.

-     Service Group—Select a service group. This example uses the default value Ungrouped.

Use the default settings for other parameters.

d.     Click OK.

Figure 6 Adding an access policy

 

6.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add.

c.     In the page that opens, enter the service name, and use the default settings for other parameters.

d.     Click OK.

Figure 7 Adding an access service

 

7.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add.

c.     Select an existing access user or click Add User to add a new access user, and set the password. Use the default settings for other parameters.

d.     Click OK.

Figure 8 Adding an access user

 

Verifying the configuration

# Verify that the local AC is in R/M state on the central AC. This state indicates that the local AC has come online on the central AC.

[Central AC] display wlan local-ac name 55ng-1

                                Local AC Information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run

AC name                        ACID  State Model           Serial ID

55ng-1                         2     R/M   S5560           210235A1GCH147000017

# Verify that the AP is in R/M state on the central AC.

[Central AC] display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 4096

Remaining APs: 4095

Total AP licenses: 512

Remaining AP licenses: 511

 

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

 

AP name                        APID  State Model           Serial ID

ap1                            8     R/M   WA5620i-ACN     210235A1SVC15C000028

# Verify that the AP has associated with the local AC.

[Central AC] display wlan ap-distribution all

Central AC

Slot               : 1

Total Number of APs: 0

AP name            :

 

Local AC

Name               : 55ng-1

Total Number of APs: 1

AP name            : ap1

# Verify that a client has come online.

[Central AC] display wlan client

Total number of clients: 1

 

MAC address    User name  AP name        RID IP address      IPv6 address   VLAN

c81e-e738-016a N/A        ap1            1   20.0.0.3                       20

# Verify that the client has passed portal authentication.

[Central AC] display portal user all

Total portal users: 1

Username: qcf

  AP name: ap1

  Radio ID: 1

  SSID: portal

  Portal server: imc

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  c81e-e738-016a  20.0.0.3              20      WLAN-BSS1/0/10

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

·     Central AC:

#

vlan 11

#

wlan service-template portal

 ssid portal

 vlan 20

 client forwarding-location ap

 portal enable method direct

 portal domain imc

 portal bas-ip 11.1.1.3

 portal apply web-server imc

 service-template enable

#

interface Vlan-interface11

 ip address 11.1.1.3 255.255.0.0

#

radius scheme imc

 primary authentication 8.1.1.231

 primary accounting 8.1.1.231

 key authentication cipher $c$3$t7x0fIARso0US949SnQS2pq53eIdsgUr6z07

 key accounting cipher $c$3$V4YI3sDOEq0VqAIPoaNjQOV3ZalvqTL05GC0

 user-name-format without-domain

 nas-ip 11.1.1.3

#

domain imc

 authentication portal radius-scheme imc

 authorization portal radius-scheme imc

 accounting portal radius-scheme imc

#

 portal host-check enable

#

portal web-server imc

 url http://8.1.1.231:8080/portal

 url-parameter apmac ap-mac

 url-parameter ssid ssid

 url-parameter userip source-address

 url-parameter usermac source-mac

#

portal server imc

 ip 8.1.1.231 key cipher $c$3$76rxh0Qxgg0I1zWtzrlr2r0ch76JC+3IZK2A

#

wlan ap ap1 model WA5620i-ACN

 serial-id 210235A1SVC15C000028

 map-configuration cfa0:/map.txt

 control-address enable

 control-address ip 11.1.1.104

 radio 1

  radio enable

  service-template portal

#

wlan local-ac name 55ng-1 model S5560

 serial-id 210235A1GCH147000017

#

·     Local AC:

#

 dhcp enable

#

vlan 11 to 12

#

vlan 20

#

dhcp server ip-pool ap

 gateway-list 12.0.0.1

 network 12.0.0.0 mask 255.255.0.0

 option 43 hex 80070000010b010103

#

dhcp server ip-pool client

 gateway-list 20.0.0.1

 network 20.0.0.0 mask 255.255.0.0

#

interface Vlan-interface11

 ip address 11.1.1.104 255.255.0.0

#

interface Vlan-interface12

 ip address 12.0.0.1 255.255.0.0

 dhcp server apply ip-pool ap

#

interface Vlan-interface20

 ip address 20.0.0.1 255.255.0.0

 dhcp server apply ip-pool client

#

 wlan local-ac enable

 wlan local-ac capwap source-vlan 11

#

 wlan central-ac ip 11.1.1.3
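
The two configuration files above only work together if the addresses they reference on each other match. The following added example (not part of the H3C document) cross-checks excerpts of both files; the choice of checks and the function names are assumptions made for this illustration.

```python
import re

# Excerpts of the two saved configurations from this page (trimmed to the lines checked).
CENTRAL_CFG = """\
wlan service-template portal
 portal bas-ip 11.1.1.3
#
interface Vlan-interface11
 ip address 11.1.1.3 255.255.0.0
#
radius scheme imc
 nas-ip 11.1.1.3
#
wlan ap ap1 model WA5620i-ACN
 control-address ip 11.1.1.104
"""
LOCAL_CFG = """\
interface Vlan-interface11
 ip address 11.1.1.104 255.255.0.0
#
 wlan local-ac capwap source-vlan 11
#
 wlan central-ac ip 11.1.1.3
"""

def interface_ips(cfg):
    """Map interface name -> IPv4 address from 'interface X' / ' ip address A M' stanzas."""
    ips, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("#"):
            current = None
        elif current and (m := re.match(r"\s+ip address (\S+) \S+", line)):
            ips[current] = m.group(1)
    return ips

def values(cfg, pattern):
    """All captures of a one-group regex matched against each stripped config line."""
    return [m.group(1) for ln in cfg.splitlines() if (m := re.fullmatch(pattern, ln.strip()))]

def audit(central, local):
    """Return a list of addressing mismatches between the central and local AC configs."""
    c_ips, l_ips = interface_ips(central), interface_ips(local)
    problems = []
    for ip in values(local, r"wlan central-ac ip (\S+)"):
        if ip not in c_ips.values():
            problems.append(f"local AC points at {ip}, which is not a central AC address")
    for ip in values(central, r"control-address ip (\S+)"):
        if ip not in l_ips.values():
            problems.append(f"control-address {ip} is not an address of the local AC")
    for ip in values(central, r"(?:nas-ip|portal bas-ip) (\S+)"):
        if ip not in c_ips.values():
            problems.append(f"source address {ip} is not an interface of the central AC")
    for vlan in values(local, r"wlan local-ac capwap source-vlan (\d+)"):
        if f"Vlan-interface{vlan}" not in l_ips:
            problems.append(f"CAPWAP source VLAN {vlan} has no addressed VLAN interface")
    return problems
```
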