- Table of Contents
- Related Documents
|03-Remote 802.1X Authentication (Central AC Authentication + AP Forwarding) Configuration Examples||338.55 KB|
H3C Access Controllers
Comware 7 Remote 802.1X Authentication on an AC Hierarchy Network (Central AC Authentication + AP Forwarding)
The following information provides an example of configuring remote 802.1X authentication for clients on a network that deploys an AC hierarchy.
The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of AC hierarchy, 802.1X, WLAN access, and AP management features.
Central ACs on an AC hierarchy network do not support IRF.
As shown in Figure 1:
· The network deploys an AC hierarchy that contains one central AC and one local AC. The central AC is a wireless access controller and the local AC is a unified wired and wireless access controller. In this example, the APs are connected to the local AC through GigabitEthernet 1/0/1.
· The APs are assigned to VLAN 12 and the clients are assigned to VLAN 20.
· The network deploys a RADIUS server that runs IMC for 802.1X authentication.
Configure the devices to meet the following requirements:
· The APs and clients are associated with the local AC.
¡ The APs obtain the IP address of the central AC through DHCP Option 43.
¡ The AC rediscovery feature is configured on the central AC for the APs to discover the local AC.
· The central AC acts as the authenticator and uses the RADIUS server to perform authentication, authorization, and accounting for the clients. 802.1X authentication is enabled in the service template through which the clients access the network.
· The AP locally forwards client data traffic in VLAN 12.
· The local AC acts as a DHCP server to assign IP addresses to the APs and the clients.
For GigabitEthernet 1/0/1 to forward client data traffic in VLAN 12, edit a .txt configuration file and upload the file to the central AC. In the file, the port is added to VLAN 12. Because the clients are assigned to VLAN 20, add the port also to VLAN 20 for the clients to pass RADIUS-based 802.1X authentication and come online.
For an AP to discover the local AC and come online from the local AC, enable the AC rediscovery feature in the view of the manual AP that is created for the AP. In addition, configure the central AC to add the IP address of the local AC to the CAPWAP Control IP Address message element in the discovery responses sent to the AP. If the AC rediscovery feature is not configured for an AP, the central AC will send the IP address of the lightest loaded local AC to the AP. If the lightest loaded local AC is not the local AC in the branch, the AP cannot come online.
This configuration example was created and verified on WX5560H Release 5415P01 on the central AC and WX3510H Release 5415P01 on the local AC.
Use the serial ID labeled on the AP's rear panel to specify an AP.
On the local AC, do not enable the auto AP feature. In addition, create a manual AP for each AP in local AC view on the central AC for the central AC to manage the APs.
Make sure the devices can reach one another.
# Use a text editor to edit the APs' configuration file, and then upload the file to the central AC. In this example, the configuration file name is map.txt.
The following is the AP configuration for this example:
port link-type trunk
port trunk permit vlan 1 12 20
Configuring the central AC
# Create VLAN 11, create VLAN-interface 11, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a management tunnel with the local AC.
<Central AC> system-view
[Central AC] vlan 11
[Central AC-vlan11] quit
[Central AC] interface vlan-interface 11
[Central AC-Vlan-interface11] ip address 188.8.131.52 16
[Central AC-Vlan-interface11] quit
Configuring a local AC for the central AC
# Create local AC 3510h-1 with model WX3510H and enter local AC view.
[Central AC] wlan local-ac name 3510h-1 model WX3510H
# Specify the serial ID of the local AC.
[Central AC-wlan-local-ac-3510h-1] serial-id 210235A1GCH147000017
[Central AC-wlan-local-ac-3510h-1] quit
Configuring RADIUS-based 802.1X authentication
1. Configure a RADIUS scheme:
# Create RADIUS scheme imc and enter its view.
[Central-AC] radius scheme imc
# Specify the IP address of the primary RADIUS authentication server.
[Central AC-radius-imc] primary authentication 184.108.40.206
# Specify the IP address of the primary RADIUS accounting server.
[Central AC-radius-imc] primary accounting 220.127.116.11
# Set the shared key to 12345678 in plaintext form for secure communication with the RADIUS authentication server.
[Central AC-radius-imc] key authentication simple 12345678
# Set the shared key to 12345678 in plaintext form for secure communication with the RADIUS accounting server.
[Central AC-radius-imc] key accounting simple 12345678
# Exclude the domain name from usernames sent to the RADIUS servers.
[Central AC-radius-imc] user-name-format without-domain
# Specify IP address 18.104.22.168 as the source IP address for outgoing RADIUS packets.
[Central AC-radius-imc] nas-ip 22.214.171.124
[Central AC-radius-imc] quit
2. Configure an authentication domain:
# Create ISP domain imc and enter its view.
[Central-AC] domain imc
# Configure the ISP domain to use RADIUS scheme imc for 802.1X user authentication.
[Central-AC-isp-imc] authentication lan-access radius-scheme imc
# Configure the ISP domain to use RADIUS scheme imc for 802.1X user authorization.
[Central-AC-isp-imc] authorization lan-access radius-scheme imc
# Configure the ISP domain to use RADIUS scheme imc for 802.1X user accounting.
[Central-AC-isp-imc] accounting lan-access radius-scheme imc
3. Configure EAP relay as the method for the AC to exchange packets with the RADIUS server.
[Central-AC] dot1x authentication-method eap
Configuring a service template
# Create service template dot1x and set the SSID of the service template.
[Central-AC] wlan service-template dot1x
[Central-AC-wlan-st-dot1x] ssid dot1x
# Assign VLAN 20 to the matching clients.
[Central-AC-wlan-st-dot1x] vlan 20
# Specify the central AC as the authenticator.
[Central-AC-wlan-st-dot1x] client-security authentication-location central-ac
# Configure APs to forward client data traffic from all VLANs.
[Central-AC-wlan-st-dot1x] client forwarding-location ap
# Set the AKM mode to 802.1X.
[Central-AC-wlan-st-dot1x] akm mode dot1x
# Specify the CCMP cipher suite and enable the RSN IE in beacon and probe responses.
[Central-AC-wlan-st-dot1x] cipher-suite ccmp
[Central-AC-wlan-st-dot1x] security-ie rsn
# Set the access authentication mode to 802.1X authentication.
[Central-AC-wlan-st-dot1x] client-security authentication-mode dot1x
# Specify ISP domain imc for authenticating the 802.1X client.
[Central-AC-wlan-st-dot1x] dot1x domain imc
# Enable the service template.
[Central-AC-wlan-st-dot1x] service-template enable
Creating a manual AP
# Create manual AP ap1 and specify the AP model and serial ID.
[Central AC] wlan ap ap1 model WA5620i-ACN
[Central AC-wlan-ap-ap1] serial-id 210235A1SVC15C000028
# Deploy configuration file map.txt to the manual AP.
[Central-AC-wlan-ap-ap1] map-configuration cfa0:/map.txt
# Enable the AC rediscovery feature.
[Central-AC-wlan-ap-ap1] control-address enable
# Specify 126.96.36.199 (an IP address on the local AC) as the IP address to be carried in the CAPWAP Control IP Address message element.
[Central AC-wlan-ap-ap1] control-address ip 188.8.131.52
# Enable radio 1, and then bind service template dot1x to the radio and specify VLAN 20 for the radio.
[Central AC-wlan-ap-ap1] radio 1
[Central AC-wlan-ap-ap1-radio-1] radio enable
[Central AC-wlan-ap-ap1-radio-1] service-template dot1x vlan 20
[Central AC-wlan-ap-ap1-radio-1] quit
1. Configure the local AC feature:
# Enable the local AC feature.
<Local AC> system-view
[Local AC] wlan local-ac enable
# Specify the central AC for the local AC.
[Local AC] wlan central-ac ip 184.108.40.206
# Configure the local AC to use VLAN 11 to establish CAPWAP tunnels with the central AC.
[Local AC] wlan local-ac capwap source-vlan 11
2. Configure IP address pool settings:
# Enable the DHCP service.
[Local AC] dhcp enable
# Configure DHCP address pool ap. In the address pool, specify 220.127.116.11 as the gateway IP address and 18.104.22.168/16 as the subnet for dynamic allocation.
[Local AC] dhcp server ip-pool ap
[Local AC-dhcp-pool-ap] gateway-list 22.214.171.124
[Local AC-dhcp-pool-ap] network 126.96.36.199 mask 255.255.0.0
# Configure Option 43 to specify the central AC address as the AC address in DHCP address pool ap.
[Local AC-dhcp-pool-ap] option 43 hex 80070000010b010101
[Local AC-dhcp-pool-ap] quit
# Configure DHCP address pool client. In the address pool, specify 188.8.131.52 as the gateway IP address and 184.108.40.206/16 as the subnet for dynamic allocation.
[Local AC] dhcp server ip-pool client
[Local AC-dhcp-pool-client] gateway-list 220.127.116.11
[Local AC-dhcp-pool-client] network 18.104.22.168 mask 255.255.0.0
[Local AC-dhcp-pool-client] quit
3. Configure interfaces:
# Create VLAN 11, create VLAN-interface 11, and assign an IP address to the VLAN interface. The local AC will use this IP address to establish CAPWAP tunnels with the central AC.
[Local AC] vlan 11
[Local AC-vlan11] quit
[Local AC] interface vlan-interface 11
[Local AC-Vlan-interface11] ip address 22.214.171.124 255.255.0.0
[Local AC-Vlan-interface11] quit
# Create VLAN 12, create VLAN-interface 12, and assign an IP address to the VLAN interface. The local AC assigns VLAN 12 to an AP when the AP comes online.
[Local AC] vlan 12
[Local AC-vlan12] quit
[Local AC] interface vlan-interface 12
[Local AC-Vlan-interface12] ip address 126.96.36.199 255.255.0.0
[Local AC-Vlan-interface12] dhcp server apply ip-pool ap
[Local AC-Vlan-interface12] quit
# Create VLAN 20, create VLAN-interface 20, and assign an IP address to the VLAN interface. The local AC assigns this VLAN to a wireless client when the client comes online.
[Local AC] vlan 20
[Local AC-vlan20] quit
[Local AC] interface vlan-interface 20
[Local AC-Vlan-interface20] ip address 188.8.131.52 255.255.0.0
[Local AC-Vlan-interface20] dhcp server apply ip-pool client
[Local AC-Vlan-interface20] quit
The RADIUS server runs IMC PLAT 7.2 (E0403p10), IMC EIA 7.2 (E0405), and IMC EIP 7.2 (E0405).
Make sure the RADIUS server has been installed with the EAP-PEAP certificate.
Adding the central AC as an access device to IMC
1. Log in to IMC and click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
3. Click Add.
The Add Access Device page opens.
4. In the Access Configuration area, configure the following parameters, as shown in Figure 2:
¡ Enter 12345678 in the Shared Key and Confirm Shared Key fields. The shared key must be the same as the authentication and accounting shared keys configured on the central AC.
¡ Use the default values for other parameters.
5. In the Device List area, click Select or Add Manually to add the central AC at 184.108.40.206 as an access device.
The IP address must be the source IP address specified for outgoing RADIUS packets in the RADIUS scheme on the central AC.
6. Click OK.
Adding an access policy
1. From the navigation tree, select User Access Policy > Access Policy.
2. Click Add.
3. On the Add Access Policy page, configure the following parameters, as shown in Figure 3:
¡ Enter dot1x in the Access Policy Name field.
¡ Select EAP-PEAP from the Preferred EAP Type list, and select EAP-MSCHAPv2 from the Subtype list.
The certificate subtype on the IMC server must be the same as the identity authentication method configured on the clients.
Adding an access service
1. From the navigation tree, select User Access Policy > Access Service.
2. Click Add.
3. On the Add Access Service page, configure the following parameters, as shown in Figure 4:
¡ Enter dot1x in the Service Name field.
¡ Select dot1x from the Default Access Policy list.
4. Click OK.
Adding an access user
1. From the navigation tree, select Access User > Access User.
The access user list opens.
2. Click Add.
The Add Access User page opens.
3. In the Access Information area, configure the following parameters, as shown in Figure 5:
a. Click Select or Add User to associate the user with IMC Platform user user.
b. Enter user in the Account Name field.
c. Enter dot1x in the Password and Confirm Password fields.
4. In the Access Service area, select dot1x from the list.
5. Click OK.
[Central AC] display wlan local-ac name 3510h-1
Local AC Information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run
AC name ACID State Model Serial ID
3510h-1 2 R/M WX3510H 210235A1GCH147000017
# Verify that the local AC has established a management tunnel with the central AC. The state of an AP changes to R/M (Run/Master) on the central AC after it comes online from the local AC.
[Central AC] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 4096
Remaining APs: 4095
Total AP licenses: 512
Remaining AP licenses: 511
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
ap1 8 R/M WA5620i-ACN 210235A1SVC15C000028
# On the central AC, verify that the AP has associated with the local AC.
Central AC display wlan ap-distribution all
Slot : 1
Total Number of APs: 0
AP name :
Name : 3510h-1
Total Number of APs: 1
AP name : ap1
# Connect a client to the wireless network to verify that the client can pass 802.1X authentication. (Details not shown.)
# On the central AC, display wireless client information to verify that the client has come online.
[Central AC] display wlan client
Total number of clients: 1
MAC address User name AP name RID IP address VLAN
e49a-dc71-a162 N/A ap1 1 220.127.116.11 20
# On the central AC, display online 802.1X information to verify that the client has passed 802.1X authentication.
[Central AC] display dot1x connection
Total connections: 1
User MAC address : e49a-dc71-a162
AP name : ap1
Radio ID : 1
SSID : dot1x
BSSID : 3891-d59a-7960
Username : user
Authentication domain : imc
IPv4 address : 18.104.22.168
Authentication method : EAP
Initial VLAN : 20
Authorization VLAN : 20
Authorization ACL number : N/A
Authorization user profile : N/A
Termination action : Default
Session timeout period : 86400 s
Online from : 2019/05/22 11:31:18
Online duration : 0h 2m 12s
· Central AC:
dot1x authentication-method eap
wlan service-template dot1x
client forwarding-location ap
client-security authentication-location central-ac
akm mode dot1x
client-security authentication-mode dot1x
dot1x domain imc
ip address 22.214.171.124 255.255.0.0
radius scheme imc
primary authentication 126.96.36.199
primary accounting 188.8.131.52
key authentication cipher $c$3$t7x0fIARso0US949SnQS2pq53eIdsgUr6z07
key accounting cipher $c$3$V4YI3sDOEq0VqAIPoaNjQOV3ZalvqTL05GC0
authentication lan-access radius-scheme imc
authorization lan-access radius-scheme imc
accounting lan-access radius-scheme imc
wlan ap ap1 model WA5620i-ACN
control-address ip 184.108.40.206
service-template dot1x vlan 20
wlan local-ac name 3510h-1 model WX3510H
· Local AC:
vlan 11 to 12
dhcp server ip-pool ap
network 220.127.116.11 mask 255.255.0.0
option 43 hex 80070000010b010101
dhcp server ip-pool client
network 18.104.22.168 mask 255.255.0.0
ip address 22.214.171.124 255.255.0.0
ip address 126.96.36.199 255.255.0.0
dhcp server apply ip-pool ap
ip address 188.8.131.52 255.255.0.0
dhcp server apply ip-pool client
wlan local-ac enable
wlan local-ac capwap source-vlan 11
wlan central-ac ip 184.108.40.206
· AP and WT Management Configuration Guide in H3C Access Controllers Configuration Guides
· AP and WT Management Command Reference in H3C Access Controllers Command References
· High Availability Configuration Guide in H3C Access Controllers Configuration Guides
· High Availability Command Reference in H3C Access Controllers Command References
· Network Connectivity Configuration Guide in H3C Access Controllers Configuration Guides
· Network Connectivity Command Reference in H3C Access Controllers Command References
· User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides
· User Access and Authentication Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References