11-AC hierarchy

H3C Access Controllers

Comware 7 AC Hierarchy (IPv6)

Configuration Examples

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an AC hierarchy configuration example.

Prerequisites

This document applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of IPv6, AC hierarchy, portal, WLAN access, and AP management.

Example: Configuring AC hierarchy

Network configuration

As shown in Figure 1, the central AC (an access controller module) is deployed at the headquarters and a local AC (a unified wired and wireless AC) is deployed at the branch. The central AC performs client authentication and the local AC forwards client traffic.

Configure network settings to meet the following requirements:

·     APs obtain the IPv6 address of the central AC through DHCPv6 and establish CAPWAP tunnels with the local AC after AC rediscovery.

·     The IMC server performs portal authentication as a portal server and AAA server.

·     The local AC assigns IPv6 addresses to APs and clients as a DHCPv6 server.

Figure 1 Network diagram

 

Analysis

·     For interface GigabitEthernet1/0/1 on an AP to join the local-forwarding VLAN, use a text editor to create an AP configuration file and upload the file to the central AC.

·     With AC rediscovery enabled, the APs might fail to come online through the local AC in the branch if the local AC is not the lowest-loaded AC. For the central AC to assign the local AC to the APs at AC rediscovery, specify the local AC for APs.

Restrictions and guidelines

When you configure AC hierarchy, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     Do not configure any portal settings on the local AC when portal authentication and local forwarding are used in the AC hierarchy network.

·     Do not enable auto AP on the local AC, and do not create APs on the local AC if the APs are to be managed centrally by the central AC.

·     Disable firmware upgrade for the local AC because the S5560 unified wired and wireless AC and the access controller module have different software versions.

·     The URL of the portal Web server redirected to clients does not contain any parameters by default. You must configure the parameters manually.

·     Central ACs do not support IRF.

Procedures

Configuring the central AC

1.     Make sure the devices can reach each other. (Details not shown.)

2.     Create AP configuration file map.txt as follows and then upload the file to the central AC.

system-view

vlan 12

vlan 20

interface GigabitEthernet1/0/1

port link-type trunk

port trunk permit vlan 1 12 20

3.     Create VLAN 11 and VLAN-interface 11, and assign an IPv6 address to the VLAN interface.

<Central AC> system-view

[Central AC] vlan 11

[Central AC-vlan11] quit

[Central AC] interface vlan-interface 11

[Central AC-Vlan-interface11] ipv6 address 1::1:0:0:2/96

[Central AC-Vlan-interface11] quit

4.     Create local AC wx3540h, and specify the serial ID of the local AC.

[Central AC] wlan local-ac name wx3540h model WX3540H

[Central AC-wlan-local-ac-wx3540h] serial-id 210235A1JQB161000013

[Central AC-wlan-local-ac-wx3540h] quit

5.     Configure the RADIUS scheme for portal authentication:

# Create RADIUS scheme imc.

[Central AC] radius scheme imc

# Specify the IPv6 address of the primary authentication server as 1::3:0:0:2.

[Central AC-radius-imc] primary authentication ipv6 1::3:0:0:2

# Specify the IPv6 address of the primary accounting server as 1::3:0:0:2.

[Central AC-radius-imc] primary accounting ipv6 1::3:0:0:2

# Set the shared key to 12345678 in plaintext form for secure authentication communication.

[Central AC-radius-imc] key authentication simple 12345678

# Set the shared key to 12345678 in plaintext form for secure accounting communication.

[Central AC-radius-imc] key accounting simple 12345678

# Configure the central AC to remove the domain name from the usernames sent to the RADIUS servers.

[Central AC-radius-imc] user-name-format without-domain

# Specify IPv6 address 8:3::40 as the source IPv6 address of outgoing RADIUS packets.

[Central AC-radius-imc] nas-ip ipv6 8:3::40

[Central AC-radius-imc] quit

6.     Configure the authentication domain for portal authentication:

# Create domain imc and enter its view.

[Central AC] domain imc

# Perform RADIUS authentication for portal users based on scheme imc.

[Central AC-isp-imc] authentication portal radius-scheme imc

# Perform RADIUS authorization for portal users based on scheme imc.

[Central AC-isp-imc] authorization portal radius-scheme imc

# Perform RADIUS accounting for portal users based on scheme imc.

[Central AC-isp-imc] accounting portal radius-scheme imc

[Central AC-isp-imc] quit

7.     Configure the portal authentication server:

# Create portal authentication server imc and enter its view.

[Central AC] portal server imc

# Configure the IPv6 address of the portal authentication server as 1::3:0:0:2 and the plaintext key as 12345678.

[Central AC-portal-server-imc] ipv6 1::3:0:0:2 key simple 12345678

[Central AC-portal-server-imc] quit

8.     Configure the portal Web server:

# Create portal Web server imc and enter its view.

[Central AC] portal web-server imc

# Configure the URL for the portal Web server as http://[1::3:0:0:2]:8080/portal.

[Central AC-portal-websvr-imc] url http://[1::3:0:0:2]:8080/portal

# Configure the parameters carried in the URL of the portal Web server.

[Central AC-portal-websvr-imc] url-parameter apmac ap-mac

[Central AC-portal-websvr-imc] url-parameter ssid ssid

[Central AC-portal-websvr-imc] url-parameter userip source-address

[Central AC-portal-websvr-imc] url-parameter usermac source-mac

[Central AC-portal-websvr-imc] quit

9.     Configure wireless services:

# Create service template portal.

[Central AC] wlan service-template portal

# Set the SSID for the service template to portal.

[Central AC-wlan-st-portal] ssid portal

# Assign clients coming online through the service template to VLAN 20.

[Central AC-wlan-st-portal] vlan 20

# Enable APs to forward client traffic.

[Central AC-wlan-st-portal] client forwarding-location ap

# Enable direct IPv6 portal authentication on the service template.

[Central AC-wlan-st-portal] portal ipv6 enable method direct

# Specify the authentication domain as imc for IPv6 portal users on the service template.

[Central AC-wlan-st-portal] portal ipv6 domain imc

# Configure the BAS-IPv6 attribute as 8:3::40 for portal packets sent to the portal authentication server.

[Central AC-wlan-st-portal] portal bas-ipv6 8:3::40

# Enable snooping ND packets and snooping DHCPv6 packets.

[Central AC-wlan-st-portal] client ipv6-snooping nd-learning enable

[Central AC-wlan-st-portal] client ipv6-snooping dhcpv6-learning enable

# Apply IPv6 portal Web server imc on the service template for portal authentication.

[Central AC-wlan-st-portal] portal ipv6 apply web-server imc

# Enable the service template.

[Central AC-wlan-st-portal] service-template enable

[Central AC-wlan-st-portal] quit

# Create AP ap1 and set the serial ID to 219801A18R8176E00659.

[Central AC] wlan ap ap1 model WA5320-C-EI

[Central AC-wlan-ap-ap1] serial-id 219801A18R8176E00659

# Deploy configuration file map.txt to AP ap1.

[Central AC-wlan-ap-ap1] map-configuration cfa0:/map.txt

# Enable AC rediscovery.

[Central AC-wlan-ap-ap1] control-address enable

# Specify the local AC with IPv6 address 1::1:0:0:104 for the AP.

[Central AC-wlan-ap-ap1] control-address ipv6 1::1:0:0:104

# Bind service template portal to radio 1 of AP ap1.

[Central AC-wlan-ap-ap1] radio 1

[Central AC-wlan-ap-ap1-radio-1] radio enable

[Central AC-wlan-ap-ap1-radio-1] service-template portal

[Central AC-wlan-ap-ap1-radio-1] quit
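
The central AC procedure above sets the same eight-digit plaintext key for RADIUS authentication, RADIUS accounting, and the portal server, and redirects clients to an HTTP portal URL that carries the client IP and MAC address. The following audit sketch is an added example, not H3C code: the rule names, the 16-character minimum, and the embedded sample (copied from the commands above) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the security-relevant lines of the central AC
# procedure above, laid out as they appear in a saved configuration.
CENTRAL_AC_COMMANDS = """\
radius scheme imc
 primary authentication ipv6 1::3:0:0:2
 key authentication simple 12345678
 key accounting simple 12345678
portal server imc
 ipv6 1::3:0:0:2 key simple 12345678
portal web-server imc
 url http://[1::3:0:0:2]:8080/portal
 url-parameter userip source-address
 url-parameter usermac source-mac
"""

MIN_SECRET_LEN = 16  # assumption: local policy value, not an H3C requirement
KEY_RE = re.compile(r"\bkey\s+(?:(authentication|accounting)\s+)?simple\s+(\S+)")
URL_RE = re.compile(r"^\s*url\s+(http://\S+)", re.I)


def audit(config: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for a Comware-style configuration text."""
    findings, secrets = [], defaultdict(list)   # secret value -> contexts using it
    section, http_portal = "", False
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            # Unindented line: a new top-level view such as "radius scheme imc".
            section, http_portal = raw.strip(), False
            continue
        m = KEY_RE.search(raw)
        if m:
            ctx = f"{section} ({m.group(1) or 'server key'})"
            secrets[m.group(2)].append(ctx)
            if len(m.group(2)) < MIN_SECRET_LEN:
                findings.append(("short-secret", ctx))
            if m.group(2).isdigit():
                findings.append(("digits-only-secret", ctx))
        m = URL_RE.match(raw)
        if m:
            http_portal = True
            findings.append(("cleartext-portal-url", m.group(1)))
        if http_portal and raw.strip().startswith("url-parameter"):
            # Parameter name that will travel in the cleartext redirect URL.
            findings.append(("identifier-over-http", raw.split()[1]))
    for ctxs in secrets.values():
        if len(ctxs) > 1:
            findings.append(("secret-reuse", ", ".join(ctxs)))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(CENTRAL_AC_COMMANDS):
        print(f"{rule:22} {detail}")
```

The check only sees keys entered in simple form, so run it against the command script before deployment rather than against a saved configuration, where keys are displayed in cipher form.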

Configuring the local AC

1.     Configure the local AC feature:

# Enable the local AC feature.

<Local AC> system-view

[Local AC] wlan local-ac enable

# Specify the central AC with IPv6 address 1::1:0:0:2 for the local AC.

[Local AC] wlan central-ac ipv6 1::1:0:0:2

# Configure the local AC to use VLAN 11 to establish a tunnel with the central AC.

[Local AC] wlan local-ac capwap source-vlan 11

2.     Configure DHCP:

# Enable DHCP.

[Local AC] dhcp enable

# Create DHCPv6 address pool ap and specify the subnet for dynamic allocation as 12:1:1::/64.

[Local AC] ipv6 dhcp pool ap

[Local AC-dhcp-pool-ap] network 12:1:1::/64

# Configure Option 52 that specifies the AC's IPv6 address.

[Local AC-dhcp-pool-ap] option 52 hex 00010000000000000001000000000001

[Local AC-dhcp-pool-ap] quit

# Create DHCPv6 address pool client and specify the subnet for dynamic allocation as 2003::/64.

[Local AC] ipv6 dhcp pool client

[Local AC-dhcp-pool-client] network 2003::/64

[Local AC-dhcp-pool-client] quit

3.     Configure VLAN interfaces:

# Create VLAN 11 and VLAN-interface 11, and assign an IPv6 address to the interface. The local AC uses this interface to associate with the central AC.

[Local AC] vlan 11

[Local AC-vlan11] quit

[Local AC] interface Vlan-interface11

[Local AC-Vlan-interface11] ipv6 address 1::1:0:0:104/96

[Local AC-Vlan-interface11] quit

# Create VLAN 12 and VLAN-interface 12, and assign an IPv6 address to the interface. The local AC uses this interface to associate with APs.

[Local AC] vlan 12

[Local AC-vlan12] quit

[Local AC] interface Vlan-interface12

[Local AC-Vlan-interface12] ipv6 address 12:1:1::1/64

# Disable RA message suppression, and set both the M flag and O flag to 1 in RA advertisements to be sent.

[Local AC-Vlan-interface12] undo ipv6 nd ra halt

[Local AC-Vlan-interface12] ipv6 nd autoconfig managed-address-flag

[Local AC-Vlan-interface12] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 server, and apply address pool ap to VLAN-interface 12.

[Local AC-Vlan-interface12] ipv6 dhcp select server

[Local AC-Vlan-interface12] ipv6 dhcp server apply pool ap

[Local AC-Vlan-interface12] quit

# Create VLAN 20 and VLAN-interface 20, and assign an IPv6 address to the interface. The local AC uses this interface to provide access to clients.

[Local AC] vlan 20

[Local AC-vlan20] quit

[Local AC] interface Vlan-interface20

[Local AC-Vlan-interface20] ipv6 address 2003::1/64

# Disable RA message suppression, and set both the M flag and O flag to 1 in RA advertisements to be sent.

[Local AC-Vlan-interface20] undo ipv6 nd ra halt

[Local AC-Vlan-interface20] ipv6 nd autoconfig managed-address-flag

[Local AC-Vlan-interface20] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 server, and apply address pool client to VLAN-interface 20.

[Local AC-Vlan-interface20] ipv6 dhcp select server

[Local AC-Vlan-interface20] ipv6 dhcp server apply pool client

[Local AC-Vlan-interface20] quit
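
APs learn their controller from DHCPv6 Option 52, whose payload is one or more 16-byte IPv6 addresses (RFC 5417), so a wrong hex string silently points APs at an unintended address. The following check is an added example, not H3C code: it encodes and decodes the option and compares the advertised address with the AC addresses in the configuration. The function names and the embedded sample (copied from the commands above) are assumptions.

```python
import ipaddress
import re

# Constructed sample: the local AC lines from the procedure above that
# carry controller addresses.
LOCAL_AC_CONFIG = """\
ipv6 dhcp pool ap
 network 12:1:1::/64
 option 52 hex 00010000000000000001000000000001
interface Vlan-interface11
 ipv6 address 1::1:0:0:104/96
wlan central-ac ipv6 1::1:0:0:2
"""


def encode_option52(addresses):
    """Hex payload for DHCPv6 Option 52: concatenated 16-byte IPv6 addresses."""
    return "".join(ipaddress.IPv6Address(a).packed.hex() for a in addresses)


def decode_option52(hex_payload):
    """Decode an Option 52 hex payload into a list of IPv6Address objects."""
    data = bytes.fromhex(hex_payload)
    if not data or len(data) % 16:
        raise ValueError("Option 52 payload must be a non-empty multiple of 16 bytes")
    return [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]


def check_local_ac(config):
    """Compare advertised controller addresses with the ACs named in the config."""
    advertised = []
    for payload in re.findall(r"option 52 hex ([0-9A-Fa-f]+)", config):
        advertised += decode_option52(payload)
    # Addresses the configuration itself assigns to an AC.
    known = {ipaddress.IPv6Address(a)
             for a in re.findall(r"wlan central-ac ipv6 (\S+)", config)}
    known |= {ipaddress.IPv6Interface(a).ip
              for a in re.findall(r"ipv6 address (\S+/\d+)", config)}
    return {
        "advertised": [str(a) for a in advertised],
        "unknown": [str(a) for a in advertised if a not in known],
    }


if __name__ == "__main__":
    print(check_local_ac(LOCAL_AC_CONFIG))
    print("central AC payload:", encode_option52(["1::1:0:0:2"]))
```

With the values on this page, the payload decodes to 1::1:0:0:1, which is not an address configured in this example; the central AC address 1::1:0:0:2 encodes to 00010000000000000001000000000002.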

Configuring the IMC server

This example uses the IMC server to describe the RADIUS server and portal server configuration. The IMC server runs on IMC PLAT 7.2 (E0403p10), IMC EIA 7.2 (E0405), and IMC EIP 7.2 (E0405).

To configure the IMC server:

1.     Click the User tab.

2.     Create an IP group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group.

b.     Click Add.

c.     Configure the following parameters:

-     IP Group Name—Enter the IP group name.

-     Start IP—Enter the start IP address of the IP group. Make sure the client IP address is in the IP group.

-     End IP—Enter the end IP address of the IP group. Make sure the client IP address is in the IP group.

-     Service Group—Select a service group. This example uses the default value Ungrouped.

d.     Click OK.

Figure 2 Adding an IP group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device.

b.     Click Add.

c.     Configure the following parameters:

-     Device Name—Enter the device name.

-     IP Address—Enter the IP address of the AC's interface connected to the client.

-     Support Server Heartbeat—Select whether to support the portal server heartbeat function. In this example, select No.

-     Support User Heartbeat—Select whether to support the portal user heartbeat function. In this example, select No.

-     Key—Enter the key. The key must be the same as that configured on the AC.

-     Version—Select Portal 3.0. Only portal 3.0 supports IPv6.

-     Access Method—Select layer 3.

Use the default settings for other parameters.

d.     Click OK.

Figure 3 Adding a portal device

 

4.     Associate the portal device with the IP group:

a.     Click the Port Group icon in the Operation field for device NAS to open the port group configuration page.

Figure 4 Device list

 

b.     Click Add.

c.     Configure the following parameters:

-     Port Group Name—Enter the port group name.

-     IP Group—Select the configured IP group. The IP address used by the user to access the network must be within this IP address group.

Use the default settings for other parameters.

d.     Click OK.

Figure 5 Adding a port group

 

5.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add.

c.     Configure the following parameters:

-     Access Policy Name—Enter the access policy name.

-     Service Group—Select a service group. This example uses the default value Ungrouped.

Use the default settings for other parameters.

d.     Click OK.

Figure 6 Adding an access policy

 

6.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add.

c.     In the page that opens, enter the service name, and use the default settings for other parameters.

d.     Click OK.

Figure 7 Adding an access service

 

7.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add.

c.     Select an existing access user or click Add User to add a new access user, and set the password. Use the default settings for other parameters.

d.     Click OK.

Figure 8 Adding an access user

 

Verifying the configuration

# Verify that the local AC is in R/M state on the central AC. This state indicates that the local AC has come online on the central AC.

[Central AC] display wlan local-ac all

Total number of local ACs: 1

Total number of connected local ACs: 1

                             

                                Local AC Information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run

AC name                        ACID  State Model           Serial ID

wx3540h                        2     R/M   WX3540H         210235A1JQB161000013

# Verify that the AP is in R/M state on the central AC. This state indicates that the local AC has established a management tunnel with the central AC after AC rediscovery.

[Central AC] display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 1536

Remaining APs: 1535

Total AP licenses: 1024

Local AP licenses: 1024

Server AP licenses: 0

Remaining Local AP licenses: 1023

Sync AP licenses: 0

                       

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

      

AP name                        APID  State Model           Serial ID

ap1                            4     R/M   WA5320-C-EI     219801A18R8176E00659

# Verify that the AP has associated with the local AC.

[Central AC] display wlan ap-distribution all

Central AC                       Slot 2                Total Number of APs: 0

                                      

                             

Local AC                         wx3540h               Total Number of APs: 1

AP name                          AP ID AP IP           AC IP

ap1                              4     12:1:1::4       12:1:1::1

# Verify that a client has come online.

[Central AC] display wlan client ipv6

MAC address    AP name              IPv6 address                            VLAN

e49a-dc71-a162 ap1                  2003::3                                 20

# Verify that the client has passed portal authentication.

[Central AC] display portal user all

Total portal users: 1

Username: qucf

  AP name: ap1

  Radio ID: 1

  SSID: qucf-portal

  Portal server: imc

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  e49a-dc71-a162  2003::3               20      WLAN-BSS2/0/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

·     Central AC:

#

vlan 11

#

wlan service-template portal

 ssid portal

 vlan 20

 client forwarding-location ap

 client ipv6-snooping nd-learning enable

 client ipv6-snooping dhcpv6-learning enable

 portal ipv6 enable method direct

 portal ipv6 domain imc

 portal bas-ipv6 8:3::40

 portal ipv6 apply web-server imc

 service-template enable

#

interface Vlan-interface11

 ipv6 address 1::1:0:0:2/96

#

radius scheme imc

 primary authentication ipv6 1::3:0:0:2

 primary accounting ipv6 1::3:0:0:2

 key authentication cipher $c$3$hpDUnHfwXg6gyIvCDstC9zAc8UJueLbLTt/i

 key accounting cipher $c$3$UzY7a5vF6zEHEdxpnfv+NBQ2UAhUEbjM+8sZ

 user-name-format without-domain

 nas-ip ipv6 8:3::40

#

domain imc

 authentication portal radius-scheme imc

 authorization portal radius-scheme imc

 accounting portal radius-scheme imc

#

portal web-server imc

 url http://[1::3:0:0:2]:8080/portal

 url-parameter apmac ap-mac

 url-parameter ssid ssid

 url-parameter userip source-address

 url-parameter usermac source-mac

#

portal server imc

 ipv6 1::3:0:0:2 key cipher $c$3$G0fWl7UQ9AqnAdOJEnlECL+tSwqQbmV2SuRe

#

wlan ap ap1 model WA5320-C-EI

 serial-id 219801A18R8176E00659

 control-address enable

 control-address ipv6 1::1:0:0:104

 vlan 1

 radio 1

  radio enable

  service-template portal

 radio 2

 gigabitethernet 1

 gigabitethernet 2

#

wlan local-ac name wx3540h model WX3540H

 serial-id 210235A1JQB161000013

#

·     Local AC:

#

 dhcp enable

#

vlan 11 to 12

#

vlan 20

#

ipv6 dhcp pool ap

 network 12:1:1::/64

 option 52 hex 00010000000000000001000000000001

#

ipv6 dhcp pool client

 network 2003::/64

#

interface Vlan-interface11

 ipv6 address 1::1:0:0:104/96

#

interface Vlan-interface12

 ipv6 dhcp select server

 ipv6 dhcp server apply pool ap

 ipv6 address 12:1:1::1/64

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

#

interface Vlan-interface20

 ipv6 dhcp select server

 ipv6 dhcp server apply pool client

 ipv6 address 2003::1/64

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

#

 wlan local-ac enable

 wlan local-ac capwap source-vlan 11

#

 wlan central-ac ipv6 1::1:0:0:2

#

Related documentation

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Advanced Features Command Reference in H3C Access Controllers Command References

·     WLAN Advanced Features Configuration Guide in H3C Access Controllers Configuration Guides