Login
- Table of Contents
-
- 03-CLI configuration examples (AC+fit AP)
- 01-HTTPS Login Configuration Examples
- 02-SSH Configuration Examples
- 03-License Management Configuration Examples
- 04-IPv6 URL Redirection Configuration Examples
- 05-AP Association with the AC at Layer 2 Configuration Examples
- 06-AP Association with the AC at Layer 2 (IPv6) Configuration Examples
- 07-Auto AP Configuration Examples
- 08-AP Association with the AC at Layer 3 Configuration Examples
- 09-AP Association with the AC at Layer 3 (IPv6) Configuration Examples
- 10-WEP Encryption Configuration Examples
- 11-PSK Encryption Configuration Examples
- 12-WPA3-SAE PSK Encryption Configuration Examples
- 13-WLAN Access (IPv6) Configuration Examples
- 14-Policy-Based Forwarding with Dual Gateways Configuration Examples
- 15-Scheduled Configuration Deployment by AP Group Configuration Examples
- 16-Inter-AC Roaming with Static Client VLAN Allocation Configuration Examples
- 17-Service Template and Radio Binding Configuration Examples
- 18-Scheduled WLAN Access Services Configuration Examples
- 19-Local Portal Authentication Configuration Examples
- 20-HTTPS-Based Local Portal Authentication Configuration Examples
- 21-Remote Portal Authentication Configuration Examples
- 22-Local Portal Authentication through LDAP Server Configuration Examples
- 23-Local Portal Authentication and SSID-based Authentication Page Pushing Configuration Examples
- 24-Local Portal MAC-Trigger Authentication Configuration Examples
- 25-Portal MAC-Trigger Authentication Configuration Examples
- 26-Local Forwarding Mode and Local Portal MAC-Trigger Authentication Configuration Examples
- 27-Local Portal Authentication (IPv6) Configuration Examples
- 28-Local Portal Authentication through LDAP Server (IPv6) Configuration Examples
- 29-Remote Portal Authentication (IPv6) Configuration Examples
- 30-Portal MAC-Trigger Authentication (IPv6) Configuration Example
- 31-Remote Portal Authentication with User Profile Authorization Configuration Examples
- 32-Portal Fail-Permit Configuration Examples
- 33-Local MAC Authentication Configuration Examples
- 34-MAC Authentication and PSK Authentication Configuration Examples
- 35-Remote MAC and Portal Authentication and Transparent Authentication Configuration Examples
- 36-Remote AP and Remote Portal MAC-Trigger Authentication Configuration Examples
- 37-MAC Authentication with Guest VLAN Assignment Configuration Examples
- 38-MAC Authentication with Guest VLAN Assignment (IPv6) Configuration Examples
- 39-Local MAC-Then-802.1X Authentication Configuration Examples
- 40-Local 802.1X Authentication Configuration Examples
- 41-Local RADIUS-Based 802.1X Authentication in EAP Relay Mode Configuration Examples
- 42-Remote 802.1X Authentication Configuration Examples
- 43-Remote 802.1X Authentication (IPv6) Configuration Examples
- 44-Remote 802.1X Authentication in WPA3-Enterprise Mode Configuration Examples
- 45-802.1X Authentication with ACL Assignment Through IMC Server Configuration Examples
- 46-802.1X Authentication with User Profile Assignment Through IMC Server Configuration Examples
- 47-EAD Authentication Configuration Examples
- 48-EAD Authentication (IPv6) Configuration Examples
- 49-Local Forwarding Mode and Local Portal Authentication Configuration Examples
- 50-Local Forwarding Mode Direct Portal Authentication Configuration Examples
- 51-Local Forwarding Mode Direct Portal Authentication (IPv6) Configuration Examples
- 52-Local Forwarding Configuration Examples
- 53-Remote AP Configuration Examples
- 54-WIPS Configuration Examples
- 55-WIPS Countermeasures Against All SSIDs Configuration Examples
- 56-IP Source Guard (IPv4) Configuration Examples
- 57-IP Source Guard (IPv6) Configuration Examples
- 58-IRF Setup with Members Directly Connected Configuration Examples
- 59-IRF Setup with Members Not Directly Connected Configuration Examples
- 60-IRF Setup with Members in One Chassis Configuration Examples
- 61-IRF Setup with Members in Different Chassis Configuration Examples
- 62-Dual-Link Backup Configuration Examples
- 63-Remote 802.1X Auth on AC Hierarchy Network with Dual-Link Central AC Backup Configuration Examples
- 64-Remote Portal Auth on AC Hierarchy Network with Dual-Link Central AC Backup Configuration Examples
- 65-OAuth-Based Portal MAC-Trigger Auth on Local-Forwarding Dual-Link Backup Configuration Examples
- 66-Dual-Link Backup OAuth-Based Portal Auth in Local Forwarding Configuration Examples
- 67-Dual-Link Backup Remote Portal MAC-Trigger Auth in Local Forwarding Configuration Examples
- 68-Dual-Link Backup Remote Portal and Transparent MAC Auth in Local Forwarding Configuration Examples
- 69-Dual-Link Backup Remote Portal Auth in Local Forwarding Configuration Examples
- 70-Dual-Link Backup Remote Portal and MAC Auth in Centralized Forward Configuration Examples
- 71-Dual-Link Backup Remote Portal Auth in Centralized Forwarding Configuration Examples
- 72-Dual-Link Backup Lightweight Portal Auth in Centralized Forwarding Configuration Examples
- 73-Dual-Link Backup OAuth-Based Portal Auth in Centralized Forwarding Configuration Examples
- 74-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples
- 75-Remote 802.1X Auth on a Dual-Link AC Backup Network Configuration Examples
- 76-Remote MAC Auth on a Dual-Link AC Backup Network Configuration Examples
- 77-Remote 802.1X Authentication on an AC Hierarchy Network Configuration Examples
- 78-Remote 802.1X Authentication Configuration Examples
- 79-WLAN Probe Configuration Examples
- 80-Multicast Optimization Configuration Examples
- 81-Client Rate Limiting Configuration Examples
- 82-Inter-AC Roaming Configuration Examples
- 83-Inter-AC Roaming (IPv6) Configuration Examples
- 84-WLAN Load Balancing Configuration Examples
- 85-Static Blacklist Configuration Examples
- 86-Client Quantity Control Configuration Examples
- 87-AP License Synchronization Configuration Examples
- 88-iBeacon Management Configuration Examples
- 89-Mesh Link Establishment Between a Fit AP and a Fat AP Configuration Examples
- 90-Mesh Link Establishment Between Fit APs Configuration Examples
- 91-Auto-DFS and Auto-TPC Configuration Examples
- 92-AP Image Downloading Configuration Examples
- 93-Dual-Uplink Interfaces Configuration Guide
- 94-Internal-to-External Access Through NAT Configuration Examples
- 95-Layer 2 Static Aggregation Configuration Examples
- 96-Layer 2 Multicast Configuration Examples
- 97-Static VLAN Allocation Configuration Examples
- 98-URL Redirection Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 65-OAuth-Based Portal MAC-Trigger Auth on Local-Forwarding Dual-Link Backup Configuration Examples | 370.47 KB |
|
|
|
H3C Access Controllers |
|
Comware 7 OAuth-Based Portal MAC-trigger Authentication on a Local-Forwarding Dual-Link Backup Network |
|
Configuration Examples |
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Introduction
The following information provides an example of configuring OAuth-based portal MAC-trigger authentication on a local-forwarding dual-link backup network.
Prerequisites
The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of WLAN high availability, AAA, portal MAC-trigger authentication, and WLAN access.
Example: Configuring OAuth-based portal MAC-trigger authentication on a local-forwarding dual-link backup network
Network configuration
As shown in Figure 1:
· The AP and the client obtain IP addresses from the DHCP server.
· The network deploys an IMC server as the portal authentication server, portal Web server, MAC binding server, and RADIUS server.
Configure the devices to meet the following requirements:
· The ACs operate in active/standby mode. When AC 1 (the master AC) fails, the AP associates with AC 2 (the backup AC). When AC 1 recovers, the AP re-associates with AC 1.
· The ACs use a service template to provide OAuth-based portal MAC-trigger authentication for the client. Before passing the authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources. If the client goes offline and then attempts to come online again, the client does not need to enter the username and password.
· The AP forwards the client traffic locally.
· The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.
· The RADIUS server can dynamically change user authorization information or forcibly disconnect users.
Analysis
To allow a client to access network resources through any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.
In local forwarding mode, to ensure that valid clients can perform portal authentication, enable validity check on wireless clients.
To avoid portal authentication failure caused by frequent logins and logouts in a short time, disable the Rule ARP entry feature.
For the RADIUS server to dynamically change user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.
To use GigabitEthernet 1/0/1 on the AP to forward client traffic, edit a .txt configuration file and upload the file to the ACs.
For dual-link backup to operate correctly, configure a manual AP or auto AP on the ACs. Make sure that the AP can establish CAPWAP tunnels with each of the ACs.
To implement MAC-trigger authentication by using the OAuth protocol, enable cloud MAC-trigger authentication by using the cloud-binding enable command.
Restrictions and guidelines
Make sure the master and backup ACs have the same portal authentication configuration. The following items in the portal authentication can be different on the master and backup ACs:
· The portal Web server configuration.
· The BAS-IP attribute for portal packets sent to the portal authentication server.
· The specified interface of the AC for portal client access during portal authentication.
If you configure a manual AP on the ACs, make sure the AP name, serial ID, and MAC address of the manual AP are the same on the ACs.
Use the serial ID labeled on the AP's rear panel to specify an AP.
Some endpoints by default use random MAC addresses. For transparent MAC authentication to take effect on such an endpoint, disable the endpoint from using a random MAC address.
You must upload the configuration file of the AP to both the master and backup ACs.
Procedures
Editing the AP configuration file
# Use a text editor to edit the AP's configuration file. Name the configuration file map.txt, and then upload the file to the storage medium of the ACs.
The content of the configuration file is as follows:
system-view
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
Configuring AC 1
1. Configure interfaces:
# Create VLAN 100, create VLAN-interface 100, and then assign the VLAN interface an IP address. The AC will use this IP address to establish CAPWAP control and data tunnels with the AP.
<AC1> system-view
[AC1] vlan 100
[AC1-vlan100] quit
[AC1] interface vlan-interface 100
[AC1-Vlan-interface100] ip address 2.2.1.1 24
[AC1-Vlan-interface100] quit
# Create VLAN 200, create VLAN-interface 200, and then assign the VLAN interface an IP address. This VLAN will be used for wireless client access.
[AC1] vlan 200
[AC1-vlan200] quit
[AC1] interface vlan-interface 200
[AC1-Vlan-interface200] ip address 2.2.2.1 24
[AC1-Vlan-interface200] quit
# Configure GigabitEthernet 1/0/1 that connects AC 1 to the switch as a trunk port, and assign the port to VLANs 100 and 200.
[AC1] interface gigabitethernet 1/0/1
[AC1-GigabitEthernet1/0/1] port link-type trunk
[AC1-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC1-GigabitEthernet1/0/1] quit
2. Configure a static route:
# Configure a static route to the IMC server.
[AC1] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100
3. Configure the DNS server. (Details not shown.)
4. Configure the wireless service:
# Create a service template named st1.
[AC1] wlan service-template st1
# Set the SSID of the service template.
[AC1-wlan-st-st1] ssid service
# Specify VLAN 200 for the service template.
[AC1-wlan-st-st1] vlan 200
# Configure APs to forward client data traffic from all VLANs.
[AC1–wlan-st-st1] client forwarding-location ap
[AC1-wlan-st-st1] quit
# Create an AP named office with model WA5320, and then specify the serial ID of the AP.
[AC1] wlan ap office model WA5320
[AC1-wlan-ap-office] serial-id 219801A0CNC138011454
# Deploy configuration file map.txt to the AP.
[AC1-wlan-ap-office] map-configuration map.txt
# Bind service template st1 to radio 2, and then enable the radio.
[AC1-wlan-ap-office] radio 2
[AC1-wlan-ap-office-radio-2] service-template st1
[AC1-wlan-ap-office-radio-2] radio enable
[AC1-wlan-ap-office-radio-2] quit
5. Configure a backup AC:
# Set the AP connection priority to 7.
[AC1-wlan-ap-office] priority 7
# Enable master CAPWAP tunnel preemption.
[AC1-wlan-ap-office] wlan tunnel-preempt enable
# Specify AC 2 as a backup AC.
[AC1-wlan-ap-office] backup-ac ip 2.2.1.2
[AC1-wlan-ap-office] quit
6. Configure portal authentication:
# Create an ISP domain named dm1.
[AC1] domain dm1
# Configure the AC not to perform AAA on portal users.
[AC1-isp-dm1] authentication portal none
[AC1-isp-dm1] authorization portal none
[AC1-isp-dm1] accounting portal none
[AC1-isp-dm1] quit
# Create a portal Web server named newpt, specify http://192.168.0.111:8080/wsmAuth/protocol as the server's URL, and then configure the server type as OAuth. (Make sure the server' URL is the same as the URL of the actual portal Web server.)
[AC1] portal web-server newpt
[AC1-portal-websvr-newpt] url http://192.168.0.111:8080/wsmAuth/protocol
[AC1-portal-websvr-newpt] server-type oauth
# Enable the optimized captive-bypass feature for iOS users.
[AC1-portal-websvr-newpt] captive-bypass ios optimize enable
[AC1-portal-websvr-newpt] quit
# Create an HTTP-based local portal Web service.
[AC1] portal local-web-server http
[AC1-portal-local-websvr-http] quit
# Configure destination-based portal-free rules 2 and 3 to allow portal users to access the DNS server without authentication.
[AC1] portal free-rule 2 destination ip any udp 53
[AC1] portal free-rule 3 destination ip any tcp 53
# Configure the safe-redirect feature to reduce the redirect workload on the portal server.
[AC1] portal safe-redirect enable
[AC1] portal safe-redirect method get post
[AC1] portal safe-redirect user-agent CaptiveNetworkSupport
[AC1] portal safe-redirect user-agent MicroMessenger
[AC1] portal safe-redirect user-agent Mozilla
[AC1] portal safe-redirect user-agent WeChat
[AC1] portal safe-redirect user-agent iPhone
[AC1] portal safe-redirect user-agent micromessenger
# Specify VLAN-interface 200 as the interface for portal clients to access the AC during portal authentication.
[AC1] portal client-gateway interface Vlan-interface 200
# Set the NAS ID. (Make sure the NAS ID is the same as that in the configuration file iMC\client\conf\wiportal\conf.properties.)
[AC1] wlan global-configuration
[AC1-wlan-global-configuration] nas-id wiportal
[AC1-wlan-global-configuration] quit
# Set the user synchronization interval to 60 seconds for portal authentication using OAuth.
[AC1] portal oauth user-sync interval 60
# Configure destination-based portal-free rules to allow users to access the portal Web server, AC 1, and AC 2 without authentication.
[AC1] portal free-rule 0 destination ip 192.168.0.111 32
[AC1] portal free-rule 1 destination ip 2.2.2.1 32
[AC1] portal free-rule 4 destination ip 2.2.2.2 32
# Enable roaming for portal users.
[AC1] portal roaming enable
# Disable the Rule ARP entry feature.
[AC1] undo portal refresh arp enable
# Enable the RADIUS session-control feature.
[AC1] radius session-control enable
# Enable validity check on wireless portal clients.
[AC1] portal host-check enable
# Enable direct portal authentication on service template st1.
[AC1] wlan service-template st1
[AC1-wlan-st-st1] portal enable method direct
# Specify ISP domain dm1 as the portal authentication domain.
[AC1-wlan-st-st1] portal domain dm1
# Specify portal Web server newpt on service template st1.
[AC1-wlan-st-st1] portal apply web-server newpt
# Enable portal temporary pass and set the temporary pass period to 300 seconds on service template st1.
[AC1-wlan-st-st1] portal temp-pass period 300 enable
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from service template st1 to the portal authentication server.
[AC1-wlan-st-st1] portal bas-ip 2.2.2.1
[AC1-wlan-st-st1] quit
7. Configure MAC-trigger authentication:
# Create a MAC binding server named mts.
[AC1] portal mac-trigger-server mts
# Specify 192.168.0.111 as the IP address of the MAC binding server.
[AC1-portal-mac-trigger-server-mts] ip 192.168.0.111
# Enable cloud MAC-trigger authentication (using Oauth for authentication).
[AC1-portal-mac-trigger-server-mts] cloud-binding enable
[AC1-portal-mac-trigger-server-mts] quit
# Specify MAC binding server mts on service template st1.
[AC1] wlan service-template st1
[AC1-wlan-st-st1] portal apply mac-trigger-server mts
# Enable service template st1.
[AC1-wlan-st-st1] service-template enable
[AC1-wlan-st-st1] quit
Configuring AC 2
1. Configure interfaces:
# Create VLAN 100, create VLAN-interface 100, and then assign the VLAN interface an IP address. The AC will use this IP address to establish CAPWAP control and data tunnels with the AP.
<AC2> system-view
[AC2] vlan 100
[AC2-vlan100] quit
[AC2] interface vlan-interface 100
[AC2-Vlan-interface100] ip address 2.2.1.2 24
[AC2-Vlan-interface100] quit
# Create VLAN 200, create VLAN-interface 200, and then assign the VLAN interface an IP address. This VLAN will be used for wireless client access.
[AC2] vlan 200
[AC2-vlan200] quit
[AC2] interface vlan-interface 200
[AC2-Vlan-interface200] ip address 2.2.2.2 24
[AC2-Vlan-interface200] quit
# Configure GigabitEthernet 1/0/1 that connects AC 2 to the switch as a trunk port, and assign the port to VLANs 100 and 200.
[AC2] interface gigabitethernet 1/0/1
[AC2-GigabitEthernet1/0/1] port link-type trunk
[AC2-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC2-GigabitEthernet1/0/1] quit
2. Configure a static route:
# Configure a static route to the IMC server.
[AC2] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100
3. Configure the DNS server. (Details not shown.)
4. Configure the wireless service:
# Create a service template named st1.
[AC2] wlan service-template st1
# Set the SSID of the service template.
[AC2-wlan-st-st1] ssid service
# Specify VLAN 200 for the service template.
[AC2-wlan-st-st1] vlan 200
# Configure APs to forward client data traffic from all VLANs.
[AC2–wlan-st-st1] client forwarding-location ap
[AC2-wlan-st-st1] quit
# Create an AP named office with model WA5320, and then specify the serial ID of the AP.
[AC2] wlan ap office model WA5320
[AC2-wlan-ap-office] serial-id 219801A0CNC138011454
# Deploy configuration file map.txt to the AP.
[AC2-wlan-ap-office] map-configuration map.txt
# Bind service template st1 to radio 2, and then enable the radio.
[AC2-wlan-ap-office] radio 2
[AC2-wlan-ap-office-radio-2] service-template st1
[AC2-wlan-ap-office-radio-2] radio enable
[AC2-wlan-ap-office-radio-2] quit
5. Configure a backup AC:
# Set the AP connection priority to 6.
[AC2-wlan-ap-office] priority 6
# Enable master CAPWAP tunnel preemption.
[AC2-wlan-ap-office] wlan tunnel-preempt enable
# Specify AC 1 as a backup AC.
[AC2-wlan-ap-office] backup-ac ip 2.2.1.1
[AC2-wlan-ap-office] quit
6. Configure portal authentication:
# Create an ISP domain named dm1.
[AC2] domain dm1
# Configure the AC not to perform AAA on portal users.
[AC2-isp-dm1] authentication portal none
[AC2-isp-dm1] authorization portal none
[AC2-isp-dm1] accounting portal none
[AC2-isp-dm1] quit
# Create a portal Web server named newpt, specify http://192.168.0.111:8080/wsmAuth/protocol as the server's URL, and configure the server type as OAuth. (Make sure the server' URL is the same as the URL of the actual portal Web server.)
[AC2] portal web-server newpt
[AC2-portal-websvr-newpt] url http://192.168.0.111:8080/wsmAuth/protocol
[AC2-portal-websvr-newpt] server-type oauth
# Enable the optimized captive-bypass feature for iOS users.
[AC2-portal-websvr-newpt] captive-bypass ios optimize enable
[AC2-portal-websvr-newpt] quit
# Create an HTTP-based local portal Web service and enter its view.
[AC2] portal local-web-server http
[AC2-portal-local-websvr-http] quit
# Configure destination-based portal-free rules 2 and 3 to allow portal users to access the DNS server without authentication.
[AC2] portal free-rule 2 destination ip any udp 53
[AC2] portal free-rule 3 destination ip any tcp 53
# Configure the safe-redirect feature to reduce the redirect workload on the portal server.
[AC2] portal safe-redirect enable
[AC2] portal safe-redirect method get post
[AC2] portal safe-redirect user-agent CaptiveNetworkSupport
[AC2] portal safe-redirect user-agent MicroMessenger
[AC2] portal safe-redirect user-agent Mozilla
[AC2] portal safe-redirect user-agent WeChat
[AC2] portal safe-redirect user-agent iPhone
[AC2] portal safe-redirect user-agent micromessenger
# Specify VLAN-interface 200 as the interface for portal clients to access the AC during portal authentication.
[AC2] portal client-gateway interface Vlan-interface 200
# Set the NAS ID. (Make sure the NAS ID is the same as that in the configuration file iMC\client\conf\wiportal\conf.properties.)
[AC2] wlan global-configuration
[AC2-wlan-global-configuration] nas-id wiportal
[AC2-wlan-global-configuration] quit
# Set the user synchronization interval to 60 seconds for portal authentication using OAuth.
[AC2] portal oauth user-sync interval 60
# Configure destination-based portal-free rules to allow users to access the portal Web server, AC 1, and AC 2 without authentication.
[AC2] portal free-rule 0 destination ip 192.168.0.111 32
[AC2] portal free-rule 1 destination ip 2.2.2.1 32
[AC2] portal free-rule 4 destination ip 2.2.2.2 32
# Enable roaming for portal users.
[AC2] portal roaming enable
# Disable the Rule ARP entry feature.
[AC2] undo portal refresh arp enable
# Enable validity check on wireless portal clients.
[AC2] portal host-check enable
# Enable the RADIUS session-control feature.
[AC2] radius session-control enable
# Enable direct portal authentication on service template st1.
[AC2] wlan service-template st1
[AC2-wlan-st-st1] portal enable method direct
# Specify ISP domain dm1 as the portal authentication domain.
[AC2-wlan-st-st1] portal domain dm1
# Specify portal Web server newpt on service template st1.
[AC2-wlan-st-st1] portal apply web-server newpt
# Enable portal temporary pass and set the temporary pass period to 300 seconds on service template st1.
[AC2-wlan-st-st1] portal temp-pass period 300 enable
# Configure the BAS-IP as 2.2.2.2 for portal packets sent from service template st1 to the portal authentication server.
[AC2-wlan-st-st1] portal bas-ip 2.2.2.2
[AC2-wlan-st-st1] quit
7. Configure MAC-trigger authentication:
# Create a MAC binding server named mts.
[AC2] portal mac-trigger-server mts
# Specify 192.168.0.111 as the IP address of the MAC binding server.
[AC2-portal-mac-trigger-server-mts] ip 192.168.0.111
# Enable cloud MAC-trigger authentication.
[AC2-portal-mac-trigger-server-mts] cloud-binding enable
[AC2-portal-mac-trigger-server-mts] quit
# Specify MAC binding server mts on service template st1.
[AC2] wlan service-template st1
[AC2-wlan-st-st1] portal apply mac-trigger-server mts
# Enable service template st1.
[AC2-wlan-st-st1] service-template enable
[AC2-wlan-st-st1] quit
Configuring the switch
# Create VLAN 100. The switch will use this VLAN to forward traffic on CAPWAP tunnels between the ACs and the AP.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.
[Switch] vlan 200
[Switch-vlan200] quit
# Create VLAN 2. The switch will use this VLAN to communicate with the IMC server.
[Switch] vlan 2
[Switch-vlan2] quit
# Assign the port that connects the switch to the IMC server to VLAN 2. (Details not shown.)
# Configure GigabitEthernet 1/0/1 (the port connected to AC 1) as a trunk port, and assign the port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/4 (the port connected to AC 2) as a trunk port, and assign the port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/4] quit
# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as a trunk port, set the PVID to 100, and assign the port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Enable PoE on GigabitEthernet 1/0/2.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 (the port connected to the DHCP server) as a trunk port, set the PVID to 100, and assign the port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk permit vlan 100 200
# Assign an IP address to VLAN-interface 200.
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0
[Switch-Vlan-interface200] quit
# Assign an IP address to the VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0
[Switch-Vlan-interface2] quit
Configuring the DHCP server
# Configure GigabitEthernet 1/0/1 (the port connected to the switch) as a trunk port, and assign the port to VLAN 100 and VLAN 200.
[DHCP] interface gigabitethernet 1/0/1
[DHCP-GigabitEthernet1/0/1] port link-type trunk
[DHCP-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DHCP-GigabitEthernet1/0/1] quit
# Assign an IP address to VLAN-interface 100.
[DHCP] interface vlan-interface 100
[DHCP-Vlan-interface100] ip address 2.2.1.200 255.255.255.0
[DHCP-Vlan-interface100] quit
# Assign an IP address to VLAN-interface 200.
[DHCP] interface vlan-interface 200
[DHCP-Vlan-interface200] ip address 2.2.2.200 255.255.255.0
[DHCP-Vlan-interface200] quit
# Enable the DHCP service.
[DHCP] dhcp enable
# Configure DHCP address pool VLAN100. In the address pool, specify 2.2.1.200 as the gateway IP address and 2.2.1.0/24 as the subnet for dynamic allocation, and then exclude IP addresses 2.2.1.1 and 2.2.1.2 from dynamic allocation.
[DHCP] dhcp server ip-pool VLAN100
[DHCP-dhcp-pool-vlan100] gateway-list 2.2.1.200
[DHCP-dhcp-pool-vlan100] network 2.2.1.0 mask 255.255.255.0
[DHCP-dhcp-pool-vlan100] forbidden-ip 2.2.1.1 2.2.1.2
[DHCP-dhcp-pool-vlan100] quit
# Configure DHCP address pool VLAN200. In the address pool, specify 2.2.2.100 as the gateway IP address and 2.2.2.0/24 as the subnet for dynamic allocation, and 8.8.8.8 as the DNS server address, and then exclude IP addresses 2.2.2.100, 2.2.2.1, and 2.2.2.2 from dynamic allocation.
[DHCP] dhcp server ip-pool VLAN200
[DHCP-dhcp-pool-vlan200] gateway-list 2.2.2.100
[DHCP-dhcp-pool-vlan200] network 2.2.2.0 mask 255.255.255.0
[DHCP-dhcp-pool-vlan200] dns-list 8.8.8.8
[DHCP-dhcp-pool-vlan200] forbidden-ip 2.2.2.100 2.2.2.1 2.2.2.2
[DHCP-dhcp-pool-vlan200] quit
Configuring the IMC server
In this example, the IMC server runs IMC PLAT 7.3 (E0605) and IMC IPM 7.3 (E0516).
1. Add an access user:
a. Log in to IMC and click the Service tab.
b. From the navigation tree, select Intelligent Portal Management > User Management > Users.
c. Click Add to open the Add User page.
d. Enter username Client and password admin@123.
e. Use the default settings for other parameters.
f. Click OK.
Figure 2 Adding an access user
2. Add an authentication page template:
a. From the navigation tree, select Intelligent Portal Management > Page Template List.
b. Click Add to open the Add Theme page.
c. Enter template name theme in the Theme Name field.
d. Use the default settings for other parameters.
e. Click OK to open the page for editing the template.
Figure 3 Adding an authentication page template
f. On the theme page, click
the Authentication icon 
in
the Basic Controls area.
g. Click Edit in authentication edit area, select Other and Account in the Authentication Method area, click OK, and then click Save Page.
h. Use the default settings for other configuration.
i. Click Confirm Release.
3. Add an authentication policy:
a. From the navigation tree, select Intelligent Portal Management > Authentication Policies.
b. Click Add to open the Add Authentication Policy page.
c. Enter authentication policy name policy1, and select theme from the Page Template list.
d. Select a transparent authentication period to enable portal transparent authentication (MAC-trigger authentication).
e. Use the default settings for other parameters.
f. Click OK.
Figure 5 Adding an authentication policy
4. Add a site:
a. From the navigation tree, select Intelligent Portal Management > Site Management.
b. Click Add to open the Add Site page.
c. Enter the site name, the site address, the expected number of clients to be supported, and the telephone number.
d. Click OK.
Figure 6 Adding a site
e. In the Associated APs area, click Add to associate an AP.
f. Enter the serial number and MAC address of the AP.
g. Click OK.
Figure 7 Adding an AP
i. In the Bind Authentication Policy area, click Add to bind the AP to an authentication policy.
j. Select authentication policy policy1.
k. Use the default settings for other parameters.
l. Click OK.
Figure 8 Binding the AP to an authentication policy
Verifying the configuration
1. Verify that the AP can come online from AC 1 and AC 2.
# Display AP information on AC 1.
<AC1> display wlan ap all
Total number of APs: 38
Total number of connected APs: 35
Total number of connected manual APs: 35
Total number of connected auto APs: 0
Total number of connected common APs: 9
Total number of connected WTUs: 23
Total number of inside APs: 0
Maximum supported APs: 6144
Remaining APs: 6112
Total AP licenses: 2048
Local AP licenses: 2048
Server AP licenses: 0
Remaining Local AP licenses: 2033.25
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/M WA5320 219801A0CNC138011454
The output shows that the AP has come online from AC 1 and the AP is in the R/M state.
# Display AP information on AC 2.
<AC2> display wlan ap all
Total number of APs: 38
Total number of connected APs: 35
Total number of connected manual APs: 35
Total number of connected auto APs: 0
Total number of connected common APs: 9
Total number of connected WTUs: 23
Total number of inside APs: 0
Maximum supported APs: 6144
Remaining APs: 6112
Total AP licenses: 2048
Local AP licenses: 2048
Server AP licenses: 0
Remaining Local AP licenses: 2033.25
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/B WA5320 219801A0CNC138011454
The output shows that the AP has come online from AC 2 and the AP is in R/B state.
2. Verify that user Client can perform portal authentication through a Web browser on the wireless client. Before passing authentication, all Web accesses are redirected to the portal authentication page (http://192.168.0.111:8080/portal). After passing authentication, the user can access other network resources.
# Display online portal user information on the ACs. This example uses AC 1.
[AC1] display portal user all
Total portal users: 1
Username: Client
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0021-6330-0933 2.2.2.3 200 WLAN-BSS1/0/16
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
The output shows that the user has come online.
# Verify that the user can come online without entering the username and password when attempting to come online again. (Details not shown.)
3. Verify that the local forwarding mode can take effect.
# Display portal filtering rules on the ACs. This example uses AC 1.
[AC1] display portal rule all ap office
Slot 1:
The output shows that AC 1 does not have portal filtering rules, indicating that AC 1 does not forward client data traffic.
# Display portal filtering rules on the AP.
[AP] display portal rule all
IPv4 portal rules on WLAN-BSS1/0/16:
Rule 1:
Type : Static
Action : Permit
Protocol : Any
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : Any
MAC : 0000-0000-0000
Interface : WLAN-BSS1/0/16
VLAN : Any
Destination:
IP : 192.168.0.111
Mask : 255.255.255.255
Port : Any
Rule 2:
Type : Dynamic
Action : Permit
Status : Active
Source:
IP : 2.2.2.3
MAC : 0021-6330-0933
Interface : WLAN-BSS1/0/16
VLAN : Any
Rule 3:
Type : Static
Action : Redirect
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Interface : WLAN-BSS1/0/16
VLAN : Any
Protocol : TCP
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 443
Rule 4:
Type : Static
Action : Redirect
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Interface : WLAN-BSS1/0/16
VLAN : Any
Protocol : TCP
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 80
Rule 5:
Type : Static
Action : Deny
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Interface : WLAN-BSS1/0/16
VLAN : Any
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
The output shows that the AP has portal filtering rules, indicating that the AP forwards client data traffic.
Configuration files
· AC 1:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client forwarding-location ap
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.1
portal apply web-server newpt
portal apply mac-trigger-server mts
portal temp-pass period 300 enable
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
ip route-static 192.168.0.0 16 2.2.2.100
#
radius session-control enable
#
domain dm1
authentication portal none
authorization portal none
accounting portal none
#
portal host-check enable
portal free-rule 0 destination ip 192.168.0.111 255.255.255.255
portal free-rule 1 destination ip 2.2.2.1 255.255.255.255
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
portal free-rule 4 destination ip 2.2.2.2 255.255.255.255
portal safe-redirect enable
portal safe-redirect method get post
portal safe-redirect user-agent CaptiveNetworkSupport
portal safe-redirect user-agent MicroMessenger
portal safe-redirect user-agent Mozilla
portal safe-redirect user-agent WeChat
portal safe-redirect user-agent iPhone
portal safe-redirect user-agent micromessenger
#
portal web-server newpt
url http://192.168.0.111:8080/wsmAuth/protocol
captive-bypass ios optimize enable
service-type oauth
#
portal local-web-server http
#
portal mac-trigger-server mts
ip 192.168.0.111
cloud-binding enable
#
wlan ap office model WA5320
wlan tunnel-preempt enable
priority 7
backup-ac ip 2.2.1.2
serial-id 219801A0CNC138011454
map-configuration flash:/map.txt
radio 1
radio 2
radio enable
service-template st1
#
· AC 2:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client forwarding-location ap
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.2
portal apply web-server newpt
portal mac-trigger-server mts
portal temp-pass period 300 enable
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.2 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
ip route-static 192.168.0.0 16 2.2.2.100
#
radius session-control enable
#
domain dm1
authentication portal none
authorization portal none
accounting portal none
#
portal host-check enable
portal free-rule 0 destination ip 192.168.0.111 255.255.255.255
portal free-rule 1 destination ip 2.2.2.1 255.255.255.255
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
portal free-rule 4 destination ip 2.2.2.2 255.255.255.255
portal safe-redirect enable
portal safe-redirect method get post
portal safe-redirect user-agent CaptiveNetworkSupport
portal safe-redirect user-agent MicroMessenger
portal safe-redirect user-agent Mozilla
portal safe-redirect user-agent WeChat
portal safe-redirect user-agent iPhone
portal safe-redirect user-agent micromessenger
#
portal web-server newpt
url http://192.168.0.111:8080/wsmAuth/protocol
captive-bypass ios optimize enable
service-type oauth
#
portal mac-trigger-server mts
ip 192.168.0.111
cloud-binding enable
#
wlan ap office model WA5320
wlan tunnel-preempt enable
priority 6
backup-ac ip 2.2.1.1
serial-id 219801A0CNC138011454
map-configuration flash:/map.txt
radio 1
radio 2
radio enable
service-template st1
#
· Switch:
#
vlan 2
#
vlan 100
#
vlan 200
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk permit vlan 100 200
poe enable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 1 100 200
#
· DHCP server:
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
interface vlan-interface 100
ip address 2.2.2.200 255.255.255.0
#
interface vlan-interface 200
ip address 2.2.2.200 255.255.255.0
#
dhcp enable
#
dhcp server ip-pool vlan100
gateway-list 2.2.1.200
network 2.2.1.0 mask 255.255.255.0
forbidden-ip 2.2.1.1
forbidden-ip 2.2.1.2
#
dhcp server ip-pool vlan200
gateway-list 2.2.2.100
network 2.2.2.0 mask 255.255.255.0
dns-list 8.8.8.8
forbidden-ip 2.2.2.1
forbidden-ip 2.2.2.2
forbidden-ip 2.2.2.100
#
Related documentation
· High Availability Configuration Guide in H3C Access Controllers Configuration Guides
· High Availability Command Reference in H3C Access Controllers Command References
· User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides
· User Access and Authentication Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References
