Whitelist- and blacklist-based access control
Configuring a service template
Configuring a description for a service template
Setting the maximum number of associated clients for a radio or a service template
Binding a service template to a radio interface
Configuring client data forwarding
Specifying the method for APs to process traffic from unknown clients
Specifying the Web server to which client information is reported
Enabling generation of client logs in the specified format
Setting the idle period before client reauthentication
Configuring client maintenance
Setting the client idle timeout
Performing a wireless link quality test
Configuring client association ratio optimization
Enabling beacon frames and probe responses to carry the BSS Load IE
Configuring client access control
Adding a client to the whitelist
Adding a client to the static blacklist
Configuring the dynamic blacklist
Configuring ACL-based access control
Enabling an AP to respond to specific broadcast probe requests
Disconnecting the client-mode AP from the associated wireless service
Connecting the client-mode AP to a wireless service
Enabling roaming for the client-mode AP
Enabling enhanced roaming for the onboard client-mode AP
Setting the roaming RSSI threshold and RSSI gap threshold for the client-mode AP
Setting the roaming calibration interval for the client-mode AP
Setting the roaming scanning interval for the client-mode AP
Setting the roaming scanning aging count for the client-mode AP
Enabling beacon keepalive for the client-mode AP
Enabling probe keepalive for the client-mode AP
Setting the minimum recording RSSI for the client-mode AP to record detected wireless services
Setting the link hold RSSI for the client-mode AP
Display and maintenance commands for WLAN access
WLAN access configuration examples
Example: Configuring WLAN access
Example: Configuring whitelist-based access control
Example: Configuring static blacklist-based access control
Example: Configuring the client-mode AP
Example: Configuring enhanced roaming for the client-mode AP
Configuring WLAN access
About WLAN access
Wireless access is provided by APs deployed at the edge of a wired network. The APs connect to the uplink through wired connections and provide wireless access services to downlink clients.
WLAN access process
A wireless client can access a WLAN only when it completes the scanning, link layer authentication, association, and WLAN authentication processes.
For more information about data link layer authentication, see WLAN Security Configuration Guide. For more information about WLAN authentication, see User Access and Authentication Configuration Guide.
Figure 1 WLAN access process
Scanning
Active scanning
A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from received probe responses. Based on whether a probe request carries an SSID, active scanning can be divided into the following types:
· Active scanning of all wireless networks.
As shown in Figure 2, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response that carries the available wireless network information. The client associates with the optimal AP.
Figure 2 Scanning all wireless networks
· Active scanning of a specific wireless network.
As shown in Figure 3, the client periodically sends a probe request carrying the specified SSID or the SSID of the wireless network it has been associated with. When an AP that can provide wireless services with the specified SSID receives the probe request, it sends a probe response.
Figure 3 Scanning a specific wireless network
Passive scanning
As shown in Figure 4, the clients periodically listen for beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Then the clients select an AP for association. Passive scanning is used when clients want to save power.
Association
A client sends an association request to the selected AP after passing data link layer authentication. Upon receiving the request, the AP determines the capabilities supported by the wireless client and sends an association response to the client. Then the client is associated with the AP.
Client access control
The following client access control methods are available:
· Whitelist- and blacklist-based access control—Uses the whitelist and blacklists to control client access.
· ACL-based access control—Uses ACL rules bound to APs or service templates to control client access.
Whitelist- and blacklist-based access control
You can configure the whitelist or blacklists to filter frames from clients for client access control.
Whitelist-based access control
The whitelist contains the MAC addresses of all clients allowed to access the WLAN. Frames from clients not in the whitelist are discarded. This list is manually configured.
Blacklist-based access control
The following blacklists are available for access control:
· Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
· Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. An AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients. The entries in the list are removed when the aging time expires. For more information about WIPS, see WLAN Security Configuration Guide. For more information about WLAN MAC authentication, see User Access and Authentication Configuration Guide.
Working mechanism
When the AP receives an association request, the AP performs the following operations to determine whether to permit the client:
1. Searches the whitelist:
¡ If the client MAC address does not match any entry in the whitelist, the client is rejected.
¡ If a match is found, the client is permitted.
2. Searches the static and dynamic blacklists if no whitelist entries exist:
¡ If the client MAC address matches an entry in either blacklist, the client is rejected.
¡ If no match is found, or no blacklist entries exist, the client is permitted.
Figure 5 Whitelist- and blacklist-based access control
ACL-based access control
This feature controls client access by using ACL rules bound to an AP or a service template.
Upon receiving an association request from a client, the device performs the following actions:
· Allows the client to access the WLAN if a match is found and the rule action is permit.
· Denies the client's access to the WLAN if no match is found or the matched rule has a deny statement.
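The admission decision described above (whitelist precedence, static and dynamic blacklists with aging, and ACL-based control that permits only on a matching permit rule), modelled in Python as an added example; this is not H3C code, the class and function names are this example's own, and the dynamic blacklist lifetime uses the guide's default of 300 seconds.

```python
"""Model of the client admission decision described in this guide.

Added illustration, not H3C code: it models whitelist precedence (when any
whitelist entry exists, only the whitelist is consulted), the static and
dynamic blacklists (consulted only when the whitelist is empty), dynamic
blacklist aging (default lifetime 300 seconds), and ACL-based control, which
takes precedence over the lists and admits a client only when a rule matches
and its action is permit. Class and function names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DYNAMIC_BLACKLIST_LIFETIME = 300  # seconds; the guide's default aging timer


def norm_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, AA:BB:CC:DD:EE:FF or aabb-ccdd-eeff; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AclRule:
    action: str                       # "permit" or "deny"
    source_mac: Optional[str] = None  # None matches any source MAC (a catch-all rule)


@dataclass
class AccessControl:
    whitelist: Set[str] = field(default_factory=set)
    static_blacklist: Set[str] = field(default_factory=set)
    dynamic_blacklist: Dict[str, float] = field(default_factory=dict)  # MAC -> expiry time
    acl: Optional[List[AclRule]] = None  # ACL bound to the service template, if any

    def add_whitelist(self, mac: str) -> None:
        mac = norm_mac(mac)
        if mac in self.static_blacklist:
            raise ValueError("a client cannot be in both the whitelist and the static blacklist")
        self.whitelist.add(mac)

    def add_static_blacklist(self, mac: str) -> None:
        mac = norm_mac(mac)
        if mac in self.whitelist:
            raise ValueError("a client cannot be in both the whitelist and the static blacklist")
        self.static_blacklist.add(mac)

    def add_dynamic_blacklist(self, mac: str, now: float,
                              lifetime: float = DYNAMIC_BLACKLIST_LIFETIME) -> None:
        """Entry added by WIPS or MAC-authentication URL redirection; it ages out after lifetime."""
        self.dynamic_blacklist[norm_mac(mac)] = now + lifetime

    def _expire_dynamic(self, now: float) -> None:
        for mac, expiry in list(self.dynamic_blacklist.items()):
            if expiry <= now:
                del self.dynamic_blacklist[mac]

    def decide(self, mac: str, now: float) -> Tuple[bool, str]:
        """Return (permitted, reason) for an association request from mac at time now."""
        mac = norm_mac(mac)
        if self.acl is not None:
            # ACL-based control takes precedence: the first matching rule decides,
            # and no match means deny (so an ACL with only deny rules blocks everyone).
            for rule in self.acl:
                if rule.source_mac is None or norm_mac(rule.source_mac) == mac:
                    return (rule.action == "permit", f"acl {rule.action}")
            return (False, "acl no match")
        if self.whitelist:
            # Only the whitelist takes effect when it has entries; blacklists are ignored.
            if mac in self.whitelist:
                return (True, "whitelist")
            return (False, "not in whitelist")
        self._expire_dynamic(now)
        if mac in self.static_blacklist:
            return (False, "static blacklist")
        if mac in self.dynamic_blacklist:
            return (False, "dynamic blacklist")
        return (True, "no list entry")
```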
Client mode
After enabling the client mode for a radio interface on an AP, you can connect the AP as a wireless client to a wireless network to provide public wireless NIC functions for devices not equipped with wireless NICs.
As shown in Figure 6, enable the client mode on radio 1 of AP 2, and connect the PC and printer to the wired ports of AP 2. The PC and printer can access the wireless network through AP 2. Radio 2 of AP 2 can still provide wireless access services.
WLAN access tasks at a glance
To configure WLAN access, perform the following tasks:
1. Configuring wireless services
¡ Configuring a service template
¡ (Optional.) Configuring a description for a service template
¡ (Optional.) Setting the maximum number of associated clients for a radio or a service template
¡ Binding a service template to a radio interface
2. (Optional.) Specifying the method for APs to process traffic from unknown clients
3. (Optional.) Configuring client management
¡ Specifying the Web server to which client information is reported
¡ Enabling generation of client logs in the specified format
¡ Setting the idle period before client reauthentication
4. (Optional.) Configuring client maintenance
¡ Setting the client idle timeout
¡ Configuring client keepalive
¡ Performing a wireless link quality test
¡ Configuring client association ratio optimization
5. (Optional.) Configuring client access control
¡ Adding a client to the whitelist
¡ Adding a client to the static blacklist
¡ Configuring the dynamic blacklist
¡ Configuring ACL-based access control
6. (Optional.) Enabling an AP to respond to specific broadcast probe requests
7. (Optional.) Configuring the client mode
Configuring wireless services
Configuring a service template
About this task
A service template defines a set of wireless service attributes, such as SSID and authentication method.
Procedure
1. Enter system view.
system-view
2. Create a service template.
wlan service-template service-template-name
By default, no service template exists.
3. (Optional.) Assign clients coming online through the service template to the specified VLAN.
vlan vlan-id
By default, clients are assigned VLAN 1 after coming online through a service template.
Configuring a description for a service template
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Configure a description for the service template.
description text
By default, no description is configured for a service template.
Setting an SSID
About this task
APs broadcast SSIDs in beacon frames for clients to discover them. When a BSS is unavailable or when you do not want clients to discover the BSS, you can enable SSID-hidden. With SSID-hidden enabled, the BSS hides its SSID in beacon frames and does not respond to broadcast probe requests. A client must send probe requests carrying the specified SSID to access the WLAN. This feature can help protect the WLAN against attacks.
When the number of clients associated with an AP reaches the upper limit, the AP automatically hides its SSIDs in beacon frames, and other clients cannot discover and associate with the AP. For these clients to discover the AP, you can configure the SSID broadcast feature. However, these clients still cannot associate with the AP.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set an SSID for the service template.
ssid ssid-name
By default, no SSID is set for a service template.
4. (Optional.) Enable SSID-hidden in beacon frames.
beacon ssid-hide
By default, SSIDs are not hidden in beacon frames.
5. (Optional.) Enable SSID broadcast in beacon frames.
beacon ssid-advertise
By default, an AP hides SSIDs in beacon frames when the maximum number of associated clients is reached.
Setting the maximum number of associated clients for a radio or a service template
About this task
Perform this task to limit the number of associated clients and avoid overload. With this feature configured, new clients cannot access the WLAN and the SSID is hidden when the maximum number is reached.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set the maximum number of associated clients for a radio or the service template.
client max-count max-number
By default, the number of associated clients for a radio or a service template is not limited.
Enabling a service template
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable the service template.
service-template enable
By default, a service template is disabled.
Binding a service template to a radio interface
Restrictions and guidelines
You can bind a maximum of 16 service templates to a radio interface.
Procedure
1. Enter system view.
system-view
2. Enter WLAN-Radio interface view.
interface wlan-radio interface-number
3. Bind a service template to the radio interface.
service-template service-template-name
By default, no service template is bound to a radio interface.
Configuring client data forwarding
Specifying the method for APs to process traffic from unknown clients
About this task
Perform this task to configure APs using the specified service template to drop data packets from unknown clients and deauthenticate these clients or to drop the packets only.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Specify the method for APs to process traffic from unknown clients.
unknown-client [ deauthenticate | drop ]
By default, APs drop packets from unknown clients and deauthenticate these clients.
Configuring client management
Enabling quick association
About this task
Enabling load balancing or band navigation might affect client association efficiency. For delay-sensitive services or in an environment where load balancing and band navigation are not needed, you can enable quick association for a service template.
Quick association disables load balancing or band navigation on clients associated with the service template. The device will not balance traffic or perform band navigation even if these two features are enabled in the WLAN.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable quick association.
quick-association enable
By default, quick association is disabled.
Specifying the Web server to which client information is reported
About this task
Perform this task to enable the device to report client information, such as client MAC address, associated AP, and association time, to the specified Web server through HTTP. The Web server accepts client information only when the server's host name, port number, and path are specified.
Procedure
1. Enter system view.
system-view
2. Specify the host name and port number of the Web server.
wlan web-server host host-name port port-number
By default, the host name and port number of the Web server are not specified.
3. Specify the path of the Web server.
wlan web-server api-path path
By default, the path of the Web server is not specified.
4. (Optional.) Set the maximum number of client entries that can be reported at a time.
wlan web-server max-client-entry number
By default, a maximum of ten client entries can be reported at a time.
Enabling generation of client logs in the specified format
About this task
The device supports client logs in the following formats:
· H3C—Logs AP name, radio ID, client MAC address, SSID, BSSID, and client online status. By default, the device generates client logs only in H3C format.
· Normal—Logs AP MAC address, AP name, client IP address, client MAC address, SSID, and BSSID.
· Sangfor—Logs AP MAC address, client IP address, and client MAC address.
This feature enables the device to generate client logs in normal or sangfor format and send the logs to the information center. Log destinations are determined by the information center settings. For more information about the information center, see System Management Configuration Guide.
This feature does not affect generation of client logs in the H3C format.
Procedure
1. Enter system view.
system-view
2. Enable the device to generate client logs in the specified format.
customlog format wlan { normal | sangfor }
By default, the device generates client logs only in the H3C format.
Setting the idle period before client reauthentication
About this task
When URL redirection for WLAN MAC authentication is enabled, an AP redirects clients whose information is not recorded on the RADIUS server to the specified URL for Web authentication. Clients passing Web authentication are logged off and must perform MAC reauthentication to come online. However, MAC reauthentication fails if the IP addresses assigned to the clients have not expired.
Perform this task to add these clients to the dynamic blacklist for the specified idle period after they pass Web authentication to reduce reauthentication failures.
Procedure
1. Enter system view.
system-view
2. Set the idle period before client reauthentication.
wlan client reauthentication-period [ period-value ]
By default, the idle period is 10 seconds.
Configuring client maintenance
Setting the client idle timeout
About this task
If an online client does not send any frames to the associated AP before the client idle timeout timer expires, the AP logs off the client.
Procedure
1. Enter system view.
system-view
2. Set the client idle timeout.
wlan client idle-timeout timeout
By default, the client idle timeout is 3600 seconds.
Configuring client keepalive
About this task
This feature enables an AP to send keepalive packets to clients at the specified interval to determine whether the clients are online. If the AP does not receive any replies from a client within three keepalive intervals, it logs off the client.
Procedure
1. Enter system view.
system-view
2. Enable client keepalive.
wlan client keep-alive enable
By default, client keepalive is disabled.
3. Set the client keepalive interval.
wlan client keep-alive interval interval
By default, the client keepalive interval is 300 seconds.
Performing a wireless link quality test
About this task
This feature enables an AP to test the quality of the link to a wireless client. The AP sends empty data frames to the client at each supported rate. Then it calculates link quality information such as RSSI, packet retransmissions, and RTT based on the responses from the client.
The timeout for a wireless link quality test is 10 seconds. If the wireless link test is not completed before the timeout expires, test results cannot be obtained.
Procedure
To perform a wireless link quality test, execute the wlan link-test mac-address command in user view.
Setting the NAS ID
About this task
A network access server identifier (NAS ID) or network access server port identifier (NAS port ID) identifies the network access server of a client and differentiates the source of client traffic.
Restrictions and guidelines
If you specify a NAS ID when binding a service template to a radio, the radio uses the NAS ID specified for the service template.
Procedure
1. Enter system view.
system-view
2. Set the format of NAS port IDs for wireless clients.
wlan nas-port-id format { 2 | 4 }
By default, clients use format 2 to generate NAS port IDs.
3. Enter global configuration view.
wlan global-configuration
4. Set the NAS ID.
nas-id nas-id
By default, no NAS ID is set.
Setting the NAS port type
About this task
RADIUS requests carry the NAS port type attribute to indicate the type of the access port for 802.1X and MAC authentication clients.
Restrictions and guidelines
Make sure the service template is disabled before you perform this task.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set the NAS port type.
nas-port-type value
By default, the NAS port type is WLAN-IEEE 802.11 with a code value of 19.
Configuring client association ratio optimization
About this task
This feature enables the device to recalculate the client association success ratio, association congestion ratio, and abnormal disassociation ratio by using the specified index to get smaller ratio values.
The client association success ratio is the number of successful client associations divided by the total number of client association attempts. The client association congestion ratio is the number of failed client associations caused by AP overloading divided by the total number of client association attempts. The client abnormal disassociation ratio is the number of abnormal disassociations divided by the sum of successful associations and online clients.
Procedure
1. Enter system view.
system-view
2. Set the index for client association ratio optimization.
wlan association optimization value
By default, the index is 0. The device does not optimize client association ratios.
Enabling beacon frames and probe responses to carry the BSS Load IE
About this task
With this feature enabled, the beacon frames and probe responses sent by the device carry the BSS Load IE. The IE contains the number of clients in each BSS on the radio, the channel usage, and the remaining media time.
Restrictions and guidelines
In a roaming or Hotspot 2.0 network, enable this feature as a best practice for clients to use the BSS Load IE to select the optimal network.
Procedure
1. Enter system view.
system-view
2. Enable beacon frames and probe responses to carry the BSS Load IE.
wlan client bss-load-ie enable [ update-interval interval ]
By default, beacon frames and probe responses do not carry the BSS Load IE.
Configuring client access control
Adding a client to the whitelist
Restrictions and guidelines
When you add the first client to the whitelist, the system asks you whether to disconnect all online clients. Enter Y at the prompt to configure the whitelist.
Procedure
1. Enter system view.
system-view
2. Add a client to the whitelist.
wlan whitelist mac-address mac-address
Adding a client to the static blacklist
Restrictions and guidelines
You cannot add a client to both the whitelist and the static blacklist.
If the whitelist and blacklists are configured, only the whitelist takes effect.
Procedure
1. Enter system view.
system-view
2. Add a client to the static blacklist.
wlan static-blacklist mac-address mac-address
Configuring the dynamic blacklist
About this task
The AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients.
Entries in the dynamic blacklist are removed when the aging timer expires.
Restrictions and guidelines
The configured aging timer takes effect only on entries newly added to the dynamic blacklist.
If the whitelist and blacklists are configured, only the whitelist takes effect.
Procedure
1. Enter system view.
system-view
2. Set the aging timer for dynamic blacklist entries.
wlan dynamic-blacklist lifetime lifetime
By default, the aging timer is 300 seconds.
The aging timer for dynamic blacklist entries takes effect only on rogue client entries.
Configuring ACL-based access control
Restrictions and guidelines
The ACL-based access control configuration takes precedence over the whitelist and blacklist configuration. As a best practice, do not configure both ACL-based access control and whitelist- and blacklist-based access control on the same device.
If the specified ACL contains a deny statement, also configure a permit statement in the ACL to permit the other clients. If you do not do so, no clients can come online, because clients that match no rule are denied.
This feature supports only Layer 2 ACLs and can only use source MAC address as the match criterion. If you specify an ACL of another type, the configuration does not take effect.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Specify an ACL.
access-control acl acl-number
By default, no ACL is specified.
Enabling an AP to respond to specific broadcast probe requests
About this task
Broadcast probe requests do not carry any SSIDs. Upon receiving a broadcast probe request, an AP responds with a probe response that carries service information for the AP.
By default, an AP responds to all broadcast probe requests, which might threaten network security and decrease AP performance. However, disabling responses to broadcast probe requests might prevent clients from roaming to the optimal AP in time, affecting client access.
You can perform this task to enable an AP to respond to broadcast requests from a specific frequency band with strong signal strength.
Procedure
1. Enter system view.
system-view
2. Enable the AP to respond to specific broadcast probe requests.
wlan broadcast-probe reply [ rssi-threshold rssi-value ] [ frequency-band { 2.4 | 5 } ]
By default, the AP responds to broadcast probe requests from clients operating at any frequency band.
Configuring the client mode
Tasks at a glance
To configure the client mode, perform the following tasks:
1. Configure client mode connection
a. Enabling the client mode
b. Disconnecting the client-mode AP from the associated wireless service
c. Connecting the client-mode AP to a wireless service
2. (Optional.) Configure client-mode AP roaming
Roaming and enhanced roaming cannot be enabled at the same time for a client-mode AP.
¡ Enabling roaming for the client-mode AP
¡ Enabling enhanced roaming for the onboard client-mode AP
3. (Optional.) Configure parameters for the client-mode AP
¡ Setting the roaming RSSI threshold and RSSI gap threshold for the client-mode AP
¡ Setting the roaming calibration interval for the client-mode AP
¡ Setting the roaming scanning interval for the client-mode AP
¡ Setting the roaming scanning aging count for the client-mode AP
¡ Enabling beacon keepalive for the client-mode AP
¡ Enabling probe keepalive for the client-mode AP
¡ Setting the minimum recording RSSI for the client-mode AP to record detected wireless services
¡ Setting the link hold RSSI for the client-mode AP
Enabling the client mode
Restrictions and guidelines
You cannot enable wireless access or WDS for a radio interface enabled with the client mode.
Do not bind a wireless service template to a radio interface enabled with the client mode. If you do so, the client mode stops taking effect after the AP saves its configuration and restarts. For the client mode to take effect on a radio bound with a service template, first use the undo command to cancel the client mode and wireless service template configurations, and then re-enable the client mode.
You can enable the client mode only on one radio interface of an AP.
A radio interface has attributes similar to those of a Layer 2 Ethernet interface of the access type and can send only untagged packets from one VLAN. Therefore, make sure the VLAN ID specified for a client-mode radio interface is the same as the service template VLAN ID specified for the other radios and the VLAN ID of the AP's Ethernet interface. If the VLAN IDs are different, devices without a wireless NIC and wireless clients cannot access the wireless network through the client-mode AP.
To modify the authentication method, cipher suite, or preshared key of a client-mode AP, first execute the client-mode disconnect command to disconnect the client-mode AP from the wireless service. After the modification, use the client-mode connect or client-mode ssid ssid command to reconnect the AP.
To connect a client-mode AP to an encrypted wireless service, make sure the wireless service uses the RSN security IE and the PSK mode.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Enable the client mode.
client-mode enable
By default, the client mode is disabled.
4. (Optional.) Specify the authentication method for the client-mode radio interface.
client-mode authentication-method { open-system | shared-key | wpa2-psk }
By default, the authentication method is open-system.
Make sure the authentication method is the same as the authentication method of the wireless service to associate.
5. (Optional.) Specify the cipher suite and preshared key for the client-mode radio interface.
client-mode cipher-suite { ccmp | tkip | { wep40 | wep104 | wep128 } [ key-id key-id ] } key [ cipher | simple ] string
By default, no cipher suite and preshared key are configured.
Make sure the cipher suite and preshared key are the same as the cipher suite and preshared key of the wireless service to associate.
6. (Optional.) Specify a VLAN for the client-mode radio interface.
client-mode vlan vlan-id
By default, a client-mode radio interface belongs to VLAN 1.
7. (Optional.) Specify an SSID for the client-mode radio interface.
client-mode ssid ssid
By default, no SSID is specified for a client-mode radio interface to associate.
Disconnecting the client-mode AP from the associated wireless service
Restrictions and guidelines
To modify the authentication method, cipher suite, or preshared key of a client-mode AP, you must first disconnect the client-mode AP from the wireless service.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Disconnect the client-mode AP from the associated wireless service.
client-mode disconnect
This operation disconnects terminal access to the wireless network. You can use client-mode connect or client-mode ssid ssid to reconnect the client-mode AP to the wireless service.
Connecting the client-mode AP to a wireless service
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Connect the client-mode AP to a wireless service.
client-mode connect
To connect a client-mode AP to an encrypted wireless service, make sure the wireless service uses the RSN security IE and the PSK mode.
Enabling roaming for the client-mode AP
About this task
This feature enables the client-mode AP to roam to a better wireless service in the same ESS to provide high-quality wireless access.
The following roaming modes are available:
· Quick roaming—Allows the client-mode AP to perform roaming as long as the RSSI gap between the associated service and a better service exceeds the gap threshold.
· Slow roaming—Allows the client-mode AP to perform roaming only when the RSSI of the associated service is below the roaming RSSI threshold and the RSSI gap between the associated service and a better service exceeds the gap threshold.
Restrictions and guidelines
Before performing this task, first enable the client mode.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Enable roaming for the client-mode AP and set the roaming mode.
client-mode roam { quick | slow }
By default, roaming is disabled for a client-mode AP.
Enabling enhanced roaming for the onboard client-mode AP
About this task
As shown in Figure 7, in an Automated Guided Vehicle (AGV) wireless network, the network contains onboard devices deployed on vehicles and network-side devices. Network-side devices (AC+fit AP architecture) provide wireless access for onboard client-mode APs, while the client-mode APs act as wireless clients to provide wireless NIC functions for onboard devices without wireless NICs.
During vehicle operation, roaming must be enabled for an onboard client-mode AP, which might cause packet loss if the client-mode radio interface provides connection to the uplink wireless network and performs roaming scanning at the same time. To resolve this issue, you can enable enhanced roaming for the 2.4GHz radio of the client-mode AP to perform scanning and the 5GHz radio to provide uplink connection.
Enhanced roaming supports two roaming modes. For more information, see "Enabling roaming for the client-mode AP."
Figure 7 Enhanced roaming for the client-mode AP
Restrictions and guidelines
This feature is configurable only on the 2.4 GHz radio of an onboard client-mode AP, and cannot be configured on the same radio where the client mode is enabled.
Enable the client mode on the 5GHz radio of the onboard AP and connect the radio to the wireless network. Do not specify a manual channel on the 5GHz radio.
Do not configure the 2.4GHz radio to provide wireless access services because the 2.4GHz radio will be used for scanning and cannot provide stable wireless services.
If roaming is enabled on the 5GHz radio, do not enable enhanced roaming on the 2.4GHz radio. If enhanced roaming is enabled on the 2.4GHz radio, do not enable roaming on the 5GHz radio.
If you enable enhanced roaming for a client-mode AP, the AP goes offline from the associated wireless service and comes online again.
To use the client-mode disconnect command to disconnect the client-mode AP from the associated wireless service, first disable enhanced roaming.
To use this feature, make sure you enable enhanced roaming on both the onboard client-mode APs and trackside ACs.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Enable enhanced roaming for the client-mode AP and set the roaming mode.
client-mode roam-enhance { quick | slow }
By default, enhanced roaming is disabled for a client-mode AP.
Setting the roaming RSSI threshold and RSSI gap threshold for the client-mode AP
Restrictions and guidelines
This feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the roaming RSSI threshold and RSSI gap threshold for the client-mode AP.
client-mode roam rssi-threshold rssi-value [ gap gap-value ]
By default, both the RSSI threshold and RSSI gap threshold are 20.
Setting the roaming calibration interval for the client-mode AP
About this task
The client-mode AP determines whether to perform roaming at the specified calibration intervals. If the interval is too short, the AP might switch the associated wireless service frequently, which affects network stability. If the interval is too long, the AP might fail to switch to the optimal wireless service in time, which affects service quality.
Restrictions and guidelines
This feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the roaming calibration interval for the client-mode AP.
client-mode roam calibration-interval interval
By default, the roaming calibration interval is 1000 milliseconds for a client-mode AP.
Setting the roaming scanning interval for the client-mode AP
About this task
If enhanced roaming is disabled, setting a short scanning interval might cause the client-mode AP to scan the network frequently, leading to severe packet loss and affecting service quality.
If the roaming scanning interval is too long, the AP might fail to detect the optimal service in time.
Restrictions and guidelines
If enhanced roaming is disabled, this feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
If enhanced roaming is enabled, this feature is configurable only on a radio interface enabled with enhanced roaming. Disabling enhanced roaming removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the roaming scanning interval for the client-mode AP.
client-mode roam scan-interval interval
By default, the roaming scanning interval is 5000 milliseconds for a client-mode AP.
Setting the roaming scanning aging count for the client-mode AP
About this task
The client-mode AP generates a BSS entry for each BSS detected during scanning. If the aging count is reached but the BSS cannot be detected again, the AP deletes the BSS entry. If the BSS is the currently associated BSS of the AP, the AP goes offline and then attempts to come online from another BSS.
Restrictions and guidelines
This feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the roaming scanning aging count for the client-mode AP.
client-mode roam scan-aging count
By default, the roaming scanning aging count is 5 for a client-mode AP.
Enabling beacon keepalive for the client-mode AP
About this task
With this feature enabled, if the maximum number of keepalive attempts is reached but the client-mode AP fails to receive a beacon frame from the associated wireless service, the AP disconnects from the service.
As a best practice, set the beacon keepalive interval to a value twice the beacon sending interval or larger.
Restrictions and guidelines
This feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Enable beacon keepalive for the client-mode AP.
client-mode beacon-keepalive interval interval count count
By default, beacon keepalive is disabled for a client-mode AP.
Enabling probe keepalive for the client-mode AP
About this task
With probe keepalive enabled, if the maximum number of retransmissions is reached but the client-mode AP fails to receive a probe response from the associated wireless service, the AP disconnects from the service. Then, the AP attempts to associate with another wireless service.
Restrictions and guidelines
This feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Enable probe keepalive for the client-mode AP.
client-mode probe-keepalive [ interval interval retry retries ]
By default, probe keepalive is enabled for a client-mode AP. The probe request sending interval is 1000 milliseconds and the number of retransmissions is 5.
Setting the minimum recording RSSI for the client-mode AP to record detected wireless services
About this task
The client-mode AP generates a BSS entry for each BSS detected during scanning. If the RSSI of a BSS is lower than the minimum recording RSSI, the AP does not update the BSS entry and reduces the roaming scanning aging count by one.
Restrictions and guidelines
If enhanced roaming is disabled, this feature is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
If enhanced roaming is enabled, this feature is configurable only on a radio interface enabled with enhanced roaming. Disabling enhanced roaming removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the minimum recording RSSI for the client-mode AP to record detected wireless services.
client-mode min-record-rssi rssi
By default, the minimum recording RSSI is 15.
Setting the link hold RSSI for the client-mode AP
About this task
With this feature enabled, if the RSSI of the associated wireless service drops below the link hold RSSI, the client-mode AP disconnects from the current service and associates with a better one.
Restrictions and guidelines
This command is configurable only on a radio interface enabled with the client mode.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the link hold RSSI for the client-mode AP.
client-mode link-hold-rssi rssi
By default, the client-mode link hold RSSI is 0 and active link disconnection is disabled.
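As an added illustration (not H3C code), the following Python models the BSS table behaviour described by the scan-aging, minimum-recording-RSSI and link-hold tasks above, so the interaction of the three knobs can be traced round by round. The BSSIDs and RSSI readings are constructed; how the AP picks its replacement BSS is an assumption, since this page does not state it.

```python
# Model of the client-mode AP's BSS table as this page describes it.
# Added illustration, not H3C code. Knobs mirror the page's commands:
#   client-mode roam scan-aging count -> scan_aging (default 5)
#   client-mode min-record-rssi rssi  -> min_record_rssi (default 15)
#   client-mode link-hold-rssi rssi   -> link_hold_rssi (0 = disabled)
# Assumption not stated on the page: a new BSS is chosen by highest RSSI.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BssEntry:
    bssid: str
    rssi: int
    age: int  # remaining aging count; the entry is deleted at 0


@dataclass
class ClientModeRadio:
    scan_aging: int = 5
    min_record_rssi: int = 15
    link_hold_rssi: int = 0
    associated: Optional[str] = None
    table: Dict[str, BssEntry] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def scan_round(self, detected: Dict[str, int]) -> None:
        """One scanning round; `detected` maps BSSID -> observed RSSI."""
        for bssid, rssi in detected.items():
            entry = self.table.get(bssid)
            if rssi < self.min_record_rssi:
                # Below min-record-rssi: no update, aging count drops by one.
                if entry is not None:
                    entry.age -= 1
            elif entry is None:
                self.table[bssid] = BssEntry(bssid, rssi, self.scan_aging)
            else:
                entry.rssi, entry.age = rssi, self.scan_aging
        for bssid, entry in self.table.items():
            if bssid not in detected:  # not seen this round: age it too
                entry.age -= 1
        for bssid in [b for b, e in self.table.items() if e.age <= 0]:
            del self.table[bssid]
            if bssid == self.associated:  # current BSS aged out: go offline
                self.events.append(f"offline: {bssid} aged out")
                self.associated = None
        self._maintain_link()

    def _maintain_link(self) -> None:
        if self.associated is not None:
            cur = self.table[self.associated]
            # Link hold: leave the service once its RSSI is below the hold RSSI.
            if self.link_hold_rssi and cur.rssi < self.link_hold_rssi:
                self.events.append(f"link-hold: {cur.bssid} rssi {cur.rssi}")
                self.associated = None
        if self.associated is None and self.table:
            best = max(self.table.values(), key=lambda e: e.rssi)
            self.associated = best.bssid
            self.events.append(f"associate: {best.bssid}")


def scenario() -> List[str]:
    """Constructed run: link hold forces a switch, then the new BSS fades
    below min-record-rssi for three rounds (scan-aging 3) and ages out."""
    radio = ClientModeRadio(scan_aging=3, min_record_rssi=15, link_hold_rssi=25)
    radio.scan_round({"00ab-0000-0001": 37, "00ab-0000-0002": 30})
    radio.scan_round({"00ab-0000-0001": 20, "00ab-0000-0002": 30})
    for _ in range(3):
        radio.scan_round({"00ab-0000-0001": 30, "00ab-0000-0002": 10})
    return radio.events
```

A small scan-aging count combined with a high minimum recording RSSI makes the associated BSS age out after only a few weak readings, which is the frequent-offline behaviour the restrictions above warn about.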
Setting the maximum number of retransmissions for authentication and association requests and the response timeout for the client-mode AP
About this task
With this feature configured, the client-mode AP retransmits the authentication or association request after the timeout timer expires during wireless service association. If the maximum number of retransmissions is reached but no response is received, the AP attempts to associate with another BSS.
Restrictions and guidelines
This command is configurable only on a radio interface enabled with the client mode. Disabling the client mode removes the configuration.
Procedure
1. Enter system view.
system-view
2. Enter radio interface view.
interface wlan-radio interface-number
3. Set the maximum number of retransmissions for authentication and association requests and the response timeout for the client-mode AP.
client-mode access-retransmit interval interval [ count count ]
By default, the authentication and association response timeout is 300 milliseconds and a client-mode AP does not retransmit authentication or association requests during wireless service association.
Enabling smart client access
About smart client access
This feature enables H3C wireless clients to access the WLAN automatically when the AKM mode is set to PSK or when the radio is bound to an empty service template.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable smart client access.
client smart-access enable
By default, smart client access is disabled.
Display and maintenance commands for WLAN access
Execute display commands in any view and the reset command in user view.
Task | Command |
---|---|
Display WLAN radio interface information. | display interface wlan-radio [ interface-number ] [ brief ] |
Display the number of online clients at the 2.4 GHz band and the 5 GHz band. | display wlan ap all client-number |
Display the number of online clients and channel information for each radio. | display wlan ap all radio client-number |
Display blacklist entries. | display wlan blacklist { dynamic \| static } |
Display basic service set (BSS) information. | display wlan bss { all \| bssid bssid } [ verbose ] |
Display client information. | display wlan client [ interface wlan-radio interface-number \| mac-address mac-address \| service-template service-template-name ] [ verbose ] |
Display information about client IPv6 addresses. | display wlan client ipv6 |
Display client online duration. | display wlan client online-duration [ verbose ] |
Display client status information. | display wlan client status [ mac-address mac-address ] [ verbose ] |
Display packet statistics on the client-mode AP. | display wlan client-mode packet-statistics radio radio-id |
Display information about BSSs detected by the client-mode AP. | display wlan client-mode roam-enhance bss |
Display roaming state information for the client-mode AP. | display wlan client-mode roaming-state |
Display service template information. | display wlan service-template [ service-template-name ] [ verbose ] |
Display client statistics. | display wlan statistics client [ mac-address mac-address ] |
Display client connection history. | display wlan statistics connect-history service-template service-template-name |
Display service template statistics. | display wlan statistics service-template service-template-name |
Display whitelist entries. | display wlan whitelist |
Log off the specified client or all clients. | reset wlan client { all \| mac-address mac-address } |
Remove the specified client or all clients from the dynamic blacklist. | reset wlan dynamic-blacklist [ mac-address mac-address ] |
Clear client statistics. | reset wlan statistics client { all \| mac-address mac-address } |
Clear service template statistics. | reset wlan statistics service-template service-template-name |
WLAN access configuration examples
Example: Configuring WLAN access
Network configuration
As shown in Figure 8, the switch acts as the DHCP server to assign IP addresses to the AP and the client. The AP provides wireless services with SSID trade-off.
Procedure
# Create service template service1, set the SSID to trade-off, and enable the service template.
<AP> system-view
[AP] wlan service-template service1
[AP-wlan-st-service1] ssid trade-off
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
# Bind service template service1 to WLAN-Radio 1/0/1.
[AP] interface wlan-radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Verify that the SSID is trade-off, and the service template is enabled.
[AP] display wlan service-template verbose
Service template name : service1
Description : Not configured
SSID : trade-off
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
VLAN ID : 3
AKM mode : Not configured
Security IE : Not configured
Cipher suite : Not configured
TKIP countermeasure time : 0 sec
PTK life time : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Disabled
WPA3 status : Disabled
Enhance-open status : Enabled
Enhanced-open transition-mode service-template : N/A
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
Critical VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : my-domain
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
# Associate the client with the fat AP. (Details not shown.)
# Verify that the client can access the WLAN.
[AP] display wlan client service-template service1
Total number of clients: 1
MAC address Username RID IP address IPv6 address VLAN
0023-8933-223b N/A 1 3.0.0.3 3
Example: Configuring whitelist-based access control
Network configuration
As shown in Figure 9, configure the whitelist to permit only the client whose MAC address is 0000-000f-1211 to access the WLAN.
Procedure
# Add MAC address 0000-000f-1211 to the whitelist.
<AP> system-view
[AP] wlan whitelist mac-address 0000-000f-1211
Verifying the configuration
# Verify that MAC address 0000-000f-1211 is in the whitelist.
<AP> display wlan whitelist
Total number of clients: 1
MAC addresses:
0000-000f-1211
Example: Configuring static blacklist-based access control
Network configuration
As shown in Figure 10, configure the static blacklist to prevent the client whose MAC address is 0000-000f-1211 from accessing the WLAN.
Procedure
# Add MAC address 0000-000f-1211 to the static blacklist.
<AP> system-view
[AP] wlan static-blacklist mac-address 0000-000f-1211
Verifying the configuration
# Verify that MAC address 0000-000f-1211 is in the static blacklist.
<AP> display wlan blacklist static
Total number of clients: 1
MAC addresses:
0000-000f-1211
Example: Configuring the client-mode AP
Network configuration
As shown in Figure 11, Radio 1 of AP 2 operates in client mode and accesses the wireless service that uses SSID service1. The printer and PC connect to the Ethernet interfaces of AP 2 and access the wireless network through AP 2.
Procedure
1. Configure AP 1:
# Create service template service.
<AP1> system-view
[AP1] wlan service-template service
# Specify the SSID as service1.
[AP1-wlan-st-service] ssid service1
# Specify the PSK AKM mode, and specify plaintext string 12345678 as the preshared key.
[AP1-wlan-st-service] akm mode psk
[AP1-wlan-st-service] preshared-key pass-phrase simple 12345678
# Specify the CCMP cipher suite and the RSN security IE.
[AP1-wlan-st-service] cipher-suite ccmp
[AP1-wlan-st-service] security-ie rsn
# Enable the service template.
[AP1-wlan-st-service] service-template enable
[AP1-wlan-st-service] quit
# Bind the service template to WLAN-Radio 1/0/1.
[AP1] interface wlan-radio 1/0/1
[AP1-WLAN-Radio1/0/1] undo shutdown
[AP1-WLAN-Radio1/0/1] service-template service
[AP1-WLAN-Radio1/0/1] quit
2. Configure AP 2:
# Create VLAN 2, and add GigabitEthernet 1/0/1 to VLAN 2.
<AP2> system-view
[AP2] vlan 2
[AP2-vlan2] port gigabitethernet 1/0/1
[AP2-vlan2] quit
# Specify an IP address for VLAN-interface 2. Make sure the IP address can be pinged successfully from the subnet of AP 1.
[AP2] interface vlan-interface 2
[AP2-Vlan-interface2] ip address 192.1.1.2 24
[AP2-Vlan-interface2] quit
# Enter radio interface view of WLAN-Radio 1/0/1.
[AP2] interface wlan-radio 1/0/1
# Enable the client mode.
[AP2-WLAN-Radio1/0/1] client-mode enable
# Specify the WPA2-PSK authentication method.
[AP2-WLAN-Radio1/0/1] client-mode authentication-method wpa2-psk
# Specify the CCMP cipher suite and set a plaintext preshared key.
[AP2-WLAN-Radio1/0/1] client-mode cipher-suite ccmp key simple 12345678
# Specify VLAN 2 for the client-mode radio interface.
[AP2-WLAN-Radio1/0/1] client-mode vlan 2
# Specify SSID service1 for the client-mode radio interface.
[AP2-WLAN-Radio1/0/1] client-mode ssid service1
[AP2-WLAN-Radio1/0/1] quit
3. Configure the switch:
# Create VLAN 2, and add GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to the VLAN.
<switch> system-view
[switch] vlan 2
[switch-vlan2] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[switch-vlan2] quit
Verifying the configuration
# Verify that Radio 1 is in client mode and is associated with SSID service1.
<Sysname> display wlan client-mode radio
Radio : 1
Mode : 802.11g
Authentication method : WPA2-PSK
Cipher suite : AES-CCMP
Key (simple) : ********
WEP key ID : N/A
SSID : service1
BSSID : 6CF0-49CD-30BB
Status : Connected
Received data packets : 1324939
Received management packets : 34876
Sent data packets : 46365
Discarded packets : 38272
Rate(Rx/Tx) : 1 2 5.5 6 9 11 12 18 24 36 48 54
Online time : 0 days 0 hours 45 minutes 5 seconds
# Ping AP 1 from a wired device, such as the PC, and verify that AP 1 can be reached.
Example: Configuring enhanced roaming for the client-mode AP
Network configuration
As shown in Figure 12, AP 1 and AP 2 connect to the AC through Switch 1 to provide wireless access and enhanced roaming for client-mode AP 3. The client-mode 5GHz radio (Radio 1) of AP 3 accesses SSID agv and the 2.4GHz radio (Radio 2) is enabled with enhanced roaming. At the same time, the Ethernet interfaces of AP 3 are connected to wired devices through Switch 2 to provide wireless NIC functions for devices not equipped with wireless NICs. Enhanced roaming is configured to reduce packet loss during the roaming of AP 3.
Procedure
1. Configure the AC:
# Create service template agv, set the SSID to agv, and enable the service template to provide wireless access for the client-mode AP (AP 3).
<AC> system-view
[AC] wlan service-template agv
[AC-wlan-st-agv] ssid agv
[AC-wlan-st-agv] service-template enable
[AC-wlan-st-agv] quit
# Create service template service, set the SSID to service, and enable the service template to provide wireless access for wireless clients, such as cellphones and iPads, and to provide enhanced roaming services.
[AC] wlan service-template service
[AC-wlan-st-service] ssid service
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# Create manual AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA6526E
[AC-wlan-ap-ap1] serial-id 219801A28N819CE00021T
# Configure radio 1 to operate on channel 36 and bind service template agv to radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 36
[AC-wlan-ap-ap1-radio-1] service-template agv
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
# Configure radio 2 to operate on channel 1 and bind service template service to radio 2.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] channel 1
[AC-wlan-ap-ap1-radio-2] service-template service
[AC-wlan-ap-ap1-radio-2] roam-enhance ssid agv
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create manual AP ap2 and specify the AP model and serial ID.
[AC] wlan ap ap2 model WA6526E
[AC-wlan-ap-ap2] serial-id 219801A28N819CE0002T
# Configure radio 1 to operate on channel 40, and bind service template agv to radio 1.
[AC-wlan-ap-ap2] radio 1
[AC-wlan-ap-ap2-radio-1] channel 40
[AC-wlan-ap-ap2-radio-1] service-template agv
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
# Configure radio 2 to operate on channel 6, and bind service template service to radio 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] channel 6
[AC-wlan-ap-ap2-radio-2] service-template service
[AC-wlan-ap-ap2-radio-2] roam-enhance ssid agv
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
2. Configure AP 3:
# Enter radio interface view of WLAN-Radio 1/0/1.
[AP3] interface wlan-radio 1/0/1
# Enable the client mode.
[AP3-WLAN-Radio1/0/1] client-mode enable
# Specify SSID agv for AP 3.
[AP3-WLAN-Radio1/0/1] client-mode ssid agv
[AP3-WLAN-Radio1/0/1] quit
# Enter radio interface view of WLAN-Radio 1/0/2.
[AP3] interface wlan-radio 1/0/2
# Set the channel scanning whitelist.
[AP3-WLAN-Radio1/0/2] scan channel whitelist 1 6 11
# Enable enhanced roaming and set the roaming mode to quick.
[AP3-WLAN-Radio1/0/2] client-mode roam-enhance quick
[AP3-WLAN-Radio1/0/2] quit
Verifying the configuration
# Verify that you can view information about BSSs detected by the client-mode AP on AP 3.
<AP3> display wlan client-mode roam-enhance bss
Total number of BSSs: 2
BSSID Time MSec RSSI AVER CHL AGE SSID
84d9-3100-4b00 16:51:09 0244 37 36 36 5 agv
16:51:08 0834 37
16:51:08 0732 36
16:51:08 0642 37
16:51:09 0253 36
50da-00df-33e0 16:51:08 0802 45 45 40 5 agv
16:51:08 0699 44
16:51:08 0597 46
16:51:08 0261 46
16:51:09 0251 45