WLAN Product Interoperation

Configuration Guide

Issue 03
Date 2017-04-20

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 03 (2017-04-20) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
WLAN Product Interoperation Configuration Guide About This Document

About This Document

Intended Audience
This document describes how to configure interoperation between Huawei WLAN products
and other authentication servers in different scenarios.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol / Description (the hazard symbols are graphics and are not reproduced here):

- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- NOTICE: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- NOTE: Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention: Description

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

NOTE

The interface types, command outputs, and device models provided in this manual vary according to
device configurations and may differ from the actual information.
To obtain better user experience, you are advised to set the number of columns displayed on the
command line editor to 132 or higher.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.


Security Conventions
- Password setting
  When configuring a password, use cipher text. To keep the device secure, do not disable the password complexity check, and change passwords periodically.
  A password configured in cipher text that starts and ends with %^%#......%^%# is stored with a reversible cipher (the device can decrypt it), and the configuration file shows it exactly as it was configured. Do not use this setting: anyone who obtains the configuration file also obtains a usable copy of the secret.
- Encryption algorithm
  The device currently uses the following cryptographic algorithms: DES, 3DES, AES, RSA, SHA1, SHA-2, MD5 and SMS4. Which algorithm applies depends on the scenario. Use the recommended algorithm; otherwise the security defense requirements may not be met.
  - For symmetric encryption, use AES with a key of 128 bits or more.
  - For asymmetric encryption, use RSA with a key of 2048 bits or more.
  - For hashing, use SHA-2 with a digest of 256 bits or more (SHA-256 or stronger). A hash function has no key; the digest length is what matters.
  - For message authentication, use HMAC-SHA2.
  - DES, 3DES, RSA with keys of 1024 bits or shorter, MD5 (in digital signature scenarios and for password protection) and SHA1 (in digital signature scenarios) offer low security and may bring security risks. Where the protocol allows, use more secure algorithms such as AES, RSA-2048 or higher, SHA2 and HMAC-SHA2.
  - SHA1, SHA2 and MD5 are one-way (irreversible) hash algorithms, not encryption. The administrator password must be stored with an irreversible algorithm.
- Personal data
  Some personal data may be obtained or used during operation or fault location of your purchased products, services and features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
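The conventions above distinguish three ways a secret can appear in a configuration file: plaintext, reversible cipher text (%^%#......%^%#), and irreversible storage. The following Python script, an added example that is not part of Huawei's documentation or software, audits a configuration dump for those markers and reports the cases the conventions warn about. The sample configuration lines are constructed for the example; the keywords simple and irreversible-cipher, and the complexity rule in meets_complexity (eight or more characters drawn from at least three character classes), are assumptions made for illustration and must be checked against the command reference of the actual device.

```python
import re

# Constructed sample of VRP-style configuration lines for this demonstration, not a
# real device dump. Markers follow the Security Conventions above:
#   %^%#...%^%#            reversible cipher text (the device can decrypt it)
#   ... password simple    value kept in plaintext (keyword assumed for the example)
#   irreversible-cipher    one-way hashed local-user password (keyword assumed for the example)
SAMPLE_CONFIG = """\
sysname AC
radius-server template radius_template
 radius-server shared-key cipher %^%#Q1xn6A0s*WuF5@!a#k2Mn$%^%#
 radius-server authentication 192.168.11.10 1812
local-user admin password irreversible-cipher $1a$Rz8Bl}x6~$Hm;oV,L$l8F$Zr5Gd9f'1$
local-user guest password cipher %^%#k3/Sq2n$O(a8vN!z%^%#
local-user temp password simple guest1
snmp-agent community read cipher %^%#Tq0VbLm!2p%^%#
"""

REVERSIBLE = re.compile(r"%\^%#.+?%\^%#")          # reversible cipher-text marker from the conventions
PLAINTEXT = re.compile(r"\bsimple\s+(\S+)")        # assumed plaintext keyword followed by the value


def meets_complexity(password):
    """Assumed approximation of the device's complexity check: 8+ characters from at
    least three of the four classes upper case, lower case, digit, other."""
    classes = [re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    return len(password) >= 8 and sum(1 for c in classes if c) >= 3


def audit_config(text):
    """Return findings as (severity, line_number, message) tuples, in line order."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        m = PLAINTEXT.search(line)
        if m:
            msg = "plaintext secret in configuration; re-enter it in cipher text"
            if not meets_complexity(m.group(1)):
                msg += "; the value also fails the complexity check"
            findings.append(("HIGH", num, msg))
            continue
        if REVERSIBLE.search(line):
            if line.lstrip().startswith("local-user"):
                # The conventions require an irreversible algorithm for administrator passwords.
                findings.append(("HIGH", num,
                                 "local-user password stored with a reversible cipher; use irreversible-cipher"))
            else:
                # Shared keys must be recoverable by the device, so this is expected; the risk is the file itself.
                findings.append(("INFO", num,
                                 "reversible cipher text: the device can decrypt it, so protect the "
                                 "configuration file and do not paste this value into another device"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'INFO': 2} for SAMPLE_CONFIG."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, num, msg in audit_config(SAMPLE_CONFIG):
        print(f"{severity:<4} line {num}: {msg}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Run against the sample, the script flags the plaintext guest password (which is also too short), the local-user password stored reversibly, and lists the RADIUS and SNMP secrets as reversible-by-design so the operator knows which lines make the configuration file itself sensitive. The admin line with irreversible-cipher produces no finding.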

Configuration Conventions
Large-scale or batch service configuration using scripts may cause high CPU usage,
preventing the system from processing regular services.

Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Changes in Issue 03 (2017-04-20)

This version has the following updates:

The following information is added:
- 1 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server
- 2.9 Example for Configuring External Portal Authentication
- 2.10 Example for Configuring External Portal Authentication (Web)

Changes in Issue 02 (2017-01-20)


This version has the following updates:
The following information is added:
- Typical Configuration for Interconnection Between AC and Cisco ISE Server
  - 2.2 Example for Configuring 802.1x Authentication (Web)
  - 2.4 Example for Configuring MAC Address Authentication (Web)
  - 2.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)
  - 2.8 Example for Configuring User Authorization Based on User Groups (Web)
- Typical Configuration for Interconnection Between AC and Aruba ClearPass Server
  - 3.2 Example for Configuring 802.1x Authentication (Web)
  - 3.4 Example for Configuring MAC Address Authentication (Web)
  - 3.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)
  - 3.8 Example for Configuring User Authorization Based on User Groups (Web)

Changes in Issue 01 (2016-08-18)


Initial commercial release.

Contents

About This Document (p. ii)

1 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server (p. 1)
1.1 Example for Configuring Wireless 802.1X Authentication (p. 3)
1.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users (p. 15)
1.3 Example for Configuring Wireless MAC Address Authentication (p. 50)
1.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS (p. 63)
1.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly (p. 76)
1.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts) (p. 86)
1.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes (p. 109)
1.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment (p. 125)
1.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment (p. 147)
1.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment (p. 181)
1.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment (p. 208)
1.12 Appendix (p. 239)
1.12.1 Common Page Customization Operations Using the Editor (p. 239)
1.12.2 Customizing Pages (p. 250)
1.12.3 Defining a Redirection Rule for the Portal Page (p. 251)
1.12.4 Example: Adding Language Templates (p. 254)
1.12.5 Configuring MAC Address Authentication (p. 256)
1.12.6 Deploying a CA Certificate Server (p. 261)
1.12.7 Server Certificate Importing Tool (p. 268)
1.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication? (p. 270)
1.12.9 What Should I Do Before Connecting a GPRS Modem to the AC-Campus? (p. 271)

2 Typical Configuration for Interconnection Between AC and Cisco ISE Server (p. 275)
2.1 Example for Configuring 802.1x Authentication (CLI) (p. 276)
2.2 Example for Configuring 802.1x Authentication (Web) (p. 290)
2.3 Example for Configuring MAC Address Authentication (CLI) (p. 305)
2.4 Example for Configuring MAC Address Authentication (Web) (p. 319)
2.5 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI) (p. 332)
2.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web) (p. 348)
2.7 Example for Configuring User Authorization Based on User Groups (CLI) (p. 366)
2.8 Example for Configuring User Authorization Based on User Groups (Web) (p. 382)
2.9 Example for Configuring External Portal Authentication (p. 400)
2.10 Example for Configuring External Portal Authentication (Web) (p. 414)

3 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server (p. 428)
3.1 Example for Configuring 802.1x Authentication (CLI) (p. 429)
3.2 Example for Configuring 802.1x Authentication (Web) (p. 443)
3.3 Example for Configuring MAC Address Authentication (CLI) (p. 458)
3.4 Example for Configuring MAC Address Authentication (Web) (p. 470)
3.5 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI) (p. 483)
3.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web) (p. 498)
3.7 Example for Configuring User Authorization Based on User Groups (CLI) (p. 516)
3.8 Example for Configuring User Authorization Based on User Groups (Web) (p. 532)


1 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server

About This Chapter

1.1 Example for Configuring Wireless 802.1X Authentication
This section describes how to configure wireless 802.1X authentication for mobile terminals to access networks.
1.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users
This example illustrates how to configure Portal authentication on a wireless network so that only authenticated wireless terminals can connect to the network.
1.3 Example for Configuring Wireless MAC Address Authentication
This section describes how to configure wireless MAC address authentication so that dumb terminals such as IP phones, printers, and cameras can access networks in wireless mode.
1.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS
Before a terminal running Android, iOS, or Windows can access a network in wireless mode, it must associate with the initialization SSID to download the network configuration tool or configuration file. After the terminal completes network configuration automatically, the user can access the network through 802.1X.
1.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly
Guests can obtain passwords through their mobile phones to connect to networks quickly.
1.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts)
The Service Manager can interconnect with the Google, Facebook, and Twitter authentication servers so that end users can complete authentication on the Service Manager with their social media accounts and passwords. Authenticated users can then connect to the network.
1.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes
After guests connect to a Wi-Fi network with their mobile phones, they can scan QR codes posted in public areas to authenticate and access the network.
1.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment
The two-node cluster environment consists of an AC cluster (VRRP) and a RADIUS server cluster. Deploying two-node clusters on WLANs improves network reliability.
1.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment
This example illustrates how to configure Portal authentication on a hot standby (HSB) wireless network. The VRRP-enabled ACs, RADIUS servers, and Portal servers on the network are deployed in HSB mode, improving network reliability.
1.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment
This example illustrates how to configure AC dual-link backup to improve network reliability.
1.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment
This example illustrates how to configure Portal authentication on an AC N+1 network. The RADIUS server and Portal server are both deployed in two-node clusters, improving network access reliability.
1.12 Appendix


1.1 Example for Configuring Wireless 802.1X Authentication

This section describes how to configure wireless 802.1X authentication for mobile terminals to access networks.

Involved Products and Versions

Product Type        Product Name   Version
AC-Campus           AC-Campus      V100R002C10
WLAN AC             AC6605         V200R006C20
Access switch       S2750EI        V200R008C00
Aggregation switch  S5720HI        V200R008C00

Networking Requirements
A company maintains user accounts and organizations on the AD server, and wants to provide
wireless access for mobile office in its campus. Wireless 802.1X authentication can be used to
ensure security.
Authenticated users can access Internet resources.


Figure 1-1 Networking diagram

Data Plan

Table 1-1 Wireless VLAN plan

VLAN ID   Function
10        mVLAN for wireless access
100       Service VLAN for wireless access

Table 1-2 Wireless network data plan (Item: Data / Description)

Access switch S2750EI
  GE 0/0/2: VLAN 10
  GE 0/0/3: VLAN 10
  The uplink and downlink interfaces allow packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.

Aggregation switch S5720HI
  GE 0/0/1: VLAN 10
  This downlink interface allows packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
  GE 0/0/2: VLAN 100
  This uplink interface allows packets only from the service VLAN to pass through.
  GE 0/0/3: VLAN 10 and VLAN 100
  The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.

AC6605
  GE 0/0/1: VLAN 10 and VLAN 100
  VLANIF 10: 10.10.10.254/24
  The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN. VLANIF 10 is the gateway for APs.

Core router
  GE 1/0/1: 172.16.21.254/24
  Gateway for end users.

Server
  AC-Campus: 192.168.11.10
  AD server: 192.168.11.100


Table 1-3 802.1X service data plan (Item: Data / Description)

RADIUS
  RADIUS server: AC-Campus server
  Authentication key: Admin@123
  Accounting key: Admin@123
  Real-time accounting interval: 15 minutes
  Authentication port: 1812
  Accounting port: 1813
  The access control device and AC-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the access control device and AC-Campus. The AC-Campus functioning as the RADIUS server uses ports 1812 and 1813 for authentication and accounting respectively. Admin@123 is a sample value for this guide; in a deployment use a long, random shared key, because RADIUS derives both its password protection and its packet authenticators from it.

Pre-authentication domain: AC-Campus server

Post-authentication domain: Internet

Configuration Roadmap
To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be
used to forward packets between the AC and APs.
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch,
and AC to ensure network connectivity.
2. Set RADIUS interconnection parameters and wireless access service parameters on the
AC to implement wireless 802.1X authentication.
3. Add the AC on the AC-Campus, and configure authentication and authorization.
NOTE

In this example, AD accounts have been synchronized to the basic configuration on the AC-Campus.
In this example, the gateway for end users is deployed on the core router. If the gateway for end users is
deployed on the AC, you only need to configure dhcp select interface in the service VLAN on the AC.
This example provides only configurations of the AC, aggregation switch, and access switch.

Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit

2. Configure the aggregation switch.


<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 10 100
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[S5700-GigabitEthernet0/0/3] quit

3. Configure the AC.

# Configure the AC's interface to allow packets from the service VLAN and mVLAN to
pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
[AC-GigabitEthernet0/0/1] quit

# Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to the APs. If the AC is used as the gateway for end users, configure the gateway IP address and enable DHCP on the AC's interface in the service VLAN.
[AC] dhcp enable
[AC] interface vlanif 10
[AC-Vlanif10] ip address 10.10.10.254 24
[AC-Vlanif10] dhcp select interface
[AC-Vlanif10] quit

# Configure the default route with the core router as the next hop.
[AC] ip route-static 0.0.0.0 0 172.16.21.254
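A check worth running after Step 1 is that each trunk carries exactly the VLANs in Table 1-2: the mVLAN only towards the APs, the service VLAN only towards the core, and both on the AC link. A service VLAN leaked onto an AP-facing port lets user traffic bypass the tunnel forwarding that the configuration roadmap relies on for unified traffic control. The following Python script is an added example, not Huawei code: it parses CLI transcript lines in the prompt form used in this step (the TRANSCRIPT string is assembled from the commands above), compares the result with the plan, and also reports VLANs allowed on a trunk that were never created on that device. The 'leaky' transcript used in the usage note and the interface-name form GigabitEthernet0/0/2 are assumptions of the example.

```python
import re

# Assembled from the Step 1 commands above (constructed transcript, not a device dump).
TRANSCRIPT = """\
[S2700] vlan 10
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S5700] vlan batch 10 100
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[AC] vlan batch 10 100
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
"""

# Table 1-2, keyed by (device prompt name, interface name as shown in the prompt).
PLAN = {
    ("S2700", "GigabitEthernet0/0/2"): {"allowed": {10}},
    ("S2700", "GigabitEthernet0/0/3"): {"allowed": {10}, "pvid": 10},
    ("S5700", "GigabitEthernet0/0/1"): {"allowed": {10}},
    ("S5700", "GigabitEthernet0/0/2"): {"allowed": {100}},
    ("S5700", "GigabitEthernet0/0/3"): {"allowed": {10, 100}},
    ("AC", "GigabitEthernet0/0/1"): {"allowed": {10, 100}},
}

PROMPT = re.compile(r"^\[(?P<ctx>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")
VLAN_DECL = re.compile(r"^vlan (?:batch )?(?P<vlans>[\d to]+)$")
ALLOW = re.compile(r"^(?P<undo>undo )?port trunk allow-pass vlan (?P<vlans>.+)$")
PVID = re.compile(r"^port trunk pvid vlan (?P<vid>\d+)$")


def expand_vlans(spec):
    """'10 100' -> {10, 100}; '10 to 12 100' -> {10, 11, 12, 100}; 'all' -> every VLAN ID."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_transcript(text):
    """Build {device: {'vlans': created VLANs, 'ifaces': {name: trunk state}}} from prompt lines.
    The prompt is split at its first '-', so device names must not contain a dash."""
    devices = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        dev, _, iface = m["ctx"].partition("-")
        entry = devices.setdefault(dev, {"vlans": set(), "ifaces": {}})
        cmd = m["cmd"]
        if not iface:                      # system view: only VLAN creation matters here
            d = VLAN_DECL.match(cmd)
            if d:
                entry["vlans"] |= expand_vlans(d["vlans"])
            continue
        if not iface.startswith("GigabitEthernet"):
            continue                       # vlan10, wlan-view and similar contexts are ignored
        port = entry["ifaces"].setdefault(iface, {"trunk": False, "allowed": set(), "pvid": None})
        a = ALLOW.match(cmd)
        p = PVID.match(cmd)
        if cmd == "port link-type trunk":
            port["trunk"] = True
        elif a:
            vl = expand_vlans(a["vlans"])
            port["allowed"] = port["allowed"] - vl if a["undo"] else port["allowed"] | vl
        elif p:
            port["pvid"] = int(p["vid"])
    return devices


def check_plan(devices, plan):
    """Return one human-readable problem per deviation from the plan; [] means it matches."""
    problems = []
    for (dev, iface), expected in plan.items():
        port = devices.get(dev, {}).get("ifaces", {}).get(iface)
        if port is None:
            problems.append(f"{dev} {iface}: not configured")
            continue
        if not port["trunk"]:
            problems.append(f"{dev} {iface}: not a trunk port")
        if port["allowed"] != expected["allowed"]:
            extra = sorted(port["allowed"] - expected["allowed"])
            missing = sorted(expected["allowed"] - port["allowed"])
            problems.append(f"{dev} {iface}: allow-pass extra={extra} missing={missing}")
        if port["pvid"] != expected.get("pvid"):
            problems.append(f"{dev} {iface}: pvid {port['pvid']} differs from plan {expected.get('pvid')}")
        undeclared = sorted(port["allowed"] - devices[dev]["vlans"])
        if undeclared:
            problems.append(f"{dev} {iface}: allows VLANs never created on the device: {undeclared}")
    return problems


if __name__ == "__main__":
    print(check_plan(parse_transcript(TRANSCRIPT), PLAN) or "plan matches")
```

For the transcript above check_plan returns an empty list. Appending a hypothetical line such as [S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 makes it report the service VLAN as extra on the AP-facing downlink. The script deliberately ignores the default VLAN 1 that VRP trunk ports allow unless removed with undo port trunk allow-pass vlan 1; if "only the mVLAN" in Table 1-2 is meant literally, add that command and extend PLAN accordingly.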

Step 2 [Device] Configure AP online parameters to enable APs to go online automatically after
connecting to a network.
NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.

# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 10 //Configure an mVLAN interface.

# Import the AP offline on the AC and add the AP to the AP group ap-group1. This example
assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP
area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name    Group      IP            Type          State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1  ap-group1  10.10.10.122  AP6010DN-AGN  nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 3 [Device] Configure 802.1X authentication parameters to enable 802.1X authentication.


The following figure shows the process of configuring wireless 802.1X authentication.


1. Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812
source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813
source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the
AC to send the user names entered by users to the RADIUS server.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the
authentication scheme to RADIUS.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time
accounting interval requires high performance of the device and RADIUS server. Set a real-time
accounting interval based on the user quantity.

Table 1-4 Accounting interval

User Quantity   Real-Time Accounting Interval
1 to 99         3 minutes
100 to 499      6 minutes
500 to 999      12 minutes
≥ 1000          ≥ 15 minutes

2. Configure an access profile.


NOTE

An access profile defines the 802.1X authentication protocol and packet processing parameters. By
default, EAP authentication is used.
[AC] dot1x-access-profile name acc_dot1x
[AC-dot1x-access-profile-acc_dot1x] quit

3. Configure an authentication profile.

Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC-authentication-profile-auth_dot1x] radius-server radius_template
[AC-authentication-profile-auth_dot1x] quit

4. Set wireless 802.1X authentication parameters.

# Create the security profile security_dot1x and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_dot1x
[AC-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC-wlan-sec-prof-security_dot1x] quit

# Create the SSID profile wlan-ssid and set the SSID name to dot1x_access.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


Step 4 [Device] Configure resources that authenticated users can access.


The AC-Campus can authorize authenticated users using static ACL, dynamic ACL, or
VLAN. In this example, a static ACL is used.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip
[AC-acl-adv-3001] quit

Step 5 [Device] Configure the escape function, so services are not affected when the AC-Campus
becomes faulty.
[AC] user-group server_down
[AC-user-group-server_down] acl-id 3001 //Specify resources end users can access
after the escape function is enabled.
[AC-user-group-server_down] quit
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] authentication event authen-server-down
action authorize user-group server_down
[AC-authentication-profile-auth_dot1x] quit

Step 6 [AC-Campus] Add the SC server to the AD domain. (AD domain accounts are used for
authentication.)
If 802.1X authentication using the MSCHAPv2 protocol is performed on AD domain
accounts, add the SC server to the AD domain.
By default, the AnyOffice and the built-in 802.1X client of the operating system use the
MSCHAPv2 protocol.
Step 7 [AC-Campus] Add an access control device and connect it to the AC-Campus through
RADIUS.
Choose Resource > Device > Device Management, and add the AC.


AC-Campus Parameters | Command
Authentication/Accounting key | radius-server shared-key cipher Admin@123
Authorization key | radius-server authorization 192.168.11.10 shared-key cipher Admin@123
Real-time accounting interval (minute) | accounting realtime 15

Step 8 [AC-Campus] Configure authentication and authorization rules. End users match the rules
based on specified conditions.
1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.


Add the AD server to Data Source. By default, an authentication rule takes effect only
on the local data source. If the AD server is not added as a data source, AD accounts will
fail to be authenticated.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add an authorization ACL.
The ACL number must be the same as that configured on the authentication control
device.


3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
users after successful authentication.


----End

Verification
1. Use a mobile phone to associate with the SSID dot1x_access, and enter an AD domain
user name and password.
2. Obtain an IP address on the 172.16.21.0/24 network segment after successful
authentication, and access Internet resources using this IP address.
3. Run the display access-user and display access-user user-id user-id commands on the
AC to view detailed online user information.
4. Choose Resource > User > RADIUS Log on the AC-Campus to view RADIUS logs.

1.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users
This example illustrates how to configure Portal authentication on a wireless network to
ensure that only authenticated wireless terminals can connect to the network.


Involved Products and Versions


Product Type Product Name Version

AC-Campus AC-Campus V100R002C10

WLAN AC AC6605 V200R006C20

Access switch S2750EI V200R008C00

Aggregation switch S5720HI V200R008C00

Networking Requirements
A company has about 1000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
- The authentication operations must be simple. The authentication system only performs
access authorization and does not require any client software on user terminals.
- A unified identity authentication mechanism is used to authenticate all terminals
attempting to connect to the campus network and deny access from unauthorized
terminals.
- Employees can connect only to public servers (such as the DHCP and DNS servers) of
the company before authentication, and can connect to both the intranet and Internet after
being authenticated.
- If authenticated employees move out of the wireless coverage area and move in again
within a certain period (60 minutes for example), they can connect to the wireless
network directly, without entering their user names and passwords again. This ensures a
good network access experience for employees.
- Guests can connect only to public servers (such as the DHCP and DNS servers) of the
company before authentication, and can connect only to the Internet after being
authenticated.
- Different authentication pages are pushed to employees and guests.


Figure 1-2 Networking of Portal authentication for wireless users

Requirement Analysis
- The company has no specific requirement on terminal security check and requires simple
operations, without a need to install authentication clients on wireless terminals.
Considering the networking and requirements of the company, Portal authentication can
be used on the campus network.
- Tunnel forwarding is recommended for packets exchanged between the AC and APs,
because this mode ensures that all traffic of wireless users passes through the AC for
unified control.
- To implement interworking on the network, configure VLANs according to the
following plan:
  – Add employees to VLAN 100 and guests to VLAN 101 to isolate employees from
guests.
  – Use VLAN 10 as the mVLAN of the APs.
  – Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch S2750EI to VLAN 10 so
that these interfaces can transparently transmit packets of the APs' mVLAN.
  – On the aggregation switch S5720HI, add GE0/0/1 to mVLAN 10, GE0/0/3 to
mVLAN 10 and service VLANs 100 and 101, and GE0/0/2 to service VLANs 100 and
101. In this way, these interfaces can transparently transmit packets of the
corresponding VLANs as required.


  – Add GE0/0/1 of the AC to mVLAN 10 and service VLANs 100 and 101 so that the
AC can transparently transmit packets of these VLANs.
- Employees and guests are all authenticated on the web pages pushed by the Portal server.
You need to configure different ACL rules to control access rights of employees and
guests.
- Different SSIDs need to be configured for employees and guests so that different
authentication pages can be pushed to them based on their SSIDs.
- Enable MAC address-prioritized Portal authentication to allow employees to connect to
the wireless network without entering user names and passwords when they move in and
out of the wireless coverage area repeatedly within a period (60 minutes for example).
MAC address-prioritized Portal authentication is a function provided by an AC. When
the Portal server needs to authenticate a user, the AC first sends the user terminal's MAC
address to the Portal server for identity authentication. If the authentication fails, the
Portal server pushes the Portal authentication page to the terminal. The user then enters
the account and password for authentication. The RADIUS server caches a terminal's
MAC address and associated SSID during the first authentication for the terminal. If the
terminal is disconnected and then connected to the network within the MAC address
validity period, the RADIUS server searches for the SSID and MAC address of the
terminal in the cache to authenticate the terminal.
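The MAC address-prioritized flow just described, as an added example that is not part of the original guide or Huawei's code: a small model of the server-side (SSID, MAC) cache with the 60-minute validity period, and the outcome the AC sees for repeated associations. The account store, the password and the MAC address are constructed.

```python
from dataclasses import dataclass, field

MAC_VALIDITY_SECONDS = 60 * 60   # the page's example validity period: 60 minutes


@dataclass
class MacPriorityPortalAuth:
    """Model of the server side of MAC address-prioritized Portal authentication.
    The cache is keyed on (SSID, MAC) because the server looks up both; the
    account dictionary is a constructed stand-in for the AD/RADIUS back end."""
    accounts: dict                              # user name -> password (constructed)
    cache: dict = field(default_factory=dict)   # (ssid, mac) -> expiry time (seconds)

    def mac_auth(self, ssid: str, mac: str, now: float) -> bool:
        """Step 1: the AC submits only the terminal MAC address. This succeeds only
        if the same MAC was authenticated on the same SSID within the validity
        period; an expired entry is purged so it cannot be reused later."""
        key = (ssid, mac.lower())
        expiry = self.cache.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.cache[key]
            return False
        return True

    def portal_auth(self, ssid: str, mac: str, username: str, password: str, now: float) -> bool:
        """Step 2: the user fills in the Portal page. On success the server records
        (SSID, MAC) with its expiry so the next association inside the window
        skips the page. The validity is not refreshed by later MAC hits."""
        if self.accounts.get(username) != password:
            return False
        self.cache[(ssid, mac.lower())] = now + MAC_VALIDITY_SECONDS
        return True

    def associate(self, ssid: str, mac: str, now: float, credentials=None) -> str:
        """Outcome of one association attempt as the AC would see it."""
        if self.mac_auth(ssid, mac, now):
            return "online-mac"       # no page pushed, no credentials needed
        if credentials is None:
            return "portal-page"      # Portal authentication page pushed to the terminal
        if self.portal_auth(ssid, mac, *credentials, now):
            return "online-portal"
        return "denied"


def demo_employee_roaming() -> tuple:
    """Constructed timeline: first login via the page, a return 30 minutes later,
    a try on the guest SSID, and a return after the validity period has elapsed."""
    srv = MacPriorityPortalAuth(accounts={"alice": "Secret_1"})   # constructed account
    mac = "60DE-4476-AA01"                                         # constructed terminal MAC
    first = srv.associate("employee", mac, now=0)                                     # portal-page
    login = srv.associate("employee", mac, now=5, credentials=("alice", "Secret_1"))  # online-portal
    back_soon = srv.associate("employee", mac, now=30 * 60)                           # online-mac
    other_ssid = srv.associate("guest", mac, now=31 * 60)                             # portal-page
    back_late = srv.associate("employee", mac, now=3 * 60 * 60)                       # portal-page
    return first, login, back_soon, other_ssid, back_late
```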

VLAN Plan

Table 1-5 Wireless VLAN plan

VLAN ID Function

10 mVLAN for wireless access

100 Service VLAN for employees

101 Service VLAN for guests

Network Data Plan

Table 1-6 Wireless network data plan

Item: Access switch S2750EI
- GE0/0/1, VLAN 10: Connected to the AP in the guest area.
- GE0/0/2, VLAN 10: Connected to the S5720HI.
- GE0/0/3, VLAN 10: Connected to the AP in the employee area.

Item: Aggregation switch S5720HI
- GE0/0/1, VLAN 10: Connected to the access switch.
- GE0/0/2, VLAN 100 and VLAN 101: Uplink interface that is connected to the core router and allows packets only from the service VLAN to pass through.
- GE0/0/3, VLAN 10, VLAN 100, and VLAN 101: Connected to the AC. The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.

Item: AC6605
- GE0/0/1, VLAN 10, VLAN 100, and VLAN 101: The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.
- VLANIF 10, 10.10.10.254/24: Gateway for APs.

Item: Core router
- GE1/0/1, 172.16.21.254/24
- Sub-interface GE1/0/1.1, 172.20.0.1/16: Functions as the gateway for employees.
- Sub-interface GE1/0/1.2, 172.21.0.1/16: Functions as the gateway for guests.

Item: Server
- DNS server: 192.168.11.1
- AC-Campus: 192.168.11.10
- AD server: 192.168.11.100
- DHCP server: 192.168.11.2
  – Employee: IP address pool 172.20.0.0/16; DNS server 192.168.11.1
  – Guest: IP address pool 172.21.0.0/16; DNS server 192.168.11.1
- Service system: 192.168.11.200

Service Data Plan

Table 1-7 Portal service data plan

Item: RADIUS
Data:
- RADIUS server: AC-Campus server
- RADIUS client: AC
- Authentication key: Admin@123
- Accounting key: Admin@123
- Real-time accounting interval: 15 minutes
- Authentication port: 1812
- Accounting port: 1813
Description: The access control device and AC-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the access control device and AC-Campus. The AC-Campus functioning as the RADIUS server uses ports 1812 and 1813 for authentication and accounting respectively.

Item: Portal
Data:
- Portal server: AC-Campus server with domain name access.example.com
- Portal key: Admin@123
- Portal server port: 50200
- Port of the authentication control device for associating with the Portal server: 2000
Description: When Portal pages are pushed using a domain name, the AC-Campus server's domain name is required. The AC-Campus functioning as the Portal server uses port 50200 as the Portal server port. When a Huawei switch or AC functions as the authentication control device to provide Portal authentication, the switch or AC uses port 2000 by default to associate with the Portal server.

Item: Pre-authentication domain
Data: DNS server, AC-Campus, AD server, and DHCP server
Description: -

Item: Post-authentication domain for employees
Data: Service system and Internet
Description: -

Item: Post-authentication domain for guests
Data: Internet
Description: -

Configuration Roadmap
1. Configure the access switch, aggregation switch, and AC to implement interworking on
the network.
2. On the AC, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP address of the Portal
server. In this way, the AC can communicate with the RADIUS server and Portal server
to perform MAC address-prioritized Portal authentication for employees.
3. Add the AC to the Service Manager and configure parameters for the AC to ensure that
the AC-Campus can manage the AC.
4. Configure authentication and authorization rules to grant different network access rights
to the authenticated employees and guests.
5. Customize different authentication pages for employees and guests, and configure Portal
page push rules to ensure that different web pages are pushed to employees and guests.

Prerequisites
You have configured a sub-interface, assigned an IP address to the sub-interface, and enabled
DHCP relay on the core router to enable terminals to automatically obtain IP addresses from
the DHCP server on a different network segment.


Procedure
Step 1 [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/1
[S2700-GigabitEthernet0/0/1] port link-type trunk
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit

Step 2 [Device] Configure the aggregation switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 10 100 101
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100 101
[S5700-GigabitEthernet0/0/3] quit

Step 3 [Device] Configure the AC to ensure network connectivity.

# Add GE0/0/1 connected to the aggregation switch to mVLAN 10 and service VLANs 100
and 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 101
[AC-GigabitEthernet0/0/1] quit

# Configure the AC to assign IP addresses to APs from an interface address pool.
[AC] dhcp enable
[AC] interface vlanif 10
[AC-Vlanif10] ip address 10.10.10.254 24
[AC-Vlanif10] dhcp select interface
[AC-Vlanif10] quit

# Configure a default route that the AC uses to communicate with the server. Packets are
forwarded to the core router by default.
[AC] ip route-static 0.0.0.0 0 172.16.21.254

Step 4 [Device] Configure the AP to go online.


NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.

# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest //Configure an AP group for guests.
[AC-wlan-ap-group-guest] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 10

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, the MAC address of AP_0 serving the employee area is
60de-4476-e360, and the MAC address of AP_1 serving the guest area is 60de-4476-e380.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap_0
[AC-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name ap_1
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name Group    IP           Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0 employee 10.10.10.252 AP6010DN-AGN nor   0   10S
1  60de-4476-e380 ap_1 guest    10.10.10.253 AP6010DN-AGN nor   0   20S
-------------------------------------------------------------------------------------
Total: 2

Step 5 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.

Figure 1-3 Configuration flow for Portal authentication service

# Configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 1-8 Accounting interval

User Quantity | Real-Time Accounting Interval
1 to 99 | 3 minutes
100 to 499 | 6 minutes
500 to 999 | 12 minutes
≥ 1000 | ≥ 15 minutes

# Check whether a user can be authenticated through the RADIUS server template. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.
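To show what the test-aaa check exercises, here is an added example (not Huawei code) that builds the RFC 2865 Access-Request the AC would send for a PAP test, decodes it on the server side with the shared key, and verifies the Access-Accept's Response Authenticator. The shared key Admin@123 and the account test/Admin_123 come from the configuration above; the fixed Request Authenticator and the account store are constructed.

```python
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"Admin@123"          # radius-server shared-key cipher Admin@123
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    The strength of this hiding rests entirely on the shared key."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_decode_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Type/Length/Value list to {type: value}; rejects truncated attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, request_auth: bytes = None) -> bytes:
    """What the AC sends to 192.168.11.10:1812 for a PAP test."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable in real use
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, pap_encode_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_check_pap(request: bytes, secret: bytes, accounts: dict) -> bool:
    """AC-Campus side: decode the password with its copy of the shared key and
    compare it with the stored credential. A key mismatch yields garbage."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        return False
    attrs = parse_attributes(request[20:])
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    got = pap_decode_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    expected = accounts.get(attrs[ATTR_USER_NAME])
    return expected is not None and hmac.compare_digest(got, expected)


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return packet(ACCESS_ACCEPT, identifier, auth, attrs)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """AC side: accept a reply only if its Response Authenticator matches, which
    needs both the shared key and the Request Authenticator the AC itself sent.
    This is why the key in the template and on the AC-Campus must be identical."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo() -> tuple:
    """Constructed exchange for user test / Admin_123 with a fixed Request Authenticator."""
    request_auth = bytes(range(16))
    req = build_access_request(b"test", b"Admin_123", SHARED_SECRET, 7, request_auth)
    accepted = server_check_pap(req, SHARED_SECRET, {b"test": b"Admin_123"})
    resp = build_access_accept(req, SHARED_SECRET)
    return accepted, verify_response(resp, req, SHARED_SECRET), verify_response(resp, req, b"Wrong@123")
```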

# Configure the Portal server.
1. Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the website to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast
page pushing. Before configuring the URL using a domain name, you must first
configure the mapping between the domain name and IP address of the AC-Campus
server on the DNS server.
[AC] url-template name huawei
[AC-url-template-huawei] url http://access.example.com:8080/portal //access.example.com is the host name of the Portal server.

2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC-url-template-huawei] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid indicates the parameter name, and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the Portal server to specify to which URL users' access requests will be redirected.
[AC-url-template-huawei] quit
3. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the AC-Campus.
[AC] web-auth-server listening-port 2000
4. Configure a Portal server template, including configuring the IP address and port number
of the Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC] web-auth-server portal_huawei
[AC-web-auth-server-portal_huawei] server-ip 192.168.11.10 //IP address for
the Portal server.
[AC-web-auth-server-portal_huawei] source-ip 10.10.10.254 //The IP address
that the AC uses to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.
5. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC-web-auth-server-portal_huawei] url-template huawei //Bind the URL
template to the Portal server profile.
6. Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than the minimum number (specified by the critical-num parameter), the device
performs the corresponding operation to allow the administrator to obtain the real-time
Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC-web-auth-server-portal_huawei] server-detect interval 100 max-times 5
critical-num 1 action log
7. (Optional) Enable user information synchronization.
The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Without it, user information on the device and on the Portal
server may become inconsistent and accounting may be inaccurate. The user information
synchronization interval must be greater than 300s. (The AC-Campus responds to probe
packets of a switch or AC at an interval of 5 minutes.) If the synchronization interval is
shorter than 300s, users may go offline after passing authentication. You are advised to
set the user information synchronization interval to 500s, that is, set interval to 100 and
max-times to 5.


[AC-web-auth-server-portal_huawei] user-sync interval 100 max-times 5
[AC-web-auth-server-portal_huawei] quit

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC] portal quiet-period
[AC] portal quiet-times 5 //Set the maximum number of authentication failures in
60 seconds before a Portal authentication is set to quiet state.
[AC] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

# Create a Portal access profile, and bind the Portal server template to it.
In this example, different Portal survival solutions need to be configured for employees and
guests respectively. Therefore, configure two Portal access profiles.
[AC] portal-access-profile name acc_portal_employee //Create a Portal access profile for employees.
[AC-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer 3 network, configure the layer3 mode.
[AC-portal-access-profile-acc_portal_employee] quit
[AC] portal-access-profile name acc_portal_guest //Create a Portal access profile for guests.
[AC-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
[AC-portal-access-profile-acc_portal_guest] quit

# Create a MAC access profile so that MAC address-prioritized Portal authentication is
performed on employees.
[AC] mac-access-profile name acc_mac
[AC-mac-access-profile-acc_mac] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
[AC-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the AD server before authentication.
[AC-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DHCP server before authentication.
[AC-free-rule-default_free_rule] quit
[AC] acl 3001 //Configure the post-authentication domain for employees, including the intranet and Internet.
[AC-acl-adv-3001] rule 5 permit ip
[AC-acl-adv-3001] quit
[AC] acl 3002 //Configure the post-authentication domain for guests, including the Internet.
[AC-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 255.255.255.255 //192.168.11.200 is the service system IP address and cannot be accessed by guests.
[AC-acl-adv-3002] rule 10 permit ip
[AC-acl-adv-3002] quit

# Configure different authentication profiles for employees and guests respectively because
MAC address-prioritized Portal authentication needs to be enabled for employees.
[AC] authentication-profile name auth_portal_employee
[AC-authentication-profile-auth_portal_employee] mac-access-profile acc_mac //Enable MAC address-prioritized authentication for employees.
[AC-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
[AC-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme


[AC-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_employee] radius-server radius_template
[AC-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
[AC-authentication-profile-auth_portal_employee] quit
[AC] authentication-profile name auth_portal_guest
[AC-authentication-profile-auth_portal_guest] portal-access-profile acc_portal_guest
[AC-authentication-profile-auth_portal_guest] authentication-scheme auth_scheme
[AC-authentication-profile-auth_portal_guest] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_guest] radius-server radius_template
[AC-authentication-profile-auth_portal_guest] free-rule-template default_free_rule
[AC-authentication-profile-auth_portal_guest] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC] dhcp snooping enable
[AC] device-sensor dhcp option 12 55 60
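As an added example (not Huawei code), a parser for the three DHCP options that the device-sensor command above relays to the authentication server: Host Name (12), Parameter Request List (55) and Vendor Class Identifier (60). The sample Discover options are constructed; the Agile Controller's own terminal-type matching rules are not described on this page and are not modelled.

```python
"""Parse the DHCP options forwarded by `device-sensor dhcp option 12 55 60`.
Added illustration for this guide; option encoding follows RFC 2132."""

OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME, OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS_ID = 12, 55, 60
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # marker that precedes the options area


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV option list of a DHCP message and return {code: value}.

    PAD (0) is a single byte without a length; END (255) terminates the list.
    A truncated option raises ValueError rather than yielding a partial value.
    """
    parsed = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        # RFC 3396 lets a long option be split into several TLVs: concatenate.
        parsed[code] = parsed.get(code, b"") + value
        i += 2 + length
    return parsed


def sensor_fields(packet: bytes) -> dict:
    """Extract the fields the AC relays for terminal type awareness from a
    DHCP options area that starts with the magic cookie."""
    if not packet.startswith(MAGIC_COOKIE):
        raise ValueError("not a DHCP options area (magic cookie missing)")
    opts = parse_dhcp_options(packet[len(MAGIC_COOKIE):])
    return {
        "host_name": opts.get(OPT_HOST_NAME, b"").decode("ascii", "replace"),
        "param_request_list": list(opts.get(OPT_PARAM_REQUEST_LIST, b"")),
        "vendor_class": opts.get(OPT_VENDOR_CLASS_ID, b"").decode("ascii", "replace"),
    }


def build_options(fields: dict) -> bytes:
    """Encode {code: bytes} as a DHCP options area (used to build the sample)."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in fields.items())
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample: the options of a laptop's DHCP Discover (values made up
# for this example; "MSFT 5.0" is the vendor class Windows clients send).
SAMPLE_OPTIONS = build_options({
    53: bytes([1]),                                   # DHCP Message Type: Discover
    OPT_HOST_NAME: b"laptop-01",
    OPT_PARAM_REQUEST_LIST: bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
    OPT_VENDOR_CLASS_ID: b"MSFT 5.0",
})


if __name__ == "__main__":
    for name, value in sensor_fields(SAMPLE_OPTIONS).items():
        print("%-20s %s" % (name, value))
```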

# Configure Portal survival. Configure the device to grant network access rights of a user
group to users when the Portal server is Down so that the users can access the post-
authentication domain. In addition, configure the device to re-authenticate users when the
Portal server goes Up.
[AC] user-group group1
[AC-user-group-group1] acl 3001 //Employees' post-authentication domain corresponding to group1.
[AC-user-group-group1] quit
[AC] portal-access-profile name acc_portal_employee
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1 //Configure the network access permission of employees when the Portal server is Down.
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC-portal-access-profile-acc_portal_employee] quit
[AC] user-group group2
[AC-user-group-group2] acl 3002 //Guests' post-authentication domain corresponding to group2.
[AC-user-group-group2] quit
[AC] portal-access-profile name acc_portal_guest
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2 //Configure the network access permission of guests when the Portal server is Down.
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
[AC-portal-access-profile-acc_portal_guest] quit
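The pre-authentication free rules, the two post-authentication ACLs and the Portal survival events configured above, modelled together in Python as an added example for this guide (not device code). It assumes first-match ACL evaluation with an implicit deny, and that the re-authentication triggered by portal-server-up applies to the users who received survival rights; the class and function names are the example's own.

```python
"""Access decisions of the AC for this example's Portal configuration:
free rules (pre-authentication domain), ACL 3001/3002 (post-authentication
domains) and Portal survival. Added illustration; not Huawei code."""
import ipaddress

# Portal authentication-free rules from free-rule-template default_free_rule.
FREE_RULES = [
    ipaddress.ip_network("192.168.11.1/32"),    # DNS server
    ipaddress.ip_network("192.168.11.100/32"),  # AD server
    ipaddress.ip_network("192.168.11.2/32"),    # DHCP server
]

# Advanced ACLs as ordered (action, destination) rules; None matches any host.
ACLS = {
    3001: [("permit", None)],                                    # employees: everything
    3002: [("deny", ipaddress.ip_network("192.168.11.200/32")),  # service system
           ("permit", None)],                                    # guests: Internet
}

# user-group -> ACL, and the user-group each Portal access profile authorises
# on the portal-server-down event.
USER_GROUPS = {"group1": 3001, "group2": 3002}
SURVIVAL_GROUP = {"acc_portal_employee": "group1", "acc_portal_guest": "group2"}


def acl_permits(acl_number, dst):
    """First matching rule decides; an ACL with no matching rule denies (assumption)."""
    for action, network in ACLS[acl_number]:
        if network is None or dst in network:
            return action == "permit"
    return False


class PortalUser:
    """One wireless user on a VAP bound to the given Portal access profile."""

    def __init__(self, profile):
        self.profile = profile
        self.state = "pre-auth"  # pre-auth | authenticated | survival
        self.acl = None

    def on_auth_success(self, acl_number):
        """Portal authentication succeeded and the AC-Campus authorised an ACL."""
        self.state, self.acl = "authenticated", acl_number

    def on_portal_server_down(self):
        """Survival: users still waiting to authenticate get the user-group rights."""
        if self.state == "pre-auth":
            self.state = "survival"
            self.acl = USER_GROUPS[SURVIVAL_GROUP[self.profile]]

    def on_portal_server_up(self):
        """re-authen: survival users lose the temporary rights and authenticate again
        (modelling assumption: only users granted survival rights are affected)."""
        if self.state == "survival":
            self.state, self.acl = "pre-auth", None

    def may_reach(self, dst_ip):
        """Would the AC forward this user's traffic to dst_ip?"""
        dst = ipaddress.ip_address(dst_ip)
        if self.state == "pre-auth":
            return any(dst in net for net in FREE_RULES)
        return acl_permits(self.acl, dst)


if __name__ == "__main__":
    guest = PortalUser("acc_portal_guest")
    print("guest before auth, Internet:", guest.may_reach("203.0.113.10"))   # False
    guest.on_portal_server_down()
    print("guest during survival, Internet:", guest.may_reach("203.0.113.10"))  # True
    print("guest during survival, service system:", guest.may_reach("192.168.11.200"))  # False
    guest.on_portal_server_up()
    print("guest after server up, Internet:", guest.may_reach("203.0.113.10"))  # False
```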

Step 6 [Device] Set WLAN service parameters.

# Create the security profile security_portal and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_portal
[AC-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC-wlan-view] ssid-profile name wlan-ssid-employee
[AC-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid-employee] quit
[AC-wlan-view] ssid-profile name wlan-ssid-guest
[AC-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid-guest] quit


# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap-employee
[AC-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
[AC-wlan-vap-prof-wlan-vap-employee] quit
[AC-wlan-view] vap-profile name wlan-vap-guest
[AC-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest //Bind the authentication profile of guests.
[AC-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit

Step 7 [AC-Campus] Add the AC to the Service Manager to enable the AC-Campus to manage the
AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.


Parameter | Value | Description
Name | AC | -
IP address | 10.10.10.254 | The AC1 interface with this IP address must be able to communicate with the AC-Campus.
Authentication key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the AC.
Accounting key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the AC.
Real-time accounting interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the AC.
Port | 2000 | This is the port that the AC uses to communicate with the Portal server. Retain the default value.
Portal key | Admin@123 | It must be the same as the Portal key configured on the AC.
Access terminal IP list | 172.20.0.0/16; 172.21.0.0/16 | You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.
Enable heartbeat between access device and Portal server | Select | The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.
Portal server IP list | 192.168.11.10 | The Portal server's IP address; see the description of Enable heartbeat between access device and Portal server.

4. Click OK.
Step 8 [AC-Campus] Add SSIDs on the AC-Campus, so that the AC-Campus can authorize users
through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.


Step 9 [AC-Campus] Configure authentication and authorization.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only
on the local data source. If the AD server is added as a data source, AD accounts will fail
to be authenticated.


2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.


3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.


4. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.


Step 10 [AC-Campus] Customize a Portal authentication page for employees.


1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the authentication page.

Parameter | Value | Description
Customize page name | Authentication page for employee | -
Page Title | Web | This web title will be displayed on the authentication page.
Self Register | Deselected | -

4. Select an authentication page template for employee authentication at the bottom of the
page, and click Next.


5. Click Next, select an authentication page template for employee authentication, and
select English from the Choose the language template drop-down list box.

6. Click Next.
Employees do not need to log in using mobile phones and can therefore skip this step.
7. Click Next. Set Authentication Page, Authentication Success Page, and User Notice
Page.

8. After completing the configuration, click Publish.


Step 11 [AC-Campus] Customize a Portal authentication page for guests.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the page.


Parameter | Value | Description
Customize page name | Authentication page for guest | -
Page title | Web | This web title will be displayed on the authentication page.
Self Register | Selected | -
Guest account policy | Self-registration_approval free_valid for 8 hours | -

4. Click Next, select an authentication page template for guest authentication, and select
English from the Choose the language template drop-down list box.


5. Click Next. Set Authentication Page, Authentication Success Page, User Notice
Page, Registration Page, and Registration Success Page.

6. Click Next to set the PC authentication pages.


7. After completing the configuration, click Publish.


Step 12 [AC-Campus] Configure Portal page push rules to ensure that different authentication pages
are pushed to employees and guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
2. Click Add.
3. Configure a Portal page push rule for employees and click OK.


Parameter | Value | Description
Name | push rule for employee | -
User-defined parameters | ssid=employee | For details about User-defined parameters, see 1.12.3 Defining a Redirection Rule for the Portal Page.
Pushed page | Select the authentication page configured in Step 10. | The Service Manager automatically saves each page in an independent folder.
First page to push | Authentication | -
URL | Retain the default value. | -
Page displayed after successful authentication | Continue to visit the original page | The original page before authentication is automatically displayed after authentication succeeds.

4. Configure push rules for guests in a similar way and click OK.


5. Click OK.
Step 13 [AC-Campus] Enable MAC address-prioritized Portal authentication on the AC-Campus.
1. Choose System > Terminal Configuration > Global Parameters.
2. On the MAC Address-prioritized Portal Authentication tab page, enable MAC
Address-prioritized Portal Authentication and set Mac Address-Prioritized Portal
Authentication to 60 minutes.


3. Click OK.

----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.


3. Click OK.


Item | Expected Result

Employee authentication:
- Employees can only access the AC-Campus server, DNS server, AD server, and DHCP server before authentication.
- When an employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet or service system, the employee authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- After employees are successfully authenticated, they can access the Internet and service system.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the employee account is online.
- On the Service Manager, choose Resource > User > Online User Management; the employee account is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log; the RADIUS authentication log for the employee account is displayed.

Guest authentication:
- Guests can only access the AC-Campus server, DNS server, and DHCP server before authentication.
- When a guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the Mobile Phone authentication page is pushed to the mobile phone. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- When a guest connects to the Wi-Fi hotspot guest using a laptop or tablet, the PC/Pad authentication page is pushed to the laptop or tablet. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- After guests are successfully authenticated using the accounts registered with their mobile numbers, they can access the Internet but not the service system.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the guest account is online.
- On the Service Manager, choose Resource > User > Online User Management; the guest account is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log; the RADIUS authentication log for the guest account is displayed.

Summary and Suggestions

- The authentication key, accounting key, and Portal key must be kept consistent on the AC and AC-Campus. The accounting interval set on the AC-Campus must also be the same as that on the AC.


- Authorization rules or Portal page push rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition or Portal push condition of a user matches a rule, the AC-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the AC to enable the AC-Campus to obtain online user information by exchanging accounting packets with the AC. The AC-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.

1.3 Example for Configuring Wireless MAC Address Authentication
This section describes how to configure wireless MAC address authentication for dumb
terminals such as IP phones, printers, and cameras to access networks in wireless mode.

Involved Products and Versions

Product Type | Product Name | Version
AC-Campus | AC-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00

Networking Requirements
As shown in Figure 1-4, dumb terminals such as printers and IP phones in the confidential
service office of a company associate with the AP through the mac_access SSID, and connect
to the intranet through the access switch S2750EI, aggregation switch S5720HI, and core
router. If unauthorized terminals access the intranet, the business system of the company may
be attacked or key information may leak. The administrator requests to control network access
permission of users on the AC to ensure intranet security. In addition, the AC functions as a
DHCP server to assign IP addresses on the 10.10.10.0/24 network segment to APs, and
centrally manages all users.
To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be
used to forward packets between the AC and APs.
AnyOffice cannot be installed on dumb terminals such as printers and IP phones in the
confidential service office. Therefore, wireless MAC address authentication can be used so
that the AC can send MAC addresses of the terminals as user information to the RADIUS
server for authentication.


Figure 1-4 Networking of MAC address authentication

Data Plan

Table 1-9 Wireless VLAN plan

VLAN ID | Function
10 | mVLAN for wireless access
100 | Service VLAN for wireless access


Table 1-10 Wireless network data plan

Item | Data | Description
Access switch S2750EI | GE0/0/2: VLAN 10; GE0/0/3: VLAN 10 | The uplink and downlink interfaces allow packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
Aggregation switch S5720HI | GE0/0/1: VLAN 10 | This downlink interface allows packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
Aggregation switch S5720HI | GE0/0/2: VLAN 100 | This uplink interface allows packets only from the service VLAN to pass through.
Aggregation switch S5720HI | GE0/0/3: VLAN 10 and VLAN 100 | The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.
AC6605 | GE0/0/1: VLAN 10 and VLAN 100; VLANIF 10: 10.10.10.254/24 | The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN. VLANIF 10 is the gateway for APs.
Core router | GE1/0/1: 172.16.21.254/24 | Gateway for dumb terminals
Server | DNS server: 192.168.11.1; AC-Campus: 192.168.11.10 | -


Table 1-11 Service data plan for wireless MAC address authentication

Item | Data | Description
RADIUS | RADIUS server: AC-Campus server; Authentication key: Admin@123; Accounting key: Admin@123; Real-time accounting interval: 15 minutes; Authentication port: 1812; Accounting port: 1813 | The access control device and AC-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the access control device and AC-Campus. The AC-Campus functioning as the RADIUS server uses ports 1812 and 1813 for authentication and accounting respectively.
Pre-authentication domain | DNS server and AC-Campus | -
Post-authentication domain | Internet | -

Configuration Roadmap
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch,
and AC to ensure network connectivity.
2. Set RADIUS interconnection parameters and MAC address authentication parameters on
the AC to implement wireless MAC address authentication.
3. Add the AC on the AC-Campus, and configure authentication and authorization.
NOTE

In this example, the gateway for dumb terminals is deployed on the core router. If the gateway for dumb
terminals is deployed on the AC, you only need to configure dhcp select interface in the service VLAN on
the AC.
This example provides only configurations of the AC, aggregation switch, and access switch.

Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit


[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit

2. Configure the aggregation switch.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 10 100
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[S5700-GigabitEthernet0/0/3] quit

3. Configure the AC.
# Configure the AC's interface to allow packets from the service VLAN and mVLAN to
pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
[AC-GigabitEthernet0/0/1] quit

# Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to
the APs. If the AC is used as the gateway for dumb terminals, configure the gateway IP
address and enable DHCP on the AC's interface in the service VLAN.
[AC] dhcp enable
[AC] interface vlanif 10
[AC-Vlanif10] ip address 10.10.10.254 24
[AC-Vlanif10] dhcp select interface
[AC-Vlanif10] quit

# Configure the default route with the core router as the next hop.
[AC] ip route-static 0.0.0.0 0 172.16.21.254

Step 2 [Device] Configure AP online parameters to enable APs to go online automatically after
connecting to a network.
NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.

# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.


[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 10 //The mVLAN (management VLAN) interface.

# Import the AP offline on the AC and add the AP to the AP group ap-group1. This example
assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP
area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio. Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP            Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.10.10.122  AP6010DN-AGN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 3 [Device] Configure MAC address authentication parameters to enable MAC address
authentication for dumb terminals.
The following figure shows the process of configuring wireless MAC address authentication.


1. Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Send the user name to the RADIUS server as entered, without modification.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Use RADIUS authentication.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Use RADIUS accounting.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time
accounting interval requires high performance of the device and RADIUS server. Set a real-time
accounting interval based on the user quantity.

Table 1-12 Accounting interval

User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

2. Configure an access profile.
NOTE
In a MAC access profile, the MAC address without hyphens (-) is used as both the user name
and the password for MAC address authentication.
[AC] mac-access-profile name mac
[AC-mac-access-profile-mac] quit

3. Configure an authentication profile.

Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name mac
[AC-authentication-profile-mac] mac-access-profile mac
[AC-authentication-profile-mac] authentication-scheme auth_scheme
[AC-authentication-profile-mac] accounting-scheme acco_scheme
[AC-authentication-profile-mac] radius-server radius_template
[AC-authentication-profile-mac] quit

4. Set wireless MAC authentication parameters.

# Create the security profile security-mac. No security policy is set in it, so the default
open system policy applies: the dumb terminals are admitted by MAC address authentication,
not by a Wi-Fi key, and their traffic on this SSID is not encrypted over the air.
[AC] wlan
[AC-wlan-view] security-profile name security-mac
[AC-wlan-sec-prof-security-mac] quit

# Create the SSID profile wlan-ssid and set the SSID name to mac_access.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid mac_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security-mac
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile mac
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
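
The following is an added example, not part of the Huawei guide: a Python model of the RADIUS Access-Request that the AC sends for MAC bypass authentication, built and decoded with the RFC 2865 rules. It uses the page's shared key Admin@123, the source IP 10.10.10.254 and the rule from the NOTE in step 2 that the MAC address without hyphens is both user name and password. The attribute set (User-Name, User-Password, NAS-IP-Address, Calling-Station-Id), the hyphenated upper-case form of Calling-Station-Id and the terminal MAC 00-11-22-33-44-55 are assumptions, and the RFC 3579 Message-Authenticator is not modelled.

```python
# Added example (not from the Huawei guide): the RADIUS Access-Request that MAC bypass
# authentication produces, built and checked with RFC 2865 rules.
# From the page: shared key Admin@123, source IP 10.10.10.254, MAC without hyphens as
# user name and password. Assumptions: the attribute set, the hyphenated upper-case
# Calling-Station-Id, and the terminal MAC 00-11-22-33-44-55 (the page's placeholder).
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31


def mac_to_username(mac):
    """MAC access profile default: the MAC with separators removed, lower case."""
    return mac.replace("-", "").replace(":", "").lower()


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server computes it."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(code, value):
    """RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(mac, nas_ip, secret, ident=1, authenticator=None):
    """Packet the NAS (the AC) sends: code 1, id, length, 16-byte authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    user = mac_to_username(mac).encode()
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(user, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_CALLING_STATION_ID, mac.upper().encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """Server-side view: split the attributes and recover the hidden password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return {
        "code": code,
        "id": ident,
        "user_name": attrs[ATTR_USER_NAME].decode(),
        "password": password.decode("ascii", "replace"),
        "calling_station_id": attrs[ATTR_CALLING_STATION_ID].decode(),
    }


def mac_auth_decision(packet, secret, allowed_macs):
    """What the MAC bypass check on the RADIUS server boils down to: the user name must be
    in the allowed device group and the password must equal it. True means permit."""
    req = parse_access_request(packet, secret)
    return req["user_name"] in allowed_macs and req["password"] == req["user_name"]


if __name__ == "__main__":
    pkt = build_access_request("00-11-22-33-44-55", "10.10.10.254", b"Admin@123")
    print(parse_access_request(pkt, b"Admin@123"))
    print("permit" if mac_auth_decision(pkt, b"Admin@123", {"001122334455"}) else "reject")
```

Two things the model makes visible. The "password" is the MAC address, which any listener on the open SSID can read and spoof, so the strength of this scheme is the device list on the AC-Campus and nothing more. And RFC 2865 User-Password hiding is obfuscation keyed on the shared secret, not encryption: anyone holding Admin@123 and a copy of the packet recovers the password, and a wrong secret on either side silently turns every request into a reject, which is why the AC-to-192.168.11.10 RADIUS path belongs on a management network and the keys in the Device Management page must match the AC exactly.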

Step 4 [AC-Campus] Add an access control device and connect it to the AC-Campus through
RADIUS.


Choose Resource > Device > Device Management, and add the AC. The values entered on the
AC-Campus must match the commands configured on the AC:

AC-Campus Parameter                        Command on the AC
Authentication/Accounting key              radius-server shared-key cipher Admin@123
Authorization key                          radius-server authorization 192.168.11.10 shared-key cipher Admin@123
Real-time accounting interval (minutes)    accounting realtime 15

Step 5 [AC-Campus] Configure authentication and authorization rules. End users match the rules
based on specified conditions.
1. Add authentication rules.


# Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule.
# Click Add.
# Set the parameters of authentication rules.
– Service Type: MAC Bypass Authentication Service

# Click OK.
2. Add the devices that require MAC authentication.
# Choose Resource > Terminal > Terminal List.
# Select the first node in the Device Group list and click Add in the right-side window
to create a device group for MAC authentication, such as device group MAC.
# Select MAC in the Device Group list. On the Device List tab page in the right-side
window, click Add and enter the MAC address of the device, such as
00-11-22-33-44-55.


# Click OK.
# Repeat the preceding steps to add all devices that require MAC authentication to
device group MAC. The AC-Campus supports batch import of device MAC addresses.
For details, see Example in 1.12.5 Configuring MAC Address Authentication.
3. Add authorization rules.
# Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule.
# Click Add.
# Set the parameters of authorization rules.


– Service Type: MAC Bypass Authentication Service


– Terminal Group: MAC
– Authorization Result: Permit Access

# Click OK.
# Repeat the preceding operations to create any further authorization rules. A device that
attempts to access the network without passing MAC authentication is not allowed onto the
network.


----End

Result
- After the configuration is complete, run the display mac-authen command on the AC to
view the MAC address authentication configuration.
- After a dumb terminal associates with the WLAN with the SSID mac_access, the AC
automatically uses the dumb terminal's MAC address as the user name and password for
authentication. After successful authentication, the dumb terminal can access the Internet.
- After the dumb terminal goes online, run the display access-user access-type mac-authen
command on the AC to view information about the online MAC address authentication user.
- Choose Resource > User > RADIUS Log on the AC-Campus to view RADIUS logs.


1.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS
Before accessing a network in wireless mode using a terminal running the Android, iOS, or
Windows OS, you need to associate the terminal with the initialization SSID to download the
network configuration tool or configuration file. After the terminal automatically completes
network configuration, the user can access the network through 802.1X.

Involved Products and Versions

Item                              Product                  Version
AP                                AP6010DN-AGN             V200R006C20
AC                                AC6605                   V200R006C20
Portal server and RADIUS server   AC-Campus                V100R002C10
Windows CA server                 Windows Server 2008 R2   Windows Server 2008 R2 Enterprise

Networking Requirements
To ensure network access security, an enterprise requires users to pass 802.1X certificate
authentication before they access the network. Accessing the network through 802.1X
certificate authentication, however, requires users to complete complex configurations on
their terminals.
The Boarding deployment scheme simplifies operations and enables user terminals to
automatically complete configurations. As shown in Figure 1-5, the Boarding deployment
scheme provides two SSIDs. One is used for initializing the network and uses Portal
authentication. The other one is used for service access and uses 802.1X authentication.
When accessing a network, a user needs to associate with the initialization SSID first to
download the network configuration tool or configuration file. After the configuration is
automatically completed on the terminal, the user is automatically associated with the service
access SSID to access the network through 802.1X.


Figure 1-5 Networking diagram (image not reproduced): the AP connects to the AC through
GE 0/0/1 (VLAN 100); the AC connects to the router through GE 0/0/2 (VLANs 100, 101, and
102); the Portal server, RADIUS server, patch server, and CA server are reached through the
router. The AP serves the Portal SSID and the 802.1X SSID.

Data Planning

Table 1-13 Network data planning

Item                                  Data
AC                                    Interface number: GE 0/0/1
                                      VLAN: 100
                                      IP address of VLANIF 100: 192.168.3.2/24
                                      Interface number: GE 0/0/2
                                      VLANs: 100, 101, and 102
                                      IP address of VLANIF 101: 10.20.210.254/24
                                      IP address of VLANIF 102: 10.20.211.254/24
Router                                IP address of the interface connected to the AC: 192.168.3.254/24
AC-Campus (Portal server and          192.168.1.210
RADIUS server)
Windows CA server                     192.168.1.211

Table 1-14 Service data planning

Item                                  Data
VLAN                                  VLAN 100: management VLAN
                                      VLAN 101: Portal service VLAN
                                      VLAN 102: 802.1X service VLAN
DHCP                                  The AC functions as the DHCP server and allocates IP
                                      addresses to APs and terminals from the following
                                      address pools:
                                      - IP address pool for APs: 192.168.3.0/24
                                      - Portal service IP address pool for terminals: 10.20.210.0/24
                                      - 802.1X service IP address pool for terminals: 10.20.211.0/24
Pre-authentication domain             Patch server: 192.168.1.200
Post-authentication domain            192.168.2.0/24
Authentication and accounting key,    Admin@123
authorization key, and Portal key
Accounting interval (minutes)         15

Configuration Roadmap
1. Configure network interworking and enable APs to go online on the AC.
2. Configure a RADIUS server template and 802.1X authentication on the AC.
3. Configure Portal authentication on the AC.
4. Configure post-authentication domain resources on the AC for users to access after
passing authentication.
5. Configure Boarding on the AC-Campus.
6. Configure authentication and authorization on the AC-Campus.

Procedure
Step 1 Optional: Deploy the Windows CA server.
For details, see 1.12.6 Deploying a CA Certificate Server.
Step 2 [Device] Configure network interworking and enable APs to go online.
1. In this example, tunnel forwarding is used between the AC and APs. Configure the
downlink interface on the AC to allow packets from the management VLAN to pass
through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 to 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

2. Configure the uplink interface on the AC to allow packets from VLAN 100, VLAN 101,
and VLAN 102 to pass through so that the AC can communicate with upper-layer
network devices.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/2] quit

3. Configure IP addresses for VLANIF interfaces, and configure the AC to function as the
DHCP server to allocate IP addresses for APs, Portal services, and 802.1X services.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.3.2 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.20.210.254 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.20.211.254 255.255.255.0
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

4. Configure the default route, with the next hop pointing to the IP address of the router
interface.
[AC] ip route-static 0.0.0.0 0.0.0.0 192.168.3.254

5. Configure the APs to go online.
NOTE
If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on
the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the
AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP
address for the AC.

# Create the AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add them to AP group ap-group1. Configure names
for the APs based on their deployment locations, so that you can tell where an AP is
deployed from its name. For example, if the AP with MAC address 60de-4476-e360 is
deployed in area 1, name the AP area_1.

NOTE
The default AP authentication mode is MAC address authentication. If the default setting is
retained, you do not need to run the ap auth-mode mac-auth command; it is shown here for
completeness.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation maybe cause AP reset, Whether to continue? [Y/N]y
[AC-wlan-ap-0] quit

# After an AP is powered on, run the display ap all command to check the AP state. If
the State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type          State  STA  Uptime
--------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  192.168.3.200  AP6010DN-AGN  nor    0    5M:2S
--------------------------------------------------------------------------------------
Total: 1
[AC-wlan-view] quit
6. Define post-authentication resources in an ACL with the same number as that specified
in the authorization result on the AC-Campus.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 192.168.2.0 24 //Post-
authentication domain resources
[AC-acl-adv-3001] rule 2 deny ip
[AC-acl-adv-3001] quit

Step 3 [Device] Configure a RADIUS server template and 802.1X authentication.


1. Configure a RADIUS server template, as well as authentication and accounting schemes.
[AC] radius-server template radius_huawei //RADIUS server template
[AC-radius-radius_huawei] radius-server authentication 192.168.1.210 1812 source ip-address 192.168.3.2
[AC-radius-radius_huawei] radius-server accounting 192.168.1.210 1813 source ip-address 192.168.3.2
[AC-radius-radius_huawei] radius-server shared-key cipher Admin@123
[AC-radius-radius_huawei] quit
[AC] radius-server authorization 192.168.1.210 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //RADIUS authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acc_scheme //RADIUS accounting scheme
[AC-aaa-accounting-acc_scheme] accounting-mode radius
[AC-aaa-accounting-acc_scheme] accounting realtime 15
[AC-aaa-accounting-acc_scheme] quit
[AC-aaa] quit
2. Configure the 802.1X access profile dot1x_access.
NOTE

By default, an 802.1X access profile uses the EAP authentication mode. The authentication protocol
must be the same as that configured in the authentication rule on the AC-Campus.
[AC] dot1x-access-profile name dot1x_access
[AC-dot1x-access-profile-dot1x_access] quit
3. Configure the authentication profile dot1x_auth, and import the authentication scheme,
accounting scheme, and RADIUS server template.
[AC] authentication-profile name dot1x_auth
[AC-authentication-profile-dot1x_auth] dot1x-access-profile dot1x_access


[AC-authentication-profile-dot1x_auth] authentication-scheme auth_scheme
[AC-authentication-profile-dot1x_auth] accounting-scheme acc_scheme
[AC-authentication-profile-dot1x_auth] radius-server radius_huawei
[AC-authentication-profile-dot1x_auth] quit

4. Configure WLAN service parameters.

# Create security profile dot1x-security and set the security policy in the profile. A
security policy must be configured for 802.1X authentication; the default open system
authentication is not allowed.
[AC] wlan
[AC-wlan-view] security-profile name dot1x-security
[AC-wlan-sec-prof-dot1x-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-dot1x-security] quit

# Create the SSID profile dot1x-ssid, and set the SSID name to 802.1X.
[AC-wlan-view] ssid-profile name dot1x-ssid
[AC-wlan-ssid-prof-dot1x-ssid] ssid 802.1X
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-dot1x-ssid] quit

# Create the VAP profile dot1x-vap, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name dot1x-vap
[AC-wlan-vap-prof-dot1x-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-dot1x-vap] service-vlan vlan-id 102
[AC-wlan-vap-prof-dot1x-vap] security-profile dot1x-security
[AC-wlan-vap-prof-dot1x-vap] ssid-profile dot1x-ssid
[AC-wlan-vap-prof-dot1x-vap] authentication-profile dot1x_auth
[AC-wlan-vap-prof-dot1x-vap] quit

# Bind the VAP profile dot1x-vap to an AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile dot1x-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 4 [Device] Configure Portal authentication.


1. Configure a URL template that specifies the URL of the pushed page and carries the user
terminal's MAC address as a URL parameter.
NOTE
The url-parameter user-mac usermac command is required only if terminals running iOS need
to be registered or reported lost; it is not required in other cases. When an iOS terminal
downloads the configuration file it does not initiate Portal authentication: it is redirected
to the pushed Portal page but never sends its MAC address in a Portal login packet, so the
MAC address has to be passed in the redirect URL instead.
[AC] url-template name url_temp
[AC-url-template-url_temp] url http://192.168.1.210:8080/portal
[AC-url-template-url_temp] url-parameter user-mac usermac
[AC-url-template-url_temp] quit

2. Configure a Portal server profile and specify information about the Portal server.
[AC] web-auth-server portal_server
[AC-web-auth-server-portal_server] server-ip 192.168.1.210
[AC-web-auth-server-portal_server] source-ip 192.168.3.2
[AC-web-auth-server-portal_server] port 50200
[AC-web-auth-server-portal_server] shared-key cipher Admin@123
[AC-web-auth-server-portal_server] url-template url_temp
[AC-web-auth-server-portal_server] quit


3. Configure the Portal access profile portal_access.
[AC] portal-access-profile name portal_access
[AC-portal-access-profile-portal_access] web-auth-server portal_server direct
[AC-portal-access-profile-portal_access] quit

4. Configure an authentication-free rule profile. Add the resources (patch server) that users
can access before authentication to the profile.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.1.200
mask 32
[AC-free-rule-default_free_rule] quit

5. Configure the authentication profile portal_auth, binding the Portal access profile, the
authentication-free rule profile, the authentication and accounting schemes, and the
RADIUS server template.
[AC] authentication-profile name portal_auth
[AC-authentication-profile-portal_auth] portal-access-profile portal_access
[AC-authentication-profile-portal_auth] free-rule-template default_free_rule
[AC-authentication-profile-portal_auth] authentication-scheme auth_scheme
[AC-authentication-profile-portal_auth] accounting-scheme acc_scheme
[AC-authentication-profile-portal_auth] radius-server radius_huawei
[AC-authentication-profile-portal_auth] quit

6. Configure WLAN service parameters.

# Create security profile portal-security and set the security policy in the profile. By
default, the security policy is open system. Use the default security policy for Portal
authentication.
[AC] wlan
[AC-wlan-view] security-profile name portal-security
[AC-wlan-sec-prof-portal-security] quit

# Create the SSID profile portal-ssid, and set the SSID name to Portal.
[AC-wlan-view] ssid-profile name portal-ssid
[AC-wlan-ssid-prof-portal-ssid] ssid Portal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-portal-ssid] quit

# Create the VAP profile portal-vap, configure the data forwarding mode and service
VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP
profile.
[AC-wlan-view] vap-profile name portal-vap
[AC-wlan-vap-prof-portal-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-portal-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-portal-vap] security-profile portal-security
[AC-wlan-vap-prof-portal-vap] ssid-profile portal-ssid
[AC-wlan-vap-prof-portal-vap] authentication-profile portal_auth
[AC-wlan-vap-prof-portal-vap] quit

# Bind the VAP profile to an AP group and apply the VAP profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile portal-vap wlan 2 radio all
[AC-wlan-ap-group-ap-group1] quit
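
The following is an added example, not part of the Huawei guide: a Python reachability check for a client on the Portal SSID, using the authentication-free rule from step 4 of this Step and ACL 3001 from Step 2 exactly as the page writes them. Only what the page states is modelled: before authentication the client may reach free-rule destinations; after authentication the authorization ACL is evaluated in rule-number order with first match winning. The assumption that a destination matching no ACL rule is denied, the host 192.168.2.10 and the server names are constructed; Portal HTTP redirection and the device's own handling of the Portal server address are not modelled.

```python
# Added example (not from the Huawei guide): which destinations a Portal-SSID client can
# reach before and after authentication under the page's free-rule and ACL 3001.
# Assumption: a destination matching no ACL rule is denied. Portal redirection and the
# device's built-in treatment of the Portal server are not modelled.
import ipaddress

# From the page: free-rule 1 destination ip 192.168.1.200 mask 32
FREE_RULES = [("permit", "192.168.1.200/32")]

# From the page: acl 3001, rule 1 permit ip destination 192.168.2.0 24, rule 2 deny ip
ACL_3001 = [
    (1, "permit", "192.168.2.0/24"),
    (2, "deny", "0.0.0.0/0"),
]

PAGE_SERVERS = {                        # addresses from Table 1-13 and Table 1-14
    "patch server": "192.168.1.200",
    "AC-Campus": "192.168.1.210",
    "Windows CA": "192.168.1.211",
    "post-auth host": "192.168.2.10",  # constructed host inside 192.168.2.0/24
}


def acl_lookup(acl, dst):
    """First matching rule in rule-number order decides; no match means deny (assumption)."""
    ip = ipaddress.ip_address(dst)
    for _, action, net in sorted(acl, key=lambda rule: rule[0]):
        if ip in ipaddress.ip_network(net):
            return action
    return "deny"


def free_rule_permits(dst):
    """Destinations an unauthenticated client may reach via the free-rule template."""
    ip = ipaddress.ip_address(dst)
    return any(action == "permit" and ip in ipaddress.ip_network(net)
               for action, net in FREE_RULES)


def reachable(dst, authenticated):
    """True if a client in the given state can reach dst under the page's rules."""
    if authenticated:
        return acl_lookup(ACL_3001, dst) == "permit"
    return free_rule_permits(dst)


def reachability_report(targets):
    """Map name -> (reachable before authentication, reachable after authentication)."""
    return {name: (reachable(ip, False), reachable(ip, True)) for name, ip in targets.items()}


if __name__ == "__main__":
    for name, (before, after) in reachability_report(PAGE_SERVERS).items():
        print(f"{name:15s} before auth: {before!s:5s} after auth: {after}")
```

The report makes one consequence of the rules visible: as written, the patch server at 192.168.1.200 is reachable only before authentication, because rule 2 of ACL 3001 denies everything outside 192.168.2.0/24 once the user is authorized. If the patch server, DNS, or other infrastructure must stay reachable after login, add a permit rule for it with a lower rule number than rule 2 on the AC and keep the AC-Campus authorization result pointing at ACL 3001.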

Step 5 [AC-Campus] Configure Boarding so that 802.1X is configured automatically on user
terminals.

Choose Policy > Permission Control > Boarding Management > Quick Start to perform
configurations according to the wizard.

1. Configure the network access policy and specify 802.1X access parameters.


The 802.1X network access parameters must match those configured on the AC. The
commands that set the key parameters on the AC are as follows:
– Security mode: WPA2, from security wpa2 dot1x aes
– Encryption mode: AES, from the same security wpa2 dot1x aes command
– SSID: ssid 802.1X
2. Upload a CA certificate for verification when a user certificate is used for authentication
and when the AC-Campus applies for a user certificate from the Windows CA server.


3. Configure the SCEP certificate server to apply for user certificates from the Windows
CA server.

4. Optional: Configure OCSP to check the revocation status of user certificates online. The
revoked user certificates cannot be used. You are advised to use OCSP. If OCSP is not
configured, you can choose System > External Authentication > Certificate
Management to configure CRL synchronization or manually upload a CRL to check the
certificate revocation status.

5. Customize a Portal page.


The AC-Campus provides a default Portal page. The administrator can modify the default
Portal page or add a Portal page.

If the version of the network configuration tool needs to be updated, choose Policy >
Permission Control > Page Customization > Page Customization Material to upload the
latest version.

– Android: A Portal authentication page needs to be customized, containing the
download link of the network configuration tool (in the format of *.apk).
– iOS: A Portal authentication page needs to be customized so that users can enter the
account and password for authentication on the page. An authentication success
page needs to be customized to provide the download link of the network
configuration file (in the format of *.mobileconfig).
– Windows: A Portal authentication page needs to be customized, containing the
download link of the network configuration tool (in the format of *.exe).
6. Configure Portal page push policies. Different Portal pages are pushed to terminals
running different OSs to provide proper network configuration tools or configuration
files.

Configure Portal page push policies for terminals running the Android OS, iOS, and
Windows OS. Set the following parameters and use the default settings for other
parameters.

– Android
  - Name: Android
  - Push different pages based on terminal OS: Android
  - Pushed page: Android_en
– iOS
  - Name: iOS
  - Push different pages based on terminal OS: iOS
  - Pushed page: iOS_en
– Windows
  - Name: Windows
  - Push different pages based on terminal OS: Windows PC
  - Pushed page: Windows_en
Step 6 [AC-Campus] Add an access control device and connect it to the AC-Campus through
RADIUS.
Choose Resource > Device > Device Management to add an AC.


The commands used to configure the corresponding parameters on the AC are as follows:
- Authentication/Accounting key: radius-server shared-key cipher Admin@123
- Authorization key: radius-server authorization 192.168.1.210 shared-key cipher Admin@123
- Real-time accounting interval: accounting realtime 15
- Portal key: shared-key cipher Admin@123

Step 7 [AC-Campus] Configure authentication and authorization. After completing 802.1X network
configurations, users can obtain permission based on the configured authentication and
authorization rules.
1. Optional: Configure an authentication rule.

This example uses the default authentication rule that contains all authentication
protocols.

If a non-local data source is used for synchronization, such as the AD/LDAP server,
modify the default authentication rule or create an authentication rule.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result to configure authorization using an ACL.

The ACL number 3001 set in the ACL Number/AAA User Group area is the same as
that configured on the AC.

3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule to configure an authorization rule.

Set Authorization Result to Post-authentication domain configured in the preceding
step. Use the default settings for other parameters.

----End

Verification
- Terminals running the Android OS
  a. After a terminal associates with the Portal wireless network, the terminal can
  access the patch server specified in the free-rule command. If the terminal accesses
  other websites, it is redirected to the Portal authentication page for
  Android terminals.
  b. Download the network configuration tool (in the format of *.apk) from the Portal
  authentication page and install the tool.
  c. Enter the account and password in the network configuration tool and click Config.
  The configuration for 802.1X certificate authentication is completed
  automatically. The terminal connects to the 802.1X wireless network automatically
  and you can access post-authentication domain resources.
- Terminals running iOS
  a. Connect the terminal to the Portal wireless network and access a web page. You are
  redirected to the Portal authentication page configured for terminals running
  iOS.
  b. Enter the account and password on the Portal authentication page for identity
  authentication.
  c. After the identity authentication succeeds, the Portal authentication success page is
  displayed automatically. Download the configuration file in the format of
  *.mobileconfig.
  d. After the configuration file is installed, the system automatically completes the
  configuration for 802.1X certificate authentication. After manually connecting the
  terminal to the 802.1X wireless network, you can access post-authentication domain
  resources.
- Terminals running the Windows OS
  a. Connect the terminal to the Portal wireless network and access a web page. You are
  redirected to the Portal authentication page configured for terminals running the
  Windows OS.
  b. Download the network configuration tool (in the format of *.exe) from the Portal
  authentication page and install the tool.
  c. Enter the account and password in the network configuration tool and click Config.
  The configuration for 802.1X certificate authentication is completed
  automatically. The terminal connects to the 802.1X wireless network automatically
  and you can access post-authentication domain resources.

1.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass
Authentication Quickly
Guests can obtain passwords through mobile phones to connect to networks quickly.

Involved Products and Versions

Product Type                 Product Name    Version
- RADIUS Server              AC-Campus       V100R002C10
- Portal Server

Networking Requirements
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through
personal computers (PCs) and guests connect to the network through mobile phones. The
administrator has created local accounts for the employees so that they can use the local
accounts to pass authentication. For guest accounts, the system should satisfy the following
demands:
- All guests must associate with the Wi-Fi network whose SSID is guest to connect to the
Internet. Other SSIDs are not allowed.
- All guests can use their mobile phone number to obtain passwords to access the network.
After guests send their requests to obtain passwords, passwords are sent to the guests
through SMS messages.
- After the authentication succeeds, the web page requested by the guest before the
authentication is displayed automatically.

Data Plan

Table 1-15 Data plan

Item: SM + SC (RADIUS server + Portal server)
Data: IP address: 172.18.1.1
Description: -

Item: SMS server
Data:
  Message Sending Method: GPRS modem
  Enable distributed SC: no
  Serial Port ID: COM1
  Country Code: 86
  Baud Rate: 115200
  Test Number: 13412345678
Description: Set corresponding parameters on the GPRS modem in advance. For details,
see 1.12.9 What Should I Do Before Connecting a GPRS Modem to the AC-Campus?.

Item: Number of the ACL for guests' post-authentication domain
Data: 3002
Description: -

Item: SSID of the network to which guests associate
Data: guest
Description: Configure this parameter on the AC. For details, see step 4 in 1.2 Example
for Configuring Portal Authentication (Including MAC Address-Prioritized Portal
Authentication) for Wireless Users.

Configuration Roadmap
1. Configure the SMS server so that the system can send SMS messages properly.
2. Configure guest account policies. This example uses the default policy "self-
registration_obtaining passwords through mobile phones_8-hour validity period".
3. Customize the authentication page. The authentication page is automatically displayed if
an unauthenticated guest accesses the network.
4. Configure a Portal page push rule to push the customized authentication page to guests.
5. Add guest authorization results and authorization rules to assign access rights to guests
after they are successfully authenticated.

Prerequisites
Portal authentication configurations have been completed on the AC/switch and the AC-
Campus. For details, see configuration examples about Portal.

Procedure
Step 1 Enter https://172.18.1.1:8443 in the address box of a web browser to log in to the Service
Manager.

Step 2 Configure the SMS server so that the system can send SMS messages properly.
1. Choose System > Server Configuration > SMS Server Configuration.
2. Set parameters of the SMS server.


NOTE

If the SMS modem is used, no more than three guests can register per minute. If the number of
guests that need to register in a minute exceeds three, use the SMS gateway.
3. Click Test. The Test Succeeded message is displayed and the phone with the configured
mobile phone number receives a test SMS message.
4. Click Save.

Step 3 Configure guest account policies. Choose Policy > Permission Control > Guest
Management > Guest Account Policy.
This example uses the default policy "Self-registration_password through phones_valid for 8
hours". If the default policy cannot satisfy requirements, you can modify it or create a new
policy. Set the parameters marked in red rectangles according to the following figure.

Step 4 Customize the authentication page. The authentication page is automatically displayed if an
unauthenticated guest accesses the network.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the authentication page.
You must select Self Register and set Guest Account Policy to the policy created in
Step 3.


4. Click Next. Set the page template and language template.
The page template is set to System-Mobile Quick Authentication Template and the
language template is set to English.

5. Click Next to customize the page pushed to a phone.
The guest uses the phone to obtain a password to complete registration. Therefore, no
registration and registration success pages are required. You only need to customize the
authentication, authentication success, and user notice pages. You can change logos as
required.

6. Click Next to customize the page pushed to a PC.

7. Click Publish.
If Delivery succeeded is displayed, page customization succeeds.
Step 5 Configure a Portal page push rule to push the customized authentication page to guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.


2. Click Add to add the Portal page push rule.

Parameter: Name
Value: Push rule for phone registration
Description: -

Parameter: User-defined parameters
Value: ssid=guest
Description:
  – ssid=guest indicates that the AC pushes the specified page so long as unauthorized
  guests select the SSID guest.
  – For details about User-defined parameters, see 1.12.3 Defining a Redirection Rule
  for the Portal Page.
  – The AC needs to send the user-defined URL parameter to the Portal server through
  the URL parameter template, so that the Portal server can correctly match the
  pushed condition. In this example, the AC sends the user-defined URL parameter
  ssid to the Portal server, so that it can correctly match the pushed condition.

Parameter: Pushed page
Value: Select the page customized in Step 4
Description: -

Parameter: Page displayed after successful authentication
Value: Continue to visit the original page
Description: The value of the redirect-url field specified on the AC must be url. For
details, see 1.12.8 How Do I Continue to Access the Original Page After Successful
Portal Authentication?.

3. Click OK.
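How the Portal server evaluates push conditions like the ssid=guest rule above and the per-OS push policies of the preceding 802.1X example, shown as an added Python example (this is not AC-Campus code). The rule fields mirror the tables in this chapter; the User-Agent keywords, the rule order, the page names, the sample redirect URLs and the handling of the url parameter are assumptions made for the illustration. The last function also shows the check a defender wants on the "continue to the original page" feature: only absolute http/https targets are honoured, so the post-login redirect cannot be turned into an open redirect.

```python
"""Portal page push-rule matching, modelled on the push rules in this guide.

Added example, not AC-Campus code. The rule fields (terminal OS, user-defined
URL parameter, pushed page) mirror the tables above. The User-Agent keywords,
the rule order and the page names are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class PushRule:
    name: str
    pushed_page: str
    terminal_os: Optional[str] = None            # "Android", "iOS", "Windows PC" or None (any OS)
    user_params: Dict[str, str] = field(default_factory=dict)  # e.g. {"ssid": "guest"}


# Assumed mapping from User-Agent keywords to the OS names used in the push rules.
_OS_SIGNATURES = (("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
                  ("Windows NT", "Windows PC"))

# Constructed rule set: the ssid=guest rule from this example followed by the
# per-OS rules from the 802.1X example earlier in this chapter.
RULES: List[PushRule] = [
    PushRule("Push rule for phone registration", "Guest_mobile_en", user_params={"ssid": "guest"}),
    PushRule("Android", "Android_en", terminal_os="Android"),
    PushRule("iOS", "iOS_en", terminal_os="iOS"),
    PushRule("Windows", "Windows_en", terminal_os="Windows PC"),
]


def detect_os(user_agent: str) -> Optional[str]:
    """Classify the terminal OS from the browser User-Agent header."""
    for needle, os_name in _OS_SIGNATURES:
        if needle in user_agent:
            return os_name
    return None


def redirect_params(redirect_url: str) -> Dict[str, str]:
    """Extract the URL parameters the AC appended when it redirected the terminal."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}


def rule_matches(rule: PushRule, terminal_os: Optional[str], params: Dict[str, str]) -> bool:
    if rule.terminal_os is not None and rule.terminal_os != terminal_os:
        return False
    # Every user-defined parameter must be present with the exact value; the AC
    # only forwards parameters listed in its URL parameter template.
    return all(params.get(key) == value for key, value in rule.user_params.items())


def select_page(redirect_url: str, user_agent: str, rules: List[PushRule] = RULES,
                default_page: str = "Default_en") -> str:
    """Return the page to push: the first rule (in list order) whose conditions all hold."""
    params = redirect_params(redirect_url)
    terminal_os = detect_os(user_agent)
    for rule in rules:
        if rule_matches(rule, terminal_os, params):
            return rule.pushed_page
    return default_page


def safe_original_url(redirect_url: str) -> Optional[str]:
    """Return the pre-authentication page carried in the 'url' parameter, or None.

    Only absolute http/https URLs are accepted, so the post-login redirect cannot
    be abused to send a guest to an arbitrary scheme or a scheme-relative host.
    """
    target = redirect_params(redirect_url).get("url")
    if not target:
        return None
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return target


if __name__ == "__main__":
    # Constructed redirect as the AC would issue it for a guest on SSID "guest".
    url = "http://172.18.1.1:8080/portal?ssid=guest&url=http%3A%2F%2Fwww.example.com%2F"
    ua = "Mozilla/5.0 (Linux; Android 7.0; SM-G930V) AppleWebKit/537.36"
    print(select_page(url, ua), safe_original_url(url))
```

Rules are evaluated in list order, so put the most specific conditions first; a rule with neither an OS nor a user-defined parameter would match every terminal.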
Step 6 Add SSIDs to the AC-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as that configured on the AC.


Step 7 Add an authorization result and rule to allow guests to connect to the Internet after they are
successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and specify resources that guests can access after being
authenticated and authorized.

Parameter: Name
Value: Authorization Result for guest
Description: -

Parameter: Service Type
Value: Access Service
Description: -

Parameter: ACL Number/AAA User Group
Value: 3002
Description: The ACL number must be the same as the number of the ACL configured for
guests on the AC.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and specify the authorization conditions for guests.

Parameter: Name
Value: Authorization Rule for guest
Description: -

Parameter: Service Type
Value: Access User
Description: -

Parameter: User Group
Value: Guest
Description: The value must be the same as that of User Group specified when you
configure a guest account policy.

Parameter: SSID
Value: guest
Description: The SSID must be the same as that configured for guests on the AC.

Parameter: Authorization Result
Value: Authorization Result for guest
Description: -
----End

Verification
1. A guest uses a mobile phone to connect to a Wi-Fi network. The guest selects the hotspot
guest to connect to the Internet. The authentication page is pushed to the guest.
2. The guest enters his or her mobile phone number and clicks Get Password.
The authentication password is sent to the guest's mobile phone.
3. The guest enters the mobile phone number and password and clicks Login. The web
page requested by the guest before the authentication is displayed automatically.
4. On the Service Manager, choose Resource > User > Online User Management. The
online information about the account is displayed.
5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the account are displayed.

1.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus,
Facebook, or Twitter Accounts)
The Service Manager can interconnect with the Google, Facebook, and Twitter authentication
servers so that end users can use their social media accounts and passwords to complete
authentication on the Service Manager. Authenticated users then can connect to the network.

Involved Products and Versions

Product Type                 Product Name    Version
- RADIUS Server              AC-Campus       V100R002C10
- Portal Server

Networking Requirements
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can


connect to the enterprise network. Enterprise employees connect to the network through PCs
and guests connect to the network through mobile phones. The administrator has created local
accounts for the employees so that they can use the local accounts to pass authentication. For
guest accounts, the administrator needs to configure the Service Manager to enable guests to
complete authentication using GooglePlus, Facebook or Twitter accounts.

Data Plan

Table 1-16 Data Plan

Item: SM + SC (RADIUS server + Portal server)
Data: Domain name: controller.sz
Description: -

Item: Number of the ACL for guests' post-authentication domain
Data: 3002
Description: -

Item: SSID of the network to which guests associate
Data: guest
Description: Configure this parameter on the AC. For details, see step 4 in 1.2 Example
for Configuring Portal Authentication (Including MAC Address-Prioritized Portal
Authentication) for Wireless Users.

Configuration Roadmap
1. Configure the AC-Campus to interconnect with the Google, Facebook, and Twitter
authentication servers.
2. Customize authentication pages. The authentication page is automatically displayed if an
unauthenticated guest attempts to connect to the network.
3. Customize the portal page push rule to push the customized authentication page to
guests.
4. Configure social media as external authentication sources and add authorization results
and authorization rules to grant different access rights to guests after they are
successfully authenticated.

Prerequisites
1. Portal authentication configurations have been completed on the AC/switch and the AC-
Campus. For details, see configuration examples about Portal. Pay attention to the
following points during the configuration:
a. When configuring the Portal server's URL in the URL template, set a URL in the
domain name format.

[AC] url-template name huawei
[AC-url-template-huawei] url http://Portal server's domain name:8080/portal
[AC-url-template-huawei] quit

b. A free rule has been configured on the AC/switch to permit social media website
addresses. This ensures that guests' terminals can access the social media
authentication page before passing authentication.
  - Access to authentication-free resources is permitted by the domain name on
  the AC/switch. You need to permit guests to access the following domain
  names before passing authentication.
    - Google server: www.googleapis.com and apis.google.com
    - Facebook server: connect.facebook.net
    - Twitter server: api.twitter.com, abs.twimg.com, mobile.twitter.com and
    twitter.com
  - If the AC/switch cannot permit access to authentication-free resources by the
  domain name, run the nslookup complete host name command in the CLI to
  view the IP address matching the host name, and then permit the destination
  server by the IP address.
c. If the enterprise uses its own DNS server and an access control device is used as the
DHCP server, you must configure the DNS server address on the VLANIF interface
of the access control device that communicates with terminals.
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.0.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 172.18.1.2 //Configure the DNS server address. 172.18.1.2 is only used as an example.
[AC-Vlanif101] quit

2. The social media server and AC-Campus server are reachable to each other.
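When the AC/switch can only permit authentication-free destinations by IP address (prerequisite 1.b above), the permitted set has to follow DNS: the social login hosts sit behind CDNs whose answers change, and a stale IP-based free rule silently blocks the login page. The following added Python example (not AC or AC-Campus code) resolves the domain names listed above and reports drift against the addresses already permitted. The resolver injection, the constructed DNS answers (TEST-NET ranges) and the report layout are assumptions for this illustration; it does not generate AC commands, because the free-rule syntax is not shown on this page.

```python
"""Keep authentication-free (free-rule) destinations in step with DNS.

Added example, not AC or AC-Campus code. The domain names are the ones listed in
the prerequisites above; the resolver injection, the constructed DNS answers
(TEST-NET addresses) and the report format are assumptions for this illustration.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Domain names guests must reach before authentication (from the prerequisites above).
SOCIAL_LOGIN_DOMAINS: Dict[str, List[str]] = {
    "Google": ["www.googleapis.com", "apis.google.com"],
    "Facebook": ["connect.facebook.net"],
    "Twitter": ["api.twitter.com", "abs.twimg.com", "mobile.twitter.com", "twitter.com"],
}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Resolve host to its IPv4 addresses with the system resolver (what nslookup shows)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}


def all_social_domains() -> List[str]:
    return [host for hosts in SOCIAL_LOGIN_DOMAINS.values() for host in hosts]


def resolve_free_rule_targets(domains: Iterable[str],
                              resolver: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Map each domain name to the address set an IP-based free rule would need to permit."""
    targets: Dict[str, Set[str]] = {}
    for host in domains:
        try:
            targets[host] = set(resolver(host))
        except OSError:            # socket.gaierror is an OSError
            targets[host] = set()  # unresolved: nothing can be permitted for it yet
    return targets


def compare_with_permitted(resolved: Dict[str, Set[str]],
                           permitted: Set[str]) -> Dict[str, List[str]]:
    """Report drift between current DNS answers and the addresses already permitted.

    missing:    resolved now but not permitted, so the login page would be blocked
    stale:      permitted but no longer resolved, so the free rule is wider than needed
    unresolved: names that returned no address and must be checked by hand
    """
    current: Set[str] = set()
    for addrs in resolved.values():
        current |= addrs
    return {
        "missing": sorted(current - permitted),
        "stale": sorted(permitted - current),
        "unresolved": sorted(host for host, addrs in resolved.items() if not addrs),
    }


# Constructed DNS answers so the check runs offline; real answers vary by region and over time.
FAKE_DNS: Dict[str, Set[str]] = {
    "www.googleapis.com": {"192.0.2.10", "192.0.2.11"},
    "apis.google.com": {"192.0.2.12"},
    "connect.facebook.net": {"198.51.100.5"},
    "api.twitter.com": {"203.0.113.20"},
    "abs.twimg.com": {"203.0.113.21"},
    "mobile.twitter.com": {"203.0.113.22"},
    "twitter.com": {"203.0.113.22", "203.0.113.23"},
}


def fake_resolver(host: str) -> Iterable[str]:
    """Constructed stand-in for system_resolver; raises like a failed lookup would."""
    if host not in FAKE_DNS:
        raise OSError(f"constructed resolver has no answer for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    resolved = resolve_free_rule_targets(all_social_domains(), fake_resolver)
    # Constructed "already permitted" set, e.g. what was typed into IP-based free rules earlier.
    permitted = {"192.0.2.10", "198.51.100.5", "203.0.113.99"}
    for key, value in compare_with_permitted(resolved, permitted).items():
        print(f"{key}: {value}")
```

Run it with system_resolver from the same network segment the guests use, and repeat it over several days: CDN-backed names return different addresses per query, so a single nslookup rarely yields the complete set.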

Procedure
Step 1 Configure the interconnection with the Google authentication server.
1. Apply for a googlePlus account.

To enable end users to use googlePlus accounts for guest identity authentication,
enterprises must request their own googlePlus accounts from Google to obtain the
authorization information from Google.
a. Open the Web browser.
b. Enter https://accounts.google.com/SignUp?service=oz&continue=https://plus.google.com/?hl=en-us&gpsrc=gplp0&hl=en-us
in the address box.
c. Register an account.
2. Create the googlePlus application.
a. Enter https://console.developers.google.com/project in the address box. On the
page that is displayed, log in using a Google account, and click Create Project.

b. Enter a project name and click Create.


c. Click Use Google APIs.

d. In the Social APIs area, click Google+ API.

e. Click Enable API.


f. Click Go to Credentials.

g. Set the Credentials type and click What credentials do I need?.

h. Fill in required information, and click Create client ID.


Parameter: Name
Value: Web client 1

Parameter: Authorized JavaScript origins
Value: https://Service Controller-Domain Name:8445 or http://Service Controller-Domain
Name:8080.
When you customize pages on the AC-Campus, the protocol for page pushing must be
consistent with the input here. If you enter https://Service Controller-domain name:8445
here, select Push pages using HTTPS. If you enter http://Service Controller-domain
name:8080 here, deselect Push pages using HTTPS.
NOTE
HTTP is an insecure protocol; therefore, HTTPS is recommended.

Parameter: Authorized redirect URIs
Value: https://Service Controller-Domain Name:8445/portal or http://Service
Controller-Domain Name:8080/portal.
When you customize pages on the AC-Campus, the protocol for page pushing must be
consistent with the input here. If you enter https://Service Controller-domain name:8445
here, select Push pages using HTTPS. If you enter http://Service Controller-domain
name:8080 here, deselect Push pages using HTTPS.
If multiple Portal servers are deployed, use Enter to isolate their URIs.

i. Set Email address and Product name shown to users, and click Continue.

j. Click Done.


k. On the Credentials page, click New credentials, and select API key.

l. Select Browser key.

m. Set the API key name, and click Create. The created API key is displayed.

n. Write down the client ID and API key.


Step 2 Configure the interconnection with the Facebook authentication server.


1. Apply for a Facebook account.
To enable end users to use Facebook accounts for guest identity authentication,
enterprises must request their own Facebook accounts from Facebook to obtain the
authorization information from Facebook.
a. Open the Web browser.
b. Enter https://en-us.facebook.com/ in the address box.
c. Register an account.
2. Create a Facebook application.
a. Enter https://developers.facebook.com/ in the address box. On the page that is
displayed, log in using a Facebook account, and choose My Apps > Add a New
App.
Click Register in the upper right corner of the page upon initial login to register as
a developer. After that, you can create apps.

b. Choose Facebook Canvas.

c. Enter a project name, and click Create New Facebook App ID.


d. Set Contact Email, set Category to Utilities, and click Create App ID.

e. Click Skip Quick Start to skip the quick start wizard and access the application
configuration page.
f. Click Add Product in the navigation tree, then click Get Started under Facebook
Login.

g. Configure Valid OAuth redirect URIs and Deauthorize Callback URL.

Parameter: Valid OAuth redirect URIs
Value: https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP
or Domain Name:8080. If a Google account is used for authentication, configure this
parameter in the domain name format.
When you customize pages on the AC-Campus, the protocol for page pushing must be
consistent with the input here. If you enter https://Service Controller-domain name:8445
here, select Push pages using HTTPS. If you enter http://Service Controller-domain
name:8080 here, deselect Push pages using HTTPS.
NOTE
HTTP is an insecure protocol; therefore, HTTPS is recommended.
If multiple Portal servers are deployed, enter multiple URIs.

Parameter: Deauthorize Callback URL
Value: https://Service Controller-IP or Domain Name:8445. If a Google account is used
for authentication, configure this parameter in the domain name format.
If multiple Portal servers are deployed, enter multiple URLs and separate them with spaces.

NOTE

Ensure that the address formats of Deauthorize Callback URL and Valid OAuth redirect
URIs are the same. The domain name format is recommended. If one field is set to the IP
address format while the other is set to the domain name format, a configuration error may
occur. If the IP address format is used, you are advised to use the network segment
192.168.x.x rather than the segments 10.x.x.x or 172.x.x.x. Otherwise, the configuration may
fail.
h. Click Save changes.
i. Choose Settings > Basic, and save the App ID and App Secret of the corresponding
application. You need to set the two parameters when performing the related configuration
on the AC-Campus.


j. Click App Review, and set Make My Project public to Yes.

Step 3 Configure the interconnection with the Twitter authentication server.


1. Apply for a Twitter account.
To enable end users to use Twitter accounts for guest identity authentication, enterprises
must request their own Twitter accounts from Twitter to obtain the authorization
information from Twitter.
a. Open the Web browser.
b. Enter https://twitter.com/ in the address box.
c. Register an account.
2. Create a Twitter application.
a. Enter https://apps.twitter.com/ in the address box. On the page that is displayed,
log in using a Twitter account, and click Create New App.

b. Enter application information.

Parameter: Name
Value: authtest10001

Parameter: Description
Value: authtest10001

Parameter: Website
Value: https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP
or Domain Name:8080. If a Google account is used for authentication, configure this
parameter in the domain name format.
When you customize pages on the AC-Campus, the protocol for page pushing must be
consistent with the input here. If you enter https://Service Controller-domain name:8445
here, select Push pages using HTTPS. If you enter http://Service Controller-domain
name:8080 here, deselect Push pages using HTTPS.
NOTE
HTTP is an insecure protocol; therefore, HTTPS is recommended.

Parameter: Callback URL
Value: https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP
or Domain Name:8080. If a Google account is used for authentication, configure this
parameter in the domain name format.
When you customize pages on the AC-Campus, the protocol for page pushing must be
consistent with the input here. If you enter https://Service Controller-domain name:8445
here, select Push pages using HTTPS. If you enter http://Service Controller-domain
name:8080 here, deselect Push pages using HTTPS.
NOTE
HTTP is an insecure protocol; therefore, HTTPS is recommended.

c. Click Create your Twitter application.

d. Click Settings, select Allow this application to be used to Sign in with Twitter,
and click Update Settings.


e. Click Keys and Access Tokens.

f. Save the API Key and API Secret.


Step 4 On the Service Manager, configure the association parameters on Google, Facebook, and
Twitter authentication servers.
1. Choose System > External Authentication > Third-Party Applications.
Select Facebook, Google, and Twitter.

Parameter                 Value
Facebook
  App ID                  *****************
  App secret              *****************
Google
  Client ID               *****************
  API key                 *****************
Twitter
  API key                 *****************
  API secret              *****************
User group                ROOT\Guest
Role                      guest

Step 5 Customize the authentication page.


1. Choose Policy > Permission Control > Page Customization > Page Customization
and click .
2. Set parameters on the page.
If guests are allowed to complete authentication through both their social media accounts
and self-registration, select Self Register. For details about how to configure guests to

connect to networks through self-registration, see 1.5 Example for Configuring Guests
to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly.
Click Advanced setting and select or deselect Push pages using HTTPS based on the
configuration on the social media server.
– If the configuration on the social media server is https://Service Controller-IP or
Domain Name:8445, select Push pages using HTTPS.
– If the configuration on the social media server is http://Service Controller-IP or
Domain Name:8080, deselect Push pages using HTTPS.
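The Google, Facebook and Twitter tables in Steps 1 to 3 and the Push pages using HTTPS setting here impose constraints that are easy to get out of step: the redirect URI scheme must agree with the page-push protocol, Google requires the domain name format, the Facebook Deauthorize Callback URL must use the same host format as the redirect URIs, and the guide advises 192.168.x.x over 10.x.x.x or 172.x.x.x when an IP is used. The following added Python example (not AC-Campus code) encodes those constraints as a pre-flight check on the values an administrator is about to enter; the function names, severity labels and the sample URLs (controller.sz from Table 1-16 and a constructed IP) are assumptions for this illustration.

```python
"""Consistency check for the social-login URLs configured in this example.

Added example, not AC-Campus code. The checks encode the constraints stated in
the Google, Facebook and Twitter tables above and in the 'Push pages using HTTPS'
setting of Step 5; the function names and the severity labels are assumptions.
"""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str]   # (severity, message); severity is "error" or "warning"


def host_format(url: str) -> str:
    """Return 'ip' when the URL host is an IP address, otherwise 'domain'."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def check_social_login_urls(redirect_uris: Iterable[str], deauthorize_urls: Iterable[str],
                            push_pages_https: bool, google_used: bool) -> List[Finding]:
    """Validate the redirect/callback URLs against the constraints the guide states."""
    redirect_uris = list(redirect_uris)
    all_urls = redirect_uris + list(deauthorize_urls)
    findings: List[Finding] = []

    for url in redirect_uris:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ("http", "https"):
            findings.append(("error", f"{url}: scheme must be http or https"))
            continue
        # The scheme must match the page-push protocol selected on the AC-Campus.
        if (scheme == "https") != push_pages_https:
            findings.append(("error",
                             f"{url}: scheme does not match 'Push pages using HTTPS'={push_pages_https}"))
        if scheme == "http":
            findings.append(("warning", f"{url}: HTTP is insecure; HTTPS is recommended"))

    # Redirect URIs and the Deauthorize Callback URL must share one host format.
    formats = {host_format(url) for url in all_urls}
    if len(formats) > 1:
        findings.append(("error",
                         "redirect URIs and Deauthorize Callback URL mix IP and domain name formats"))
    if google_used and "ip" in formats:
        findings.append(("error", "Google login requires the domain name format"))

    for url in all_urls:
        if host_format(url) == "ip":
            ip = ipaddress.ip_address(urlsplit(url).hostname)
            if ip in ipaddress.ip_network("10.0.0.0/8") or ip in ipaddress.ip_network("172.0.0.0/8"):
                findings.append(("warning",
                                 f"{url}: the guide advises 192.168.x.x rather than 10.x.x.x or 172.x.x.x"))
    return findings


def has_errors(findings: List[Finding]) -> bool:
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    # Domain name from Table 1-16; HTTPS on 8445 with 'Push pages using HTTPS' selected.
    for finding in check_social_login_urls(["https://controller.sz:8445/portal"],
                                           ["https://controller.sz:8445"],
                                           push_pages_https=True, google_used=True):
        print(finding)
    # Constructed mismatch: HTTP redirect URI while HTTPS page pushing is selected.
    for finding in check_social_login_urls(["http://controller.sz:8080/portal"],
                                           ["http://controller.sz:8080"],
                                           push_pages_https=True, google_used=False):
        print(finding)
```

An empty finding list for the first call confirms the combination this example uses (domain name, HTTPS on 8445, Push pages using HTTPS selected) is self-consistent; any "error" finding means the social login will fail at redirect time rather than at configuration time, which is the symptom administrators otherwise debug by hand.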

3. Click Next and select the page template and language template.


4. Click Next and customize Authentication Page, Authentication Success Page, and
User Notice Page.

5. Click Publish.

Step 6 Configure portal page push rules.

1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule
and click Add.

Parameter | Value | Description
Name | Guest page pushing policy | -
User-defined parameters | ssid=guest |
  – ssid=guest indicates that the AC pushes the specified page so long as
    unauthorized guests select the SSID guest.
  – For details about User-defined parameters, see 1.12.3 Defining a
    Redirection Rule for the Portal Page.
  – The AC needs to send the user-defined URL parameter to the Portal server
    through the URL parameter template, so that the Portal server can correctly
    match the pushed condition. In this example, the AC sends the user-defined
    URL parameter ssid to the Portal server, so that it can correctly match the
    pushed condition.
Pushed page | Select a page customized in Step 5. | -
Page displayed after successful authentication | Continue to access the original page. |
  Configure URL parameters on the AC. For details, see 1.12.8 How Do I
  Continue to Access the Original Page After Successful Portal Authentication?.

2. Click OK.
Step 7 Add SSIDs to the AC-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as that configured on the AC.

Step 8 Configure social media as external authentication sources.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule and click Add.

Parameter | Value
Name | Social Media
Customize Condition | Social Media Account
Data Source | Third-Party Applications Data Source
Please select the allowed authentication protocol | Select all protocols.

2. Click OK.

Step 9 Configure authorization results and rules.


1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result. Click Add.

Parameter | Value
Name | Social Media
ACL Number/AAA User Group | 3002 (It has been configured on the switch. The ACL determines the network resources that the user can access after successful authentication.)

2. Click OK.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule. Click Add.

Parameter | Value
Name | Authorization rules of social media
Customize Condition | Social Media Account
Authorization Result | Social Media

4. Click OK.
----End

Verification
1. A guest connects to the Wi-Fi hotspot guest using a mobile phone. The guest
authentication page is pushed to the mobile phone.
2. On the authentication page, the guest presses the icon matching the guest's account type
and the web browser opens the corresponding website.
3. The guest enters the user name and password and presses Authentication. After
successful authentication, the user can visit the Internet.

4. On the Service Manager, choose Resource > User > Online User Management. The
online information about the account is displayed.
5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the account are displayed.

1.7 Example for Configuring Guests to Connect to Networks by Scanning Public QR Codes
After guests connect to a Wi-Fi network using their mobile phones, they can scan QR codes
posted in public areas for authentication to easily access a network.

Involved Products and Versions


Product Type | Product Name | Version
RADIUS Server and Portal Server | AC-Campus | V100R002C10

Networking Requirements
An enterprise has deployed an identity authentication system to implement access control for
all the wireless users who attempt to connect to the enterprise network. Only authenticated
users can connect to the enterprise network. To allow guests to access the network in the
enterprise exhibition hall, system administrators can post a public QR code in public areas in
the exhibition hall, so that guests can access the network by scanning the public QR code.

Data Plan

Table 1-17 Data plan

Item | Data | Description
SM + SC (RADIUS server + Portal server) | IP address: 172.18.1.1 | -
Number of the ACL for guests' post-authentication domain | 3002 | -
SSID of the guest network with which guests associate | guest | Configure this parameter on the AC. For details, see step 4 in 1.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users.

Configuration Roadmap
1. Enable public QR code authentication.
2. Configure a guest account policy for creating public QR codes.
3. Create and export a public QR code. Print and post it in public areas where guests can
scan it to connect to the network.
4. Customize authentication and authentication success pages. After guests pass
authentication by scanning the public QR code, the authentication success page is
automatically displayed.
5. Customize a Portal page push rule to push the customized authentication page to guests.
6. Add guest authorization results and authorization rules to assign access permission to
guests after they are authenticated.

Prerequisites
Portal authentication has been configured on the AC/switch and the AC-Campus. For details,
see configuration examples about Portal.
NOTE

When you configure URL parameters in the URL template, a value must be set for redirect-url;
otherwise, the AC-Campus fails to interconnect with the AC/switch. The recommended value is url.
[AC] url-template name huawei
[AC-url-template-huawei] url-parameter redirect-url url
[AC-url-template-huawei] url http://172.18.1.1:8080/portal
[AC-url-template-huawei] quit

Procedure
Step 1 Enter https://172.18.1.1:8443 in the address box of a web browser to log in to the Service
Manager.
Step 2 Enable public QR code authentication.
You can use the Guest Management navigation to complete this step and the subsequent steps.
Choose Policy > Permission Control > Guest Management > Quick Start, set Guest
Account Management Mode to Public QR Code, and click Navigation. Complete the
configuration by following the navigation. The following example illustrates how to use the
GUI menus to open the configuration page and complete the configuration.
1. Choose Policy > Permission Control > Guest Management > Parameter Setting.
2. Click the Set Public QR Code Parameters tab.
3. Enable Public QR Code and set public QR code parameters.

Parameter | Value | Description
Public QR Code | Enable | -
URL prefix in the link | http://192.168.1.1 | Use an IP address but not a domain name to specify the URL prefix. The URL prefix is only used to trigger Portal authentication. The IP address of a post-authentication domain can be used as the URL prefix. In other words, an IP address that guests cannot access before authentication can be used as the URL prefix.
URL encryption key | Admin@123 | -
Confirm URL encryption key | Admin@123 | -

4. Click OK.
Step 3 Configure a guest account policy for creating public QR codes.
1. Choose Policy > Permission Control > Guest Management > Guest Account Policy.
2. Click Add.
3. Configure a guest account policy.

Parameter | Value | Description
Name | Public QR Code | -
Creation type | Single | Only a single public QR code can be created each time. Public QR codes cannot be created in batches.
Generation policy | Public QR Code | -
Effective time | Takes effect immediately after being created | -
Account Fields | Click Edit, select the Location field, and deselect the other fields. | Attribute fields of a public QR code account are displayed. When creating a public QR code, enter information about the attribute fields that are selected here. In this example, the Location field is selected.

4. Click OK.
Step 4 Create a public QR code.
1. Choose Policy > Permission Control > Guest Management > Guest Account
Management.
2. Click Add to create a public QR code.
Set Account policy to the guest account policy configured in Step 3.

3. Click Save and generate a QR code.


Select the enterprise logo image in the Update Barcode Logo area, and click Upload to
add the logo to the public QR code.

4. Click Export Barcode to export the public QR code to a local directory. Print and post it
in public areas.
Step 5 Customize authentication and authentication success pages.
After a guest connects to a Wi-Fi network and scans the public QR code, the authentication
page is automatically displayed to authenticate the guest.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click the icon.
3. Configure basic information about the authentication page.

Parameter | Value | Description
Customize page name | Public QR Code | -
Page title | Web | This web title will be displayed on the authentication page.
Enable Self-register | Deselect it. | -
Push pages using HTTPS | Deselect it. | If you want to allow guests to use WeChat to scan the public QR code for authentication, you need to purchase a server certificate issued by a CA to replace the default server certificate. For details, see 1.12.7 Server Certificate Importing Tool. Otherwise, deselect Push pages using HTTPS to ensure that guests can use WeChat to scan the public QR code.

4. Click Next and set the page template and language template.

5. Click Next to customize authentication and authentication success pages.

6. Click Publish to complete the page customization.


Step 6 Configure a Portal page push rule to push the customized authentication page to guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
2. Click Add to set the Portal page push rule.

Parameter | Value | Description
Name | Push rule for public QR code authentication | -
Customized parameters | ssid=guest |
  – ssid=guest indicates that the AC pushes the specified page so long as
    unauthorized guests select the SSID guest.
  – For details about User-defined parameters, see 1.12.3 Defining a
    Redirection Rule for the Portal Page.
  – The AC needs to send the user-defined URL parameter to the Portal server
    through the URL parameter template, so that the Portal server can correctly
    match the pushed condition. In this example, the AC sends the user-defined
    URL parameter ssid to the Portal server, so that it can correctly match the
    pushed condition.
Account type | Public QR Code | -
Pushed page | Select a page customized in Step 5. | -

3. Click OK.
Step 7 Add SSIDs to the AC-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as that configured on the AC.

Step 8 Add an authorization result and rule to allow guests to connect to the Internet after they are
successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and specify resources that guests can access after being
authenticated and authorized.

Parameter | Value | Description
Name | Authorization Result for guest | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3002 | The ACL number must be the same as the number of the ACL configured for guests on the AC.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and specify the authorization conditions for guests.

Parameter | Value | Description
Name | Authorization Rule for guest | -
Service Type | Access User | -
User Group | Guest | The value must be the same as that of User Group specified when you configure a guest account policy.
SSID | guest | The SSID must be the same as that configured for guests on the AC.
Authorization Result | Authorization Result for guest | -

----End

Verification
1. A guest uses a mobile phone to connect to the Wi-Fi hotspot guest.
Before scanning the public QR code, the guest needs to connect to the Wi-Fi hotspot for
public QR code authentication. Scanning a public QR code only triggers authentication
and authorization. It is recommended that the following information be added on the
upper side of the public QR codes posted in public areas: Connect to the Wi-Fi network
before scanning the public QR code for authentication.
2. The guest scans the public QR code posted in public areas.
NOTE

The customized public QR code authentication page is pushed only after the guest scans the public
QR code. If a guest does not scan the public QR code after connecting to the Wi-Fi network, the
guest is authenticated based on the Portal authentication process. The system matches Portal page
push rules by priority and pushes the matched authentication page but not the public QR code
authentication page to the guest.
3. The terminal automatically initiates an authentication request after the guest successfully
scans the public QR code.

If a blank page is displayed after the guest scans the public QR code using WeChat, the
possible causes are as follows:
– During customization of the authentication page, the administrator selects Push
pages using HTTPS but does not buy a trusted server certificate.
Guests can use another scanning tool to scan the public QR code for authentication.
Alternatively, the administrator re-customizes the public QR code authentication
page. During the customization, the administrator needs to deselect Push pages
using HTTPS and specify the new customized authentication page in the Portal
page push rule.
– If the guest has passed public QR code authentication and scans it again, a blank
page is displayed.
Choose Resource > User > Online User Management to check whether the
terminal is online using the public QR code account.
4. After the authentication succeeds, the authentication success page is displayed.

If the authentication fails, choose Resource > User > RADIUS Log to check RADIUS
authentication logs. Check causes of the authentication failure and whether the
authentication rule and authorization rule are correctly configured.
5. After the authentication succeeds, the guest can access the Internet.
6. On the Service Manager, choose Resource > User > Online User Management. The
online information about the public QR code account is displayed.
7. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the public QR code account are displayed.
NOTE

The same account (public QR code account) is displayed on the Service Manager for all guests
who scan the same public QR code for authentication.

Summary and Suggestions


Authorization rules or Portal page push rules are matched in descending order of priority
(ascending order of rule numbers). If the authorization condition or Portal push condition of a
user matches a rule, the system does not check the subsequent rules. Therefore, it is
recommended that you set higher priorities for the rules defining more precise conditions and
set lower priorities for the rules defining fuzzy conditions.
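The Portal page push rules of Step 6 in this example and of Step 6 in 1.6, together with the NOTE under Prerequisites (the AC's URL template carries the client's original URL under the redirect-url parameter name url, plus the user-defined parameter ssid), describe one mechanism: the AC redirects an unauthenticated client to the Portal server with those parameters in the query string, and the Portal server walks its push rules from the highest priority (lowest rule number) down and stops at the first match. The Python model below is an added example, not code from this guide or from the Agile Controller-Campus. The portal URL, the parameter name url and the value ssid=guest are the ones the guide uses; the rule fields, the usermac query parameter and the constructed rule set are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Values from the guide: Portal URL from the AC's URL template, the redirect-url
# parameter name "url", and the user-defined parameter ssid=guest.
PORTAL_URL = "http://172.18.1.1:8080/portal"
REDIRECT_PARAM = "url"


def build_redirect(original_url: str, ssid: str, client_mac: str) -> str:
    """Model of the redirect the AC sends to an unauthenticated client.

    The real AC fills its URL template; this assumed layout carries only the
    parameters the guide names (redirect-url, ssid) plus a constructed MAC.
    """
    scheme, netloc, path, _, _ = urlsplit(PORTAL_URL)
    query = urlencode({REDIRECT_PARAM: original_url, "ssid": ssid, "usermac": client_mac})
    return urlunsplit((scheme, netloc, path, query, ""))


def parse_redirect(url: str) -> dict:
    """Extract the query parameters the Portal server matches push rules on."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


@dataclass(order=True)
class PushRule:
    """One Portal page push rule; a lower number means a higher priority."""
    number: int
    name: str = field(compare=False)
    pushed_page: str = field(compare=False)
    conditions: dict = field(default_factory=dict, compare=False)  # e.g. {"ssid": "guest"}
    account_type: Optional[str] = field(default=None, compare=False)


def match_push_rule(rules, params, account_type=None):
    """Return the first rule whose conditions all hold, in ascending rule number.

    As in the guide's summary, evaluation stops at the first hit, so a rule with
    precise conditions must carry a lower number than a fuzzy catch-all.
    """
    for rule in sorted(rules):
        if rule.account_type is not None and rule.account_type != account_type:
            continue
        if all(params.get(key) == value for key, value in rule.conditions.items()):
            return rule
    return None


# Constructed rule set: a QR-code rule, the guest SSID rule, then a catch-all.
RULES = [
    PushRule(1, "Push rule for public QR code authentication", "Public QR Code",
             {"ssid": "guest"}, account_type="Public QR Code"),
    PushRule(2, "Guest page pushing policy", "Social Media", {"ssid": "guest"}),
    PushRule(3, "Default page", "Default"),
]


def pushed_page_for(original_url, ssid, account_type=None, rules=RULES):
    """End-to-end: AC redirect -> Portal parses the query -> push rule -> page name."""
    params = parse_redirect(build_redirect(original_url, ssid, "00:11:22:33:44:55"))
    rule = match_push_rule(rules, params, account_type)
    return rule.pushed_page if rule else None


if __name__ == "__main__":
    print(pushed_page_for("http://www.example.com/", "guest"))                    # Social Media
    print(pushed_page_for("http://www.example.com/", "guest", "Public QR Code"))  # Public QR Code
    print(pushed_page_for("http://www.example.com/", "employee"))                 # Default
```

Numbering the catch-all rule 1 makes match_push_rule return the default page for guest clients as well, which is the ordering mistake the summary above warns against; the redirect-url value survives the round trip because urlencode and parse_qs handle the nested query string of the original URL.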

1.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment
The two-node cluster environment includes the AC (VRRP) and RADIUS server two-node
clusters. Deploying two-node clusters on WLANs improves network reliability.

Involved Products and Versions


Product Type | Product Name | Version
AC-Campus | AC-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00
Core switch | S7700 | V200R008C00

Networking Requirements
To meet service requirements, a company needs to deploy an identity authentication system to
implement access control for all employees who attempt to connect to the enterprise network
in wireless mode. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
l The network must be reliable because all employees need to connect to the wireless
network for work and Internet access.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the enterprise network and deny access to the enterprise network and Internet
from unauthorized terminals.

Figure 1-6 Networking diagram

Requirement Analysis
Based on user requirements, networking design is performed as follows:
l Reliability
– AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively.
A VRRP group is configured between AC1 and AC2, and HSB is used to determine
the active and standby ACs.
– A VRRP group is configured between S7700A and S7700B to improve reliability.
– Eth-Trunks are used to connect aggregation switches and access switches, ACs and
core switches, and ACs.
– The AC-Campus is deployed in 1+2 (one SM + two SCs) mode to ensure reliability
of the authentication server.
l Internetworking
The aggregation switch is configured as a DHCP server to assign IP addresses to APs.
Core switches serve as DHCP servers to assign IP addresses to employees and guests.

VLAN Plan

Table 1-18 VLAN plan

VLAN ID | Function
100 | mVLAN for APs
101 | Service VLAN for employees
103 | Egress VLAN for core switches
104 | VLAN for communication between ACs

Network Data Plan

Table 1-19 Network data plan

Item | No. | Interface | Eth-Trunk Number | VLAN | IP address | Description
Access switch S2750EI | 1 | GE0/0/1 | - | 100 and 101 | - | Connected to the AP in the employee area
Access switch S2750EI | 2 | GE0/0/4 | - | 100 and 101 | - | Connected to the AP in the guest area
Access switch S2750EI | 3 | GE0/0/2 and GE0/0/3 | Eth-Trunk1 | 100 and 101 | - | Connected to the aggregation switch S5720HI
Aggregation switch S5720HI | 4 | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 100: 172.18.10.4/16 | Connected to the access switch S2750EI; gateway for APs
Aggregation switch S5720HI | 5 | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 100 and 101 | - | Connected to the core switch S7700A
Aggregation switch S5720HI | 6 | GE0/0/5 and GE0/0/6 | Eth-Trunk3 | 100 and 101 | - | Connected to the core switch S7700B
S7700A (Active) | 7 | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.2/24 | Connected to the aggregation switch S5720HI
S7700A (Active) | 8 | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100 and 101 | VLANIF 100: 172.18.10.5/24 | Connected to AC1
S7700A (Active) | 9 | GE1/0/5 | - | 103 | VLANIF 103: 172.22.20.1/24 | Connected to the egress router
S7700B (Standby) | 10 | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.3/24 | Connected to the aggregation switch S5720HI
S7700B (Standby) | 11 | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100 and 101 | VLANIF 100: 172.18.10.6/24 | Connected to AC2
S7700B (Standby) | 12 | GE1/0/5 | - | 103 | VLANIF 103: 172.23.20.1/24 | Connected to the egress router
AC1 (Active) | 13 | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.2/24 | Connected to the core switch S7700A
AC1 (Active) | 14 | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.1/24 | Connected to AC2
AC2 (Standby) | 15 | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.3/24 | Connected to the core switch S7700B
AC2 (Standby) | 16 | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.2/24 | Connected to AC1
Virtual addresses of ACs | - | - | - | - | 172.18.10.1/24 | Connected to the AC-Campus
Virtual addresses of S7700s | - | - | - | - | 172.19.10.1/24 | Gateway for employees
Server: SM + SC | - | - | - | - | 172.22.10.2 | -
Server: SC | - | - | - | - | 172.22.10.3 | -
Server: DNS server | - | - | - | - | 172.22.10.4 | -
Server: Internal server | - | - | - | - | 172.22.10.5 | -

Service Data Plan

Table 1-20 Service data plan


Item | Data | Description
AC | Number of the ACL for employees' post-authentication domain: 3001; SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
AC | RADIUS authentication server: primary IP address 172.22.10.2, secondary IP address 172.22.10.3, port number 1812, shared key Admin@123 |
AC | RADIUS accounting server: primary IP address 172.22.10.2, secondary IP address 172.22.10.3, port number 1813, shared key Admin@123, accounting interval 15 minutes |
AC | RADIUS authorization server: primary IP address 172.22.10.2, secondary IP address 172.22.10.3, shared key Admin@123 |
  Description for the three RADIUS server rows:
  l The Service Controller of the AC-Campus provides the RADIUS server function;
    therefore, the IP addresses of the authentication server, accounting server,
    and authorization server are all the IP address of the Service Controller.
  l Configure a RADIUS accounting server to obtain user login and logout
    information. The port numbers of the authentication server and accounting
    server must be the same as those of the RADIUS server.
  l Configure an authorization server to enable the RADIUS server to deliver
    authorization rules to the AC. The shared key of the authorization server
    must be the same as those of the authentication server and accounting server.
AC-Campus | IP address: 172.18.10.1 | -
AC-Campus | Authentication port: 1812 | -
AC-Campus | Accounting port: 1813 | -
AC-Campus | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC.
AC-Campus | Account: tony; Password: Admin@123 | -
Post-authentication domain for employees | Internal servers and Internet | -
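The plan above gives the AC and the AC-Campus one RADIUS shared key (Admin@123) for the authentication (port 1812), accounting (port 1813) and authorization servers, and requires the keys to be identical. The reason a mismatch fails authentication outright rather than producing a garbled reply is the RADIUS Response Authenticator of RFC 2865: the server computes MD5 over the reply's code, identifier and length, the Request Authenticator, the reply attributes and the shared secret, and the NAS (the AC here) recomputes it with its own copy of the key and discards replies that do not verify. The Python below is an added example, not code from this guide or from either Huawei product: it builds a minimal Access-Request and Access-Accept with the guide's key, verifies the reply as the NAS would, and shows a wrong key or a modified attribute failing. Attribute numbers follow RFC 2865 (User-Name 1, Filter-Id 11, NAS-Identifier 32); that the ACL number travels in Filter-Id is an assumption of this example, since the guide does not say which attribute the AC-Campus uses.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator (RFC 2865)
USER_NAME, FILTER_ID, NAS_IDENTIFIER = 1, 11, 32


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    return HEADER.pack(code, identifier, HEADER.size + len(attributes), authenticator) + attributes


def response_authenticator(code, identifier, length, request_auth, attributes, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_access_accept(request: bytes, attributes: bytes, server_secret: bytes) -> bytes:
    """What the RADIUS server (the Service Controller) does with its copy of the key."""
    _, identifier, _, request_auth = HEADER.unpack_from(request)
    length = HEADER.size + len(attributes)
    auth = response_authenticator(ACCESS_ACCEPT, identifier, length, request_auth,
                                  attributes, server_secret)
    return build_packet(ACCESS_ACCEPT, identifier, auth, attributes)


def verify_response(request: bytes, response: bytes, nas_secret: bytes) -> bool:
    """What the NAS (the AC) does with its own copy of the key before trusting a reply."""
    _, request_id, _, request_auth = HEADER.unpack_from(request)
    code, identifier, length, received_auth = HEADER.unpack_from(response)
    if identifier != request_id or length != len(response):
        return False
    attributes = response[HEADER.size:length]
    expected = response_authenticator(code, identifier, length, request_auth,
                                      attributes, nas_secret)
    # Constant-time comparison so a forged reply cannot be refined byte by byte.
    return hmac.compare_digest(expected, received_auth)


def demo(nas_secret: bytes, server_secret: bytes) -> bool:
    """Run one Access-Request/Access-Accept exchange and return the NAS's verdict."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    request = build_packet(ACCESS_REQUEST, 7, request_auth,
                           attribute(USER_NAME, b"tony") + attribute(NAS_IDENTIFIER, b"AC1"))
    # Assumption for illustration: the post-authentication ACL number (3001) is
    # returned in Filter-Id; the guide does not name the attribute the AC-Campus uses.
    accept = build_access_accept(request, attribute(FILTER_ID, b"3001"), server_secret)
    return verify_response(request, accept, nas_secret)


if __name__ == "__main__":
    print("same key on AC and AC-Campus:", demo(b"Admin@123", b"Admin@123"))  # True
    print("key differs on AC-Campus:", demo(b"Admin@123", b"Admin@124"))      # False
```

UDP transport and the port numbers are not modelled. The same check applies to Access-Reject and, per RFC 2866, to Accounting-Response packets, which is why the plan insists on one key for all three server roles: a key that differs on any one of them silently invalidates that role's replies.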

Prerequisites
You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A
and S7700B, respectively.

Configuration Roadmap
NOTE

The active and standby nodes do not synchronize VRRP HSB configurations. Therefore, all operations must
be performed on both the active and standby nodes.

1. Configure the access switch, aggregation switch, core switches, and ACs to ensure
network connectivity and reliability.

2. Configure VRRP and HSB on core switches.


3. Configure VRRP and HSB on ACs.
4. Configure a RADIUS server template, authentication, accounting, and authorization
schemes in the template, and wireless 802.1X authentication on each AC.
5. Add ACs on the SM and set parameters to ensure that the AC-Campus can communicate
properly with the ACs.
6. Add an authorization result and an authorization rule to grant permission to employees
after they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4 //Enter the view of the interface
connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk //Change the link type of
gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit

# Create Eth-Trunk 1, and add GE0/0/2 and GE0/0/3 to Eth-Trunk 1.


[S2700] interface eth-trunk 1 //Create Eth-Trunk 1.
[S2700-Eth-Trunk1] quit
[S2700] interface gigabitethernet 0/0/2 //Add gigabitethernet0/0/2 to Eth-Trunk
1.
[S2700-GigabitEthernet0/0/2] eth-trunk 1
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Add gigabitethernet0/0/3 to Eth-Trunk
1.
[S2700-GigabitEthernet0/0/3] eth-trunk 1
[S2700-GigabitEthernet0/0/3] quit

# Add Eth-Trunk 1 to VLANs.


[S2700] interface eth-trunk 1 //Enter the view of the interface connected to the
aggregation switch.
[S2700-Eth-Trunk1] port link-type trunk //Change the link type of Eth-Trunk 1 to
trunk.
[S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101 //Add Eth-Trunk 1 to VLAN
100 and VLAN 101.
[S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S2700-Eth-Trunk1] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable //Enable the DHCP service.

[S5720HI] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100 //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24 //Configure an IP address for
VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3 //
Exclude IP addresses in use from the DHCP address pool.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S5720HI-Vlanif100] quit

# Create Eth-Trunk 1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.


[S5720HI] interface eth-trunk 1
[S5720HI-Eth-Trunk1] quit
[S5720HI] interface gigabitethernet 0/0/1
[S5720HI-GigabitEthernet0/0/1] eth-trunk 1
[S5720HI-GigabitEthernet0/0/1] quit
[S5720HI] interface gigabitethernet 0/0/2
[S5720HI-GigabitEthernet0/0/2] eth-trunk 1
[S5720HI-GigabitEthernet0/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S5720HI] interface eth-trunk 1 //Enter the view of the interface connected to
the access switch S2700.
[S5720HI-Eth-Trunk1] port link-type trunk
[S5720HI-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk1] quit

# Create Eth-Trunk 2, and add GE0/0/3 and GE0/0/4 to Eth-Trunk 2.


[S5720HI] interface eth-trunk 2
[S5720HI-Eth-Trunk2] quit
[S5720HI] interface gigabitethernet 0/0/3
[S5720HI-GigabitEthernet0/0/3] eth-trunk 2
[S5720HI-GigabitEthernet0/0/3] quit
[S5720HI] interface gigabitethernet 0/0/4
[S5720HI-GigabitEthernet0/0/4] eth-trunk 2
[S5720HI-GigabitEthernet0/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S5720HI] interface eth-trunk 2 //Enter the view of the interface connected to
the core switch S7700A.
[S5720HI-Eth-Trunk2] port link-type trunk
[S5720HI-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk2] quit

# Create Eth-Trunk 3, and add GE0/0/5 and GE0/0/6 to Eth-Trunk 3.


[S5720HI] interface eth-trunk 3
[S5720HI-Eth-Trunk3] quit
[S5720HI] interface gigabitethernet 0/0/5
[S5720HI-GigabitEthernet0/0/5] eth-trunk 3
[S5720HI-GigabitEthernet0/0/5] quit
[S5720HI] interface gigabitethernet 0/0/6
[S5720HI-GigabitEthernet0/0/6] eth-trunk 3
[S5720HI-GigabitEthernet0/0/6] quit

# Add Eth-Trunk 3 to VLANs.


[S5720HI] interface eth-trunk 3 //Enter the view of the interface connected to
the core switch S7700B.
[S5720HI-Eth-Trunk3] port link-type trunk
[S5720HI-Eth-Trunk3] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk3] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk3] quit
[S5720HI] quit
<S5720HI> save //Save the configuration.


Step 3 [Device] Configure the core switch S7700A to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 101 103 //Create VLAN 100, VLAN 101, and VLAN 103 in a
batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.


[S7700A] interface eth-trunk 1
[S7700A-Eth-Trunk1] quit
[S7700A] interface gigabitethernet 1/0/1
[S7700A-GigabitEthernet1/0/1] eth-trunk 1
[S7700A-GigabitEthernet1/0/1] quit
[S7700A] interface gigabitethernet 1/0/2
[S7700A-GigabitEthernet1/0/2] eth-trunk 1
[S7700A-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S7700A] interface eth-trunk 1 //Enter the view of the interface connected to
the aggregation switch S5720HI.
[S7700A-Eth-Trunk1] port link-type trunk
[S7700A-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk1] quit
[S7700A] dhcp enable
[S7700A] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700A-Vlanif101] ip address 172.19.10.2 24 //Configure an IP address for
VLANIF 101 for communicating with VLANIF 101 on S7700B.
[S7700A-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that
the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700A-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server
address.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 //Exclude IP
addresses in use from the DHCP address pool.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
[S7700A-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.


[S7700A] interface eth-trunk 2
[S7700A-Eth-Trunk2] quit
[S7700A] interface gigabitethernet 1/0/3
[S7700A-GigabitEthernet1/0/3] eth-trunk 2
[S7700A-GigabitEthernet1/0/3] quit
[S7700A] interface gigabitethernet 1/0/4
[S7700A-GigabitEthernet1/0/4] eth-trunk 2
[S7700A-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S7700A] interface eth-trunk 2 //Enter the view of the interface connected to
AC1.
[S7700A-Eth-Trunk2] port link-type trunk
[S7700A-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk2] quit
[S7700A] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700A-Vlanif100] ip address 172.18.10.5 24 //Configure an IP address for
VLANIF 100 for communicating with AC1.
[S7700A-Vlanif100] quit

# Configure an IP address for the interface connecting to the egress router.


[S7700A] interface gigabitethernet 1/0/5 //Enter the view of the interface
connected to the egress router.
[S7700A-GigabitEthernet1/0/5] port link-type trunk
[S7700A-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700A-GigabitEthernet1/0/5] port trunk allow-pass vlan 103


[S7700A-GigabitEthernet1/0/5] quit
[S7700A] interface vlanif 103
[S7700A-Vlanif103] ip address 172.22.20.1 24
[S7700A-Vlanif103] quit
[S7700A] ip route-static 0.0.0.0 0 172.22.20.2
[S7700A] quit
<S7700A> save //Save the configuration.

Step 4 [Device] Configure the core switch S7700B to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 101 103 //Create VLAN 100, VLAN 101, and VLAN 103 in a
batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.


[S7700B] interface eth-trunk 1
[S7700B-Eth-Trunk1] quit
[S7700B] interface gigabitethernet 1/0/1
[S7700B-GigabitEthernet1/0/1] eth-trunk 1
[S7700B-GigabitEthernet1/0/1] quit
[S7700B] interface gigabitethernet 1/0/2
[S7700B-GigabitEthernet1/0/2] eth-trunk 1
[S7700B-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S7700B] interface eth-trunk 1 //Enter the view of the interface connected to
the aggregation switch S5720HI.
[S7700B-Eth-Trunk1] port link-type trunk
[S7700B-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk1] quit
[S7700B] dhcp enable
[S7700B] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700B-Vlanif101] ip address 172.19.10.3 24 //Configure an IP address for
VLANIF 101 for communicating with VLANIF 101 on S7700A.
[S7700B-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that
the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700B-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server
address.
[S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2 //
Exclude IP addresses in use from the DHCP address pool.
[S7700B-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.


[S7700B] interface eth-trunk 2
[S7700B-Eth-Trunk2] quit
[S7700B] interface gigabitethernet 1/0/3
[S7700B-GigabitEthernet1/0/3] eth-trunk 2
[S7700B-GigabitEthernet1/0/3] quit
[S7700B] interface gigabitethernet 1/0/4
[S7700B-GigabitEthernet1/0/4] eth-trunk 2
[S7700B-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S7700B] interface eth-trunk 2 //Enter the view of the interface connected to
AC2.
[S7700B-Eth-Trunk2] port link-type trunk
[S7700B-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk2] quit
[S7700B] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700B-Vlanif100] ip address 172.18.10.6 24 //Configure an IP address for
VLANIF 100 for communicating with AC2.
[S7700B-Vlanif100] quit

# Configure an IP address for the interface connecting to the egress router.


[S7700B] interface gigabitethernet 1/0/5 //Enter the view of the interface
connected to the egress router.
[S7700B-GigabitEthernet1/0/5] port link-type trunk
[S7700B-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700B-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700B-GigabitEthernet1/0/5] quit
[S7700B] interface vlanif 103
[S7700B-Vlanif103] ip address 172.23.20.1 24
[S7700B-Vlanif103] quit
[S7700B] ip route-static 0.0.0.0 0 172.23.20.2
[S7700B] quit
<S7700B> save

Step 5 [Device] Configure VRRP groups on core switches (S7700s).


# On VLANIF 101 of S7700A, create VRRP group 1, set the priority of S7700A in the VRRP
group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP
group 1 as the employee gateway address.
<S7700A> system-view
[S7700A] interface vlanif 101
[S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700A-Vlanif101] vrrp vrid 1 priority 120
[S7700A-Vlanif101] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif101] quit

# On VLANIF 101 of S7700B, create VRRP group 1 and leave the priority of S7700B in the
VRRP group at the default value 100 (no priority command is needed).
<S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif101] quit

Step 6 [Device] Configure the ACs to ensure network connectivity.


# On AC1, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC1 to S7700A to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC1 to AC2 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 104
[AC1] interface eth-trunk 1
[AC1-Eth-Trunk1] port link-type trunk
[AC1-Eth-Trunk1] port trunk allow-pass vlan 100
[AC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and
GE0/0/2 connected to the core switch S7700A to Eth-Trunk 1.
[AC1-Eth-Trunk1] quit
[AC1] interface eth-trunk 2
[AC1-Eth-Trunk2] port link-type trunk
[AC1-Eth-Trunk2] port trunk allow-pass vlan 104
[AC1-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC2 to Eth-Trunk 2.
[AC1-Eth-Trunk2] quit

# Configure an IP address for AC1 to communicate with other NEs.


[AC1] interface vlanif 104
[AC1-Vlanif104] ip address 10.10.11.1 24 //Configure an IP address for VLANIF
104 for communicating with AC2 and transmitting backup data.
[AC1-Vlanif104] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.2 24
[AC1-Vlanif100] quit

# Configure a default route for AC1 so that packets are forwarded to core switches by default.


[AC1] ip route-static 0.0.0.0 0 172.18.10.5

# On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2
connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit

# Configure an IP address for AC2 to communicate with other NEs.


[AC2] interface vlanif 104
[AC2-Vlanif104] ip address 10.10.11.2 24 //Configure an IP address for VLANIF
104 for communicating with AC1 and transmitting backup data.
[AC2-Vlanif104] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.3 24
[AC2-Vlanif100] quit

# Configure a default route for AC2 so that packets are forwarded to core switches by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.6

Step 7 [Device] Configure VRRP on AC1 to implement AC HSB.

# Set the recovery delay of a VRRP group to 30 seconds.


[AC1] vrrp recover-delay 30

# Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to
120 and preemption delay to 1200s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP
group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption
delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-
data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 2 interval 1
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.


[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC1] hsb-service-type dhcp hsb-group 0

# Enable HSB.
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 8 [Device] Configure VRRP on AC2 to implement AC HSB.


# Set the recovery delay of a VRRP group to 30 seconds.
[AC2] vrrp recover-delay 30

# Create a management VRRP group on AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC2-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP backup group.
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-
data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 2 interval 1
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC2] hsb-service-type dhcp hsb-group 0

Step 9 [Device] Enable HSB on AC2.


# Enable HSB.


[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 10 [Device] Verify the VRRP configuration.


# After the configurations are complete, run the display vrrp command on AC1 and AC2.
The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

[AC2] display vrrp


Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
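The display vrrp output above shows Auth type : NONE and Virtual MAC 0000-5e00-0101. The following is an added example written by the editor in Python; it is not code from this guide or from Huawei. It builds and parses VRRPv2 advertisements (RFC 3768) with the values of the management VRRP group from Steps 7 and 8 (VRID 1, AC1 priority 120, virtual IP 172.18.10.1, 1 s advertisement interval), derives the virtual MAC from the VRID the way the switch does, and verifies the Internet checksum. RFC 3768 defines no authentication for VRRPv2, so nothing in the packet proves who sent it: an advertisement for the same VRID carrying a higher priority than the configured master is honoured by the protocol. preempt_alert (a helper name chosen here) shows the check a monitor fed from a mirror port on VLAN 100 would apply; the "rogue" advertisement it is given is a constructed sample.

```python
"""VRRPv2 (RFC 3768) advertisement builder and parser. Added example, not Huawei code."""
import ipaddress
import struct

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_TYPE_NAMES = {0: "NONE", 1: "SIMPLE", 2: "IP-AH"}  # RFC 2338 codes; RFC 3768 keeps only 0
AUTH_DATA_LEN = 8  # trailing Authentication Data field, all zero when Auth Type is 0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words; returns 0 for an intact packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """RFC 3768 virtual MAC 00-00-5E-00-01-<VRID>, in the hyphenated form 'display vrrp' prints."""
    return "0000-5e00-01%02x" % vrid


def build_advertisement(vrid: int, priority: int, virtual_ips, interval: int = 1) -> bytes:
    """Serialise an advertisement with Auth Type 0 (what 'Auth type : NONE' means)."""
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in virtual_ips)
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT,
                         vrid, priority, len(virtual_ips), 0, interval, 0)  # checksum 0 while computing
    msg = header + addrs + bytes(AUTH_DATA_LEN)
    return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Parse and validate a VRRPv2 advertisement; raises ValueError on malformed or corrupted input."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count, auth_type, interval, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if (ver_type >> 4) != VRRP_VERSION or (ver_type & 0x0F) != TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    length = 8 + 4 * count + AUTH_DATA_LEN
    if len(pkt) < length:
        raise ValueError("address count exceeds packet length")
    if internet_checksum(pkt[:length]) != 0:
        raise ValueError("bad checksum")
    ips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "interval": interval,
            "auth_type": AUTH_TYPE_NAMES.get(auth_type, str(auth_type)),
            "virtual_ips": ips, "virtual_mac": virtual_mac(vrid)}


def preempt_alert(adv: dict, expected: dict):
    """Reason string if an advertisement for the monitored VRID could displace the configured
    master (higher priority, or a different VIP set); None if it is consistent with the config."""
    if adv["vrid"] != expected["vrid"]:
        return None
    if adv["priority"] > expected["master_priority"]:
        return "priority %d exceeds configured master priority %d" % (
            adv["priority"], expected["master_priority"])
    if set(adv["virtual_ips"]) != set(expected["virtual_ips"]):
        return "virtual IPs %s differ from configured %s" % (adv["virtual_ips"], expected["virtual_ips"])
    return None


# Values from this section: management VRRP group 1 on VLANIF 100, AC1 priority 120, VIP 172.18.10.1.
EXPECTED_AC_VRRP = {"vrid": 1, "master_priority": 120, "virtual_ips": ["172.18.10.1"]}

if __name__ == "__main__":
    pkt = build_advertisement(1, 120, ["172.18.10.1"])  # what AC1 sends every second
    print(parse_advertisement(pkt))
    rogue = parse_advertisement(build_advertisement(1, 200, ["172.18.10.1"]))  # constructed sample
    print(preempt_alert(rogue, EXPECTED_AC_VRRP))
```

Run as a script it prints the parsed advertisement and the alert for the constructed higher-priority packet. In a real monitor the bytes handed to parse_advertisement would be the payload of IP protocol 112 frames captured on VLAN 100, and the expected dictionary would be filled from the vrrp vrid commands of Steps 5, 7 and 8 (one entry per VRID and VLANIF).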

Step 11 [Device] On the ACs, configure a RADIUS server template, and configure authentication,
accounting, and authorization schemes in the template. In this way, the ACs can communicate
with the RADIUS server.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source
ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication
server with a higher weight than that of the secondary authentication server.
Set the authentication port to 1812 and the source IP address used to communicate
with the RADIUS server to 172.18.10.1 (the management VRRP virtual IP address
configured in Step 7).
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source
ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS authentication
server with a lower weight than that of the primary authentication server.
Set the authentication port to 1812 and the source IP address to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-
address 172.18.10.1 weight 80 //Configure a primary RADIUS accounting server
with a higher weight than that of the secondary accounting server to obtain user
login and logout information.
Set the accounting port to 1813 and the source IP address to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-
address 172.18.10.1 weight 40 //Configure a secondary RADIUS accounting server
with a lower weight than that of the primary accounting server to obtain user
login and logout information.
Set the accounting port to 1813 and the source IP address to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //
Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC
to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC. Set the shared key to Admin@123, which must be
the same as that of the authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //
Configure the second RADIUS authorization server with the same shared key.
//The access control device can process CoA/DM Request packets initiated by the
AC-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one
mapping, that is, the number of authentication servers and authorization servers
must be the same. If not, the AC-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication
scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can
maintain account state information such as login/logout information and force
users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 1-21 Accounting interval

User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

# On AC2, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template. The RADIUS authentication configuration of AC2
is the same as that of AC1 and is not provided here.
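Added example written by the editor in Python; it is not code from this guide or from Huawei. It shows what the key set with radius-server shared-key cipher does on the wire, and therefore why it must be identical on the AC and on the AC-Campus: the key is mixed into the User-Password obfuscation (RFC 2865 section 5.2), into the Message-Authenticator HMAC-MD5 that requests carrying EAP for 802.1X must include (RFC 2869 section 5.14), and into the Response Authenticator the AC checks on every Access-Accept or Access-Reject. With a mismatched key the AC silently discards the server's responses. Anyone holding the key can both recover User-Password values and forge responses, which is the practical reason to use a longer key than the Admin@123 of this example. The NAS-IP-Address 172.18.10.1 is the source ip-address from the template; the user name, password, Identifier and Request Authenticator are constructed sample values, and a plain User-Password request is used so the exchange stays self-contained (EAP-Message framing is not shown).

```python
"""RADIUS (RFC 2865/2869) request and response authenticators. Added example, not Huawei code."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(pkt: bytes):
    """Return [(type, value, offset)] for every attribute after the 20-byte header."""
    pos, attrs = HEADER_LEN, []
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((attr_type, pkt[pos + 2:pos + length], pos))
        pos += length
    return attrs


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), chained."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_user_password(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; what the server (or a key holder) computes."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += bytes(c ^ b for c, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None) -> bytes:
    """Access-Request with User-Password and a Message-Authenticator (HMAC-MD5 over the whole
    packet with the attribute's own 16 value bytes zeroed), placed as the last attribute."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    for attr_type, value, pos in parse_attributes(pkt):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What the NAS does with an Access-Accept: same Identifier and a valid Response Authenticator."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"Admin@123"  # the shared key from this step
    req = build_access_request(7, SECRET, b"alice", b"s3cret", "172.18.10.1")  # constructed sample
    print("request MAC verifies with right key :", verify_message_authenticator(req, SECRET))
    print("request MAC verifies with wrong key :", verify_message_authenticator(req, b"Admin@124"))
    accept = build_response(req, ACCESS_ACCEPT, SECRET)
    print("Access-Accept verifies with right key:", verify_response(req, accept, SECRET))
    print("Access-Accept verifies with wrong key:", verify_response(req, accept, b"Admin@124"))
```

The same verification applies to the accounting key entered in Step 15: the Accounting-Request authenticator is an MD5 over the packet and the secret, so an accounting-key mismatch shows up as accounting requests that the AC-Campus drops and the AC retransmits.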
Step 12 [Device] Configure APs to go online on AC1 and AC2. The following uses AC1 as an
example.


# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] capwap source ip-address 172.18.10.1

# Import the AP offline on the AC and add the AP to the AP group ap-group1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio. Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio. Whether to
continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0 ap-group1 172.18.10.254 AP6010DN-AGN nor   0   10S
1  60de-4476-e380 ap_1 ap-group1 172.18.10.253 AP6010DN-AGN nor   0   20S
-------------------------------------------------------------------------------------
Total: 2

Step 13 [Device] Configure wireless 802.1X authentication on AC1. The 802.1X authentication
configuration of AC2 is the same as that of AC1 and is not provided here.

The following figure shows the process of configuring wireless 802.1X authentication.


1. Configure an access profile.


NOTE

An access profile defines the 802.1X authentication protocol and packet processing parameters. By
default, EAP authentication is used.
[AC1] dot1x-access-profile name acc_dot1x
[AC1-dot1x-access-profile-acc_dot1x] quit
2. Configure an authentication profile.
Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC1] authentication-profile name auth_dot1x
[AC1-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC1-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_dot1x] radius-server radius_template
[AC1-authentication-profile-auth_dot1x] quit
3. Set wireless 802.1X authentication parameters.
# Create the security profile security_dot1x and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_dot1x
[AC1-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC1-wlan-sec-prof-security_dot1x] quit

# Create the SSID profile wlan-ssid and set the SSID name to employee.
[AC1-wlan-view] ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward //Configure direct
forwarding.
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC1-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 14 [Device] Configure resources accessible to users after successful authentication on AC1 and
AC2. In this example, all resources are configured as accessible after successful
authentication (ACL 3001 permits all IP traffic). On a production network, restrict this ACL
to the resources employees actually need.
[AC1] acl 3001
[AC1-acl-adv-3001] rule 1 permit ip
[AC1-acl-adv-3001] quit

Step 15 [AC-Campus] Add the AC to the Service Manager to enable the AC-Campus to manage the
AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.


Parameter                               Value        Description
Name                                    AC           -
IP address                              172.18.10.1  Virtual IP address of the AC.
Authentication key                      Admin@123    It must be the same as the shared key of the
                                                     RADIUS authentication server configured on
                                                     the AC.
Accounting key                          Admin@123    It must be the same as the shared key of the
                                                     RADIUS accounting server configured on the
                                                     AC.
Real-time accounting interval (minute)  15           It must be the same as the real-time accounting
                                                     interval configured on the AC.

4. Click OK.
Step 16 [AC-Campus] Configure authentication and authorization.
1. Optional: Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.
By default, an authentication rule takes effect only on the local data source. If a third-
party data source such as AD data source is used, modify the default authentication rule
or create an authentication rule, and select the authentication data source correctly.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add an authorization ACL.
The ACL number must be the same as that configured on the authentication control
device.


3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
users after successful authentication.

----End

Verification

Item | Expected Result
Employee authentication | - Use a mobile phone to associate with the SSID employee, and enter an AD domain user name and password. - After successful authentication, you can access Internet resources successfully. - Run the display access-user and display access-user user-id user-id commands on AC1 to view detailed online user information. - Choose Resource > User > RADIUS Log on the AC-Campus to view RADIUS logs.
AC1 power-off | Services are automatically switched to AC2, without affecting employee authentication. The process is not detected by user terminals.
SC power-off | After the network cable of a Service Controller is disconnected, employees are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions


- The authentication key and accounting key must be kept consistent on the ACs and AC-Campus.
- Authorization rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition of a user matches a rule, the AC-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the ACs to enable the AC-Campus to obtain online user information by exchanging accounting packets with the AC. The AC-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
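The first-match behaviour in the second suggestion is easy to break as rules accumulate: a fuzzy rule placed ahead of a precise one silently takes every decision the precise rule was meant to make. The following added example (it is not part of this guide and not AC-Campus code) models the matching order in Python and adds a helper that reports rules an earlier, less specific rule shadows. The rule sets, the department and SSID attributes and the account records are constructed for the example; ACL 3001 and the SSID employee appear in this section, and ACL 3002 and the SSID guest in the data plan of the next example.

```python
"""First-match authorization as the Summary and Suggestions describe it: rules
are tried in ascending rule-number order (descending priority) and the first
rule whose conditions all match decides the result; later rules are skipped.

Added example, not AC-Campus code. Rule sets, user attributes and accounts are
constructed; ACL 3001 (employee domain), ACL 3002 (guest domain) and the SSIDs
employee / guest are the values used in this guide."""
from dataclasses import dataclass


@dataclass
class Rule:
    number: int        # rule number: lower number = higher priority
    conditions: dict   # attribute -> required value; {} matches every user
    result_acl: int    # authorization result: ACL number delivered to the AC

    def matches(self, user):
        return all(user.get(k) == v for k, v in self.conditions.items())


def authorize(rules, user):
    """Return (rule number, ACL) of the first matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(user):
            return rule.number, rule.result_acl
    return None


def find_shadowed(rules):
    """Return (shadowed rule, shadowing rule) pairs. A later rule is dead when an
    earlier rule's conditions are a subset of its own: every user the later rule
    would match has already been caught by the earlier one."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(later.conditions.get(k) == v for k, v in earlier.conditions.items()):
                shadowed.append((later.number, earlier.number))
                break
    return shadowed


# Recommended order: the precise rule (department AND SSID) has the higher
# priority, the fuzzy SSID-only rule follows, and a catch-all comes last.
GOOD_RULES = [
    Rule(1, {"department": "Guest", "ssid": "employee"}, 3002),
    Rule(2, {"ssid": "employee"}, 3001),
    Rule(3, {}, 3002),
]

# Wrong order: the fuzzy rule sits first and swallows the precise one, so a
# guest account that associates with the employee SSID receives the employee ACL.
BAD_RULES = [
    Rule(1, {"ssid": "employee"}, 3001),
    Rule(2, {"department": "Guest", "ssid": "employee"}, 3002),
    Rule(3, {}, 3002),
]

# Constructed users: an employee account and a guest account on the employee SSID.
TONY = {"department": "Employee", "ssid": "employee"}
SUSAN_ON_EMPLOYEE_SSID = {"department": "Guest", "ssid": "employee"}

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_RULES), ("bad order", BAD_RULES)):
        print(name, "| tony ->", authorize(rules, TONY),
              "| susan on employee SSID ->", authorize(rules, SUSAN_ON_EMPLOYEE_SSID),
              "| shadowed rules:", find_shadowed(rules))
```

With the recommended order the guest account on the employee SSID is held to ACL 3002; with the fuzzy rule first it receives ACL 3001, and `find_shadowed` flags rule 2 as unreachable, which is the check worth running whenever a rule is inserted above existing ones.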

1.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment
This example illustrates how to configure Portal authentication on a hot standby (HSB)
wireless network. VRRP-enabled ACs, RADIUS servers, and Portal servers on the network
are deployed in HSB mode, improving network reliability.

Involved Products and Versions


Product Type | Product Name | Version
AC-Campus | AC-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00
Core switch | S7700 | V200R008C00

Networking Requirements
A company has about 2000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
- The authentication operations must be simple. The authentication system only performs access authorization and does not require any client software on user terminals.
- A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
- Employees and guests access the campus network using different SSIDs.
- Employees can connect only to the DNS server and AC-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
- Guests can connect only to the DNS server and AC-Campus of the company before authentication, and can connect only to the Internet after being authenticated.
- Two ACs, two core switches, and two AC-Campus servers are deployed in HSB mode to improve network reliability.

Figure 1-7 Networking of Portal authentication for wireless users in HSB mode

Requirement Analysis
The company has no specific requirement on terminal security check and requires simple
operations, without a need to install authentication clients on wireless terminals. Considering
the networking and requirements of the company, Portal authentication can be used on the
campus network.
Based on user requirements, networking design is performed as follows:
- Reliability
– AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively. A VRRP group is configured between AC1 and AC2, and HSB is used to determine the active and standby ACs.
– A VRRP group is configured between S7700A and S7700B to improve reliability.
– Eth-Trunks are used to connect aggregation switches and access switches, ACs and core switches, and ACs.
– The AC-Campus is deployed in 1+2 (one SM + two SCs) mode to ensure reliability of the authentication server.
- Internetworking
– The aggregation switch is configured as a DHCP server to assign IP addresses to APs. Core switches serve as DHCP servers to assign IP addresses to employees and guests.
- Data traffic forwarding mode
Data packets of employees and guests are forwarded in local and tunnel modes, respectively. Authentication packets of employees and guests are both forwarded in tunnel mode.
- Services
– Employees and guests are all authenticated on the web pages pushed by the Portal server. You need to configure different ACL rules on the ACs to control access rights of employees and guests.
– Different SSIDs need to be configured for employees and guests so that different authentication pages can be pushed to them based on their SSIDs.

VLAN Plan

Table 1-22 VLAN plan


VLAN ID | Function
100 | mVLAN for APs
101 | Service VLAN for employees
102 | Service VLAN for guests
103 | Egress VLAN for core switches
104 | VLAN for communication between ACs

Network Data Plan

Table 1-23 Network data plan


Item | No. | Interface | Eth-Trunk Number | VLAN | IP address | Description
Access switch S2750EI | (1) | GE0/0/1 | - | 100 and 101 | - | Connected to the AP in the employee area
Access switch S2750EI | (2) | GE0/0/4 | - | 100 and 101 | - | Connected to the AP in the guest area
Access switch S2750EI | (3) | GE0/0/2 and GE0/0/3 | Eth-Trunk1 | 100 and 101 | - | Connected to the aggregation switch S5720HI
Aggregation switch S5720HI | (4) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 100: 172.18.10.4/24 (gateway for APs) | Connected to the access switch S2750EI
Aggregation switch S5720HI | (5) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 100 and 101 | - | Connected to the core switch S7700A
Aggregation switch S5720HI | (6) | GE0/0/5 and GE0/0/6 | Eth-Trunk3 | 100 and 101 | - | Connected to the core switch S7700B
S7700A (Active) | (7) | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.2/24 | Connected to the aggregation switch S5720HI
S7700A (Active) | (8) | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100, 101, and 102 | VLANIF 100: 172.18.10.5/24; VLANIF 102: 172.20.10.2/24 | Connected to AC1
S7700A (Active) | (9) | GE1/0/5 | - | 103 | VLANIF 103: 172.22.20.1/24 | Connected to the egress router
S7700B (Standby) | (10) | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.3/24 | Connected to the aggregation switch S5720HI
S7700B (Standby) | (11) | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100, 101, and 102 | VLANIF 100: 172.18.10.6/24; VLANIF 102: 172.20.10.3/24 | Connected to AC2
S7700B (Standby) | (12) | GE1/0/5 | - | 103 | VLANIF 103: 172.23.20.1/24 | Connected to the egress router
AC1 (Active) | (13) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.2/24 | Connected to the core switch S7700A
AC1 (Active) | (14) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.1/24 | Connected to AC2
AC2 (Standby) | (15) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.3/24 | Connected to the core switch S7700B
AC2 (Standby) | (16) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.2/24 | Connected to AC1
Virtual addresses of ACs | - | - | - | - | 172.18.10.1/24 | Connected to the AC-Campus
Virtual address 1 of S7700s | - | - | - | - | 172.19.10.1/24 | Gateway for employees
Virtual address 2 of S7700s | - | - | - | - | 172.20.10.1/24 | Gateway for guests
Server: SM + SC (RADIUS server 1 + Portal server 1) | - | - | - | - | 172.22.10.2 | -
Server: SC (RADIUS server 2 + Portal server 2) | - | - | - | - | 172.22.10.3 | -
Server: DNS server | - | - | - | - | 172.22.10.4 | -
Server: Internal server | - | - | - | - | 172.22.10.5 | -


Service Data Plan

Table 1-24 Service data plan


Item | Data | Description
AC | Number of the ACL for employees' post-authentication domain: 3001; SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
AC | Number of the ACL for guests' post-authentication domain: 3002; SSID of the guest area: guest | You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
AC | RADIUS authentication server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number 1812; shared key Admin@123 | - The Service Controller of the AC-Campus provides RADIUS server and Portal server functions; therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller. - Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. - Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
AC | RADIUS accounting server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number 1813; shared key Admin@123; accounting interval 15 minutes | Same as for the RADIUS authentication server.
AC | RADIUS authorization server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; shared key Admin@123 | Same as for the RADIUS authentication server.
AC | Portal server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number that the AC uses to listen on Portal protocol packets: 2000; destination port number in the packets that the AC sends to the Portal server: 50200; shared key Admin@123; encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 | Same as for the RADIUS authentication server.
AC-Campus | Host name1: access1.example.com; Host name2: access2.example.com | Users can use the domain name to access the Portal server.
AC-Campus | Authentication port: 1812 | -
AC-Campus | Accounting port: 1813 | -
AC-Campus | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC.
AC-Campus | Port number of the Portal server: 50200 | -
AC-Campus | Portal key: Admin@123 | It must be the same as the Portal key configured on the AC.
AC-Campus | Department: Employee (account tony, password Admin@123); Department: Guest (account susan, password Admin@123) | Department Employee, employee account tony, and guest account susan have been created on the AC-Campus.
Pre-authentication domain | SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server | -
Post-authentication domain for employees | Internal servers and Internet | -
Post-authentication domain for guests | Internet | -
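Table 1-24 (and the first suggestion at the end of 1.8) requires the RADIUS shared key to be identical on the AC and the AC-Campus without saying what breaks when it is not. RFC 2865 ties both directions of the exchange to that secret: the AC hides the User-Password attribute with MD5(secret + authenticator), and the server's reply carries a Response Authenticator of MD5(Code + ID + Length + RequestAuth + Attributes + Secret) that the AC recomputes with its own key, discarding the packet on mismatch. A wrong key therefore shows up as a server that never answers, not as an explicit rejection. The added example below (not code from the guide or from either product) implements both checks; only the key Admin@123, the account tony and port 1812 come from the data plan, and the packet identifier and Request Authenticator are constructed.

```python
"""RFC 2865 password hiding and Response Authenticator, used here to show why
the RADIUS shared key on the AC and the AC-Campus must match.

Added example, not code from the guide or from either product. Only the key
Admin@123, the account tony and UDP port 1812 come from the data plan; the
packet identifier and Request Authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
AUTH_PORT = 1812  # from the data plan; informational, nothing is sent on the wire


def attribute(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def header(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret +
    previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chaining value is the ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5 over the reply header (with the request's authenticator) and the secret."""
    body = struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret
    return hashlib.md5(body).digest()


def build_access_request(ident, username, password, secret, request_auth):
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return header(ACCESS_REQUEST, ident, request_auth, attrs)


def build_access_accept(request, secret):
    """What the RADIUS server (here the AC-Campus) sends back, signed with its key."""
    ident, request_auth = request[1], request[4:20]
    attrs = b""  # no reply attributes are needed for the check
    return header(ACCESS_ACCEPT, ident,
                  response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret), attrs)


def client_accepts(reply, request_auth, client_secret):
    """What the NAS (the AC) does on receipt: recompute the Response Authenticator
    with its own key and discard the packet on mismatch."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], client_secret)
    return hmac.compare_digest(expected, reply[4:20])


def password_roundtrip_ok(ac_key, campus_key):
    """The AC hides tony's password with ac_key; the AC-Campus recovers it with campus_key."""
    request_auth = bytes(range(16))  # constructed; a real NAS draws 16 random bytes
    hidden = hide_password(b"Admin@123", ac_key, request_auth)
    return recover_password(hidden, campus_key, request_auth) == b"Admin@123"


def reply_validates(ac_key, campus_key):
    """The AC-Campus signs an Access-Accept with campus_key; the AC checks it with ac_key."""
    request_auth = bytes(range(16))  # constructed
    request = build_access_request(7, b"tony", b"Admin@123", ac_key, request_auth)
    reply = build_access_accept(request, campus_key)
    return client_accepts(reply, request_auth, ac_key)


if __name__ == "__main__":
    for campus_key in (b"Admin@123", b"Admin@124"):
        print(campus_key.decode(), "password recovered:", password_roundtrip_ok(b"Admin@123", campus_key),
              "reply accepted:", reply_validates(b"Admin@123", campus_key))
```

With matching keys both checks pass; with a one-character difference the server decodes a garbage password and the AC throws the reply away, which is why a key mismatch is diagnosed from the AC's "no response" state and the RADIUS logs under Resource > User > RADIUS Log rather than from an authentication failure message.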

Prerequisites
You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A
and S7700B, respectively.

Configuration Roadmap
1. Configure the access switches, aggregation switch, core switches, and ACs to implement
interworking on the network.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP addresses of Portal servers.
In this way, the ACs can communicate with RADIUS servers and Portal servers.
3. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
AC-Campus can manage the ACs.
4. Add authorization results and rules to grant different access rights to employees and
guests after they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 //Add gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4 //Enter the view of the interface connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk //Change the link type of gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 //Add gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit

# Create Eth-Trunk 1, and add GE0/0/2 and GE0/0/3 to Eth-Trunk 1.
[S2700] interface eth-trunk 1 //Create Eth-Trunk 1.
[S2700-Eth-Trunk1] quit
[S2700] interface gigabitethernet 0/0/2 //Add gigabitethernet0/0/2 to Eth-Trunk 1.
[S2700-GigabitEthernet0/0/2] eth-trunk 1
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Add gigabitethernet0/0/3 to Eth-Trunk 1.
[S2700-GigabitEthernet0/0/3] eth-trunk 1
[S2700-GigabitEthernet0/0/3] quit

# Add Eth-Trunk 1 to VLANs.
[S2700] interface eth-trunk 1 //Enter the view of the interface connected to the aggregation switch.
[S2700-Eth-Trunk1] port link-type trunk //Change the link type of Eth-Trunk 1 to trunk.
[S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101 //Add Eth-Trunk 1 to VLAN 100 and VLAN 101.
[S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1 //Remove the default VLAN 1 from the trunk.
[S2700-Eth-Trunk1] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable //Enable the DHCP service.
[S5720HI] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100 //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24 //Configure an IP address for VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3 //Exclude IP addresses in use from the DHCP address pool: the virtual address of the ACs and the addresses of AC1 and AC2.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6 //Exclude the addresses of the core switches S7700A and S7700B.
[S5720HI-Vlanif100] quit

# Create Eth-Trunk 1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.
[S5720HI] interface eth-trunk 1
[S5720HI-Eth-Trunk1] quit
[S5720HI] interface gigabitethernet 0/0/1
[S5720HI-GigabitEthernet0/0/1] eth-trunk 1
[S5720HI-GigabitEthernet0/0/1] quit
[S5720HI] interface gigabitethernet 0/0/2
[S5720HI-GigabitEthernet0/0/2] eth-trunk 1
[S5720HI-GigabitEthernet0/0/2] quit

# Add Eth-Trunk 1 to VLANs.
[S5720HI] interface eth-trunk 1 //Enter the view of the interface connected to the access switch S2700.
[S5720HI-Eth-Trunk1] port link-type trunk
[S5720HI-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk1] quit

# Create Eth-Trunk 2, and add GE0/0/3 and GE0/0/4 to Eth-Trunk 2.
[S5720HI] interface eth-trunk 2
[S5720HI-Eth-Trunk2] quit
[S5720HI] interface gigabitethernet 0/0/3
[S5720HI-GigabitEthernet0/0/3] eth-trunk 2
[S5720HI-GigabitEthernet0/0/3] quit
[S5720HI] interface gigabitethernet 0/0/4
[S5720HI-GigabitEthernet0/0/4] eth-trunk 2
[S5720HI-GigabitEthernet0/0/4] quit

# Add Eth-Trunk 2 to VLANs.
[S5720HI] interface eth-trunk 2 //Enter the view of the interface connected to the core switch S7700A.
[S5720HI-Eth-Trunk2] port link-type trunk
[S5720HI-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk2] quit

# Create Eth-Trunk 3, and add GE0/0/5 and GE0/0/6 to Eth-Trunk 3.
[S5720HI] interface eth-trunk 3
[S5720HI-Eth-Trunk3] quit
[S5720HI] interface gigabitethernet 0/0/5
[S5720HI-GigabitEthernet0/0/5] eth-trunk 3
[S5720HI-GigabitEthernet0/0/5] quit
[S5720HI] interface gigabitethernet 0/0/6
[S5720HI-GigabitEthernet0/0/6] eth-trunk 3
[S5720HI-GigabitEthernet0/0/6] quit

# Add Eth-Trunk 3 to VLANs.
[S5720HI] interface eth-trunk 3 //Enter the view of the interface connected to the core switch S7700B.
[S5720HI-Eth-Trunk3] port link-type trunk
[S5720HI-Eth-Trunk3] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk3] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk3] quit
[S5720HI] quit
<S5720HI> save //Save the configuration.

Step 3 [Device] Configure the core switch S7700A to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.
[S7700A] interface eth-trunk 1
[S7700A-Eth-Trunk1] quit
[S7700A] interface gigabitethernet 1/0/1
[S7700A-GigabitEthernet1/0/1] eth-trunk 1
[S7700A-GigabitEthernet1/0/1] quit
[S7700A] interface gigabitethernet 1/0/2
[S7700A-GigabitEthernet1/0/2] eth-trunk 1
[S7700A-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.
[S7700A] interface eth-trunk 1 //Enter the view of the interface connected to the aggregation switch S5720HI.
[S7700A-Eth-Trunk1] port link-type trunk
[S7700A-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk1] quit
[S7700A] dhcp enable
[S7700A] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700A-Vlanif101] ip address 172.19.10.2 24 //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700B.
[S7700A-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700A-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 //Exclude IP addresses in use from the DHCP address pool: the VRRP virtual address (employee gateway) and VLANIF 101 of S7700B.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
[S7700A-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.
[S7700A] interface eth-trunk 2
[S7700A-Eth-Trunk2] quit
[S7700A] interface gigabitethernet 1/0/3
[S7700A-GigabitEthernet1/0/3] eth-trunk 2
[S7700A-GigabitEthernet1/0/3] quit
[S7700A] interface gigabitethernet 1/0/4
[S7700A-GigabitEthernet1/0/4] eth-trunk 2
[S7700A-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.
[S7700A] interface eth-trunk 2 //Enter the view of the interface connected to AC1.
[S7700A-Eth-Trunk2] port link-type trunk
[S7700A-Eth-Trunk2] port trunk allow-pass vlan 100 101 102
[S7700A-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk2] quit
[S7700A] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700A-Vlanif100] ip address 172.18.10.5 24 //Configure an IP address for VLANIF 100 for communicating with AC1.
[S7700A-Vlanif100] quit
[S7700A] interface vlanif 102 //Enter the view of VLANIF 102.
[S7700A-Vlanif102] ip address 172.20.10.2 24 //Configure an IP address for VLANIF 102 for communicating with VLANIF 102 on S7700B.
[S7700A-Vlanif102] dhcp select interface //Configure DHCP for VLANIF 102 so that the IP address of VLANIF 102 can be configured as the gateway for guests.
[S7700A-Vlanif102] dhcp server dns-list 172.22.10.4
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.1 //Exclude the VRRP virtual address (guest gateway) and VLANIF 102 of S7700B.
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.3
[S7700A-Vlanif102] quit

# Configure an IP address for the interface connecting to the egress router.
[S7700A] interface gigabitethernet 1/0/5 //Enter the view of the interface connected to the egress router.
[S7700A-GigabitEthernet1/0/5] port link-type trunk
[S7700A-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700A-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700A-GigabitEthernet1/0/5] quit
[S7700A] interface vlanif 103
[S7700A-Vlanif103] ip address 172.22.20.1 24
[S7700A-Vlanif103] quit
[S7700A] ip route-static 0.0.0.0 0 172.22.20.2 //Default route towards the egress router.
[S7700A] quit
<S7700A> save //Save the configuration.

Step 4 [Device] Configure the core switch S7700B to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.
[S7700B] interface eth-trunk 1
[S7700B-Eth-Trunk1] quit
[S7700B] interface gigabitethernet 1/0/1
[S7700B-GigabitEthernet1/0/1] eth-trunk 1
[S7700B-GigabitEthernet1/0/1] quit
[S7700B] interface gigabitethernet 1/0/2
[S7700B-GigabitEthernet1/0/2] eth-trunk 1
[S7700B-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.
[S7700B] interface eth-trunk 1 //Enter the view of the interface connected to the aggregation switch S5720HI.
[S7700B-Eth-Trunk1] port link-type trunk
[S7700B-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk1] quit
[S7700B] dhcp enable
[S7700B] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700B-Vlanif101] ip address 172.19.10.3 24 //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700A.
[S7700B-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700B-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2 //Exclude IP addresses in use from the DHCP address pool.
[S7700B-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.
[S7700B] interface eth-trunk 2
[S7700B-Eth-Trunk2] quit
[S7700B] interface gigabitethernet 1/0/3
[S7700B-GigabitEthernet1/0/3] eth-trunk 2
[S7700B-GigabitEthernet1/0/3] quit
[S7700B] interface gigabitethernet 1/0/4
[S7700B-GigabitEthernet1/0/4] eth-trunk 2
[S7700B-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.
[S7700B] interface eth-trunk 2 //Enter the view of the interface connected to AC2.
[S7700B-Eth-Trunk2] port link-type trunk
[S7700B-Eth-Trunk2] port trunk allow-pass vlan 100 101 102
[S7700B-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk2] quit
[S7700B] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700B-Vlanif100] ip address 172.18.10.6 24 //Configure an IP address for VLANIF 100 for communicating with AC2.
[S7700B-Vlanif100] quit
[S7700B] interface vlanif 102 //Enter the view of VLANIF 102.
[S7700B-Vlanif102] ip address 172.20.10.3 24 //Configure an IP address for VLANIF 102 for communicating with VLANIF 102 on S7700A.
[S7700B-Vlanif102] dhcp select interface //Configure DHCP for VLANIF 102 so that the IP address of VLANIF 102 can be configured as the gateway for guests.
[S7700B-Vlanif102] dhcp server dns-list 172.22.10.4
[S7700B-Vlanif102] dhcp server excluded-ip-address 172.20.10.1 172.20.10.2
[S7700B-Vlanif102] quit

# Configure an IP address for the interface connecting to the egress router.
[S7700B] interface gigabitethernet 1/0/5 //Enter the view of the interface connected to the egress router.
[S7700B-GigabitEthernet1/0/5] port link-type trunk
[S7700B-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700B-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700B-GigabitEthernet1/0/5] quit
[S7700B] interface vlanif 103
[S7700B-Vlanif103] ip address 172.23.20.1 24
[S7700B-Vlanif103] quit
[S7700B] ip route-static 0.0.0.0 0 172.23.20.2
[S7700B] quit
<S7700B> save //Save the configuration.

Step 5 [Device] Configure VRRP groups on core switches (S7700s).


# On VLANIF 101 of S7700A, create VRRP group 1, set the priority of S7700A in the VRRP group to 120 and the preemption delay to 20s, and configure the virtual IP address of VRRP group 1 as the employee gateway address.
<S7700A> system-view
[S7700A] interface vlanif 101
[S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700A-Vlanif101] vrrp vrid 1 priority 120
[S7700A-Vlanif101] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif101] quit

# On VLANIF 102 of S7700A, create VRRP group 2, set the priority of S7700A in the VRRP group to 120 and the preemption delay to 20s, and configure the virtual IP address of VRRP group 2 as the guest gateway address.
[S7700A] interface vlanif 102
[S7700A-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
[S7700A-Vlanif102] vrrp vrid 2 priority 120
[S7700A-Vlanif102] vrrp vrid 2 preempt-mode timer delay 20
[S7700A-Vlanif102] quit
[S7700A] quit
<S7700A> save //Save the configuration.

# On VLANIF 101 of S7700B, create VRRP group 1 and set the priority of S7700B in the VRRP group to 100.
<S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1 //The priority keeps its default value 100, so S7700A (priority 120) becomes the master.
[S7700B-Vlanif101] quit

# On VLANIF 102 of S7700B, create VRRP group 2 and set the priority of S7700B in the VRRP group to 100.
[S7700B] interface vlanif 102
[S7700B-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1 //The priority keeps its default value 100.
[S7700B-Vlanif102] quit
[S7700B] quit
<S7700B> save //Save the configuration.

Step 6 [Device] Configure the ACs to ensure network connectivity.


# On AC1, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting AC1 to S7700A to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC1 to AC2 to Eth-Trunk 2.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 102 104
[AC1] interface eth-trunk 1
[AC1-Eth-Trunk1] port link-type trunk
[AC1-Eth-Trunk1] port trunk allow-pass vlan 100
[AC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2 connected to the core switch S7700A to Eth-Trunk 1.
[AC1-Eth-Trunk1] quit
[AC1] interface eth-trunk 2
[AC1-Eth-Trunk2] port link-type trunk
[AC1-Eth-Trunk2] port trunk allow-pass vlan 104
[AC1-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4 connected to AC2 to Eth-Trunk 2.
[AC1-Eth-Trunk2] quit

# Configure an IP address for AC1 to communicate with other NEs.
[AC1] interface vlanif 104
[AC1-Vlanif104] ip address 10.10.11.1 24 //Configure an IP address for VLANIF 104 for communicating with AC2 and transmitting backup data.
[AC1-Vlanif104] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.2 24
[AC1-Vlanif100] quit

# Configure a default route for AC1 so that packets are forwarded to core switches by default.
[AC1] ip route-static 0.0.0.0 0 172.18.10.5

# On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-Trunk 2.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2 connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4 connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit

# Configure an IP address for AC2 to communicate with other NEs.
[AC2] interface vlanif 104
[AC2-Vlanif104] ip address 10.10.11.2 24 //Configure an IP address for VLANIF 104 for communicating with AC1 and transmitting backup data.
[AC2-Vlanif104] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.3 24
[AC2-Vlanif100] quit

# Configure a default route for AC2 so that packets are forwarded to core switches by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.6
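Steps 2 to 6 put DHCP pools on the same VLANIFs that carry the VRRP virtual addresses and the peer switches' own addresses, and rely on the dhcp server excluded-ip-address lines to keep those addresses out of the pools; a forgotten exclusion lets a pool lease the gateway or a peer address and causes an IP conflict on the service VLAN. The following added example (not part of the guide and not a Huawei tool) parses VLANIF-view command lines in the transcript format used above and reports every address that a VRRP group or another device owns inside a pool's subnet but the pool does not exclude. The PAGE_CONFIG lines are copied from Steps 2 to 6 with the comments dropped; BROKEN_CONFIG is a constructed variant with one exclusion missing, and the device and VLAN names are the ones in the data plan.

```python
"""Cross-check of interface-based DHCP pools against VRRP virtual addresses and
peer interface addresses, over CLI transcript lines in the [Device-VlanifN] form.

Added example, not part of the guide and not a Huawei tool. PAGE_CONFIG is copied
from Steps 2 to 6 (comments dropped); BROKEN_CONFIG is a constructed variant in
which the exclusion on VLANIF 102 of S7700B was forgotten."""
import ipaddress
import re

PROMPT = re.compile(r"^\[(?P<dev>[A-Za-z0-9]+)-Vlanif(?P<vid>\d+)\]\s+(?P<cmd>.+)$")

PAGE_CONFIG = """
[S5720HI-Vlanif100] ip address 172.18.10.4 24
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S7700A-Vlanif101] ip address 172.19.10.2 24
[S7700A-Vlanif101] dhcp select interface
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
[S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700A-Vlanif100] ip address 172.18.10.5 24
[S7700A-Vlanif102] ip address 172.20.10.2 24
[S7700A-Vlanif102] dhcp select interface
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.1
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.3
[S7700A-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
[S7700B-Vlanif101] ip address 172.19.10.3 24
[S7700B-Vlanif101] dhcp select interface
[S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif100] ip address 172.18.10.6 24
[S7700B-Vlanif102] ip address 172.20.10.3 24
[S7700B-Vlanif102] dhcp select interface
[S7700B-Vlanif102] dhcp server excluded-ip-address 172.20.10.1 172.20.10.2
[S7700B-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
[AC1-Vlanif100] ip address 172.18.10.2 24
[AC2-Vlanif100] ip address 172.18.10.3 24
"""

# Constructed: same guest VLAN, but S7700B's pool has no excluded-ip-address line.
BROKEN_CONFIG = """
[S7700A-Vlanif102] ip address 172.20.10.2 24
[S7700A-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
[S7700B-Vlanif102] ip address 172.20.10.3 24
[S7700B-Vlanif102] dhcp select interface
[S7700B-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
"""


def parse_vlanif_config(text):
    """Map device -> VLANIF id -> {ip, dhcp, excluded, virtual} from transcript lines."""
    devices = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop trailing // comments
        m = PROMPT.match(line)
        if not m:
            continue                               # not a VLANIF-view command
        itf = devices.setdefault(m["dev"], {}).setdefault(
            int(m["vid"]), {"ip": None, "dhcp": False, "excluded": set(), "virtual": set()})
        words = m["cmd"].split()
        if words[:2] == ["ip", "address"]:
            itf["ip"] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
        elif words[:3] == ["dhcp", "select", "interface"]:
            itf["dhcp"] = True
        elif words[:3] == ["dhcp", "server", "excluded-ip-address"]:
            start = ipaddress.IPv4Address(words[3])
            end = ipaddress.IPv4Address(words[4]) if len(words) > 4 else start
            itf["excluded"] |= {ipaddress.IPv4Address(a) for a in range(int(start), int(end) + 1)}
        elif words[:2] == ["vrrp", "vrid"] and "virtual-ip" in words:
            itf["virtual"].add(ipaddress.IPv4Address(words[words.index("virtual-ip") + 1]))
    return devices


def missing_exclusions(devices):
    """Return (device, vlanif, address) for every reserved address a pool may lease.
    Reserved = the pool interface's own VRRP virtual IPs plus every other device's
    interface IPs and virtual IPs inside the pool's subnet. The interface's own
    address is excluded by the switch itself and is not checked."""
    problems = []
    for dev, interfaces in devices.items():
        for vid, itf in interfaces.items():
            if not (itf["dhcp"] and itf["ip"]):
                continue
            net = itf["ip"].network
            reserved = set(itf["virtual"])
            for other_dev, other_ifs in devices.items():
                if other_dev == dev:
                    continue
                for other in other_ifs.values():
                    if other["ip"] and other["ip"].ip in net:
                        reserved.add(other["ip"].ip)
                    reserved |= {v for v in other["virtual"] if v in net}
            for addr in sorted(reserved - itf["excluded"]):
                problems.append((dev, vid, str(addr)))
    return problems


if __name__ == "__main__":
    print("page config:", missing_exclusions(parse_vlanif_config(PAGE_CONFIG)))
    print("broken config:", missing_exclusions(parse_vlanif_config(BROKEN_CONFIG)))
```

The configuration in Steps 2 to 6 passes cleanly; for the broken variant the checker names 172.20.10.1 (the guest gateway) and 172.20.10.2 (S7700A's own VLANIF 102) as addresses the S7700B pool could hand out. Paste the saved configurations of all devices that share a VLAN into one string, since the check only sees the addresses it is given.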

Step 7 [Device] Configure the AP to go online.


# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit

[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

# Configure the AC's CAPWAP source address. 172.18.10.1 is the virtual IP address of the management VRRP group configured in Step 10 rather than the physical address of AC1, so APs keep the same AC address after an active/standby switchover.
[AC1] capwap source ip-address 172.18.10.1

# Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are 60de-4476-e360 and 60de-4476-e380 respectively.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name  Group    IP             Type          State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0  ap_group 172.18.10.254  AP6010DN-AGN  nor   0   20S
1  60de-4476-e380 ap_1  ap_group 172.18.10.253  AP6010DN-AGN  nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

The configuration procedure for AC2 is the same as that for AC1, and details are not provided
here.
Step 8 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1 (the management VRRP virtual IP).
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server, using the same authentication port and source IP address.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server, so that the RADIUS server receives user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server, using the same accounting port and source IP address.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Send the user names exactly as entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. The shared key must be the same as that of the authentication and accounting servers.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //Configure the second RADIUS authorization server with the same shared key.
//The access control device can process CoA/DM Request packets initiated by the AC-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one mapping: configure an authorization server for each authentication server, so that the numbers of authentication and authorization servers are the same. Otherwise, the AC-Campus will fail to force some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS. RADIUS accounting is required so that the RADIUS server can maintain user state information such as login/logout records and force users offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set the real-time accounting interval based on the user quantity.

Table 1-25 Accounting interval

User Quantity   Real-Time Accounting Interval
---------------------------------------------
1 to 99         3 minutes
100 to 499      6 minutes
500 to 999      12 minutes
≥ 1000          ≥ 15 minutes

# Check whether a user can be authenticated through the RADIUS template. (The user name test and password Admin_123 have been configured on the RADIUS server; the test uses PAP, so it only proves reachability and the shared key, not the authentication method used by Portal users.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.

# Configure Portal authentication for AC1.

1. Configure the URL of the primary Portal authentication page. When a user attempts to access a website before authentication, the AC redirects the request to the primary Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and the IP address of the AC-Campus server on the DNS server (which is why the authentication-free rule configured later in this step permits access to the DNS server).
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //access1.example.com is the host name of the primary Portal server.

2. Configure the parameters carried in the URL, which must be the same as those on the authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL carries the SSID field, and the second ssid is the parameter name used in the URL.
//For example, after ssid ssid is configured, the URL the user is redirected to contains ssid=guest, where ssid is the parameter name and guest is the SSID with which the user associated.
//The second ssid is only the transmitted parameter name and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name for redirect-url, the same name must be entered on the Portal server so that it knows which URL the user's original access request is redirected to.
[AC1-url-template-huawei1] quit

3. Configure the URL of the secondary Portal authentication page. When the primary Portal server is unavailable, the AC redirects the website that a user attempts to access to the secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

4. Specify the port number on which the AC listens for Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the AC-Campus.
[AC1] web-auth-server listening-port 2000

5. Configure a primary Portal server template, including the IP address and port number of the primary Portal server. The AC-Campus Portal server accepts packets with destination port 50200, but by default the AC sends packets to the Portal server with destination port 50100. Therefore, set the destination port number to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure the IP address of the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure the IP address that the device uses to communicate with the Portal server (the management VRRP virtual IP).
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port number in the packets sent to the Portal server to 50200.

6. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server, and bind the URL template to the Portal server template.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL template to the Portal server template.

7. Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the template. If the number of consecutive failed detections of a Portal server exceeds the upper limit (max-times), the status of the Portal server is changed from Up to Down. If the number of Portal servers in Up state falls below the minimum specified by critical-num, the device performs the configured action (here, logging) so that the administrator learns the real-time Portal server status. The detection interval cannot be shorter than 15s, and the recommended value is 100s. The AC supports Portal server detection but not Portal escape (granting users network access without authentication while the Portal servers are Down).
[AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5 critical-num 1 action log

8. (Optional) Enable user information synchronization.
The user-sync command enables user information synchronization, so that user information on the device and on the Portal server is synchronized at intervals. Without it, user information on the device and on the Portal server may become inconsistent, and accounting may be inaccurate. The user information synchronization interval (interval multiplied by max-times) must be greater than 300s, because the AC-Campus responds to probe packets of a switch or AC at an interval of 5 minutes. If the synchronization interval is shorter than 300s, users may go offline shortly after passing authentication. You are advised to set the user information synchronization interval to 500s, that is, set interval to 100 and max-times to 5.
[AC1-web-auth-server-portal_huawei1] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei1] quit

9. Configure a secondary Portal server template, including the IP address, port number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure the IP address of the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 1 action log
[AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5 //(Optional)
[AC1-web-auth-server-portal_huawei2] quit

# Enable the Portal authentication quiet period function. With this function enabled, if a user fails Portal authentication the specified number of times within 60 seconds, the AC drops that user's authentication packets for the quiet period. This function protects the AC from overloading caused by frequent authentication attempts.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures in 60 seconds before a Portal user enters the quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

# Create a Portal access profile, and bind the Portal server templates to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1 portal_huawei2 direct //Configure the primary and secondary Portal server templates used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if it is a Layer 3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255 //Configure a Portal authentication-free rule so that users can reach the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees: the intranet and the Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests: the Internet only.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is the company's server resource and must not be accessible to guests. Only this host is blocked; rule 10 permits everything else, so add deny rules for any other intranet ranges that guests must not reach.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit

# Configure an authentication profile.


[AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60

# On AC2, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template. The configuration procedure for AC2 is the same as that for AC1, and details are not provided here.
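The rules this step states (one authorization server per authentication server with the same shared key, RADIUS accounting, a real-time accounting interval sized per Table 1-25, a Portal server detection interval of at least 15s and a user-sync interval above 300s) are easy to get wrong when the configuration is copied between ACs. The following Python script is an added example, not part of this guide or of any Huawei tool: it reads a configuration excerpt in the line format the CLI uses and reports which of those rules are violated. The SAMPLE_CONFIG text, the user count of 1200 and the function names are assumptions made for the example.

```python
"""Audit an AC RADIUS/Portal configuration excerpt against the rules stated in Step 8 (added example)."""
import re
from typing import Dict, List

# Constructed excerpt mirroring the AC1 commands above, in the line format the CLI uses;
# example data for this script, not a dump from a real device.
SAMPLE_CONFIG = """\
radius-server template radius_template
 radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
 radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
 radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
 radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
 radius-server shared-key cipher Admin@123
radius-server authorization 172.22.10.2 shared-key cipher Admin@123
radius-server authorization 172.22.10.3 shared-key cipher Admin@123
accounting-scheme acco_scheme
 accounting-mode radius
 accounting realtime 15
web-auth-server portal_huawei1
 server-ip 172.22.10.2
 port 50200
 server-detect interval 100 max-times 5 critical-num 1 action log
 user-sync interval 100 max-times 5
"""


def recommended_realtime_interval(users: int) -> int:
    """Minimum real-time accounting interval in minutes for a user population, from Table 1-25."""
    if users < 100:
        return 3
    if users < 500:
        return 6
    if users < 1000:
        return 12
    return 15


def parse_config(text: str) -> Dict:
    """Extract the fields the audit needs; the parser is line-oriented like the CLI itself."""
    cfg: Dict = {"auth": [], "authz": [], "authz_keys": set(), "template_key": None,
                 "acct_mode": None, "realtime": None, "portals": []}
    portal = None  # the web-auth-server template whose view the excerpt is currently in
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"radius-server authentication (\S+) \d+", line):
            cfg["auth"].append(m.group(1))
        elif m := re.match(r"radius-server authorization (\S+) shared-key cipher (\S+)", line):
            cfg["authz"].append(m.group(1))
            cfg["authz_keys"].add(m.group(2))
        elif m := re.match(r"radius-server shared-key cipher (\S+)", line):
            cfg["template_key"] = m.group(1)
        elif m := re.match(r"accounting-mode (\S+)", line):
            cfg["acct_mode"] = m.group(1)
        elif m := re.match(r"accounting realtime (\d+)", line):
            cfg["realtime"] = int(m.group(1))
        elif m := re.match(r"web-auth-server (\S+)$", line):  # a template name, not listening-port
            portal = {"name": m.group(1), "port": None, "detect": None, "sync": None}
            cfg["portals"].append(portal)
        elif portal is not None:
            if m := re.match(r"port (\d+)$", line):
                portal["port"] = int(m.group(1))
            elif m := re.match(r"server-detect interval (\d+) max-times (\d+)", line):
                portal["detect"] = (int(m.group(1)), int(m.group(2)))
            elif m := re.match(r"user-sync interval (\d+) max-times (\d+)", line):
                portal["sync"] = (int(m.group(1)), int(m.group(2)))
    return cfg


def audit(text: str, users: int) -> List[str]:
    """Return the rules the excerpt violates; an empty list means every rule checked holds."""
    cfg = parse_config(text)
    findings: List[str] = []
    # Authorization servers must map one-to-one onto authentication servers, or CoA/DM fails for some users.
    if len(cfg["authz"]) != len(cfg["auth"]):
        findings.append(f"{len(cfg['authz'])} authorization servers for {len(cfg['auth'])} "
                        "authentication servers; the AC-Campus cannot force every user offline")
    elif set(cfg["authz"]) != set(cfg["auth"]):
        findings.append("authorization server addresses differ from the authentication server addresses")
    # The authorization key must equal the authentication/accounting key of the template.
    if cfg["template_key"] and cfg["authz_keys"] - {cfg["template_key"]}:
        findings.append("authorization shared key differs from the RADIUS template shared key")
    if cfg["acct_mode"] != "radius":
        findings.append("accounting-mode is not radius; the server cannot track logins or force users offline")
    minimum = recommended_realtime_interval(users)
    if cfg["realtime"] is not None and cfg["realtime"] < minimum:
        findings.append(f"accounting realtime {cfg['realtime']} is below the {minimum} minutes for {users} users")
    for p in cfg["portals"]:
        if p["port"] != 50200:
            findings.append(f"{p['name']}: port {p['port']}, but the AC-Campus Portal server accepts port 50200")
        if p["detect"] is None:
            findings.append(f"{p['name']}: no server-detect, so a failed Portal server is never marked Down")
        elif p["detect"][0] < 15:
            findings.append(f"{p['name']}: server-detect interval {p['detect'][0]}s is below the 15s minimum")
        if p["sync"] is not None and p["sync"][0] * p["sync"][1] <= 300:
            findings.append(f"{p['name']}: user-sync interval x max-times = {p['sync'][0] * p['sync'][1]}s "
                            "is not above 300s; authenticated users may be forced offline")
    return findings
```

With the sample excerpt and 1200 users, audit() returns no findings; deleting the second radius-server authorization line or lowering user-sync to interval 50 max-times 5 makes it report the one-to-one mapping and the 300s rule respectively. Shared keys in a real display current-configuration appear in encrypted form, which still allows the equality check between the template key and the authorization keys.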
Step 9 [Device] Set WLAN service parameters on AC.
# Create the security profile security_portal. No security policy is set in it, so the default open-system policy (no link-layer authentication or encryption) applies, and access control on these SSIDs relies entirely on Portal authentication.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.

[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel //Configure tunnel forwarding for guests, so that guest traffic is carried to the AC in the CAPWAP tunnel rather than switched locally by the AP.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profiles to the AP group and apply them to radio 0 and radio 1 of the APs.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

The configuration procedure for AC2 is the same as that for AC1, and details are not provided
here.

Step 10 [Device] Configure VRRP on AC1 to implement AC HSB.

# Set the recovery delay of the VRRP group to 30 seconds.
[AC1] vrrp recover-delay 30

# Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to 120 and the preemption delay to 1200s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP address for the management VRRP group. This is the address used as the CAPWAP source and as the source IP towards the RADIUS and Portal servers, so it stays reachable after a switchover.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active and standby channels, and set the retransmission count and interval of HSB service 0. The backup channel carries user and AP session state, which is why it runs over the dedicated Eth-Trunk 2 link between the two ACs (VLAN 104) rather than through the core switches.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 2 interval 1
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.
[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.
[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.
[AC1] hsb-service-type dhcp hsb-group 0

# Enable HSB.
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 11 [Device] Configure VRRP on AC2 to implement AC HSB.

# Set the recovery delay of the VRRP group to 30 seconds.
[AC2] vrrp recover-delay 30

# Create a management VRRP group on AC2. AC2 keeps the default priority of 100, so it stays the backup while AC1 (priority 120) is up.
[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure the same virtual IP address for the management VRRP group.
[AC2-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active and standby channels, and set the retransmission count and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 2 interval 1
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.
[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.
[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.
[AC2] hsb-service-type dhcp hsb-group 0

# Enable HSB.
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 12 [Device] Verify the VRRP configuration.

# After the configurations are complete, run the display vrrp command on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 as Backup, and both show the same Virtual IP (172.18.10.1, the CAPWAP source address). Auth type is NONE because no VRRP authentication is configured, so any host that can reach VLAN 100 can send VRRP advertisements for this group; do not extend that VLAN beyond the ACs, the core switches and the APs.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status. The value of the Service State field is Connected, indicating that the active and standby HSB channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
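As an added example (not from this guide or from Huawei), the Python below parses trimmed copies of the three display outputs above and checks the conditions Step 12 states: AC1 Master/Active, AC2 Backup/Inactive, the HSB channel Connected with matching peer addresses, and Access-user, AP and DHCP bound on both sides. It also exposes the Auth type NONE field, since without VRRP authentication any host on VLAN 100 can claim the virtual IP 172.18.10.1 that the APs, the RADIUS server and the Portal server address. The sample texts, the expected module set and the function names are constructed for the example.

```python
"""Verify the VRRP/HSB state of an AC pair from display output (added example, not from this guide)."""
from typing import Dict, List

# Constructed copies of the display vrrp, display hsb-service 0 and display hsb-group 0 output
# shown above, trimmed to the fields read here; example data, not a real capture.
AC1_VRRP = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 172.18.10.1
Auth type : NONE
Config type : admin-vrrp
"""
AC2_VRRP = """\
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 172.18.10.1
Auth type : NONE
Config type : admin-vrrp
"""
AC1_SERVICE = """\
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Service State : Connected
"""
AC2_SERVICE = """\
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Service State : Connected
"""
AC1_GROUP = """\
Group Vrrp Status : Master
Group Status : Active
Group Backup Modules : Access-user
AP
DHCP
"""
AC2_GROUP = """\
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
"""

# The three services bound with hsb-service-type in Steps 10 and 11.
EXPECTED_MODULES = {"Access-user", "AP", "DHCP"}


def parse_display(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; bare lines after Group Backup Modules are further module names."""
    fields: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key == "Group Backup Modules":
            fields[last_key] += " " + line
    return fields


def load_ac(vrrp: str, service: str, group: str) -> Dict[str, Dict[str, str]]:
    return {"vrrp": parse_display(vrrp), "service": parse_display(service), "group": parse_display(group)}


def check_ha_pair(vip: str, active: Dict, standby: Dict) -> List[str]:
    """Empty result: AC1 is Master/Active, AC2 Backup/Inactive, the channel is Connected, all modules bound."""
    findings: List[str] = []
    for name, ac, vrrp_state, group_state in (("AC1", active, "Master", "Active"),
                                              ("AC2", standby, "Backup", "Inactive")):
        if ac["vrrp"].get("State") != vrrp_state:
            findings.append(f"{name}: VRRP state {ac['vrrp'].get('State')}, expected {vrrp_state}")
        if ac["vrrp"].get("Virtual IP") != vip:
            findings.append(f"{name}: virtual IP {ac['vrrp'].get('Virtual IP')} is not the CAPWAP source {vip}")
        if ac["vrrp"].get("Config type") != "admin-vrrp":
            findings.append(f"{name}: VRRP group 1 is not the management VRRP group")
        if ac["service"].get("Service State") != "Connected":
            findings.append(f"{name}: HSB channel state {ac['service'].get('Service State')}")
        if ac["group"].get("Group Status") != group_state:
            findings.append(f"{name}: HSB group status {ac['group'].get('Group Status')}, expected {group_state}")
        modules = set(ac["group"].get("Group Backup Modules", "").split())
        if modules != EXPECTED_MODULES:
            findings.append(f"{name}: backup modules {sorted(modules)} != {sorted(EXPECTED_MODULES)}")
    if active["service"].get("Peer IP Address") != standby["service"].get("Local IP Address"):
        findings.append("AC1's HSB peer address is not AC2's local address")
    return findings


def vrrp_unauthenticated(vrrp: Dict[str, str]) -> bool:
    """True when the group runs without VRRP authentication (Auth type : NONE in the output)."""
    return vrrp.get("Auth type", "NONE").upper() == "NONE"


AC1 = load_ac(AC1_VRRP, AC1_SERVICE, AC1_GROUP)
AC2 = load_ac(AC2_VRRP, AC2_SERVICE, AC2_GROUP)
```

check_ha_pair("172.18.10.1", AC1, AC2) returns no findings for the sample; passing the outputs the other way round reports AC1 as Backup/Inactive, which is what a switchover that left AC2 active would look like after AC1 returned with its 1200s preemption delay still running. The module list is compared as a set because the two ACs list the same modules in different orders.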

Step 13 [AC-Campus] Add the AC to the Service Manager to enable the AC-Campus to manage the
AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.

Parameter | Value | Description
-------------------------------------------------------------------------------------------
Name | AC | -
IP address | 172.18.10.1 | The AC interface with this IP address must be able to communicate with the Service Controller. Here it is the management VRRP virtual IP, so the AC-Campus reaches whichever AC is currently active.
Enable RADIUS | Select | -
Authentication/Accounting key | Admin@123 | [AC1-radius-radius_template] radius-server shared-key cipher Admin@123
Authorization key | Admin@123 | [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123
Real-time accounting interval (minute) | 15 | [AC1-aaa-accounting-acco_scheme] accounting realtime 15
Enable Portal | Select | -
Port | 2000 | The port on which the AC listens for Portal protocol packets ([AC1] web-auth-server listening-port 2000). Retain the default value.
Portal key | Admin@123 | [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123
Access terminal IP list | 172.20.0.0/24;172.21.0.0/24 | Add the IP address ranges of all terminals that go online through Portal authentication. After the Portal server receives the account and password submitted by an end user, it looks up the access control device by the terminal's IP address and lets the terminal go online from that device. If no access control device's address range includes the terminal IP address, the Portal server cannot find a device to grant network access, and the login fails.
Enable heartbeat between access device and Portal server | Selected | When the primary Portal server is detected as unavailable, the access device automatically switches to the secondary Portal server. The Portal server sends heartbeat packets to the access device only when this option is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically checks for the Portal server's heartbeat packets to determine the Portal server status and synchronizes user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server template view on the access device.
Portal server IP list | 172.22.10.2;172.22.10.3 | -

4. Click OK.
Step 14 [AC-Campus] Add SSIDs on the AC-Campus, so that the AC-Campus can authorize users
through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.

2. Click Add and add SSIDs for employees and guests. The SSIDs must be the same as those configured on the AC (employee and guest).

Step 15 [AC-Campus] Configure authorization results and rules to grant different access rights to
employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.

3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.

----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.

3. Click OK.

Item | Expected Result

Employee authentication |
- User account tony (employee account) can only access the AC-Campus server and DNS server before authentication.
- When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the default authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
- On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.

Guest authentication |
- User account susan (guest account) can only access the AC-Campus server and DNS server before authentication.
- When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- User account susan cannot access internal servers of the company.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
- On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.

AC1 power-off | Services are automatically switched to AC2, without affecting employee and guest authentication. The process is not detected by user terminals.

SC power-off | After the network cable of a Service Controller is disconnected, employees and guests are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions


- The authentication key, accounting key, and Portal key must be kept consistent on the ACs and AC-Campus. The accounting interval set on the AC-Campus must also be the same as that on the ACs.
- Authorization rules or Portal page push rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition or Portal push condition of a user matches a rule, the AC-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the ACs to enable the AC-Campus to obtain online user information by exchanging accounting packets with the AC. The AC-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
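The first-match evaluation described in the bullet above and in Step 15, as an added Python model that is not part of this guide or of the AC-Campus software: rules are applied in ascending rule-number order, unmatched users fall through to the Deny Access default rule, and a helper reports rules that an earlier, broader rule makes unreachable. The SSIDs, departments and ACL numbers come from the data plan; the rule numbers, rule names and the catch-all rule are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuthzRule:
    """One authorization rule as the AC-Campus evaluates it.

    number:     rule number; lower numbers have higher priority and are checked first
    ssid:       SSID condition, None means "any SSID" (a fuzzy condition)
    department: department condition, None means "any department"
    result:     authorization result: an ACL number delivered to the AC, or "Deny Access"
    """
    number: int
    name: str
    ssid: Optional[str]
    department: Optional[str]
    result: str


# Implicit last rule, as set in Step 15.3: anything that matches no other rule is denied.
DEFAULT_RULE = AuthzRule(number=10**9, name="Default Authorization Rule",
                         ssid=None, department=None, result="Deny Access")


def matches(rule: AuthzRule, ssid: str, department: str) -> bool:
    """A None condition matches anything; a set condition must equal the user's value."""
    return rule.ssid in (None, ssid) and rule.department in (None, department)


def authorize(rules: List[AuthzRule], ssid: str, department: str) -> Tuple[str, str]:
    """First-match evaluation in ascending rule-number order; later rules are not checked."""
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_RULE]:
        if matches(rule, ssid, department):
            return rule.name, rule.result
    raise AssertionError("unreachable: the default rule matches everything")


def shadowed_rules(rules: List[AuthzRule]) -> List[str]:
    """Names of rules that can never be reached because an earlier (lower-numbered)
    rule's conditions are at least as broad on every field."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed: List[str] = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.ssid in (None, later.ssid) and earlier.department in (None, later.department):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule set mirroring the data plan: ACL 3001 for employees on SSID
# "employee", ACL 3002 for guests on SSID "guest".
PRECISE_EMPLOYEE = AuthzRule(2, "employee_rule", ssid="employee", department="Employee", result="3001")
PRECISE_GUEST = AuthzRule(3, "guest_rule", ssid="guest", department="Guest", result="3002")
# A fuzzy "any SSID, any department -> guest ACL" rule (constructed). Placed at
# number 1 it outranks both precise rules, so employees end up with guest rights.
FUZZY_ANY = AuthzRule(1, "catch_all_guest", ssid=None, department=None, result="3002")

MISORDERED = [FUZZY_ANY, PRECISE_EMPLOYEE, PRECISE_GUEST]
# The same rules with the fuzzy one given the lowest priority (highest number),
# as the guide recommends.
REORDERED = [PRECISE_EMPLOYEE, PRECISE_GUEST,
             AuthzRule(100, "catch_all_guest", ssid=None, department=None, result="3002")]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("reordered", REORDERED)):
        print(label, "tony/employee ->", authorize(rules, "employee", "Employee"))
        print(label, "susan/guest   ->", authorize(rules, "guest", "Guest"))
        print(label, "shadowed      ->", shadowed_rules(rules))
```

Running shadowed_rules against an exported rule list is a cheap way to catch a precise rule that silently stopped applying after a broad rule was inserted above it.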

1.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment

This example illustrates how to configure AC dual-link backup to improve network reliability.

Involved Products and Versions


Product Type | Product Name | Version

AC-Campus | AC-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00
Core switch | S7700 | V200R008C00

Networking Requirements
A company needs to deploy an authentication system to implement access control for
employees who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network.
The company has the following requirements:
- All employees do office work and visit the Internet through the wireless network and require a reliable network.
- A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
- Employees can connect only to the DNS server and AC-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
- Guests can access the DNS server and AC-Campus of the company before authentication, and can access the Internet after they are successfully authenticated.

Figure 1-8 Networking of Portal authentication for wireless users in an AC dual-link backup
environment

Requirement Analysis
Considering the networking and requirements of the company, Portal authentication based on the AC-Campus can be used on the campus network. You need to configure different ACL rules on the ACs to control the access rights of employees.
Based on user requirements, the networking shown in Figure 1-8 is used, and networking analysis is performed as follows:
- ACs are deployed in dual-link backup mode. HSB links connect AC1 and AC2 so that the active and standby ACs can be determined, ensuring reliability of WLAN services.
- User data traffic is forwarded in direct forwarding mode, so that AC performance is not affected by large volumes of user data and network reliability is ensured.

VLAN Plan

Table 1-26 VLAN plan


VLAN ID | Function

100 | mVLAN for the AP
101 | Service VLAN for employees
102 | Service VLAN for guests
103 | VLAN for communication between the aggregation and core switches
104 | VLAN for communication between the core switch and servers
105 | Backup VLAN of ACs

Network Data Plan

Table 1-27 Network data plan


Item | No. | Interface | VLAN Number | IP address | Description

Access switch S2750EI | (1) | GE0/0/1 | 100, 101 | - | Connected to the AP
 | (2) | GE0/0/2 | 100, 101, 102 | - | Connected to the aggregation switch S5720HI
 | (3) | GE0/0/3 | 100, 102 | - | Connected to APs

Aggregation switch S5720HI | (4) | GE0/0/1 | 100, 101, 102 | VLANIF 100: 172.18.10.3/16; VLANIF 101: 172.19.10.1/16; VLANIF 102: 172.20.10.1/16 | Connected to the access switch S2750EI. VLANIF 100 is the AP's gateway, VLANIF 101 the gateway for employees, and VLANIF 102 the gateway for guests.
 | (5) | GE0/0/2 | 100, 105 | - | Connected to AC1
 | (6) | GE0/0/3 | 100, 105 | - | Connected to AC2
 | (7) | GE0/0/4 | 103 | VLANIF 103: 172.21.10.1/24 | Connected to the core switch S7700

AC1 | (8) | GE0/0/1 | 100, 105 | VLANIF 100: 172.18.10.1/24; VLANIF 105: 10.10.11.1/24 | Connected to the aggregation switch S5720HI

AC2 | (9) | GE0/0/1 | 100, 105 | VLANIF 100: 172.18.10.2/24; VLANIF 105: 10.10.11.2/24 | Connected to the aggregation switch S5720HI

Core switch S7700 | (10) | GE1/0/1 | 103 | 172.21.10.2/24 | Connected to the S5720HI
 | (11) | GE1/0/2 | 104 | 172.22.10.1 | Gateway for servers

Server | - | SM + SC1 (RADIUS server + Portal server) | - | 172.22.10.2 | -
 | - | SC2 (RADIUS server + Portal server) | - | 172.22.10.3 | -
 | - | DNS server | - | 172.22.10.4 | -
 | - | Company server | - | 172.22.10.5 | -

Service Data Plan

Table 1-28 Service data plan


Item | Data | Description

AC | Number of the ACL for employees' post-authentication domain: 3001; SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
 | Number of the ACL for guests' post-authentication domain: 3002; SSID: guest | You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
 | RADIUS authentication server:
   - Primary IP address: 172.22.10.2
   - Secondary IP address: 172.22.10.3
   - Port number: 1812
   - Shared key: Admin@123
   RADIUS accounting server:
   - Primary IP address: 172.22.10.2
   - Secondary IP address: 172.22.10.3
   - Port number: 1813
   - Shared key: Admin@123
   - Accounting interval: 15 minutes
   RADIUS authorization server:
   - Primary IP address: 172.22.10.2
   - Secondary IP address: 172.22.10.3
   - Shared key: Admin@123
 | - The Service Controller of the AC-Campus provides RADIUS server and Portal server functions; therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller.
   - Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
   - Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
 | Portal server:
   - Primary IP address: 172.22.10.2
   - Secondary IP address: 172.22.10.3
   - Port number that the AC uses to listen on Portal protocol packets: 2000
   - Destination port number in the packets that the AC sends to the Portal server: 50200
   - Shared key: Admin@123
   - Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123
 | -

AC-Campus | Authentication port: 1812 | -
 | Accounting port: 1813 | -
 | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC.
 | Port number of the Portal server: 50200 | -
 | Portal key: Admin@123 | It must be the same as the Portal key configured on the AC.
 | Department: Employee
   - Account: tony
   - Password: Admin@123
   Department: Guest
   - Account: susan
   - Password: Admin@123
 | Department Employee, employee account tony, and guest account susan have been created on the AC-Campus.

Pre-authentication domain | SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server | -

Post-authentication domain for employees | Internal servers and Internet | -

Post-authentication domain for guests | Internet | -

Configuration Roadmap
1. Configure the access switch, aggregation switch, and ACs to ensure network
connectivity.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP address of the Portal
server. In this way, the ACs can communicate with the RADIUS server and Portal server.
3. Configure dual-link backup for ACs to ensure reliability of WLAN services.
4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
AC-Campus can manage the ACs.
5. Add authorization results and rules to grant different access rights to employees after
they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101 and VLAN 102 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to the aggregation switch.
[S2700-GigabitEthernet0/0/2] port link-type trunk //Change the link type of gigabitethernet0/0/2 to trunk.
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/2 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to AP1.
[S2700-GigabitEthernet0/0/3] port link-type trunk //Change the link type of gigabitethernet0/0/3 to trunk.
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/3 to VLAN 100.
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/3 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/3] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 100 101 102 105 //Create VLAN 100, VLAN 101, VLAN 102 and VLAN 105 in a batch.
[S5700] interface vlanif 100 //Enter the view of VLANIF 100.
[S5700-Vlanif100] ip address 172.18.10.3 16 //Configure an IP address for VLANIF 100 as the AP's gateway.
[S5700-Vlanif100] dhcp select interface
[S5700-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.2 //Exclude IP addresses in use from the DHCP address pool.
[S5700-Vlanif100] quit
[S5700] interface vlanif 101 //Enter the view of VLANIF 101.
[S5700-Vlanif101] ip address 172.19.10.1 16 //Configure an IP address for VLANIF 101 as the gateway for employees.
[S5700-Vlanif101] dhcp select interface
[S5700-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S5700-Vlanif101] quit
[S5700] interface vlanif 102 //Enter the view of VLANIF 102.
[S5700-Vlanif102] ip address 172.20.10.1 16 //Configure an IP address for VLANIF 102 as the gateway for guests.
[S5700-Vlanif102] dhcp select interface
[S5700-Vlanif102] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S5700-Vlanif102] quit
[S5700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the access switch.
[S5700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101 and VLAN 102.
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to AC1.
[S5700-GigabitEthernet0/0/2] port link-type trunk //Change the link type of gigabitethernet0/0/2 to trunk.
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 105 //Add gigabitethernet0/0/2 to VLAN 100 and VLAN 105.
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to AC2.
[S5700-GigabitEthernet0/0/3] port link-type trunk //Change the link type of gigabitethernet0/0/3 to trunk.
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 105 //Add gigabitethernet0/0/3 to VLAN 100 and VLAN 105.
[S5700-GigabitEthernet0/0/3] quit
[S5700] ip route-static 172.22.10.0 255.255.255.0 172.21.10.2 //Configure a static route to the server zone through the core switch.
[S5700] quit
<S5700> save //Save the configuration.

Step 3 [Device] Configure the core switch S7700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] vlan batch 103 104 //Create VLAN 103 and VLAN 104 in a batch.
[S7700] interface gigabitethernet 1/0/1 //Enter the view of the interface connected to the aggregation switch.
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface vlanif 103
[S7700-Vlanif103] ip address 172.21.10.2 255.255.255.0 //Configure the IP address used to communicate with the aggregation switch.
[S7700-Vlanif103] quit
[S7700] interface gigabitethernet 1/0/2 //Enter the view of the interface connected to the server zone.
[S7700-GigabitEthernet1/0/2] port link-type access
[S7700-GigabitEthernet1/0/2] port default vlan 104 //Configure VLAN 104 as the default VLAN for the gigabitethernet1/0/2 interface.
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface vlanif 104
[S7700-Vlanif104] ip address 172.22.10.1 255.255.255.0 //Configure a gateway IP address for the server zone.
[S7700-Vlanif104] quit
[S7700] ip route-static 172.19.0.0 255.255.0.0 172.21.10.1 //Configure a static route to the employees' network segment (172.19.0.0/16, the VLANIF 101 segment of the aggregation switch).
[S7700] ip route-static 172.20.0.0 255.255.0.0 172.21.10.1 //Configure a static route to the guests' network segment (172.20.0.0/16, the VLANIF 102 segment of the aggregation switch).
[S7700] quit
<S7700> save //Save the configuration.
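A return-route check for the routing in Steps 2 and 3, as an added Python example that is not part of this guide: it parses the VLANIF addresses and ip route-static lines in the VRP syntax used above and reports, for each user or AP segment on the aggregation switch, whether the core switch has a route that covers all of it. The configuration text is constructed sample input: the VLANIF lines of the two switches (with the S5720HI's VLANIF 103 taken from Table 1-27) plus core-switch routes written with /24 masks, to show what the check reports when a route is narrower than the /16 segment it is meant to reach.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input (not the guide's configuration files): VLANIF and static-route
# lines of the aggregation switch S5720HI and the core switch S7700.
AGGREGATION_CONFIG = """
interface vlanif 100
 ip address 172.18.10.3 16
interface vlanif 101
 ip address 172.19.10.1 16
interface vlanif 102
 ip address 172.20.10.1 16
interface vlanif 103
 ip address 172.21.10.1 24
ip route-static 172.22.10.0 255.255.255.0 172.21.10.2
"""

CORE_CONFIG = """
interface vlanif 103
 ip address 172.21.10.2 255.255.255.0
interface vlanif 104
 ip address 172.22.10.1 255.255.255.0
ip route-static 172.19.0.0 255.255.255.0 172.21.10.1
ip route-static 172.20.1.0 255.255.255.0 172.21.10.1
"""

VLANIF_RE = re.compile(r"^\s*interface vlanif (\d+)\s*$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
ROUTE_RE = re.compile(r"^\s*ip route-static (\S+) (\S+) (\S+)\s*$")

Vlanifs = Dict[int, ipaddress.IPv4Interface]
Routes = List[Tuple[ipaddress.IPv4Network, str]]


def parse_vrp(text: str) -> Tuple[Vlanifs, Routes]:
    """Extract VLANIF addresses and static routes (network, next hop) from VRP-style text.

    Both mask spellings used in the guide are accepted: a prefix length
    ("ip address 172.19.10.1 16") and a dotted mask ("... 255.255.255.0").
    """
    vlanifs: Vlanifs = {}
    routes: Routes = []
    current = None
    for line in text.splitlines():
        m = VLANIF_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            vlanifs[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return vlanifs, routes


def route_coverage(local: Vlanifs, remote: Vlanifs, remote_routes: Routes) -> Dict[int, str]:
    """For each segment attached to the local switch, report whether the remote switch
    can reach all of it: "covered" (a connected network or static route contains the
    whole segment), "partial: <prefix>" (the remote only has a narrower prefix inside
    the segment, so most hosts get no return route), or "missing" (no route at all)."""
    reachable = [net for net, _ in remote_routes] + [i.network for i in remote.values()]
    report: Dict[int, str] = {}
    for vid, iface in local.items():
        segment = iface.network
        if any(segment.subnet_of(net) for net in reachable):
            report[vid] = "covered"
            continue
        narrower = [str(net) for net in reachable if net.subnet_of(segment)]
        report[vid] = "partial: " + ", ".join(narrower) if narrower else "missing"
    return report


def check_guide_topology() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Run the check in both directions for the constructed configurations above."""
    agg_if, agg_routes = parse_vrp(AGGREGATION_CONFIG)
    core_if, core_routes = parse_vrp(CORE_CONFIG)
    from_core = route_coverage(agg_if, core_if, core_routes)  # can the server zone reply to clients and ACs?
    from_agg = route_coverage(core_if, agg_if, agg_routes)    # can clients and ACs reach the server zone?
    return from_core, from_agg


if __name__ == "__main__":
    from_core, from_agg = check_guide_topology()
    for vid, status in sorted(from_core.items()):
        print(f"core -> aggregation VLANIF {vid}: {status}")
    for vid, status in sorted(from_agg.items()):
        print(f"aggregation -> core VLANIF {vid}: {status}")
```

A "partial" or "missing" result means RADIUS, Portal or user traffic from that segment has no return path through the core, which shows up as authentication timeouts rather than an explicit error.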

Step 4 [Device] Configure the ACs to ensure network connectivity.

# On AC1, ensure network connectivity, and add GE0/0/1 connecting to the S5720HI to VLAN 100 and VLAN 105.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 105
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 105
[AC1-GigabitEthernet0/0/1] quit

# Configure IP addresses for AC1 to communicate with other NEs.
[AC1] interface vlanif 105
[AC1-Vlanif105] ip address 10.10.11.1 24 //Configure an IP address for VLANIF 105 for communicating with AC2 and transmitting backup data.
[AC1-Vlanif105] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.1 24 //Configure an IP address for VLANIF 100 for communicating with servers and managing the AP.
[AC1-Vlanif100] quit

# Configure a default route for AC1 so that packets are forwarded to the routing gateway by default.
[AC1] ip route-static 0.0.0.0 0 172.18.10.3

# On AC2, ensure network connectivity, and add GE0/0/1 connecting to the S5720HI to VLAN 100 and VLAN 105.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 105
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 105
[AC2-GigabitEthernet0/0/1] quit

# Configure IP addresses for AC2 to communicate with other NEs.
[AC2] interface vlanif 105
[AC2-Vlanif105] ip address 10.10.11.2 24 //Configure an IP address for VLANIF 105 for communicating with AC1 and transmitting backup data.
[AC2-Vlanif105] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.2 24 //Configure an IP address for VLANIF 100 for communicating with servers and managing the AP.
[AC2-Vlanif100] quit

# Configure a default route for AC2 so that packets are forwarded to the routing gateway by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.3

Step 5 [Device] Configure the AP to go online.

# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.
[AC1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are 60de-4476-e360 and 60de-4476-e380 respectively.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name  Group    IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0  ap_group 172.18.10.254 AP6010DN-AGN nor   0   20S
1  60de-4476-e380 ap_1  ap_group 172.18.10.253 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

The configuration of AC2 is the same as that of AC1 and is not provided here.
Step 6 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1 (the VLANIF 100 address of AC1).
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server to obtain user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server to obtain user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //Configure a second RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the AC-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one mapping, that is, the number of authentication servers and authorization servers must be the same.
//If not, the AC-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 1-29 Accounting interval

User Quantity | Real-Time Accounting Interval

1 to 99 | 3 minutes
100 to 499 | 6 minutes
500 to 999 | 12 minutes
≥ 1000 | ≥ 15 minutes

# Check whether a user can use the RADIUS server template for authentication. (User name test and password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.

# On AC2, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template. The RADIUS authentication configuration of AC2 is the same as that of AC1 and is not provided here. However, when setting the source IP address for AC2 in the RADIUS server template, set the source IP address of AC2 to 172.18.10.1.

# Configure Portal authentication for AC1.

1. Configure the URL of the primary Portal authentication page. When a user attempts to access a website before authentication, the AC redirects the user to the primary Portal server.
   You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and IP address of the AC-Campus server on the DNS server.
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //access1.example.com is the host name of the primary Portal server.

2. Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid indicates the parameter name, and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the Portal server to specify to which URL users' access requests will be redirected.
[AC1-url-template-huawei1] quit

3. Configure the URL of the secondary Portal authentication page. When the primary Portal server is unavailable, the AC redirects the website that a user attempts to access to the secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

4. Specify the port number used to process Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the AC-Campus.
[AC1] web-auth-server listening-port 2000

5. Configure a primary Portal server template, including configuring the IP address and port number of the primary Portal server.
   Set the destination port number in the packets sent to the Portal server to 50200. The Portal server accepts packets with destination port 50200, but the AC uses port 50100 to send packets to the Portal server by default. Therefore, you must change the port number to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure the IP address the device uses to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port number in the packets sent to the Portal server to 50200.

6. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server. In addition, enable the AC to transmit encrypted URL parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.

Issue 03 (2017-04-20) Huawei Proprietary and Confidential 192


Copyright © Huawei Technologies Co., Ltd.
1 Typical Configuration for Interconnection Between AC
WLAN Product Interoperation Configuration Guide and Huawei Agile Controller-Campus Server

[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL
template to the Portal server profile.

7. Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than the minimum number (specified by the critical-num parameter), the device
performs the corresponding operation to allow the administrator to obtain the real-time
Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5
critical-num 1 action log

8. (Optional) Enable user information synchronization.
The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Otherwise, user information on the device and on the Portal
server may be inconsistent and accounting may be inaccurate. The user information
synchronization interval must be greater than 300s. (The AC-Campus responds to probe
packets of a switch or AC at an interval of 5 minutes.) If the synchronization interval is
shorter than 300s, users may go offline after passing authentication. You are advised to
set the user information synchronization interval to 500s, that is, set interval to 100 and
max-times to 5.
[AC1-web-auth-server-portal_huawei1] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei1] quit

9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5
critical-num 1 action log
(Optional) [AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei2] quit
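The following Python model is an added example, not code from the Huawei guide or the AC: it simulates the Portal server template behaviour configured in steps 1 to 9 (the url-template query parameters ssid and url, server-detect with interval 100, max-times 5, critical-num 1 and action log, and the user-sync interval multiplied by max-times that must exceed the 300 s AC-Campus reply period) so the failover and timer arithmetic can be checked offline. The class and function names, the sample requested URL, and the exact failure boundary (a server is marked Down when its consecutive misses reach max-times) are assumptions.

```python
"""Added example (not Huawei code): a small model of the Portal server
template behaviour configured in steps 1 to 9 above, so the timer
arithmetic and failover can be checked offline."""
from dataclasses import dataclass, field
from urllib.parse import urlencode


@dataclass
class PortalServer:
    name: str           # web-auth-server template name (e.g. portal_huawei1)
    ip: str             # server-ip
    url: str            # url of the bound url-template
    state: str = "Up"
    missed: int = 0     # consecutive detection failures


@dataclass
class ServerDetect:
    """server-detect interval 100 max-times 5 critical-num 1 action log."""
    servers: list
    interval: int = 100
    max_times: int = 5
    critical_num: int = 1
    log: list = field(default_factory=list)

    def probe(self, answered):
        """One detection round. answered: names of templates that replied.
        Returns the number of servers left in Up state."""
        for s in self.servers:
            if s.name in answered:
                s.missed = 0
                if s.state == "Down":
                    s.state = "Up"
                    self.log.append(f"{s.name}: Down -> Up")
            else:
                s.missed += 1
                # Assumption: a server is marked Down when its consecutive
                # failures reach max-times.
                if s.state == "Up" and s.missed >= self.max_times:
                    s.state = "Down"
                    self.log.append(f"{s.name}: Up -> Down after {s.missed} misses")
        up = sum(1 for s in self.servers if s.state == "Up")
        if up < self.critical_num:
            # action log: the administrator is told that too few servers are Up
            self.log.append(f"critical-num: only {up} Portal server(s) Up")
        return up

    def failover_delay(self):
        """Worst-case seconds before an unreachable primary is marked Down."""
        return self.interval * self.max_times


def redirect_url(servers, ssid, requested):
    """URL pushed to an unauthenticated user. url-parameter ssid ssid
    redirect-url url means the query carries ssid=<SSID> and url=<original
    request>; the first Up server in primary/secondary order is used."""
    for s in servers:
        if s.state == "Up":
            query = urlencode({"ssid": ssid, "url": requested})
            return f"{s.url}?{query}"
    return None  # no Portal server Up: the AC cannot redirect


def user_sync_timeout(interval=100, max_times=5):
    """Seconds the AC waits for user-sync replies before the user is
    treated as offline: interval multiplied by max-times (500 s here)."""
    return interval * max_times


def user_sync_is_safe(interval, max_times, campus_reply_period=300):
    """AC-Campus answers sync probes every 5 minutes, so the timeout must
    exceed 300 s or authenticated users are dropped."""
    return user_sync_timeout(interval, max_times) > campus_reply_period


def demo():
    """Primary Portal server goes silent, then the secondary does too."""
    servers = [
        PortalServer("portal_huawei1", "172.22.10.2",
                     "http://access1.example.com:8080/portal"),
        PortalServer("portal_huawei2", "172.22.10.3",
                     "http://access2.example.com:8080/portal"),
    ]
    det = ServerDetect(servers)
    for _ in range(det.max_times):          # only the secondary answers
        det.probe(answered={"portal_huawei2"})
    primary_state = servers[0].state
    # constructed sample request from a guest client
    url = redirect_url(servers, "guest", "http://www.example.com/")
    for _ in range(det.max_times):          # now nobody answers
        det.probe(answered=set())
    return primary_state, url, det.log, det.failover_delay()


if __name__ == "__main__":
    for item in demo():
        print(item)
```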

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures
in 60 seconds before a Portal authentication user is set to the quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
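An added Python model, not part of the guide, of the quiet-period logic configured above: a user who fails Portal authentication quiet-times (5) times within the 60 s window is held in the quiet state for quiet-period (240) seconds, and the AC drops that user's packets until the period ends. The class name, the sample MAC address, and keying the failure counter by client MAC are assumptions.

```python
"""Added example (not Huawei code): a model of the Portal quiet-period
function configured above (portal quiet-times 5 within 60 s, portal timer
quiet-period 240). Users are keyed by client MAC address, an assumption."""
from collections import defaultdict, deque


class PortalQuietPeriod:
    FAIL_WINDOW = 60  # the guide counts failures within a fixed 60-second window

    def __init__(self, quiet_times=5, quiet_period=240):
        self.quiet_times = quiet_times      # portal quiet-times 5
        self.quiet_period = quiet_period    # portal timer quiet-period 240
        self.failures = defaultdict(deque)  # mac -> timestamps of failures
        self.quiet_until = {}               # mac -> second the quiet state ends

    def is_quiet(self, mac, now):
        """True while the user's packets are being dropped."""
        until = self.quiet_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self.quiet_until[mac]       # quiet period has expired
            return False
        return True

    def record_failure(self, mac, now):
        """Register a failed Portal authentication at time `now` (seconds).
        Returns True if the user is in the quiet state afterwards."""
        if self.is_quiet(mac, now):
            return True                     # dropped, so nothing new to count
        window = self.failures[mac]
        window.append(now)
        while window and now - window[0] >= self.FAIL_WINDOW:
            window.popleft()                # age out failures older than 60 s
        if len(window) >= self.quiet_times:
            self.quiet_until[mac] = now + self.quiet_period
            window.clear()
            return True
        return False

    def accept_packet(self, mac, now):
        """Whether the AC processes this user's authentication packet."""
        return not self.is_quiet(mac, now)


def demo():
    """Five failures inside 60 s put the client in the quiet state for 240 s."""
    qp = PortalQuietPeriod()
    mac = "00e0-fc12-3456"                  # constructed client MAC
    for t in (0, 10, 20, 30):               # four failures: still processed
        qp.record_failure(mac, t)
    still_accepted = qp.accept_packet(mac, 31)
    entered_quiet = qp.record_failure(mac, 40)   # fifth failure
    dropped = not qp.accept_packet(mac, 100)     # inside the 240 s quiet period
    released = qp.accept_packet(mac, 280)        # 40 + 240 = 280: quiet ends
    return still_accepted, entered_quiet, dropped, released


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```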

# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1
portal_huawei2 direct //Configure the primary and secondary Portal server
templates used by the Portal access profile. If the network between end users and
the AC is a Layer 2 network, configure the direct mode; if the network is a Layer
3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

# Configure pre-authentication and post-authentication access rules for users.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is
the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit

# Configure an authentication profile.


[AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60

# The Portal authentication configuration of AC2 is the same as that of AC1 and is not
provided here. However, when setting the source IP address for AC2 in the Portal server
template, set the source IP address of AC2 to 172.18.10.1.
Step 7 [Device] Set WLAN service parameters on the ACs.
# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure
direct forwarding for guests.
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

# The WLAN service parameters configuration of AC2 is the same as that of AC1 and is not
provided here.
Step 8 [Device] Configure dual-link backup on AC1 to implement HSB.
# Configure the IP address of AC2 and the AC1 priority to implement dual-link backup.
[AC1] wlan
[AC1-wlan-view] wlan ac protect enable
Warning: This operation maybe cause ap reset or client down, continue?[Y/N]:y
[AC1-wlan-view] wlan ac protect protect-ac 172.18.10.2 priority 2
Warning: Operation successful. It will take effect after AP reset.

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP (s), continue?[Y/N]:y
[AC1-wlan-view] quit

# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-
data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 2 interval 1
[AC1-hsb-service-0] quit

# Bind the NAC service to the HSB service.
[AC1] hsb-service-type access-user hsb-service 0

# Bind the WLAN service to the HSB service.
[AC1] hsb-service-type ap hsb-service 0

Step 9 [Device] Configure dual-link backup on AC2 to implement HSB.
# Configure the IP address of AC1 and the AC2 priority to implement dual-link backup.

[AC2] wlan
[AC2-wlan-view] wlan ac protect enable
Warning: This operation maybe cause ap reset or client down, continue?[Y/N]:y
[AC2-wlan-view] wlan ac protect protect-ac 172.18.10.1 priority 5
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] quit

# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-
data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 2 interval 1
[AC2-hsb-service-0] quit

# Bind the NAC service to the HSB service.
[AC2] hsb-service-type access-user hsb-service 0

# Bind the WLAN service to the HSB service.
[AC2] hsb-service-type ap hsb-service 0

Step 10 [Device] Verify the dual-link configuration.
# After the configurations are complete, run the display ac protect command on AC1 and
AC2 to view dual-link backup information.
[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 172.18.10.2
Priority : 2
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 172.18.10.1
Priority : 5
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

Step 11 [AC-Campus] Add the AC to the Service Manager to enable the AC-Campus to manage the
AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.

Parameter: Name
  Value: AC
  Description: -
Parameter: IP address
  Value: 172.18.10.1
  Description: The AC1 interface with this IP address must be able to communicate with the Service Controller.
Parameter: Enable RADIUS
  Value: Select
  Description: -
Parameter: Standby device IP address
  Value: 172.18.10.2
  Description: The AC2 interface with this IP address must be able to communicate with the Service Controller.
Parameter: Authentication/Accounting key
  Value: Admin@123
  Description: [AC1-radius-radius_template] radius-server shared-key cipher Admin@123
Parameter: Authorization key
  Value: Admin@123
  Description: [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123
Parameter: Real-time accounting interval (minute)
  Value: 15
  Description: [AC1-aaa-accounting-acco_scheme] accounting realtime 15
Parameter: Enable Portal
  Value: Selected
  Description: -
Parameter: Port
  Value: 2000
  Description: This is the port that the AC uses to communicate with the Portal server. Retain the default value.
Parameter: Portal key
  Value: Admin@123
  Description: [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123
Parameter: Access terminal IP list
  Value: 172.19.10.1/16;172.20.10.1/16
  Description: You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.
Parameter: Enable heartbeat between access device and Portal server
  Value: Select
Parameter: Portal server IP list
  Value: 172.22.10.2;172.22.10.3
  Description (shared by the two heartbeat parameters): The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.

4. Click OK.

Step 12 [AC-Campus] Add SSIDs on the AC-Campus, so that the AC-Campus can authorize users
through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.

2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.

Step 13 [AC-Campus] Configure authorization results and rules to grant different access rights to
employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.


2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.


3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.


----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.


3. Click OK.


Item: Employee authentication
Expected result:
- User account tony (employee account) can only access the AC-Campus server and DNS server before authentication.
- When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the employee authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
- On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.

Item: Guest authentication
Expected result:
- User account susan (guest account) can only access the AC-Campus server and DNS server before authentication.
- When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- User account susan cannot access internal servers of the company.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
- On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.

Item: AC1 power-off
Expected result: Services are automatically switched to AC2, without affecting employee authentication. The process is not detected by user terminals.

Summary and Suggestions
- The authentication key, accounting key, and Portal key must be kept consistent on the ACs and AC-Campus. The accounting interval set on the AC-Campus must also be the same as that on the ACs.
- Authorization rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition of a user matches a rule, the AC-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the ACs to enable the AC-Campus to obtain online user information by exchanging accounting packets with the ACs. The AC-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.


1.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment
This example illustrates how to configure Portal authentication on an AC N+1 network. The
RADIUS server and Portal server are both deployed in a two-node cluster, improving network
access reliability.

Involved Products and Versions

Product Type Product Name Version

AC-Campus AC-Campus V100R002C10

WLAN AC AC6605 V200R006C20

Access switch S2750EI V200R008C00

Aggregation switch S5720HI V200R008C00

Core switch S7700 V200R008C00

Networking Requirements
A company has about 5000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
- A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
- Employees and guests access the campus network using different SSIDs.
- Employees use laptops to access the network, and guests use mobile terminals to access the network.
- Employees can connect only to the DNS server, DHCP server, and AC-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
- Guests can connect only to the DNS server, DHCP server, and AC-Campus of the company before authentication, and can connect only to the Internet after being authenticated.
- There are three ACs on the network. Two ACs are deployed as the active ACs, and one as the standby AC to improve network reliability.


Figure 1-9 Networking of Portal authentication for wireless users in N+1 mode

Requirement Analysis
- Considering the company's networking and requirements, and because there is no specific requirement for terminal security checks, Portal authentication can be used on the campus network to authenticate employees and guests, with the authentication points deployed on the ACs.
- It is recommended that authentication packets be forwarded in tunnel mode and user data packets be forwarded in local mode to reduce the load on the ACs.

VLAN Plan

Table 1-30 VLAN plan

VLAN ID  Function
100      mVLAN for APs
101      Service VLAN for employees
102      Service VLAN for guests
103      VLAN for connecting the core switch to the server domain


Network Data Plan

Table 1-31 Network data plan

Columns for each entry: No.; Interface; VLAN ID; IP address; Description

Item: Access switch S2750EI
  (1) GE0/0/1; VLANs 100, 101, and 102; IP address: -; Connected to the AP in the guest area
  (2) GE0/0/2; VLANs 100, 101, and 102; IP address: -; Connected to the AP in the guest area
  (3) GE0/0/3; VLANs 100, 101, and 102; IP address: -; Connected to the aggregation switch S5720HI
Item: Aggregation switch S5720HI
  (4) GE0/0/1; VLANs 100, 101, and 102; IP address: -; Connected to the access switch S2750EI
  (5) GE0/0/2; VLANs 100, 101, and 102; IP address: -; Connected to the core switch S7700
  (6) GE0/0/3; VLAN 100; IP address: -; Connected to AC1
  (7) GE0/0/4; VLAN 100; IP address: -; Connected to AC2
  (8) GE0/0/5; VLAN 100; IP address: -; Connected to AC3
Item: AC1
  (9) GE0/0/1; VLAN 100; VLANIF 100: 172.18.10.1; Connected to the S5720HI
Item: AC2
  (10) GE0/0/1; VLAN 100; VLANIF 100: 172.18.10.2; Connected to the S5720HI
Item: AC3
  (11) GE0/0/1; VLAN 100; VLANIF 100: 172.18.10.3; Connected to the S5720HI
Item: S7700
  (12) GE1/0/1; VLANs 100, 101, and 102; VLANIF 100: 172.18.10.4, VLANIF 101: 172.20.10.1, VLANIF 102: 172.19.10.1; Connected to the S5720HI. VLANIF 100 is used for communicating with the ACs and as the gateway for APs, VLANIF 101 as the gateway for employees, and VLANIF 102 as the gateway for guests.
  (13) GE1/0/2; VLAN 103; VLANIF 103: 172.22.10.1; Connected to the server domain
Item: Server
  SM + SC1 (RADIUS server + Portal server); 172.22.10.2; -
  SC2 (RADIUS server + Portal server); 172.22.10.3; -
  DNS server; 172.22.10.4; -
  DHCP server; 172.22.10.6; IP address pool: APs 172.18.10.0/24, employees 172.20.0.0/16, guests 172.19.0.0/16
  Internal server; 172.22.10.5; -


Service Data Plan

Table 1-32 Service data plan

Item: AC
  Number of the ACL for employees' post-authentication domain: 3001
  SSID of the employee area: employee
    You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
  Number of the ACL for guests' post-authentication domain: 3002
  SSID of the guest area: guest
    You need to enter this ACL number when configuring authorization rules and results on the AC-Campus.
  RADIUS authentication server:
  - Primary IP address: 172.22.10.2
  - Secondary IP address: 172.22.10.3
  - Port number: 1812
  - Shared key: Admin@123
  RADIUS accounting server:
  - Primary IP address: 172.22.10.2
  - Secondary IP address: 172.22.10.3
  - Port number: 1813
  - Shared key: Admin@123
  - Accounting interval: 15 minutes
  RADIUS authorization server:
  - Primary IP address: 172.22.10.2
  - Secondary IP address: 172.22.10.3
  - Shared key: Admin@123
    Description of the RADIUS servers:
    - The Service Controller of the AC-Campus provides RADIUS server and Portal server functions; therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller.
    - Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
    - Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
  Portal server:
  - Primary IP address: 172.22.10.2
  - Secondary IP address: 172.22.10.3
  - Port number that the AC uses to listen on Portal protocol packets: 2000
  - Destination port number in the packets that the AC sends to the Portal server: 50200
  - Shared key: Admin@123
  - Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123
Item: AC-Campus
  Host name1: access1.example.com
  Host name2: access2.example.com
    Users can use the domain name to access the Portal server.
  IP address of the active device 1: 172.18.10.1
  IP address of the active device 2: 172.18.10.2
  IP address of the standby device: 172.18.10.3
  Authentication port: 1812
  Accounting port: 1813
  RADIUS shared key: Admin@123
    It must be the same as the RADIUS shared key configured on the AC.
  Port number of the Portal server: 50200
  Portal key: Admin@123
    It must be the same as the Portal key configured on the AC.
  Department: Employee
  - Account: tony
  - Password: Admin@123
  Department: Guest
  - Account: susan
  - Password: Admin@123
    Department Employee, employee account tony, and guest account susan have been created on the AC-Campus.
Item: Pre-authentication domain
  SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server
Item: Post-authentication domain for employees
  Internal servers and Internet
Item: Post-authentication domain for guests
  Internet

Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network
connectivity.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP addresses of Portal servers.
In this way, the ACs can communicate with RADIUS servers and Portal servers.
3. Configure reliability services and basic WLAN services for the ACs.
4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
AC-Campus can manage the ACs.
5. Add authorization results and rules to grant different access rights to employees and
guests after they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101, and VLAN 102 in a
batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add
gigabitethernet0/0/1 to VLAN 100, VLAN 101, and VLAN 102.
[S2700-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation to
prevent unwanted broadcast packets in a VLAN and Layer 2 communication between
WLAN users connected to different APs.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2 //Enter the view of the interface
connected to another AP.
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk pvid vlan 100
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[S2700-GigabitEthernet0/0/2] port-isolate enable
[S2700-GigabitEthernet0/0/2] quit

[S2700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to the aggregation switch S5700.
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102
[S2700-GigabitEthernet0/0/3] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101, and VLAN 102 in a
batch.
[S5700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to the access switch S2700.
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2 //Enter the view of the interface
connected to the core switch S7700.
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3 //Enter the view of the interface
connected to AC1.
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/3] quit
[S5700] interface gigabitethernet 0/0/4 //Enter the view of the interface
connected to AC2.
[S5700-GigabitEthernet0/0/4] port link-type trunk
[S5700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/4] quit
[S5700] interface gigabitethernet 0/0/5 //Enter the view of the interface
connected to AC3.
[S5700-GigabitEthernet0/0/5] port link-type trunk
[S5700-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/5] quit
[S5700] quit
<S5700> save //Save the configuration.

Step 3 [Device] Configure the core switch S7700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] dhcp enable //Enable the DHCP service.
[S7700] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN
103 in a batch.
[S7700] interface gigabitethernet 1/0/1 //Enter the view of the interface
connected to the aggregation switch S5700.
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 101 102
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface vlanif 100
[S7700-Vlanif100] ip address 172.18.10.4 24
[S7700-Vlanif100] dhcp select relay //Enable the DHCP relay agent.
[S7700-Vlanif100] dhcp relay server-ip 172.22.10.6 //Configure the DHCP server
connected to the DHCP relay agent.
[S7700-Vlanif100] quit
[S7700] interface vlanif 101
[S7700-Vlanif101] ip address 172.20.10.1 24
[S7700-Vlanif101] dhcp select relay
[S7700-Vlanif101] dhcp relay server-ip 172.22.10.6
[S7700-Vlanif101] quit
[S7700] interface vlanif 102
[S7700-Vlanif102] ip address 172.19.10.1 24
[S7700-Vlanif102] dhcp select relay
[S7700-Vlanif102] dhcp relay server-ip 172.22.10.6
[S7700-Vlanif102] quit
[S7700] interface gigabitethernet 1/0/2 //Enter the view of the interface connected to the server domain.


[S7700-GigabitEthernet1/0/2] port link-type trunk
[S7700-GigabitEthernet1/0/2] port trunk allow-pass vlan 103
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface vlanif 103
[S7700-Vlanif103] ip address 172.22.10.1 24
[S7700-Vlanif103] quit
[S7700] quit
<S7700> save //Save the configuration.

Step 4 [Device] Configure the ACs to ensure network connectivity.


# Configure network connectivity: connect GE0/0/1 on AC1 to the S5700 and add GE0/0/1 to management VLAN (mVLAN) 100 and service VLANs 101 and 102.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 102
[AC1] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to the aggregation switch S5700.
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.1 24 //Configure a source IP address for
AC1.
[AC1-Vlanif100] quit
[AC1] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between
AC1 and the server zone so that packets are forwarded to the core switch by
default.

# Configure network connectivity: connect GE0/0/1 on AC2 to the S5700 and add GE0/0/1 to management VLAN (mVLAN) 100 and service VLANs 101 and 102.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102
[AC2] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to the aggregation switch S5700.
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.2 24 //Configure a source IP address for
AC2.
[AC2-Vlanif100] quit
[AC2] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between
AC2 and the server zone so that packets are forwarded to the core switch by
default.

# Configure network connectivity: connect GE0/0/1 on AC3 to the S5700 and add GE0/0/1 to management VLAN (mVLAN) 100 and service VLANs 101 and 102. Configure AC3 as the standby AC of AC1 and AC2.
<AC6605> system-view
[AC6605] sysname AC3
[AC3] vlan batch 100 101 102
[AC3] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[AC3-GigabitEthernet0/0/1] port link-type trunk
[AC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC3-GigabitEthernet0/0/1] quit
[AC3] interface vlanif 100
[AC3-Vlanif100] ip address 172.18.10.3 24 //Configure a source IP address for
AC3.
[AC3-Vlanif100] quit
[AC3] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between
AC3 and the server zone so that packets are forwarded to the core switch by
default.

Step 5 [Device] Configure the AP to go online.


On AC1, configure the AP to go online.
# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN and the MAC address of the AP is 60de-4476-e360.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name   Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  ap_0   ap_group   172.18.10.254  AP6010DN-AGN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

On AC2, configure the AP to go online.

NOTE

The configuration process on AC2 is the same as that on AC1. The detailed process is as follows:
1. Create the AP group ap_group on AC2 and add APs managed by AC2 to this AP group.
2. Create a regulatory domain profile on AC2, configure the AC country code in the profile, and apply the
profile to the AP group.
3. Specify the IP address of VLANIF 100 on AC2 as the source address.
4. Add an AP with the type AP6010DN-AGN and MAC address 60de-4476-e380 to AC2 offline, and add
the AP to ap_group.

On AC3, configure the AP to go online.


# Create an AP group to which APs with the same configuration can be added.
[AC3] wlan
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC3-wlan-view] regulatory-domain-profile name domain1
[AC3-wlan-regulatory-domain-prof-domain1] country-code cn
[AC3-wlan-regulatory-domain-prof-domain1] quit
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-group-ap_group] quit
[AC3-wlan-view] quit

# Configure the AC's source interface.


[AC3] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are
60de-4476-e360 and 60de-4476-e380 respectively.
[AC3] wlan
[AC3-wlan-view] ap auth-mode mac-auth
[AC3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC3-wlan-ap-0] ap-name ap_0
[AC3-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-0] quit
[AC3-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC3-wlan-ap-1] ap-name ap_1
[AC3-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-1] quit
[AC3-wlan-view] quit

Step 6 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server to obtain user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server to obtain user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //
Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC
to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the
AC-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one
mapping, that is, the number of authentication servers and authorization servers
must be the same.
//If not, the AC-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication
scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can
maintain account state information such as login/logout information and force
users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 1-33 Accounting interval

User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

# Check whether a user can be authenticated through the RADIUS server template. (User name test and password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.
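The comment on the authorization servers above says the AC processes CoA/DM requests from the AC-Campus only when authorization servers with the same shared key are configured. The reason is the packet authenticator: a Disconnect-Request or CoA-Request is accepted only if the receiver can recompute its authenticator with its own copy of the key. The following Python example is added here and is not Huawei's or the AC-Campus's code; it builds a Disconnect-Request the way an RFC 5176 client such as the Service Controller would and verifies it the way the AC must, using the shared key Admin@123 and the account tony from the data plan. The Framed-IP-Address 172.20.10.10 is a constructed sample address in the employee VLAN.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes: RFC 2865 (Access-*), RFC 5176 (Disconnect/CoA)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_REQUEST = 43

# Shared key from the service data plan; the same value must be configured on the
# AC (radius-server shared-key / radius-server authorization) and on the AC-Campus.
SHARED_KEY = b"Admin@123"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a Disconnect-Request or CoA-Request as the AC-Campus would.

    RFC 5176: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """AC side: recompute the Request Authenticator with the locally configured key.

    A request built with a different key never verifies, which is why a CoA/DM
    request is dropped when the authorization shared key does not match.
    """
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """AC side: the ACK/NAK authenticator chains to the request it answers:
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def disconnect_user(user_name: str, framed_ip: str, secret_on_ac: bytes,
                    secret_on_server: bytes = SHARED_KEY, identifier: int = 7) -> int:
    """Simulate the AC-Campus kicking one user offline. Returns the code of the
    response the AC sends (DISCONNECT_ACK), or 0 when the AC drops the request."""
    attrs = (encode_attr(1, user_name.encode())                              # User-Name
             + encode_attr(8, bytes(int(o) for o in framed_ip.split("."))))  # Framed-IP-Address
    request = build_request(DISCONNECT_REQUEST, identifier, attrs, secret_on_server)
    if not verify_request(request, secret_on_ac):
        return 0  # key mismatch: neither ACK nor NAK is ever sent back
    response = build_response(DISCONNECT_ACK, request, b"", secret_on_ac)
    return response[0]


if __name__ == "__main__":
    print("matching key  ->", disconnect_user("tony", "172.20.10.10", SHARED_KEY))
    print("mismatched key->", disconnect_user("tony", "172.20.10.10", b"WrongKey"))
```

MD5 is what the protocol prescribes here, so the only thing protecting these messages is the secrecy and consistency of the shared key; this is why the guide insists on one-to-one authentication/authorization server mapping with identical keys, and why a key typo on a single server shows up as users that cannot be forced offline rather than as an error message.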

# Configure the Portal server.


1. Configure the URL of the primary Portal authentication page. When a user attempts to
access a website before authentication, the AC redirects the website to the primary Portal
server.
You are advised to configure the URL using a domain name to ensure secure and fast
page pushing. Before configuring the URL using a domain name, you must first
configure the mapping between the domain name and IP address of the AC-Campus
server on the DNS server.
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //access1.example.com is the host name of the primary Portal server.

2. Configure the parameters carried in the URL. The parameter names must be the same as those on the authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid is the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid is the parameter name and guest is the SSID with which the user associates.
//The second ssid is only the name under which the parameter is transmitted; it cannot be replaced with the actual user SSID.
//Likewise, when the AC uses url as the parameter name, url must be entered on the Portal server as the name of the parameter that carries the URL to which the user's access request will be redirected.
[AC1-url-template-huawei1] quit

3. Configure the URL of the secondary Portal authentication page. When the primary Portal
server is unavailable, the AC redirects the website that a user attempts to access to the
secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

4. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the AC-Campus.
[AC1] web-auth-server listening-port 2000

5. Configure a primary Portal server template, including configuring the IP address and
port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP
address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP
address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.

6. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL
template to the Portal server profile.

7. Enable the Portal server detection function.


After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than the minimum number (specified by the critical-num parameter), the device
performs the corresponding operation to allow the administrator to obtain the real-time
Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5
critical-num 1 action log

8. (Optional) Enable user information synchronization.


The user-sync command enables user information synchronization so that user information on the device and on the Portal server is synchronized at intervals to keep it consistent. Without synchronization, user information on the device and on the Portal server may become inconsistent and accounting may be inaccurate. The user information synchronization interval must be greater than 300s. (The AC-Campus responds to probe packets of a switch or AC at an interval of 5 minutes.) If the synchronization interval is shorter than 300s, users may go offline after passing authentication. You are advised to set the user information synchronization interval to 500s, that is, set interval to 100 and max-times to 5.
[AC1-web-auth-server-portal_huawei1] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei1] quit

9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 1 action log
[AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5 //(Optional) Enable user information synchronization.
[AC1-web-auth-server-portal_huawei2] quit
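To make the url-parameter behaviour from step 2 concrete, the following Python example (added here; not part of the guide or of the AC-Campus software) builds the redirect URL the way the AC does from the huawei1 template and reads it back on the Portal side. The two name mappings mirror ssid ssid redirect-url url on both ends; the page the user originally requested is constructed; and the post_login_target check is an assumption of this example about what a careful Portal does with the user-controlled url value before sending the browser back to it.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# URL configured in url-template huawei1 on the page.
PORTAL_URL = "http://access1.example.com:8080/portal"

# 'url-parameter ssid ssid redirect-url url': URL field -> name of the query
# parameter that carries it. Both ends must use the same right-hand names.
AC_PARAM_NAMES = {"ssid": "ssid", "redirect-url": "url"}
PORTAL_PARAM_NAMES = {"ssid": "ssid", "redirect-url": "url"}


def build_redirect(template_url: str, param_names: dict, ssid: str, original_url: str) -> str:
    """AC side: compose the redirect sent to an unauthenticated user. Values are
    percent-encoded so the embedded original URL survives as one parameter."""
    query = {param_names["ssid"]: ssid, param_names["redirect-url"]: original_url}
    return template_url + "?" + urlencode(query)


def parse_redirect(redirect_url: str, param_names: dict) -> dict:
    """Portal side: recover the SSID (used to pick the login page) and the original
    URL. A field comes back as None when the AC sent it under a name this side
    does not expect, which is the symptom of a url-parameter mismatch."""
    query = parse_qs(urlsplit(redirect_url).query)
    return {
        "ssid": query.get(param_names["ssid"], [None])[0],
        "original_url": query.get(param_names["redirect-url"], [None])[0],
    }


def post_login_target(original_url, fallback: str = PORTAL_URL + "/success") -> str:
    """Portal side (assumed check): the original URL is chosen by the client, so only
    an absolute http(s) URL with a host is honoured; anything else (empty,
    javascript:, scheme-relative //host) goes to the portal's own success page."""
    if not original_url:
        return fallback
    parts = urlsplit(original_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return fallback
    return original_url


if __name__ == "__main__":
    redirect = build_redirect(PORTAL_URL, AC_PARAM_NAMES, "guest",
                              "http://www.example.org/news?id=1")  # constructed request
    print(redirect)
    print(parse_redirect(redirect, PORTAL_PARAM_NAMES))
    print(parse_redirect(redirect, {"ssid": "wlanssid", "redirect-url": "url"}))
```

Run with the mismatched mapping in the last line to see the failure mode the guide warns about: the redirect still arrives, but the Portal cannot find the SSID and therefore cannot select the employee or guest page.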

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures within 60 seconds before a Portal authentication user enters the quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
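The three commands above describe a per-client rate limit: five failures within 60 seconds put the client into a quiet state for 240 seconds, during which its authentication packets are dropped. The following Python example is added here and is not Huawei's implementation; it models that logic with the page's values so the timing can be traced. The client MAC addresses and timestamps are constructed.

```python
from collections import deque

# Values from the page: portal quiet-times 5, counted within 60 seconds,
# portal timer quiet-period 240.
QUIET_TIMES = 5
FAIL_WINDOW = 60
QUIET_PERIOD = 240


class PortalQuietPeriod:
    """Per-client quiet-period logic as the guide describes it: after quiet_times
    Portal authentication failures within window seconds, the client's
    authentication packets are dropped for quiet_period seconds."""

    def __init__(self, quiet_times=QUIET_TIMES, window=FAIL_WINDOW, quiet_period=QUIET_PERIOD):
        self.quiet_times = quiet_times
        self.window = window
        self.quiet_period = quiet_period
        self._failures = {}     # client MAC -> deque of failure timestamps (seconds)
        self._quiet_until = {}  # client MAC -> time at which the quiet state ends

    def is_quiet(self, mac: str, now: float) -> bool:
        until = self._quiet_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[mac]  # quiet period has expired
            return False
        return True

    def handle_attempt(self, mac: str, now: float, credentials_ok: bool) -> str:
        """What the AC does with one authentication attempt: 'dropped' (client is
        quiet), 'accepted', 'rejected', or 'quiet' (this failure starts the quiet
        period)."""
        if self.is_quiet(mac, now):
            return "dropped"
        if credentials_ok:
            self._failures.pop(mac, None)
            return "accepted"
        recent = self._failures.setdefault(mac, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the counting window
        if len(recent) >= self.quiet_times:
            self._quiet_until[mac] = now + self.quiet_period
            recent.clear()
            return "quiet"
        return "rejected"


if __name__ == "__main__":
    q = PortalQuietPeriod()
    mac = "0011-2233-4455"  # constructed client MAC
    for t in (0, 10, 20, 30, 40, 41, 280):
        print(t, q.handle_attempt(mac, t, credentials_ok=(t >= 41)))
```

Note that the state is keyed by client, so one misbehaving client does not affect others, and that a correct login at 280s is accepted because the quiet period has just expired; the same sequence spread over more than 60 seconds never enters the quiet state at all.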

# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1
portal_huawei2 direct //Configure the primary and secondary Portal server
templates used by the Portal access profile. If the network between end users and
the AC is a Layer 2 network, configure the direct mode; if the network is a Layer
3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] free-rule 2 destination ip 172.22.10.6 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DHCP server (172.22.10.6, the DHCP relay target configured on the S7700 in Step 3) before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is
the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit
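The pre-authentication free rules and the post-authentication ACLs above use two different address-matching conventions: free-rule takes a subnet mask (255.255.255.255 means exactly this host), while an advanced ACL rule takes a wildcard (0 means exactly this host, and set bits are don't-care). The following Python example is added here and is not Huawei's ACL engine; it transcribes the page's rules and evaluates sample destinations against them so the effect of each stage can be checked. The default action for traffic that matches no ACL rule is an assumption of this example and never applies to the page's ACLs, both of which end with a catch-all permit; the destination 198.51.100.10 is a constructed Internet address.

```python
import ipaddress


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mask_match(addr: str, rule_addr: str, mask: str) -> bool:
    """free-rule semantics: 'mask' is a subnet mask, its set bits must match."""
    m = _int(mask)
    return (_int(addr) & m) == (_int(rule_addr) & m)


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Advanced ACL semantics: 'wildcard' bits that are set are don't-care
    (0.0.0.0, written as 0 on the CLI, means an exact host)."""
    w = _int(wildcard)
    return (_int(addr) | w) == (_int(rule_addr) | w)


# Rules transcribed from the page's configuration.
FREE_RULES = [  # (rule id, destination ip, mask)
    (1, "172.22.10.4", "255.255.255.255"),   # DNS server
    (2, "172.22.10.6", "255.255.255.255"),   # DHCP server
]
ACL_3001 = [  # employees: (rule id, action, destination, wildcard); None = any
    (5, "permit", None, None),
]
ACL_3002 = [  # guests: company server 172.22.10.5 is blocked, everything else permitted
    (5, "deny", "172.22.10.5", "0.0.0.0"),
    (10, "permit", None, None),
]
POST_AUTH_ACL = {"employee": ACL_3001, "guest": ACL_3002}


def pre_auth_allowed(dst: str) -> bool:
    """Before authentication only the free rules let traffic through."""
    return any(mask_match(dst, a, m) for _, a, m in FREE_RULES)


def acl_action(acl, dst: str, default: str = "deny") -> str:
    """First match in ascending rule-id order wins. 'default' (assumed) is returned
    only when no rule matches."""
    for _, action, rule_addr, wildcard in sorted(acl, key=lambda r: r[0]):
        if rule_addr is None or wildcard_match(dst, rule_addr, wildcard):
            return action
    return default


def allowed(role: str, authenticated: bool, dst: str) -> bool:
    """Combine both stages for one flow to a destination address."""
    if not authenticated:
        return pre_auth_allowed(dst)
    return acl_action(POST_AUTH_ACL[role], dst) == "permit"


if __name__ == "__main__":
    for role, auth, dst in [("guest", False, "172.22.10.4"), ("guest", False, "198.51.100.10"),
                            ("guest", True, "172.22.10.5"), ("guest", True, "198.51.100.10"),
                            ("employee", True, "172.22.10.5")]:
        print(role, "authenticated" if auth else "pre-auth", dst, "->", allowed(role, auth, dst))
```

The example also shows why the order of the guest rules matters: swapping rule 5 and rule 10 would let the catch-all permit match first and silently expose 172.22.10.5 to guests.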

# Configure an authentication profile.


[AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60
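The device-sensor command forwards three DHCP options to the authentication server: 12 (Host Name), 55 (Parameter Request List) and 60 (Vendor Class Identifier). The following Python example is added here and is not the AC's code; it parses those options out of a DHCP options field so it is clear what the server receives. The options field is constructed inline (a DISCOVER from a Windows-style client) and is not a real capture.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME, OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS = 12, 55, 60

# Constructed DHCP 'options' field (the part after the fixed BOOTP header).
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x01"                     # 53 DHCP Message Type = DISCOVER
    + b"\x0c\x0btony-laptop"              # 12 Host Name (11 bytes)
    + b"\x37\x05\x01\x03\x06\x0f\x77"     # 55 Parameter Request List
    + b"\x3c\x08MSFT 5.0"                 # 60 Vendor Class Identifier (8 bytes)
    + b"\x00\xff"                         # pad, End
)


def parse_dhcp_options(data: bytes) -> dict:
    """Return {option code: raw value}. Handles pad and End; stops at a length that
    runs past the data instead of guessing (a truncated or malformed packet)."""
    if not data.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(MAGIC_COOKIE)
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            break  # code without a length byte
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break  # option body truncated
        options.setdefault(code, value)  # first occurrence wins
        i += 2 + length
    return options


def device_sensor_fields(data: bytes) -> dict:
    """The three options the page forwards (device-sensor dhcp option 12 55 60),
    decoded the way a fingerprinting server would read them."""
    opts = parse_dhcp_options(data)
    return {
        "host-name": opts.get(OPT_HOST_NAME, b"").decode("ascii", "replace"),
        "parameter-request-list": list(opts.get(OPT_PARAM_REQUEST_LIST, b"")),
        "vendor-class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    print(device_sensor_fields(SAMPLE_OPTIONS))
    print(device_sensor_fields(SAMPLE_OPTIONS[:12]))  # truncated inside option 12
```

All three values are set by the client and are not authenticated in any way, which is why the guide uses them only to choose which Portal page to push; they are a usability signal, not an input to the access decision.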

The configurations of AC2 and AC3 are the same as that of AC1 and are not described here.
When configuring the authentication server, specify the IP address of VLANIF 100 on a
device as the source address.
Step 7 [Device] Set WLAN service parameters.

Set WLAN service parameters on AC1.

# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure
direct forwarding for guests.
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

Set WLAN service parameters on AC2, which are the same as those on AC1.

Set WLAN service parameters on AC3.

The WLAN service configurations on the standby AC must contain all the configurations on
the active ACs. In this example, the active ACs have the same WLAN service configurations,
so the configurations on AC3 must be the same as those on AC1 or AC2.

# Create the security profile security_portal and set the security policy in the profile.

Issue 03 (2017-04-20) Huawei Proprietary and Confidential 223


Copyright © Huawei Technologies Co., Ltd.
1 Typical Configuration for Interconnection Between AC
WLAN Product Interoperation Configuration Guide and Huawei Agile Controller-Campus Server

[AC3] wlan
[AC3-wlan-view] security-profile name security_portal
[AC3-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC3-wlan-view] ssid-profile name wlan-ssid-employee
[AC3-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC3-wlan-ssid-prof-wlan-ssid-employee] quit
[AC3-wlan-view] ssid-profile name wlan-ssid-guest
[AC3-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC3-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC3-wlan-view] vap-profile name wlan-vap-employee
[AC3-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure direct forwarding for employees.
[AC3-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC3-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC3-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC3-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind the authentication profile.
[AC3-wlan-vap-prof-wlan-vap-employee] quit
[AC3-wlan-view] vap-profile name wlan-vap-guest
[AC3-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure direct forwarding for guests.
[AC3-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC3-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC3-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC3-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC3-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC3-wlan-ap-group-ap_group] quit

Step 8 [Device] Enable N+1 backup on AC1, AC2, and AC3.

# On AC1, configure the global and individual priorities of the active AC1 and configure an
IP address for the standby AC3 so that the ACs work in N+1 backup mode.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs can connect to the same number of APs, the
AC that connects to more STAs is the active AC. If the ACs can connect to the same number of STAs, the AC
with a smaller IP address is the active AC.
[AC1] wlan
[AC1-wlan-view] ac protect protect-ac 172.18.10.3 //Configure an IP address for the standby AC.
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view] ac protect priority 6 //Configure the global priority of the active AC1.
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile and enter this profile view.
[AC1-wlan-ap-system-prof-ap-system1] priority 3 //Configure the individual priority of the active AC1.
Warning: This action will take effect after resetting AP.
[AC1-wlan-ap-system-prof-ap-system1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] ap-system-profile ap-system1 //Bind the AP system profile to the AP group.
[AC1-wlan-ap-group-ap_group] quit

# On AC2, configure the global and individual priorities of the active AC2 and configure an
IP address for the standby AC3 so that the ACs work in N+1 backup mode.
[AC2] wlan
[AC2-wlan-view] ac protect protect-ac 172.18.10.3 //Configure an IP address for the standby AC.
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] ac protect priority 6 //Configure the global priority of the active AC2.
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile and enter this profile view.
[AC2-wlan-ap-system-prof-ap-system1] priority 3 //Configure the individual priority of the active AC2.
Warning: This action will take effect after resetting AP.
[AC2-wlan-ap-system-prof-ap-system1] quit
[AC2-wlan-view] ap-group name ap_group
[AC2-wlan-ap-group-ap_group] ap-system-profile ap-system1 //Bind the AP system profile to the AP group.
[AC2-wlan-ap-group-ap_group] quit

# On AC3, configure IP addresses for active ACs and configure the global priority of the
standby AC3 so that the ACs work in N+1 backup mode.
[AC3] wlan
[AC3-wlan-view] ac protect priority 5
Warning: Operation successful. It will take effect after AP reset.
[AC3-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile and enter this profile view.
[AC3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 172.18.10.1
Warning: This action will take effect after resetting AP.
[AC3-wlan-ap-system-prof-ap-system1] quit
[AC3-wlan-view] ap-system-profile name ap-system2 //Create an AP system profile and enter this profile view.
[AC3-wlan-ap-system-prof-ap-system2] protect-ac ip-address 172.18.10.2
Warning: This action will take effect after resetting AP.
[AC3-wlan-ap-system-prof-ap-system2] quit
[AC3-wlan-view] ap-id 0
[AC3-wlan-ap-0] ap-system-profile ap-system1
[AC3-wlan-ap-0] quit
[AC3-wlan-view] ap-id 1
[AC3-wlan-ap-1] ap-system-profile ap-system2
[AC3-wlan-ap-1] quit

# On AC1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. To restart all APs, run the ap-reset all command on AC1 and AC2. After
the APs are restarted, N+1 backup starts to take effect.
[AC1-wlan-view] undo ac protect enable //Enable the N+1 backup function.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC2, enable N+1 backup and restart all APs to make the function take effect.
[AC2-wlan-view] undo ac protect enable
[AC2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC3.
[AC3-wlan-view] undo ac protect restore disable //Enable the global revertive switchover function.
[AC3-wlan-view] undo ac protect enable
[AC3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
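The election rule in the NOTE of Step 8 (priority value first, then AP count, then STA count, then the smaller IP address), worked through as an added Python example. It is not part of this guide and not Huawei code: the AcCandidate fields, the elect function and the AP/STA counts are this example's own assumptions, and it does not model which of the global ac protect priority and the ap-system-profile priority applies to a given AP; the caller passes the single priority value that is in effect.

```python
"""Added example: predict which AC becomes active under the N+1 backup election
rule stated in the NOTE of Step 8. Not Huawei code; all names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AcCandidate:
    name: str
    ip: str           # AC IP address, e.g. 172.18.10.1 (the guide's AC1)
    priority: int     # priority value in effect for the AP; smaller value = higher priority
    ap_count: int     # number of APs the AC can connect to
    sta_count: int    # number of STAs the AC can connect to


# Tie-break order from the NOTE; each criterion is consulted only when the previous ones tie.
CRITERIA = ("priority", "ap_count", "sta_count", "ip_address")


def election_key(ac):
    # The candidate with the smallest tuple wins: lower priority value, more APs,
    # more STAs (negated so that "more" sorts first), then the smaller IP address.
    return (ac.priority, -ac.ap_count, -ac.sta_count, int(IPv4Address(ac.ip)))


def elect(candidates):
    """Return (active AC, deciding criterion) for a list of AcCandidate objects."""
    if not candidates:
        raise ValueError("no AC candidates")
    ranked = sorted(candidates, key=election_key)
    winner = ranked[0]
    if len(ranked) == 1:
        return winner, "only candidate"
    winner_key, runner_up_key = election_key(winner), election_key(ranked[1])
    for criterion, a, b in zip(CRITERIA, winner_key, runner_up_key):
        if a != b:
            return winner, criterion
    # Two ACs with the same priority, counts and IP address cannot both exist.
    raise ValueError("duplicate AC entries")


def ac_names_by_rank(candidates):
    """AC names in the order they would be chosen, i.e. who takes over next."""
    return [ac.name for ac in sorted(candidates, key=election_key)]


if __name__ == "__main__":
    # Constructed values modelled on the guide: AC1 has priority 3 in ap-system1 and
    # the standby AC3 has global priority 5; the AP and STA counts are made up.
    ac1 = AcCandidate("AC1", "172.18.10.1", priority=3, ap_count=1, sta_count=20)
    ac3 = AcCandidate("AC3", "172.18.10.3", priority=5, ap_count=2, sta_count=40)
    winner, why = elect([ac1, ac3])
    print(winner.name, "is active, decided by", why)
```

Run it before resetting the APs to confirm that the priorities you configured give the roles you expect; the deciding criterion tells you whether the outcome rests on configuration (priority) or on load figures that change over time (AP and STA counts).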

Step 9 [AC-Campus] Add AC1 to the Service Manager to enable the AC-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for AC1.

Parameter: Name
Value: AC1
Description: -

Parameter: IP address
Value: 172.18.10.1
Description: The AC1 interface with this IP address must be able to communicate with the Service Controller.

Parameter: Standby device IP address
Value: 172.18.10.3
Description: It is used for AC3 to communicate with the AC-Campus.

Parameter: Authentication/Accounting key
Value: Admin@123
Description: [AC1-radius-radius_template] radius-server shared-key cipher Admin@123

Parameter: Authorization key
Value: Admin@123
Description: [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123

Parameter: Real-time accounting interval (minute)
Value: 15
Description: [AC1-aaa-accounting-acco_scheme] accounting realtime 15

Parameter: Port
Value: 2000
Description: This is the port that the AC uses to communicate with the Portal server. Retain the default value.

Parameter: Portal key
Value: Admin@123
Description: [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123

Parameter: Access terminal IP list
Value: 172.19.10.1/16;172.20.10.1/16
Description: You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.

Parameter: Enable heartbeat between access device and Portal server
Value: Selected
Description: When a Portal server is unavailable, services can be switched to the standby Portal server. The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.

Parameter: Portal server IP list
Value: 172.22.10.2;172.22.10.3
Description: See Enable heartbeat between access device and Portal server; the description above covers both parameters.

4. Click OK.
5. Click Add again and set parameters of AC2.


Step 10 [AC-Campus] Add SSIDs on the AC-Campus, so that the AC-Campus can authorize users
through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.

Step 11 [AC-Campus] Configure authorization results and rules to grant different access rights to
employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.

3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.

----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.

3. Click OK.

Item: Employee authentication
Expected Result:
- User account tony (employee account) can only access the AC-Campus server and DNS server before authentication.
- When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the default authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
- On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.

Item: Guest authentication
Expected Result:
- User account susan (guest account) can only access the AC-Campus server and DNS server before authentication.
- When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- User account susan cannot access internal servers of the company.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
- On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.

Item: AC1 and AC2 power-off
Expected Result: Services are automatically switched to AC3, and employees and guests go offline. Employees and guests are re-authenticated and go online, and their access rights are normal.

Item: SC power-off
Expected Result: After the network cable of a Service Controller is disconnected, employees and guests are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions

- The authentication key, accounting key, and Portal key must be kept consistent on the AC and AC-Campus. The accounting interval set on the AC-Campus must also be the same as that on the AC.
- Authorization rules or Portal page push rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition or Portal push condition of a user matches a rule, the AC-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and lower priorities for the rules defining fuzzy conditions.

- The RADIUS accounting function is configured on the AC to enable the AC-Campus to obtain online user information by exchanging accounting packets with the AC. The AC-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
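One way to check the consistency requirement of the first bullet (and of the Step 9 parameter table) before adding the device, as an added Python example that is not part of this guide and not Huawei or Agile Controller code: it reads the AC commands quoted in the Step 9 table and reports every value that differs from what was entered on the AC-Campus. The transcript string and the CAMPUS_AC1 dictionary are constructed from the page's values, not captured from a device, and the parameter names are this example's own. It works on the commands as typed; the configuration file of the AC shows cipher keys in encrypted form, which would not compare equal to the plaintext entered on the AC-Campus.

```python
"""Added example: compare the RADIUS/Portal keys and accounting interval configured
on the AC with the values entered for the device on the AC-Campus. Not Huawei or
Agile Controller code; the parameter names are this example's own."""
import re

# Constructed transcript, copied from the commands quoted in the Step 9 table
# (not a capture from a live AC). Each line is "[view] command //comment".
AC1_TRANSCRIPT = """
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //minutes
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123
"""

# Values entered under Resource > Device > Device Management for AC1 (constructed).
CAMPUS_AC1 = {
    "auth_accounting_key": "Admin@123",
    "authorization_key": "Admin@123",
    "realtime_accounting_interval": 15,
    "portal_key": "Admin@123",
}

# "[AC1-wlan-view] command //comment" -> view and command, with the comment dropped
PROMPT_RE = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*?)\s*(?://.*)?$")


def extract_ac_parameters(transcript):
    """Map the parameters of the Step 9 table to the values found in the AC transcript."""
    found = {}
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        view, cmd = m.group("view"), m.group("cmd")
        words = cmd.split()
        if "-radius-" in view and cmd.startswith("radius-server shared-key cipher "):
            found["auth_accounting_key"] = words[-1]                # Authentication/Accounting key
        elif cmd.startswith("radius-server authorization ") and "shared-key" in words:
            found["authorization_key"] = words[-1]                  # Authorization key
        elif "-aaa-accounting-" in view and cmd.startswith("accounting realtime "):
            found["realtime_accounting_interval"] = int(words[-1])  # minutes
        elif "-web-auth-server-" in view and cmd.startswith("shared-key cipher "):
            found["portal_key"] = words[-1]                         # Portal key
    return found


def find_mismatches(ac_params, campus_params):
    """Return (parameter, AC value, AC-Campus value) for each value that differs or is missing on the AC."""
    issues = []
    for name, campus_value in campus_params.items():
        ac_value = ac_params.get(name)
        if ac_value != campus_value:
            issues.append((name, ac_value, campus_value))
    return issues


if __name__ == "__main__":
    for issue in find_mismatches(extract_ac_parameters(AC1_TRANSCRIPT), CAMPUS_AC1):
        print("mismatch:", issue)
```

A missing parameter is reported with an AC value of None, which is the case to look for when a view was configured on the active ACs but forgotten on the standby AC3.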

1.12 Appendix
1.12.1 Common Page Customization Operations Using the Editor
This section describes common page customization operations using the editor, for example,
replacing pictures, buttons, and controls, and deleting controls.

- Replace the Background Image
- Replace the Logo
- Add Dynamic Pictures
- Change Static Pictures
- Modify the Button Background
- Delete Picture, Text Box, Button, and Other Controls
- Change the Authentication Mode
- Add Links to User Notice Page, Page Switching, Forget Password and Registration Page
- Add Common Buttons
- Add Common Fields
- Modify the Interval for Quickly Obtaining the Password Through Mobile Phone
- Set Mandatory Fields

Replace the Background Image

Click to select the background image.

To ensure smooth display of a customized page, large pictures are not recommended for the background image. You are advised to use small pictures and lay them out in tile mode.

Replace the Logo

Click the logo, and then click Replace.

Add Dynamic Pictures

Click to select pictures and enter hyperlinks of the pictures.

Dynamic pictures consist of a group of pictures and corresponding hyperlinks. The pictures can be switched at a specified interval. You can use dynamic pictures to display advertisements.

Change Static Pictures

Click the picture you want to change, and then click Replace or .
Check the sizes of the original pictures you want to change. Ensure that the sizes of the new pictures to be uploaded are the same as those of the pictures they replace.

Modify the Button Background

Click the button you want to change, and click Button Image.
Text on buttons cannot be modified directly. Use the picture editor to place the text on the button's background image, so that the text becomes part of the image, and then replace the background image.

Delete Picture, Text Box, Button, and Other Controls

Click the control you want to delete, and press Delete.

Change the Authentication Mode

Select the authentication mode you want from the drop-down list box on the menu bar. Before adding a new authentication mode, press Delete to delete all controls used in the original authentication mode.
- Account password authentication: includes the Account and Password fields and the Log In button.
- Passcode authentication: includes the Passcode field and the Log In button.
- Quick mobile phone authentication: includes the Phone number and Password fields as well as the Get Password and Log In buttons.
- Mobile phone verification code authentication: includes the Account, Password and Verification code fields, and the Get Verification Code and Log In buttons.
  NOTE
  - The validity period of a verification code is 10 minutes. When the validity period expires, users need to obtain a new verification code.
  - Click Get Verification Code and then Set Button Background and Verification Code Delivery Interval to set the countdown period for receiving a verification code through a short message and the text on the button.
  - End users receive verification codes through their mobile phones when this authentication mode is used. Therefore, end users' mobile phone numbers must be configured; otherwise, they cannot receive verification codes.
- One-key authentication: includes the Email field and the Log In button.
- Uniform authentication: indicates account/password authentication, passcode authentication, and social media authentication.

Add Links to User Notice Page, Page Switching, Forget Password and Registration Page

Select links you want to add from the drop-down list box on the menu bar. Links to the target pages are available by default. You can add the links directly without any special settings.
The following figure shows the link setting effect for the user notice page. Click Readme to switch to the user notice page.

Add Common Buttons

Select buttons you want to add from the drop-down list box on the menu bar.

The following figure shows the effect of adding the AutoLogin button.
NOTE
- End users need to enable browser cookies after the Remember password or Auto login button is added; otherwise the button does not take effect. Enabling browser cookies may cause potential risks. Exercise caution when you perform this operation.
- The AutoLogin button does not take effect on the automatically displayed Portal authentication page on iPhone, because the displayed web page on iPhone cannot save cookie information. The built-in Safari browser of iPhone can save cookie information.

Add Common Fields

Generally, you need to add specific fields, such as the verification code and phone number, when customizing a registration page. Select the field you want to add from the drop-down list box on the menu bar.

NOTE
The verification code field is not provided in the default authentication page template. You are advised to add the field to improve login and authentication security. At the position where a verification code is to be added, select Verification code from the Field drop-down list box.

Modify the Interval for Quickly Obtaining the Password Through Mobile Phone
Click Get Password on the quick authentication page, and then click Set Button
Background and Short Message Sending Interval. Set the parameters accordingly in the
displayed dialog box.

Set Mandatory Fields

Click the field, and select Not Empty.

1.12.2 Customizing Pages

This section describes how to customize the registration page, authentication page, authentication success page, and user notice page for guests.

Context
To ensure that a page has an elegant appearance and high security, an administrator must be
capable of page editing and image processing.

Based on the screen size, terminal devices are classified into mobile phones and computers. When you customize a page for mobile phones, a compact and simple style, small pictures, and short texts are recommended because mobile phones have small screens. As computers have large screens and can carry more information than mobile phones, you can use large pictures and relatively long texts during page customization. You need to customize pages for both mobile phones and computers if an enterprise allows guests to access the network using mobile phones and computers (laptops and tablet computers).

Page customization supports multiple languages, including simplified Chinese, English, traditional Chinese, German, Spanish, French, and Portuguese by default. If the default language templates do not meet your needs, you can add language templates. For details, see 1.12.4 Example: Adding Language Templates.

The Service Manager provides pre-defined page templates that are frequently used. You can
choose Policy > Permission Control > Page Customization > Authentication &
Registration Template to locate the templates. Administrators can select their desired page
style or modify the style of the templates.

The registration page, authentication page, authentication success page, and user notice page
make up a set of guest pages.

Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Page Customization.

Step 2 Click in the operation area on the right.

Step 3 Set parameters for the customized page and click Next.

Step 4 Select your desired page template and preview the effect. Select a language template and click
Next.

Step 5 Customize pages for mobile phones and PCs.
For details, see 1.12.1 Common Page Customization Operations Using the Editor.

Step 6 Click Preview, Test and Publish.

A customization page can be used by guests only after the page is released. The save to draft
function only saves a customization page on the Service Manager.

After you click Publish, the system automatically saves the customization page.

----End

1.12.3 Defining a Redirection Rule for the Portal Page

After customizing authentication and registration pages for guests, the administrator defines a redirection rule for the Portal page to ensure that the guests can access the corresponding authentication and registration page.

Prerequisites
The authentication or registration page has been customized. For details, see 1.12.2
Customizing Pages.

Context
If guests use different authentication and registration pages, configure a unified Portal page http://server-ip:8080/portal or http://agilecontroller.huawei.com:8080/portal for all users. The AC-Campus automatically redirects the Portal page to the authentication or registration page based on the defined redirection rule.

The URL using the domain name is recommended because it is safer and faster. However, you need to configure the mapping between the domain name agilecontroller.huawei.com and the server IP address on the DNS server in advance.

The AC-Campus supports redirection based on the following authentication information:
- IP address of the terminal to be authenticated.
- Information about the access device to be authenticated, for example, MAC address or SSID. This information is obtained from the HTTP parameter in the user authentication data. The redirection rule needs to be associated with the access device. For details, see Table 1-34.
- Terminal's operating system type for authentication.
- Account type for authentication. You need to configure the authentication-free function for WeChat accounts and select the corresponding option for public QR codes.

The redirection rules are prioritized. The rule with the highest priority is preferentially
matched with the user authentication data. If all configured rules are mismatched, the default
rule is used.
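The first-match behaviour of the preceding paragraph (highest priority first, default rule when nothing matches), together with the advice in Summary and Suggestions to give precise rules a higher priority than fuzzy ones, as an added Python example that is not part of this guide and not Agile Controller code. It parses the url-parameter values the guide names for the AC (userip, usermac, ssid, apmac) out of a redirect URL and walks a constructed rule list; the PushRule fields, the page paths, the MAC values and the os_type/account_type inputs (assumed to be supplied by the caller) are this example's own assumptions. The same walk applies to the authorization rules of Step 11, which the guide says are matched in the same order.

```python
"""Added example: first-match selection of a Portal page from prioritized push
rules, plus parsing of the url-parameter values the AC appends to the redirect
URL. Not Agile Controller code; rule fields, pages and sample values are assumed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class PushRule:
    name: str
    priority: int            # smaller number = higher priority, matched first
    page: str                # page pushed when the rule matches (assumed paths)
    ip_segments: tuple = ()  # terminal IP address segments, as in the access terminal IP list
    ssids: tuple = ()        # SSID carried in the URL (url-parameter ssid ssid)
    os_types: tuple = ()     # terminal operating system type
    account_types: tuple = ()


def parse_redirect_params(url):
    """Return the url-parameter values (userip, usermac, ssid, apmac, ...) from a redirect URL."""
    return {name: values[0] for name, values in parse_qs(urlsplit(url).query).items()}


def rule_matches(rule, params, os_type=None, account_type=None):
    """A rule matches only when every condition it defines holds; an empty condition matches anything."""
    if rule.ip_segments:
        userip = params.get("userip")
        if userip is None:
            return False
        # strict=False accepts host/prefix entries such as 172.19.10.1/16 as written in the guide
        if not any(ip_address(userip) in ip_network(seg, strict=False) for seg in rule.ip_segments):
            return False
    if rule.ssids and params.get("ssid") not in rule.ssids:
        return False
    if rule.os_types and os_type not in rule.os_types:
        return False
    if rule.account_types and account_type not in rule.account_types:
        return False
    return True


def select_page(rules, default_page, url, os_type=None, account_type=None):
    """Walk the rules in descending priority; return (rule name, page), or the default when none matches."""
    params = parse_redirect_params(url)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, params, os_type, account_type):
            return rule.name, rule.page
    return "default", default_page


DEFAULT_PAGE = "/portal"   # the unified Portal page from the Context section

# Constructed rules: the precise (SSID + OS) rule outranks the fuzzy SSID-only rule.
RULES = (
    PushRule("guest-mobile", 1, "/portal/guest_mobile.html", ssids=("guest",), os_types=("iOS", "Android")),
    PushRule("guest-pc", 2, "/portal/guest_pc.html", ssids=("guest",)),
    PushRule("employee", 3, "/portal/employee.html", ip_segments=("172.19.10.1/16",), ssids=("employee",)),
)

# The same rules with the two guest priorities swapped: the fuzzy rule now shadows the precise one.
SHADOWED_RULES = tuple(replace(r, priority={1: 2, 2: 1}.get(r.priority, r.priority)) for r in RULES)

# Constructed redirect URL in the shape the url-parameter command produces (MAC values made up).
GUEST_URL = ("http://agilecontroller.huawei.com:8080/portal"
             "?userip=172.20.10.1&usermac=00-11-22-33-44-55&ssid=guest&apmac=00-aa-bb-cc-dd-ee")

if __name__ == "__main__":
    print(select_page(RULES, DEFAULT_PAGE, GUEST_URL, os_type="iOS"))           # precise rule wins
    print(select_page(SHADOWED_RULES, DEFAULT_PAGE, GUEST_URL, os_type="iOS"))  # shadowed by the fuzzy rule
```

The SHADOWED_RULES case is the misconfiguration the Summary warns about: once the SSID-only rule sits above the SSID-plus-OS rule, the more specific rule is never reached, and mobile guests silently receive the PC page.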

Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.

Step 2 Click Add.

Step 3 Set push rule related parameters.

Table 1-34 Set push rule related parameters

Name: Indicates the name of a Portal page push rule.

Issue 03 (2017-04-20) Huawei Proprietary and Confidential 251


Copyright © Huawei Technologies Co., Ltd.
1 Typical Configuration for Interconnection Between AC
WLAN Product Interoperation Configuration Guide and Huawei Agile Controller-Campus Server

Push conditions: Specifies the conditions for pushing Portal pages, including the time,
terminal's IP address segment, self-defined parameter, terminal's operating system type, and
account type.
Self-defined parameters must be the same as the parameters carried in the URL configured on
the AC by running the url-parameter command. The command format on the AC is as follows:
url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac
ap-mac-value | ssid ssid-value | sysname sysname-value | user-ipaddress
user-ipaddress-value | user-mac user-mac-value | redirect-url redirect-url-value } *
• ac-ip ac-ip-value: specifies the AC IP address carried in the URL. If required, set
ac-ip-value to ac-ip.
• ac-mac ac-mac-value: specifies the AC MAC address carried in the URL and sets the
parameter name.
• ap-ip ap-ip-value: specifies the AP IP address carried in the URL and sets the parameter
name.
• ap-mac ap-mac-value: specifies the AP MAC address carried in the URL. If required, set
ap-mac-value to apmac.
• ssid ssid-value: specifies the SSID that users associate with, carried in the URL. If
required, set ssid-value to ssid.
• sysname sysname-value: specifies the device system name carried in the URL and sets
the parameter name.
• user-ipaddress user-ipaddress-value: specifies the user IP address carried in the URL. If
required, set user-ipaddress-value to userip.
• user-mac user-mac-value: specifies the user MAC address carried in the URL. If required,
set user-mac-value to usermac.
• redirect-url redirect-url-value: specifies the original URL that the user accesses, carried
in the URL. If required, set redirect-url-value to url.
For example, if the url-parameter ssid ssid command is configured on the AC, you must set
ssid-value to ssid. If users connect to the network through the SSID example, you must set
Customized parameters to ssid=example.
NOTE
• For WeChat authentication and public QR code authentication, you must set a value for
redirect-url.
• For WeChat authentication-free, you need to set values for redirect-url and user-mac.
• In scenarios where guests follow a WeChat public account to access Wi-Fi, ssid,
redirect-url, and user-mac are mandatory.
• When configuring URL parameters in the URL template view on the AC, do not run the
parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark
parameter-value } * command to modify the symbols in the URL. If you modify the symbols
in the URL, URL resolution on the AC-Campus may fail, leading to an interconnection failure.

Push page: Select a page customized in 1.12.2 Customizing Pages.

First page to push: Specifies the page to be pushed to a guest for the first time.

URL: Use the default value.

Page displayed after successful authentication:
• No redirect: The authentication success page is displayed after the authentication
succeeds.
• Redirect to the specified address: A specified page is displayed after the authentication
succeeds. Set the URL to be switched to in Address.
• Continue to visit the original page: The original page that the user requests is displayed
after the authentication succeeds. You need to configure the url-parameter redirect-url url
command in the URL template on the AC or switch. For details, see 1.12.8 How Do I
Continue to Access the Original Page After Successful Portal Authentication?.

Description: -

Step 4 Click OK.

----End

Example
Configure three redirection rules for the Portal page.

Redirection Rule                                          Redirected to           Priority (Smaller Value, Higher Priority)
Terminal device type: Android mobile phone                Authentication page A   1
Self-defined parameter: network                           Authentication page B   2
Terminal's IP address segment: 10.10.10.10-10.10.10.50    Authentication page C   3
Default rule                                              Default page            N

A guest uses a laptop to connect to the wireless network network. The laptop's IP address is
10.10.10.20. The guest accesses http://server-ip:8080/portal or
http://agilecontroller.huawei.com:8080/portal and is then redirected to authentication page B
for authentication.
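The rule evaluation in the example above, written out as an added Python example that is not part of this guide or of the AC-Campus: it parses the parameters the AC appends to the Portal URL (ssid, userip, url, as set with url-parameter), evaluates the three rules of the table in priority order, and falls back to the default rule. The terminal operating system type is assumed to arrive separately (an os field standing in for the AC-Campus's own terminal detection), and original_url_is_web is an added defensive check on the url parameter used by "Continue to visit the original page" (see 1.12.8), not an AC-Campus setting.

```python
"""Portal page push-rule matching for the AC-Campus example (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlsplit

AuthData = Dict[str, str]   # user authentication data as seen by the AC-Campus


def parse_portal_url(url: str) -> AuthData:
    """Return the parameters carried in the Portal URL (first value of each)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


@dataclass(order=True)
class PushRule:
    priority: int                     # smaller value, higher priority
    page: str = field(compare=False)  # page the guest is redirected to
    conditions: List[Callable[[AuthData], bool]] = field(
        default_factory=list, compare=False)

    def matches(self, data: AuthData) -> bool:
        # every configured push condition of the rule must hold
        return all(cond(data) for cond in self.conditions)


def os_type_is(os_type: str) -> Callable[[AuthData], bool]:
    """Terminal operating system type condition. The 'os' field is an
    assumption standing in for the AC-Campus's terminal detection."""
    return lambda data: data.get("os", "").lower() == os_type.lower()


def custom_param_is(name: str, value: str) -> Callable[[AuthData], bool]:
    """Self-defined parameter condition, written e.g. ssid=network on the AC-Campus."""
    return lambda data: data.get(name) == value


def ip_in_segment(first: str, last: str) -> Callable[[AuthData], bool]:
    """Terminal IP address segment condition on the userip URL parameter."""
    low, high = ip_address(first), ip_address(last)

    def check(data: AuthData) -> bool:
        try:
            return low <= ip_address(data["userip"]) <= high
        except (KeyError, ValueError):   # parameter missing or not an address
            return False
    return check


# Constructed to mirror the example table; the default rule (priority N)
# is the fallback in select_page().
EXAMPLE_RULES = [
    PushRule(1, "Authentication page A", [os_type_is("Android")]),
    PushRule(2, "Authentication page B", [custom_param_is("ssid", "network")]),
    PushRule(3, "Authentication page C",
             [ip_in_segment("10.10.10.10", "10.10.10.50")]),
]
DEFAULT_PAGE = "Default page"


def select_page(rules: List[PushRule], data: AuthData) -> str:
    """The highest-priority matching rule wins; otherwise the default rule."""
    for rule in sorted(rules):
        if rule.matches(data):
            return rule.page
    return DEFAULT_PAGE


def redirect_for(portal_url: str, terminal_info: AuthData) -> str:
    """Merge URL parameters with what the AC-Campus knows about the terminal."""
    data = {**parse_portal_url(portal_url), **terminal_info}
    return select_page(EXAMPLE_RULES, data)


def original_url_is_web(url: str) -> bool:
    """Added defensive check: only send an authenticated user on to an
    absolute http(s) URL taken from the url parameter."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    # The guest from the example: laptop, SSID network, IP address 10.10.10.20
    guest = ("http://agilecontroller.huawei.com:8080/portal"
             "?ssid=network&userip=10.10.10.20&url=http://bbs.example.com")
    print(redirect_for(guest, {"os": "Windows"}))   # Authentication page B
    print(original_url_is_web(parse_portal_url(guest)["url"]))   # True
```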

1.12.4 Example: Adding Language Templates


Language templates are used to specify languages of GUI elements such as page titles,
buttons, and expressions on pages such as the self-service page, authentication page,
registration page, authentication success page, registration success page, and user notice page.
By default, the AC-Campus provides the following language templates: Chinese, English,
traditional Chinese, German, French, Spanish and Portuguese. You can add language
templates if the default language templates cannot satisfy your demands.

Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Language Template to
create a language template for basic self-service information.

Step 2 Choose Policy > Permission Control > Page Customization > Page Customization to
customize the page containing this language template.

When you customize an authentication success page, the page must contain the Self-help
Service button.

Step 3 Choose Policy > Permission Control > Page Customization > Portal Page Push Rule to
create a Portal page push rule and choose the page customized in the preceding step as the
page to be pushed.

Step 4 Enter http://IP address of the Portal authentication server:8080/portal in the address box of
a web browser to visit the self-service page and check whether the GUI elements are
displayed in the language configured in the language template.

----End

1.12.5 Configuring MAC Address Authentication


This section describes operations and precautions for configuring MAC address
authentication.

Scenario Description
MAC address authentication controls terminal network access permission based on the device
interface and terminal MAC address. When a terminal connects to the network, the access
control device automatically detects the terminal MAC address and sends the MAC address as
the account and password to the RADIUS server for identity authentication. The RADIUS
server instructs the access control device to grant network access permission to the end user
only after the user identity is verified on the RADIUS server. MAC address authentication
applies to scenarios where dumb terminals such as printers and IP phones cannot be
authenticated using user names and passwords or scenarios where only terminal MAC
addresses but not user names and passwords need to be verified due to special requirements.
These terminals cannot trigger identity authentication and need to wait until the access control
device sends authentication requests to the RADIUS server to connect to the network.

Task Overview

Procedure
Step 1 Configure the access control device.
• Function
In MAC address authentication, the access control device sends authentication requests
to the RADIUS server. Therefore, configurations related to RADIUS authentication must
be performed on the access control device.
• Entrance
Log in to the CLI of the access control device through the console port or using SSH.

• Key configuration description
See configuration examples for MAC address authentication.
Step 2 Add the access control device on the AC-Campus.
• Function
The AC-Campus can work with the access control device only after the device is added
to the AC-Campus and the interconnection parameters on the AC-Campus and device are
the same.
• Entrance
Choose Resource > Device > Device Management.
• Key configuration description
– Authentication/Accounting key: The value is the same as the value configured using
the radius-server shared-key command in the RADIUS template.
– Authorization key: The value is the same as the value configured using the
radius-server authorization 172.18.1.1 shared-key cipher Admin@123 command in the
system view.
– Real-time accounting interval: The value is the same as the value configured using
the accounting realtime command in the accounting template.
Step 3 Add terminals to be authenticated using MAC address authentication.
• Function
In MAC address authentication, the identity of a terminal is verified using the terminal
MAC address. The terminal can be authenticated only after it is manually added to the
terminal list.
• Entrance
a. Choose Resource > Terminal > Terminal List.
b. In the Device Group list, choose the first node and click Add on the right to add a
device group to be authenticated using MAC address authentication.
c. In the Device Group list, click the created device group and add terminals to be
authenticated using MAC address authentication on the right.
◦ Add terminals one by one: click the Device List tab to add the terminals one by one.
◦ Add terminals in a batch: click the Device Group List tab and click Import to add the
terminals in a batch.
• Key configuration description

Terminal Type:
– Unknown type: the default value, indicating devices that are temporarily unidentified.
The AC-Campus needs to continue to identify such devices.
– Fixed terminal: wired access devices, such as desktop computers.
– Mobile terminal: wireless access devices, such as tablets.
– Dumb terminal: devices that provide fewer functions than PCs, do not have processors
or disks, and need to connect to hosts to process services, such as printers and VoIP
phones.

Statically Assigned Policy:
– Enable: The AC-Campus identifies devices using only the policies set in Matched
Policy. If you know the device types, you can statically assign policies to enhance the
device identification ratio and accuracy.
– Disable: The AC-Campus automatically selects policies to identify devices. Disable is
the default value and applies when you do not know the device types. The AC-Campus
matches the collected device information with the rules in the rule database. If the
device matches a rule, the AC-Campus queries all identification policies that contain this
rule and evaluates a score for each policy based on the device information. The highest
score is the identification result.

Matched Policy: You need to set a name for the policy when Statically Assigned Policy is
enabled. Resource > Terminal > Identification Policy displays all policy names.

User-Defined Device Group:
– Enable: The AC-Campus adds devices to device groups. If you know the device types,
you can set the User-Defined Device Group parameter to accurately add devices to groups.
– Disable: The AC-Campus automatically identifies device types and adds the devices to
groups. Disable is the default value and applies when you do not know the device types.

Device Group: You need to set a name for the group when User-Defined Device Group is
enabled. Resource > Terminal > Terminal List displays all group names.

Step 4 Configure an authentication rule.
• Function
In MAC address authentication, users do not need to enter their user names and
passwords for authentication. The service type used in MAC address authentication
differs from that used in common authentication modes. Therefore, the default
authentication rule cannot be used and an authentication rule needs to be configured
separately.
• Entrance
Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule.
• Key configuration description
Choose MAC Bypass Authentication Service for Service Type.

Step 5 Configure an authorization rule.
• Function
The AC-Campus grants network access permission to terminals using an authorization
rule. The default authorization rule does not apply to MAC address authentication, so an
authorization rule needs to be configured separately.
• Entrance
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule.
• Key configuration description
– When adding an authorization rule, choose MAC Bypass Authentication Service
for Service Type.
– According to the rule priority, the AC-Campus matches terminal access information
with the authorization conditions of the authorization rule. When the access information
about a terminal matches all authorization conditions of an authorization rule, the
AC-Campus grants the permission defined by the authorization result of that rule to
the terminal.

Step 6 A terminal accesses the network.


After a terminal connects to the network, authentication is performed automatically. After
passing the authentication, the terminal can access resources in the post-authentication
domain.

After the terminal is authenticated successfully:
• Run the display access-user command on the device. Online information about the
terminal MAC address is displayed.
• On the Service Manager, choose Resource > User > Online User Management. Online
information about the terminal is displayed.
• On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the terminal are displayed.

If the terminal fails to be authenticated, create a common account on the AC-Campus, log in
to the device, and run the test-aaa user-name user-password radius-template template-name
pap command to test whether the account can pass RADIUS authentication.
• If the system displays the message "Info: Account test succeed", the account can pass
RADIUS authentication, so the fault occurs in the access authentication phase. Check the
network connection between the terminal and the access control device.
• If the system displays the message "Error: Account test time out", the account cannot
pass RADIUS authentication, so the fault occurs in the RADIUS authentication phase.
Check whether the interconnection parameters of the RADIUS server on the AC-Campus
are consistent with those on the access control device.

The test-aaa command tests only whether users can pass RADIUS authentication; the RADIUS
accounting exchange is not involved. Therefore, after running the test-aaa command, you can
view RADIUS logs but not user online information on the AC-Campus.

----End
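As an added example (not from this guide or from the Huawei products it describes), the Python below builds and decodes the RADIUS Access-Request that MAC address authentication relies on: the terminal MAC address is sent as the account name and, hidden with the shared key as RFC 2865 prescribes for PAP, as the password. The MAC format in the account name (12 lowercase hex digits), the NAS IP address and the packet identifier are assumptions; the shared key Admin@123 is the sample value from Step 2.

```python
"""RADIUS Access-Request for MAC address authentication (added example, RFC 2865 framing).

The "password" is the terminal's publicly visible MAC address, so the shared-key
hiding protects it on the wire but does not turn it into a secret: MAC
authentication identifies a dumb terminal rather than proving who it is, which
is why such terminals belong in a post-authentication domain sized to their needs.
"""
import hashlib
import secrets
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1              # RFC 2865 section 5 attribute types
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits, the account-name form assumed
    here (the real format used by the access control device is configurable)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_auth_request(mac: str, secret: bytes, nas_ip: str,
                           identifier: int, authenticator: bytes = None) -> bytes:
    """Access-Request the access control device sends for a dumb terminal:
    the MAC address is both the account name and the password."""
    account = normalize_mac(mac).encode()
    octets = [int(o) for o in nas_ip.split(".")]
    if len(octets) != 4:
        raise ValueError("NAS IP address must be dotted quad")
    authenticator = authenticator or secrets.token_bytes(16)   # 16 random bytes
    attrs = (_attr(ATTR_USER_NAME, account)
             + _attr(ATTR_USER_PASSWORD, hide_password(account, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(octets))
             + _attr(ATTR_CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet: bytes) -> dict:
    """Decode the header and attribute list of a RADIUS packet (last value
    wins for repeated attribute types)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier,
            "authenticator": packet[4:20], "attrs": attrs}


if __name__ == "__main__":
    # Constructed sample: printer 00-E0-FC-12-34-56 behind access device 172.18.1.1
    pkt = build_mac_auth_request("00-E0-FC-12-34-56", b"Admin@123", "172.18.1.1", 7)
    req = parse_request(pkt)
    print(req["attrs"][ATTR_USER_NAME],
          reveal_password(req["attrs"][ATTR_USER_PASSWORD], b"Admin@123",
                          req["authenticator"]))
```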

Example
The following example describes how to import MAC address authentication terminals in a
batch.
• How to Fill in the Excel File When You Do Not Know Device Details
When you do not know the device details, fill in only the MAC address and device group,
and enter Device Group List in Unknown Device List.

• How to Fill in the Excel File When You Know Device Details
When you know the device details, you can manually configure an identification policy
to enhance the identification ratio and accuracy. The AC-Campus identifies the device
based on the configured identification policy.
In this case, specify Endpoint MAC, set Statically Assigned Policy to Enable, enter
the name of the identification policy in Matched Policy, and enter Device Group List in
Unknown Device List. The AC-Campus automatically adds the device to a device
group.

• How to Fill in the Excel File When You Manually Add the Device to a Specified Device
Group
By default, the AC-Campus classifies devices into groups based on the device types. You
can also manually add a device to a specified device group.
In this case, specify Endpoint MAC, set User-Defined Device Group to Enable, and
enter the name of a specific device group in Device Group List.

• How to Fill in the Excel File When You Need to Mark the Device Access Location
You can use the IP address and connected interface of a device to rapidly locate the
device when a fault occurs.
In this case, specify Endpoint MAC, Access Device IP Address, and Access Device
Port, and enter Device Group List in Unknown Device List.

1.12.6 Deploying a CA Certificate Server


To use 802.1X certificate authentication, a CA certificate server must be deployed in advance.

A Windows CA certificate server supports only Windows Server 2008 Enterprise or Windows
Server 2008 R2 Enterprise.

You are advised to check the CA certificate server deployment according to the following
flowchart.

Flowchart (checks in order): check the working status of the CA component; check the
extended fields CDP and AIA; check the network registration service and HTTPS mode; check
the client authentication field in the SCEP template; check the registry settings; check the
permission on the SCEP and OCSP templates; check the issue of the SCEP and OCSP
templates; check the ocsp_test status.

1. Open a browser and enter http://Server-IP/certsrv, where Server-IP indicates the IP
address of the CA certificate server.

If the following page is displayed after login using the AD domain account
administrator and its password, the CA server functions properly. Otherwise, delete and
then add the CA component again.

2. On Server Manager, right-click the root certificate. In the displayed dialog box, click
the Extensions tab and check the extended fields CDP and AIA.
– CDP: Include in the CDP extension of issued certificates must be selected for
LDAP and HTTP.
– AIA: The two options in the red box must be selected for the OCSP URL.

3. Open a browser and enter https://Server-IP/certsrv/mscep_admin, where Server-IP
indicates the IP address of the CA certificate server.
If the following page is displayed after login using the AD domain account
administrator and its password, the SCEP and HTTPS settings are correct.

If the page is displayed in HTTP mode but cannot be displayed in HTTPS mode, check
whether HTTPS is bound to the certificate and whether the correct root certificate is
selected. For the SSL certificate, select the certificate whose name is the same as the full
computer name.

If the page cannot be displayed in HTTP mode, check whether Network Device
Enrollment Service is installed.

4. The SCEP template must contain the Client Authentication field. Otherwise, end users
may fail the authentication. If the SCEP template does not contain the Client
Authentication field, correct the settings based on the video instruction.

5. In the registry, set the SCEP template name and disable EnforcePassword.
Find the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
\MSCEP and set their values to the SCEP template name.
Registry modifications take effect only after the operating system is restarted.

Set EnforcePassword to 0.

6. Check the permission settings in the SCEP and OCSP templates. If the settings are
incorrect, correct them based on the video instruction.

7. Check whether the SCEP and OCSP templates are issued. If SCEP and OCSP templates
are not in the list, issue the templates based on the video instruction.

8. Choose Start > Administrative Tools > Online Responder Management to check
whether OCSP is in working state. If not, delete ocsp_test and create it again based on
the video instruction.

1.12.7 Server Certificate Importing Tool


The server certificate importing tool is used to replace the default authentication certificate of
the Tomcat server and Portal server. The Tomcat server or Portal server certificate is used for
establishing a reliable communication channel between the Tomcat server and the web browser.
So that the server supports Internet Explorer 6 as used on the Windows XP operating system,
certificates are signed with SHA1 by default. If only browser versions later than Internet
Explorer 6 are used, SHA256 signatures are recommended because they are more secure.

Prerequisites
The Service Manager and Service Controller have been installed.

Context
• If the Service Manager and Service Controller are installed on the same hardware server,
both the Tomcat server certificate and the Portal server certificate are replaced after you
run the server certificate importing tool.
• If the Service Manager and Service Controller are installed on different hardware
servers, run the server certificate importing tool on the server where the Service Manager
is installed to replace the Tomcat server certificate, and run the tool on the server where
the Service Controller is installed to replace the Portal server certificate.

Procedure
Step 1 Log in to the server where the Service Manager or Service Controller is installed.
• Windows
Log in to the server using an administrator account.
• Linux
Log in to the server using the root account.

Step 2 Start the server certificate importing tool.

• Windows
Access the installation directory of the AC-Campus, which is D:\Agile Controller by
default. Change the installation directory according to the actual situation. Double-click
Upload Certificate.bat to start the certificate importing tool.
• Linux
a. Run the chmod 755 /opt/**.jks command to add read and write permissions to the
certificate files so that the certificate importing tool can obtain them. In this command,
/opt is the directory in which the certificate file is saved and **.jks is the certificate
file name. Replace them with the actual directory and file name.
b. Run the su - controller command to switch to the controller user.
c. Run the cd /opt/AgileController command to access the installation directory of the
AC-Campus. /opt/AgileController is the default installation directory of the
AC-Campus. Change the installation directory according to the actual situation.
d. Run the ll command to check whether the Upload Certificate.sh file exists in the
installation directory of the AC-Campus.
If so, continue with the following steps. If not, check whether the installation
directory of the AC-Campus is correct.
e. Run the sh Upload Certificate.sh command to start the certificate importing tool.

Step 3 Click Browse. Select the path for storing the certificate and enter the Certificate Password.

Step 4 Click Upload to replace the default server certificate.

Step 5 Restart the Service Manager and Service Controller services after successful upload to make
new certificates take effect.

NOTE

After a Portal server certificate is uploaded, you can only access the Portal server by the domain name
using the HTTPS protocol, and the domain name must be the same as that used during server certificate
application.

----End

1.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?

Question
How do I continue to access the original page after successful Portal authentication?

Answer
When forcible switching is disabled, the web browser switches an authenticated end user to
the URL requested before the authentication. The AC sends the URL to the Portal server,
which parses the URL to obtain the specific URL. For example, an end user wants to access
http://bbs.example.com. After you specify the URL address parameter (url) on the AC, the
Portal server receives http://Portal server IP address:8080/portal?url=http://bbs.example.com,
and the web browser pushes http://bbs.example.com to the authenticated end user.
To access the original page after successful Portal authentication, you need to perform the
following configurations on both the AC and AC-Campus.
• Configuration on the AC
When configuring the Portal server on the AC, configure the AC to send the URL that
the user accesses as a parameter to the Portal server.
    <AC> system-view
    [AC] url-template name myurl
    [AC-url-template-myurl] url http://192.168.1.203:8080/portal
    [AC-url-template-myurl] url-parameter redirect-url url
    # The Portal server obtains the URL to be switched to from the url parameter.
    # The AC must send the URL that the user accesses as this parameter to the
    # Portal server. Do not change the parameter name url.
    [AC-url-template-myurl] quit
    [AC] web-auth-server portal
    [AC-web-auth-server-portal] server-ip 10.1.1.1
    [AC-web-auth-server-portal] port 50200
    [AC-web-auth-server-portal] shared-key simple Admin@123
    [AC-web-auth-server-portal] url-template myurl
    [AC-web-auth-server-portal] quit
    [AC] interface vlanif 30
    [AC-Vlanif30] web-auth-server portal direct

• Configuration on the AC-Campus V100R002C00
When configuring the Portal page push rule on the AC-Campus, set Page displayed
after successful authentication to Continue to visit the original page.

• Configuration on the AC-Campus V100R001C00
When configuring the Portal page push rule on the AC-Campus, choose Policy >
Permission Control > Page Customization > Page Customization, and set URL Field
Name to url.

----End

1.12.9 What Should I Do Before Connecting a GPRS Modem to the AC-Campus?

Question
What Should I Do Before Connecting a GPRS Modem to the AC-Campus?

Answer
1. Ensure that the GPRS modem driver is compatible with the operating system (Microsoft
Windows Server 2008, SUSE Linux 11 SP3) of the server to be connected.
2. Obtain the baud rate (data transmission rate) of the GPRS modem.
NOTE

Refer to the Product Documentation of the GPRS modem or consult the GPRS modem's technical
support engineer.

3. Use the serial cable or USB cable to connect the GPRS modem to the server.
NOTE

• If the GPRS modem provides a console port, use the serial cable to connect the GPRS
modem to the server on which the Service Manager is installed.
• If the GPRS modem provides a USB-to-serial converter, use the USB cable to connect the
GPRS modem to the server on which the Service Manager is installed, and install the USB
driver for the GPRS modem on the server.
4. Configure the baud rate (data transmission rate) of the server to be connected to ensure
that the rate is the same as that of the SMS modem.
– Windows
i. Choose Start > Administrative Tools > Computer Management.
ii. On the Computer Management page, choose System Tools > Device
Manager.
iii. In Ports (COM&LPT), right-click Communications Port (COM1) or
Communications Port (COM2) according to the console port of the SMS
modem and choose Properties.

iv. Click the Port Settings tab and check the baud rate. If the default baud rate
differs from that of the GPRS modem, change the baud rate based on the
GPRS modem's baud rate.

– Linux
In the Linux operating system, the console port identifier is ttyS*. Generally, ttyS0
matches the console port COM1 and ttyS1 matches the console port COM2 in the
Windows operating system. Perform the operation based on the console port to
which the GPRS modem connects.
When configuring a communication port on the AC-Campus, ensure that the port is
in the /dev/ttyS0 format.
i. Log in to the Linux operating system using the root account.
ii. Run the ls -lrt /dev/ttyS* command and view the console port to which the
GPRS modem connects.
Determine the console port to which the GPRS modem connects based on the
time when the GPRS modem is connected to the server port.

iii. Run the stty -a -F /dev/ttyS0 command and view the baud rate of the console
port.


The port ttyS0 is used as an example. You need to replace it with the actual
port connected to the GPRS modem.

If the baud rate is different from that of the GPRS modem, change the baud rate
based on that of the GPRS modem.
i. Run the stty -F console port speed baud rate command to change the baud
rate of the console port.
For example, you can run the stty -F /dev/ttyS0 speed 115200 command to
change the baud rate of the console port ttyS0 to 115200.
stty -F /dev/ttyS0 speed 115200 //Change the baud rate of the
console port ttyS0 to 115200.
9600 //Display the baud rate before the change.

ii. Run the stty -F /dev/ttyS0 command to check whether the baud rate has been
changed.


2 Typical Configuration for Interconnection Between AC and Cisco ISE Server

About This Chapter

2.1 Example for Configuring 802.1x Authentication (CLI)
2.2 Example for Configuring 802.1x Authentication (Web)
2.3 Example for Configuring MAC Address Authentication (CLI)
2.4 Example for Configuring MAC Address Authentication (Web)
2.5 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
2.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)
2.7 Example for Configuring User Authorization Based on User Groups (CLI)
2.8 Example for Configuring User Authorization Based on User Groups (Web)
2.9 Example for Configuring External Portal Authentication
2.10 Example for Configuring External Portal Authentication (Web)


2.1 Example for Configuring 802.1x Authentication (CLI)


Introduction to 802.1x Authentication
802.1x authentication is a method used for Network Admission Control (NAC). It controls
user access rights based on access ports to protect enterprise intranet security.

802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires that 802.1x client software be installed on all user
terminals, which reduces networking flexibility. In contrast, MAC address authentication does
not need client software, but user terminals' MAC addresses must be registered on the
authentication server, which makes network configuration and management complex. Portal
authentication also does not need client software, allowing flexible deployment, but it
does not provide high security. Therefore, 802.1x authentication is applicable to network
construction scenarios where users are densely distributed and high information security is
required.

When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure 802.1x authentication on the AC, see Configure 802.1x
authentication on the AC.

For details about how to configure the authentication on the Cisco ISE server, see Configure
the Cisco ISE.

Applicable Products and Versions

Table 2-1 Applicable products and versions

Huawei AC: V200R007C10 and later versions
Cisco ISE: 2.0.0.306

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
- WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 2-1 Networking diagram for configuring 802.1x authentication

[Figure: Internet - Router (GE0/0/1) - SwitchB. SwitchB GE0/0/4 connects to Router, GE0/0/3 to the RADIUS Server (10.23.103.1:1812), GE0/0/2 to AC GE0/0/1, and GE0/0/1 to SwitchA GE0/0/2. SwitchA GE0/0/1 connects to the AP, which serves the STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 2-2 Data planning on the AC

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AC's source interface: VLANIF 100: 10.23.100.1/24
DHCP server: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters:
- RADIUS server template name: wlan-net
- IP address: 10.23.103.1
- Authentication port number: 1812
- Shared key: huawei@123
- Authentication scheme: wlan-net
802.1x access profile:
- Name: wlan-net
- Authentication mode: EAP
Authentication profile:
- Name: wlan-net
- Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group:
- Name: ap-group1
- Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
- Name: default
- Country code: China
SSID profile:
- Name: wlan-net
- SSID name: wlan-net
Security profile:
- Name: wlan-net
- Security policy: WPA-WPA2+802.1x+AES
VAP profile:
- Name: wlan-net
- Forwarding mode: direct forwarding
- Service VLAN: VLAN 101
- Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-3 Data planning on the Cisco ISE

Department: R&D
Account: user name huawei, password huawei123
Device profile: Huawei
Device name: AC6605
Device's IP address: 10.23.102.2/32
RADIUS shared key: huawei@123
Authentication protocol:
- MS-CHAPv2
- PEAP
- CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure 802.1x authentication on the AC.
6. Configure the Cisco ISE server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
- The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1


# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360


[AC-wlan-ap-0] ap-name area_1


[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net


[AC-aaa-authen-wlan-net] authentication-mode radius


[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the Cisco ISE.


1. # Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.


2. Create a department and an account.


# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.


# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.


# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 8 Verify the configuration.


- The WLAN with SSID wlan-net is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN.
- Use the 802.1x authentication client on a STA and enter the correct user name and password. The STA is authenticated and can access the WLAN. You must configure the client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and encryption algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.
- After wireless users connect to the network, run the display access-user access-type dot1x command on the AC to view users in 802.1x authentication mode. The user huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
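The Configuration Notes require port isolation on the interface facing the APs and both the management and service VLANs on its trunk; as an added example (not Huawei code), a small Python audit that parses a VRP-style configuration file and reports deviations from that, run here against the SwitchA configuration above, embedded as a constructed string. Function names are hypothetical, and the check assumes, as in this example, that the AP-facing port is a trunk whose PVID is the management VLAN.

```python
import re

# Constructed sample: the SwitchA configuration file from this example in VRP layout.
SWITCHA_CONFIG = """\
#
 sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
"""


def parse_vrp_config(text):
    """Split a VRP-style config into global lines and per-interface line lists."""
    cfg = {"global": [], "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "return":
            break
        if not line:
            continue
        if line == "#":
            current = None  # a '#' line closes the current configuration block
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            cfg["interfaces"].setdefault(current, [])
            continue
        (cfg["interfaces"][current] if current else cfg["global"]).append(line)
    return cfg


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '100 to 101 103' into a set of VLAN IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def check_ap_port(lines, mgmt_vlan, service_vlan):
    """Findings for one AP-facing interface; an empty list means it matches the example."""
    findings = []
    if "port link-type trunk" not in lines:
        findings.append("link type is not trunk")
    pvid = [ln for ln in lines if ln.startswith("port trunk pvid vlan ")]
    if not pvid or int(pvid[-1].split()[-1]) != mgmt_vlan:
        findings.append(f"PVID is not the management VLAN {mgmt_vlan}")
    allowed = set()
    for ln in lines:
        if ln.startswith("port trunk allow-pass vlan "):
            allowed |= expand_vlans(ln[len("port trunk allow-pass vlan "):])
    missing = {mgmt_vlan, service_vlan} - allowed
    if missing:
        findings.append(f"trunk does not allow VLAN(s) {sorted(missing)}")
    if not any(ln.startswith("port-isolate enable") for ln in lines):
        findings.append("port isolation is disabled: direct forwarding will flood broadcasts in the VLAN")
    return findings


def audit(text, ap_ports=("GigabitEthernet0/0/1",), mgmt_vlan=100, service_vlan=101):
    """Audit every AP-facing port; an interface missing from the config is a finding too."""
    cfg = parse_vrp_config(text)
    report = {}
    for port in ap_ports:
        lines = cfg["interfaces"].get(port)
        report[port] = (check_ap_port(lines, mgmt_vlan, service_vlan)
                        if lines is not None else ["interface not configured"])
    return report


if __name__ == "__main__":
    for port, findings in audit(SWITCHA_CONFIG).items():
        print(port, "OK" if not findings else findings)
```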

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104


#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
- Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-net


authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return

2.2 Example for Configuring 802.1x Authentication (Web)


Introduction to 802.1x Authentication
802.1x authentication is a method used for Network Admission Control (NAC). It controls
user access rights based on access ports to protect enterprise intranet security.
802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires that 802.1x client software be installed on all user
terminals, which reduces networking flexibility. In contrast, MAC address authentication does
not need client software, but user terminals' MAC addresses must be registered on the
authentication server, which makes network configuration and management complex. Portal
authentication also does not need client software, allowing flexible deployment, but it
does not provide high security. Therefore, 802.1x authentication is applicable to network
construction scenarios where users are densely distributed and high information security is
required.
When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure 802.1x authentication on the AC, see Configure WLAN
services.
For details about how to configure the authentication on the Cisco ISE server, see Configure
the Cisco ISE.

Applicable Products and Versions

Table 2-4 Applicable products and versions

Huawei AC: V200R007C10 and later versions
Cisco ISE: 2.0.0.306

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
- WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 2-2 Networking diagram for configuring 802.1x authentication

[Figure: Internet - Router (GE0/0/1) - SwitchB. SwitchB GE0/0/4 connects to Router, GE0/0/3 to the RADIUS Server (10.23.103.1:1812), GE0/0/2 to AC GE0/0/1, and GE0/0/1 to SwitchA GE0/0/2. SwitchA GE0/0/1 connects to the AP, which serves the STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 2-5 Data planning on the AC

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AC's source interface: VLANIF 100: 10.23.100.1/24
DHCP server: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters:
- RADIUS server template name: wlan-net
- IP address: 10.23.103.1
- Authentication port number: 1812
- Shared key: huawei@123
- Authentication scheme: wlan-net
802.1x access profile:
- Name: wlan-net
- Authentication mode: EAP
Authentication profile:
- Name: wlan-net
- Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group:
- Name: ap-group1
- Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
- Name: default
- Country code: China
SSID profile:
- Name: wlan-net
- SSID name: wlan-net
Security profile:
- Name: wlan-net
- Security policy: WPA-WPA2+802.1x+AES
VAP profile:
- Name: wlan-net
- Forwarding mode: direct forwarding
- Service VLAN: VLAN 101
- Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-6 Data planning on the Cisco ISE

Configuration Item | Data
Department | R&D
Account | Account: huawei; password: huawei123
Device profile | Huawei
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Authentication protocol | MS-CHAPv2; PEAP; CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure the Cisco ISE server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable


[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.


# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.


# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.


# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.


# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.


# Set Mode to Batch import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click next to Import AP file, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.


# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings(5G) page is similar to the configuration of
Radio0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure the Cisco ISE.
1. # Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.


3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.


4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.


Step 8 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.

Step 9 Verify the configuration.


- The WLAN with SSID wlan-net is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN.
- Use the 802.1x authentication client on a STA and enter the correct user name and password. The STA is authenticated and can access the WLAN. You must configure the client for PEAP authentication.


– Configuration on the Windows XP operating system:


i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
- After the authentication succeeds, choose Monitoring > User on the AC. Information about online employees is displayed.

----End

2.3 Example for Configuring MAC Address Authentication (CLI)
Introduction to MAC Address Authentication
MAC address authentication is a method used for Network Admission Control (NAC). It
controls user access rights based on access ports and user MAC addresses to protect security
for enterprise networks.

MAC address authentication does not need client software, but user terminals' MAC
addresses must be registered on the authentication server, which makes network
configuration and management complex. In contrast, 802.1x authentication needs client
software, so networking flexibility is low; however, 802.1x authentication is more secure.
Portal authentication also does not need client software, allowing flexible deployment, but
it does not provide high security.

MAC address authentication is applicable to dumb terminals such as printers and fax
machines.

For details about how to configure MAC address authentication on the AC, see Configure
MAC address authentication on the AC.

For details about how to configure MAC address authentication on the Cisco ISE server, see
Configure the Cisco ISE.


Applicable Products and Versions

Table 2-7 Applicable products and versions

Product | Version
Huawei AC | V200R007C10 and later versions
Cisco ISE | 2.0.0.306

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
- Authentication mode: open system authentication


Figure 2-3 Networking diagram for configuring MAC address authentication
(Figure not reproduced. Elements shown: Internet; Router (GE0/0/1); SwitchB (GE0/0/1 to GE0/0/4); AC (GE0/0/1); SwitchA (GE0/0/1, GE0/0/2); AP; STAs; RADIUS Server 10.23.103.1:1812. Management VLAN: VLAN 100. Service VLAN: VLAN 101.)


Data Planning

Table 2-8 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; authentication port number: 1812; shared key: huawei@123; authentication scheme: wlan-net
MAC access profile | Name: wlan-net
Authentication profile | Name: wlan-net; bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | Name: ap-group1; bound profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; security policy: open system authentication
VAP profile | Name: wlan-net; forwarding mode: direct forwarding; service VLAN: VLAN 101; bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-9 Data planning on the Cisco ISE

Configuration Item | Data
Terminals | MAC addresses (use the actual MAC addresses of devices)
Account | Account: huawei; password: huawei123
Device profile | Huawei
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Authentication protocol | MS-CHAPv2; PEAP; CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure basic WLAN services.
5. Configure MAC address authentication on the AC.
6. Configure the Cisco ISE server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1


# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360


[AC-wlan-ap-0] ap-name area_1


[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure MAC address authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] radius-attribute set Service-Type 10 auth-type mac
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net


[AC-aaa-authen-wlan-net] authentication-mode radius


[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.

# Create the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the Cisco ISE.


1. # Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, in the format
https://Cisco ISE IP, where Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.

Issue 03 (2017-04-20) Huawei Proprietary and Confidential 313
Copyright © Huawei Technologies Co., Ltd.
WLAN Product Interoperation Configuration Guide
2 Typical Configuration for Interconnection Between AC and Cisco ISE Server

2. Add STAs.
# Choose Administration > Identity Management > Identities > EndPoints. In the
pane on the right side, click Add. On the page that is displayed, set MAC Address and
click Save.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.


4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.


Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
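The MAC access profile note above (the MAC address without hyphens is both user name and password) and the Service-Type 10 line in this section's AC configuration file decide what the AC puts in its RADIUS Access-Request, and the test-aaa check above can only succeed when both sides hold the same shared key. The following Python example is added here and is not from this guide or from Huawei or Cisco: it builds such a request, assumes the PAP password encoding of RFC 2865, and verifies the Response Authenticator so that a key mismatch is caught; the MAC, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed values from this example's data plan (not a packet capture).
SHARED_KEY = b"huawei@123"            # must be identical on the AC and on the Cisco ISE
STA_MAC = "8000-6e74-e78a"            # the dumb terminal shown by display access-user
SERVICE_TYPE_CALL_CHECK = 10          # "radius-attribute set Service-Type 10 auth-type mac"

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6


def mac_auth_identity(mac):
    """MAC authentication uses the MAC without separators as both user name and password."""
    return mac.replace("-", "").replace(":", "").lower()


def avp(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def pap_obfuscate(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator.
    For a password of at most 16 bytes, applying it twice returns the padded plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def build_mac_auth_request(mac, secret, identifier=0, authenticator=None):
    """Access-Request for a MAC-authenticated station: the identity as User-Name and
    User-Password plus Service-Type Call-Check (10), which marks it as MAC authentication."""
    if authenticator is None:
        authenticator = os.urandom(16)        # 16 unpredictable bytes (RFC 2865 section 3)
    identity = mac_auth_identity(mac).encode()
    attrs = (avp(ATTR_USER_NAME, identity)
             + avp(ATTR_USER_PASSWORD, pap_obfuscate(identity, secret, authenticator))
             + avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_is_authentic(request, response, secret):
    """Client side: recompute the Response Authenticator with the local key. A mismatch means
    the shared keys differ or the reply did not come from the server that saw this request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def simulate_test_aaa(secret_on_ac, secret_on_server):
    """Model of the AC's test-aaa check: 'succeed' only when both sides hold the same key."""
    request = build_mac_auth_request(STA_MAC, secret_on_ac, identifier=7)
    reply = build_response(ACCESS_ACCEPT, request, secret_on_server)
    return "succeed" if response_is_authentic(request, reply, secret_on_ac) else "failed"


if __name__ == "__main__":
    req = build_mac_auth_request(STA_MAC, SHARED_KEY)
    print("User-Name on the wire:", req[22:20 + req[21]].decode())   # 80006e74e78a
    print("same key:", simulate_test_aaa(SHARED_KEY, SHARED_KEY))
    print("key mismatch:", simulate_test_aaa(SHARED_KEY, b"huawei123"))
```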

Step 8 Verify the configuration.


• After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
• After dumb terminals associate with the WLAN, run the display access-user access-
type mac-authen command on the AC. The command output shows that user huawei
using the mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID  Username  IP address      MAC             Status
------------------------------------------------------------------------------
460     huawei    10.23.101.254   8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
mac-access-profile name wlan-net
#
return


2.4 Example for Configuring MAC Address Authentication (Web)
Introduction to MAC Address Authentication
MAC address authentication is a method used for Network Admission Control (NAC). It
controls user access rights based on access ports and user MAC addresses to protect security
for enterprise networks.

MAC address authentication does not need client software, but the MAC addresses of user
terminals must be registered on the authentication server, which makes network
configuration and management complex. In contrast, 802.1x authentication needs client
software and so offers less networking flexibility, but it is more secure. Portal
authentication does not need client software either, allowing flexible deployment, but it
does not provide high security.

MAC address authentication is applicable to dumb terminals such as printers and fax
machines.

For details about how to configure MAC address authentication on the AC, see Configure
WLAN services.

For details about how to configure MAC address authentication on the Cisco ISE server, see
Configure the Cisco ISE.

Applicable Products and Versions

Table 2-10 Applicable products and versions

Product   | Version
Huawei AC | V200R007C10 and later versions
Cisco ISE | 2.0.0.306

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication


Figure 2-4 Networking diagram for configuring MAC address authentication

[Figure: Internet - Router GE0/0/1 - SwitchB GE0/0/4; SwitchB GE0/0/3 - RADIUS server
10.23.103.1:1812; SwitchB GE0/0/2 - AC GE0/0/1 (bypass); SwitchB GE0/0/1 - SwitchA GE0/0/2;
SwitchA GE0/0/1 - AP - STAs. Management VLAN: VLAN 100; Service VLAN: VLAN 101]


Data Planning

Table 2-11 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net
MAC access profile | Name: wlan-net
Authentication profile | Name: wlan-net; Bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: open system authentication
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-12 Data planning on the Cisco ISE

Configuration Item | Data
Terminals | MAC addresses (use the actual MAC addresses of devices)
Account | Account: huawei; Password: huawei123
Device profile | Huawei
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Authentication protocol | MS-CHAPv2; PEAP; CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select MAC address and RADIUS authentication, and set the RADIUS
server parameters.
5. Configure the Cisco ISE server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.


# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.


# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.


# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.


# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
MAC authentication profile wlan-net, RADIUS server template wlan-net, and
authentication scheme profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.


# Set Mode to Batch import and click to download the AP template file to your
local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click the button next to Import AP file, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.


# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings(5G) page is similar to that of Radio0 and is
not repeated here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure the Cisco ISE.


1. # Log in to the Cisco ISE server.

# Enter the access address of the Cisco ISE server in the address box, in the format
https://Cisco ISE IP, where Cisco ISE IP is the IP address of the Cisco ISE server.

# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Add STAs.

# Choose Administration > Identity Management > Identities > EndPoints. In the
pane on the right side, click Add. On the page that is displayed, set MAC Address and
click Save.

3. Add the AC so that the Cisco ISE can interwork with the AC.


# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

Step 8 On the AC, check that users can pass RADIUS authentication.
# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.
# Configure the RADIUS server template, authentication mode, user name, and password.


# Click Start.
Step 9 Verify the configuration.
• After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
• After dumb terminals associate with the WLAN, choose Monitoring > User on the AC
to view information about the dumb terminals.
----End

2.5 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
Introduction to User Authorization
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication. After an 802.1x user is successfully authenticated on a
RADIUS server, the server sends authorization information to the access device of the user.
When the Cisco Identity Services Engine (ISE) functions as a RADIUS server, it can deliver
multiple authorization parameters. The following example uses ACL numbers and dynamic
VLANs to control user authorization.
• Authorization based on ACL numbers
If ACL number delivery is configured on the RADIUS server, authorization information
sent to the access device includes the ACL number. The access device matches ACL
rules based on the delivered ACL number to control user rights.
The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
The ACL numbers supported by the AC range from 3000 to 3031.
• Authorization based on dynamic VLANs
If dynamic VLAN delivery is configured on the RADIUS server, authorization
information sent to the access device includes the VLAN attribute. After the access
device receives the authorization information, it changes the VLAN of the user to the
delivered VLAN. The delivered VLAN does not change or affect the interface
configuration. The delivered VLAN, however, takes priority over the user-configured
VLAN: the delivered VLAN takes effect after the authentication succeeds, and the
user-configured VLAN takes effect again after the user goes offline.


The following RADIUS attributes are used for dynamic VLAN delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
To ensure that the RADIUS server delivers VLAN information correctly, all three
RADIUS attributes must be present, and the Tunnel-Type and Tunnel-Medium-Type
attributes must be set to the specified values.
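As an added example (not part of this guide, and not Huawei or Cisco code), the following Python code applies the delivery rules just described to the attribute section of a constructed Access-Accept: Filter-Id must carry an ACL number in 3000 to 3031, and a dynamic VLAN is applied only when all three tunnel attributes are present with Tunnel-Type 13 and Tunnel-Medium-Type 6. The tag-byte handling follows RFC 2868, and the function names and sample attribute bytes are my own.

```python
import struct

# RADIUS attribute types used for authorization (RFC 2865 and RFC 2868)
ATTR_FILTER_ID = 11                  # carries the ACL number
ATTR_TUNNEL_TYPE = 64                # must be VLAN (13)
ATTR_TUNNEL_MEDIUM_TYPE = 65         # must be 802 (6)
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81    # VLAN ID or VLAN name
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
AC_ACL_NUMBERS = range(3000, 3032)   # ACL numbers the AC accepts: 3000 to 3031
REQUIRED_VLAN_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)


def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def build_accept_attributes(acl=None, tunnel_type=None, medium_type=None, vlan=None, tag=1):
    """Constructed attribute section of an Access-Accept; None leaves that attribute out."""
    out = b""
    if acl is not None:
        out += avp(ATTR_FILTER_ID, acl.encode())
    if tunnel_type is not None:
        out += avp(ATTR_TUNNEL_TYPE, tagged_int(tag, tunnel_type))
    if medium_type is not None:
        out += avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, medium_type))
    if vlan is not None:
        out += avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode())
    return out


def parse_attributes(data):
    """Walk a RADIUS attribute section, rejecting malformed lengths instead of reading past them."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def strip_tag(value):
    """RFC 2868: a first byte of 0x00-0x1F is a tag; a larger first byte belongs to the value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def derive_authorization(attrs):
    """Return (acl_number, vlan, problems) for the attributes of one Access-Accept."""
    acl, vlan, problems, tunnel = None, None, [], {}
    for attr_type, value in attrs:
        if attr_type == ATTR_FILTER_ID:
            text = value.decode("ascii", "replace")
            if text.isdigit() and int(text) in AC_ACL_NUMBERS:
                acl = int(text)
            else:
                problems.append(f"Filter-Id {text!r} is not an ACL number in 3000-3031; ignored")
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(strip_tag(value)[1], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tunnel[attr_type] = strip_tag(value)[1].decode("ascii", "replace")
    if tunnel:
        missing = [t for t in REQUIRED_VLAN_ATTRS if t not in tunnel]
        if missing:
            problems.append(f"dynamic VLAN ignored: attributes {missing} missing, all three are required")
        elif (tunnel[ATTR_TUNNEL_TYPE], tunnel[ATTR_TUNNEL_MEDIUM_TYPE]) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
            problems.append("dynamic VLAN ignored: Tunnel-Type must be 13 (VLAN) and Tunnel-Medium-Type 6 (802)")
        else:
            vlan = tunnel[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    return acl, vlan, problems


if __name__ == "__main__":
    # Constructed reply matching this example's data plan: ACL 3002 and VLAN 20
    accept = build_accept_attributes(acl="3002", tunnel_type=13, medium_type=6, vlan="20")
    print(derive_authorization(parse_attributes(accept)))
    # The same reply with Tunnel-Medium-Type left out: the VLAN must not be applied
    print(derive_authorization(parse_attributes(build_accept_attributes("3002", 13, None, "20"))))
```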

When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.

For details about how to configure user authorization based on ACL numbers on the Cisco
ISE server, see Cisco ISE configuration.

Applicable Products and Versions

Table 2-13 Applicable products and versions

Product   | Version
Huawei AC | V200R007C10 and later versions
Cisco ISE | 2.0.0.306

Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.

A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to allocate IP addresses to APs.
– SwitchB functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 2-5 Networking for configuring user authorization based on ACL numbers or dynamic
VLANs

Data Planning

Table 2-14 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as a DHCP server to allocate IP addresses to APs; SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24; 10.23.20.101-10.23.20.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net
Resources accessible to users after authentication | Access rights to the laboratory are granted using a dynamic VLAN (VLAN ID 20); access rights to the service server are granted using an ACL number (ACL 3002).
802.1x access profile | Name: wlan-net; Authentication mode: EAP
Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net
AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1x+AES
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net


Table 2-15 Data planning on the Cisco ISE

Configuration Item | Data
Department | R&D
Account | Account: huawei; Password: huawei123
Device profile | Huawei
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Authentication protocol | MS-CHAPv2; PEAP; CHAP (only for the test-aaa test)
Authorization ACL | 3002
Dynamic VLAN | VLAN20

Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Cisco ISE server.
– Add users.
– Add the AC.
– Configure the password authentication protocol.
– Configure authentication policies.
– Configure authorization policies.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• The AC and server must have the same RADIUS shared key.
• If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
process to request an IP address after VLAN-based authorization is successful or the
authorization VLAN changes.


Procedure
Step 1 Configure network interworking.

# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100, and VLAN
101, and add GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100, and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and
GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit

# Create VLANIF interfaces VLANIF 102, VLANIF 103, VLANIF 104, and VLANIF 105 on
SwitchB and configure a default route with the next hop set to the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24


[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# On the AC, add GE0/0/1 connected to SwitchB to VLAN 100 and VLAN 102, create
VLANIF 102, and configure the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# On SwitchB, configure the VLANIF 20 to assign IP addresses to authorized STAs. The IP
address segment 10.23.20.2-10.23.20.100 cannot be assigned to STAs.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 10.23.20.1 24
[SwitchB-Vlanif20] dhcp select interface
[SwitchB-Vlanif20] dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
[SwitchB-Vlanif20] quit

Step 3 Configure APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default

Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y

[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.
1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.
# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward

[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the authorization parameter ACL 3002 for users who pass authentication.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit

Step 7 Configure the Cisco ISE server.
1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.


3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.


4. Configure the authentication protocol.
# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.


5. Configure the ACL and dynamic VLAN for authorization.

# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Enter the name, set the delivery
attribute to Radius:Filter-ID, and enter the ACL number 3002.

# Click Submit to complete the configuration and return to the Authorization Profiles
page.

# In the pane on the right side, click Add, enter the name, and configure the following
delivery attributes.


– Radius:Tunnel-Type: VLAN
– Radius:Tunnel-Medium-Type: 802
– Radius:Tunnel-Private-Group-ID: 20

# Click Submit to complete the configuration.

6. Add an authorization rule.

# Choose Policy > Authorization. In the pane on the right side, click the triangle next to
Edit. Choose Insert New Rule Above to add a new authorization rule named
ACL_VLAN. Set the authorized user group to R&D and select PermitAccess,
ACL_3002, and VLAN_20 under Permissions.

# Click Done on the right side. Then click Save to complete the authorization rule
configuration.


Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 9 Verify the configuration.
• An employee can access the service server and the laboratory after passing authentication.
• After the authentication succeeds, run the display access-user command on the AC. The
  command output shows online employees.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID  Username  IP address    MAC             Status
------------------------------------------------------------------------------
460     huawei    10.23.20.254  8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
 sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 20 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
return

• SwitchB configuration file
#
 sysname SwitchB
#
vlan batch 20 100 to 105
#
dhcp enable
#
interface Vlanif20
 ip address 10.23.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface Vlanif105
 ip address 10.23.105.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 105
 port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
 sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
 sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3002
 rule 1 permit ip destination 10.23.105.1 0
 rule 2 deny ip
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name wlan-net
#
return

2.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)
Introduction to User Authorization
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication. After an 802.1x user is successfully authenticated on a
RADIUS server, the server sends authorization information to the access device of the user.
When the Cisco Identity Services Engine (ISE) functions as a RADIUS server, it can deliver
multiple authorization parameters. The following example uses ACL numbers and dynamic
VLANs to control user authorization.
• Authorization based on ACL numbers
  If ACL number delivery is configured on the RADIUS server, authorization information
  sent to the access device includes the ACL number. The access device matches ACL
  rules based on the delivered ACL number to control user rights.
  The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
  The ACL numbers supported by the AC range from 3000 to 3031.
• Authorization based on dynamic VLANs
  If dynamic VLAN delivery is configured on the RADIUS server, authorization
  information sent to the access device includes the VLAN attribute. After the access
  device receives the authorization information, it changes the VLAN of the user to the
  delivered VLAN. The delivered VLAN does not change or affect the interface
  configuration. The priority of the delivered VLAN, however, is higher than that of the
  user-configured VLAN. That is, the delivered VLAN takes effect after the authentication
  succeeds and the user-configured VLAN takes effect after the user goes offline.
  The following RADIUS attributes are used for dynamic VLAN delivery:
  – (064) Tunnel-Type (It must be set to VLAN or 13.)
  – (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
  – (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
  To ensure that the RADIUS server delivers VLAN information correctly, all three
  RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-
  Type attributes must be set to the specified values.
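The delivery rules above (Filter-Id carrying the ACL number, and the three tunnel attributes that must all be present with Tunnel-Type 13 and Tunnel-Medium-Type 6), as an added example that is not part of the guide or of the AC's own implementation: a Python encoder/decoder for the RADIUS attribute format (RFC 2865 and RFC 2868) that applies those checks to a constructed Access-Accept attribute list carrying the ACL 3002 and VLAN 20 values used in this example.

```python
"""Encode and decode the RADIUS authorization attributes this example uses.

Added example (not from the guide): the attribute list below is constructed
to carry the same values as the ISE authorization profiles (Filter-Id 3002,
Tunnel-Type VLAN, Tunnel-Medium-Type 802, Tunnel-Private-Group-ID 20), and
authorize() applies the rules stated in the text: all three tunnel attributes
present, Tunnel-Type == 13, Tunnel-Medium-Type == 6, ACL number in 3000-3031.
"""
import struct

FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # RFC 2868 value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6          # RFC 2868 value meaning "IEEE 802"
ACL_RANGE = range(3000, 3032)  # ACL numbers the AC accepts (3000-3031)


def encode_avp(attr_type, value, tag=None):
    """Encode one attribute as Type | Length | [Tag] | Value (RFC 2865/2868)."""
    if isinstance(value, int):
        # Tagged integer attributes carry the tag in the high byte of a 4-byte value.
        body = struct.pack(">I", value)
        if tag is not None:
            body = bytes([tag]) + body[1:]
    else:
        body = value.encode()
        if tag is not None:
            body = bytes([tag]) + body
    return struct.pack(">BB", attr_type, 2 + len(body)) + body


def decode_avps(data):
    """Parse a byte string of attributes into a list of (type, tag, value)."""
    avps = []
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from(">BB", data, offset)
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length")
        body = data[offset + 2:offset + length]
        offset += length
        avps.append((attr_type,) + _split_tag(attr_type, body))
    return avps


def _split_tag(attr_type, body):
    """Separate the RFC 2868 tag byte from the value for the tunnel attributes."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        # 4-byte field: tag in the first byte, 24-bit value in the rest.
        return body[0], int.from_bytes(body[1:], "big")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        # RFC 2868: a first byte above 0x1F is data, not a tag.
        if body and body[0] <= 0x1F:
            return body[0], body[1:].decode()
        return None, body.decode()
    return None, body.decode()


def authorize(data):
    """Return {"acl": int|None, "vlan": str|None} following the guide's rules."""
    result = {"acl": None, "vlan": None}
    tunnel = {}  # tag -> {attribute type: value}, so tagged groups stay together
    for attr_type, tag, value in decode_avps(data):
        if attr_type == FILTER_ID:
            if value.isdigit() and int(value) in ACL_RANGE:
                result["acl"] = int(value)
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tunnel.setdefault(tag, {})[attr_type] = value
    for attrs in tunnel.values():
        # The VLAN is applied only when all three attributes are present
        # and the two type attributes carry the required values.
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            result["vlan"] = attrs[TUNNEL_PRIVATE_GROUP_ID]
            break
    return result


# Constructed sample: the attributes ISE sends for the ACL_3002 and VLAN_20 profiles.
ISE_ACCEPT = (
    encode_avp(FILTER_ID, "3002")
    + encode_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
    + encode_avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag=1)
    + encode_avp(TUNNEL_PRIVATE_GROUP_ID, "20", tag=1)
)

# Constructed negative sample: Tunnel-Medium-Type is missing, so no VLAN is applied.
INCOMPLETE_ACCEPT = (
    encode_avp(FILTER_ID, "3002")
    + encode_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
    + encode_avp(TUNNEL_PRIVATE_GROUP_ID, "20", tag=1)
)

if __name__ == "__main__":
    print(authorize(ISE_ACCEPT))         # {'acl': 3002, 'vlan': '20'}
    print(authorize(INCOMPLETE_ACCEPT))  # {'acl': 3002, 'vlan': None}
```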

When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.

For details about how to configure user authorization based on ACL numbers on the Cisco
ISE server, see Cisco ISE configuration.

Applicable Products and Versions

Table 2-16 Applicable products and versions

Product      Version
Huawei AC    V200R007C10 and later versions
Cisco ISE    2.0.0.306

Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.

A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to allocate IP addresses to APs.
  – SwitchB functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES

Figure 2-6 Networking for configuring user authorization based on ACL numbers or dynamic
VLANs


Data Planning

Table 2-17 Data planning on the AC

Configuration Item                                Data
Management VLAN                                   VLAN 100
Service VLAN                                      VLAN 101
AC's source interface                             VLANIF 100: 10.23.100.1/24
DHCP server                                       • The AC functions as a DHCP server to allocate IP addresses to APs.
                                                  • SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs                           10.23.100.2-10.23.100.254/24
IP address pool for the STAs                      10.23.101.2-10.23.101.254/24
                                                  10.23.20.101-10.23.20.254/24
RADIUS authentication parameters                  • RADIUS server template name: wlan-net
                                                  • IP address: 10.23.103.1
                                                  • Authentication port number: 1812
                                                  • Shared key: huawei@123
                                                  • Authentication scheme: wlan-net
Resources accessible to users after authentication • Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20.
                                                  • Access rights to the service server are granted using an ACL number. The ACL number is 3002.
802.1x access profile                             • Name: wlan-net
                                                  • Authentication mode: EAP
Authentication profile                            • Name: wlan-net
                                                  • Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net
AP group                                          • Name: ap-group1
                                                  • Bound profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile                         • Name: default
                                                  • Country code: CN
SSID profile                                      • Name: wlan-net
                                                  • SSID name: wlan-net
Security profile                                  • Name: wlan-net
                                                  • Security policy: WPA-WPA2+802.1x+AES
VAP profile                                       • Name: wlan-net
                                                  • Forwarding mode: direct forwarding
                                                  • Service VLAN: VLAN 101
                                                  • Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-18 Data planning on the Cisco ISE

Configuration Item        Data
Department                R&D
Account                   • Account: huawei
                          • Password: huawei123
Device profile            Huawei
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   • MS-CHAPv2
                          • PEAP
                          • CHAP (only for the test-aaa test)
Authorization ACL         3002
Dynamic VLAN              VLAN 20

Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Cisco ISE server.
– Add users.
– Add the AC.
– Configure the password authentication protocol.
– Configure authentication policies.
– Configure authorization policies.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• The AC and server must have the same RADIUS shared key.
• If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
  process to request an IP address after VLAN-based authorization is successful or the
  authorization VLAN changes.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100, and VLAN
101, and add GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100, and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and
GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit

[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit

# Create VLANIF interfaces VLANIF 102, VLANIF 103, VLANIF 104, and VLANIF 105 on
SwitchB and configure a default route with the next hop set to the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure SwitchB to function as a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# On SwitchB, configure the VLANIF 20 to assign IP addresses to authorized STAs. The IP
address segment 10.23.20.2-10.23.20.100 cannot be assigned to STAs.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 10.23.20.1 24
[SwitchB-Vlanif20] dhcp select interface
[SwitchB-Vlanif20] dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
[SwitchB-Vlanif20] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.

# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch import and click to download the AP template file to your
local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click next to Import AP file, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.


# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings(5G) page is similar to the configuration of
Radio0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure the authorization parameter ACL 3002 for users who pass authentication.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The Advanced
ACL Settings page is displayed.
# Click Create. On the Create Advanced ACL page that is displayed, configure an ACL.

# Click OK. The Advanced ACL Settings page is displayed.


# Click Add Rule next to ACL 3002. On the Add Rule page that is displayed, add an ACL
rule.

# Click OK. On the Advanced ACL Settings page that is displayed, add another ACL rule.

# Click OK.
Step 8 Configure the Cisco ISE server.
1. # Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

5. Configure the ACL and dynamic VLAN for authorization.

# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Enter the name, set the delivery
attribute to Radius:Filter-ID, and enter the ACL number 3002.

# Click Submit to complete the configuration and return to the Authorization Profiles
page.

# In the pane on the right side, click Add, enter the name, and configure the following
delivery attributes.

– Radius:Tunnel-Type: VLAN
– Radius:Tunnel-Medium-Type: 802
– Radius:Tunnel-Private-Group-ID: 20

# Click Submit to complete the configuration.


6. Add an authorization rule.

# Choose Policy > Authorization. In the pane on the right side, click the triangle next to
Edit. Choose Insert New Rule Above to add a new authorization rule named
ACL_VLAN. Set the authorized user group to R&D and select PermitAccess,
ACL_3002, and VLAN_20 under Permissions.

# Click Done on the right side. Then click Save to complete the authorization rule
configuration.
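The two ISE authorization profiles above reach the AC as RADIUS attributes in the Access-Accept: Filter-ID carries the ACL number and the three Tunnel attributes together carry the VLAN. The following is an added example, not code from this guide, Huawei or Cisco: it builds such a reply with the shared key huawei@123 from the data plan, verifies the Response Authenticator the way the AC must before trusting the reply, and decodes the attributes, applying the VLAN only when Tunnel-Type is VLAN and Tunnel-Medium-Type is 802. The packet bytes, RADIUS identifier and Request Authenticator are constructed here, and tag value 1 on the tunnel attributes is an assumption.

```python
# Added example (not from the guide): decode and verify the Access-Accept that
# the ISE profiles ACL_3002 and VLAN_20 deliver to the AC (RFC 2865 / RFC 2868).
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                 # RFC 2865, string: the ACL number
TUNNEL_TYPE = 64               # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868, tagged string: the VLAN
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
SHARED_KEY = b"huawei@123"     # RADIUS shared key from the data plan


def tagged_int(tag, value):
    """Encode a tagged integer attribute: 1-byte tag + 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """The authenticator is the only thing binding the reply to the shared
    key; a reply that fails this check must not change the user's rights."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Yield (type, value) pairs; reject malformed lengths instead of guessing."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    pos = 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len


def decode_authorization(packet):
    """Return the ACL and VLAN the AC would apply. The VLAN is None unless the
    three tunnel attributes form a consistent VLAN assignment."""
    acl, vlan, tunnel_type, medium = None, None, None, None
    for a_type, value in parse_attributes(packet):
        if a_type == FILTER_ID:
            acl = value.decode("ascii")
        elif a_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 5.3: a first byte above 0x1F is data, not a tag
            vlan = (value[1:] if value[0] <= 0x1F else value).decode("ascii")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        vlan = None
    return {"acl": acl, "vlan": vlan}


# Constructed sample reply for the profiles configured above. The Request
# Authenticator is a fixed dummy value (a real one is random per request).
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SHARED_KEY, [
    (FILTER_ID, b"3002"),
    (TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
    (TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE_802)),
    (TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"20"),
])


def authorize(packet, request_auth, secret=SHARED_KEY):
    """Verify first, decode second; None means the reply must be discarded."""
    if not verify_response_authenticator(packet, request_auth, secret):
        return None
    return decode_authorization(packet)


if __name__ == "__main__":
    print(authorize(SAMPLE_ACCEPT, REQUEST_AUTH))
    # A mismatched shared key on either side makes every reply unverifiable
    print(authorize(SAMPLE_ACCEPT, REQUEST_AUTH, b"wrong-key"))
```

If the AC and ISE keys differ (the second call), the AC sees authentication failures rather than a wrong VLAN, which is why the configuration notes insist on an identical shared key.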

Step 9 On the AC, check that users can pass RADIUS authentication.
# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.
# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.
Step 10 Verify the configuration.
l An employee can access the service server and the laboratory after passing authentication.
l After the authentication succeeds, choose Monitoring > User on the AC. Information
about online employees is displayed.

----End

2.7 Example for Configuring User Authorization Based on User Groups (CLI)
Introduction to User Authorization Based on User Groups
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication.
A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.
When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Cisco ISE
server, see Configure the Cisco ISE.

Applicable Products and Versions

Table 2-19 Applicable products and versions

Product      Version
Huawei AC    V200R007C10 and later versions
Cisco ISE    2.0.0.306

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1X+AES

Figure 2-7 Networking for configuring user authorization based on user groups
(Figure: the AC connects through its GE0/0/1 to GE0/0/2 on SwitchB; SwitchB connects through
GE0/0/4 to GE0/0/1 on Router toward the Internet, through GE0/0/3 to the RADIUS server
10.23.103.1:1812, and through GE0/0/1 to GE0/0/2 on SwitchA; the AP connects to GE0/0/1 on
SwitchA and serves the STAs. Management VLAN: VLAN 100; service VLAN: VLAN 101.)

Data Plan

Table 2-20 Data planning on the AC

Configuration Item: Data

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AC's source interface: VLANIF 100: 10.23.100.1/24
DHCP server: The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB
functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters:
l RADIUS server template name: wlan-net
l IP address: 10.23.103.1
l Authentication port number: 1812
l Shared key: huawei@123
l Authentication scheme: wlan-net
802.1x access profile:
l Name: wlan-net
l Authentication mode: EAP
Authentication profile:
l Name: wlan-net
l Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server
template wlan-net, and RADIUS authentication scheme wlan-net
AP group:
l Name: ap-group1
l Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
l Name: default
l Country code: China
SSID profile:
l Name: wlan-net
l SSID name: wlan-net
Security profile:
l Name: wlan-net
l Security policy: WPA-WPA2+802.1X+AES
VAP profile:
l Name: wlan-net
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile
wlan-net
User group:
l Name: group1
l Bound ACL number: 3001
l User group right: Only members in the user group can access network resources on
10.23.200.0/24.

Table 2-21 Data planning on the Cisco ISE

Configuration Item: Data

Department: R&D
Account:
l Account: huawei
l Password: huawei123
Device profile: Huawei
Device name: AC6605
Device's IP address: 10.23.102.2/32
RADIUS shared key: huawei@123
Authentication protocol:
l MS-CHAPv2
l PEAP
l CHAP (only for the test-aaa test)
User group: User-group

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure the Cisco ISE server.

Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1

[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.

[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure a user group.


# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.

NOTE

Configure the RADIUS server to deliver the user group group1 to authenticated employees as their authorization result.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
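ACL 3001 is what actually limits group1 users, so it is worth checking how the AC evaluates it: rules are matched in rule-number order and the first match decides, and the wildcard mask 0.0.0.255 means "the first three octets must match". The following added example (not from the guide or from Huawei) evaluates the two rules configured above against constructed destination addresses, and also shows the mis-numbered variant where the deny-any rule gets the lower number and silently blocks everything.

```python
# Added example (not from the guide): evaluate ACL 3001 from Step 6 as the AC
# applies it to user group group1. Destination addresses are constructed.
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Huawei ACL wildcard mask: a 0 bit must match, a 1 bit is ignored,
    so 10.23.200.0 0.0.0.255 matches every host in 10.23.200.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# ACL 3001 exactly as configured: (rule id, action, destination);
# destination None stands for "destination any".
ACL_3001 = [
    (1, "permit", ("10.23.200.0", "0.0.0.255")),
    (2, "deny", None),
]

# Constructed counter-example: the same rules with the numbers swapped.
# Evaluation follows rule numbers, so the deny is hit first every time.
ACL_3001_MISORDERED = [
    (2, "permit", ("10.23.200.0", "0.0.0.255")),
    (1, "deny", None),
]


def acl_decision(acl, dst_ip):
    """First matching rule in rule-number order decides; returns (action, rule id)."""
    for rule_id, action, dest in sorted(acl, key=lambda r: r[0]):
        if dest is None or wildcard_match(dst_ip, *dest):
            return action, rule_id
    return "no-match", None


def group1_can_reach(dst_ip, acl=ACL_3001):
    return acl_decision(acl, dst_ip)[0] == "permit"


def check_policy(acl=ACL_3001):
    """Constructed destinations a group1 user might try; only addresses in
    10.23.200.0/24 should come back permitted."""
    probes = ["10.23.200.1", "10.23.200.254", "10.23.201.1",
              "10.23.20.5", "203.0.113.10"]
    return {ip: acl_decision(acl, ip) for ip in probes}


if __name__ == "__main__":
    for ip, (action, rule) in check_policy().items():
        print("%-15s %-6s rule %s" % (ip, action, rule))
    print("misordered:", check_policy(ACL_3001_MISORDERED))
```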

Step 7 Configure the Cisco ISE.


1. # Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

5. Configure an authorized user group.


# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Configure Name, Access Type, and
Advanced Attributes Settings. Then, click Submit.

# Choose Policy > Authorization. Click the icon next to Edit and choose Insert New Rule
Above from the menu to add a new authorization policy.

# In the new authorization policy, configure Rule Name, Conditions, and Permissions.
Click Done and then Save.

Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 9 Verify the configuration.


- The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
- The STAs obtain IP addresses when they successfully associate with the WLAN.
- A user can use the 802.1x authentication client on an STA for authentication. After entering the correct user name and password, the user is successfully authenticated and can access resources on the network segment 10.23.200.0/24. You need to configure the 802.1x authentication client based on the configured authentication mode PEAP.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and the encryption algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise, and the encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
    iii. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103

#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
- Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net

vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return

2.8 Example for Configuring User Authorization Based on User Groups (Web)
Introduction to User Authorization Based on User Groups
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication.
A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.
When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Cisco ISE
server, see Configure the Cisco ISE.

Applicable Products and Versions

Table 2-22 Applicable products and versions

Huawei AC: V200R007C10 and later versions
Cisco ISE: 2.0.0.306

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP addresses to APs and STAs, respectively.
- Service data forwarding mode: direct forwarding
- WLAN authentication mode: WPA-WPA2+802.1X+AES

Figure 2-8 Networking for configuring user authorization based on user groups

[Figure not reproduced. Topology recovered from the figure labels and the configuration files: Internet - Router (GE0/0/1) - SwitchB (GE0/0/4); SwitchB GE0/0/2 - AC GE0/0/1; SwitchB GE0/0/3 - RADIUS server 10.23.103.1:1812; SwitchB GE0/0/1 - SwitchA GE0/0/2; SwitchA GE0/0/1 - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Plan

Table 2-23 Data planning on the AC

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AC's source interface: VLANIF 100: 10.23.100.1/24
DHCP server: The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters:
  - RADIUS server template name: wlan-net
  - IP address: 10.23.103.1
  - Authentication port number: 1812
  - Shared key: huawei@123
  - Authentication scheme: wlan-net
802.1x access profile:
  - Name: wlan-net
  - Authentication mode: EAP
Authentication profile:
  - Name: wlan-net
  - Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group:
  - Name: ap-group1
  - Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
  - Name: default
  - Country code: China
SSID profile:
  - Name: wlan-net
  - SSID name: wlan-net
Security profile:
  - Name: wlan-net
  - Security policy: WPA-WPA2+802.1X+AES
VAP profile:
  - Name: wlan-net
  - Forwarding mode: direct forwarding
  - Service VLAN: VLAN 101
  - Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net
User group:
  - Name: group1
  - Bound ACL number: 3001
  - User group right: Only members in the user group can access network resources on 10.23.200.0/24.

Table 2-24 Data planning on the Cisco ISE

Department: R&D
Account:
  - Account: huawei
  - Password: huawei123
Device profile: Huawei
Device name: AC6605
Device's IP address: 10.23.102.2/32
RADIUS shared key: huawei@123
Authentication protocol:
  - MS-CHAPv2
  - PEAP
  - CHAP (only for the test-aaa test)
User group: User-group

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure a user group.
6. Configure the Cisco ISE server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the address
of Router as the next hop.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.

<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.


# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.

# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch import and click the download icon to download the AP template file
to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with the information of each AP.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click the icon next to Import AP file, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.


# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings(5G) page is similar to the configuration of
Radio0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure a user group.
1. Configure an ACL.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. On the Create Advanced ACL page that is displayed, configure an
ACL.

# Click OK. The Advanced ACL Settings page is displayed.


# Click Add Rule next to ACL 3001. On the Add Rule page that is displayed, add an
ACL rule.

# Click OK. On the Advanced ACL Settings page that is displayed, add another ACL
rule.

# Click OK.
2. Configure a user group.
# Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
# Click Create. On the Create User Group page that is displayed, set User group
name and bind an ACL.

# Click OK.
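The right that Table 2-23 gives group1 comes entirely from the ACL bound to it (acl 3001 in the AC configuration file of the previous example: rule 1 permit ip destination 10.23.200.0 0.0.0.255, rule 2 deny ip). The following Python script is an added example, not Huawei code, that parses rules in that form and evaluates them in ascending rule-ID order with the same wildcard-mask semantics the rules use, so a rule set can be checked against sample addresses before it is bound to a user group. It handles only the source/destination forms of the rule syntax; the source address 10.23.101.10 is a constructed STA address from the STA pool.

```python
import ipaddress
import re

# The user-group ACL from the AC configuration file in this guide.
ACL_3001 = """\
acl number 3001
 rule 1 permit ip destination 10.23.200.0 0.0.0.255
 rule 2 deny ip
"""

RULE_HEAD = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+ip\b(.*)$")


def wildcard_match(addr, ref, wildcard):
    """Wildcard mask semantics: a 0 bit must match the reference, a 1 bit is ignored."""
    care = ~int(wildcard) & 0xFFFFFFFF
    return (int(addr) ^ int(ref)) & care == 0


def parse_acl(text):
    """Parse 'rule <id> permit|deny ip [source A W|any] [destination A W|any]' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_HEAD.match(line)
        if not m:
            continue                      # 'acl number ...' and other lines carry no rule
        rule = {"id": int(m.group(1)), "action": m.group(2), "source": None, "destination": None}
        tokens = m.group(3).split()
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key not in ("source", "destination") or i + 1 >= len(tokens):
                raise ValueError(f"unsupported or incomplete clause in rule {rule['id']}: {line.strip()}")
            if tokens[i + 1] == "any":
                i += 2                    # 'any' leaves the field unconstrained
            else:
                rule[key] = (ipaddress.IPv4Address(tokens[i + 1]), ipaddress.IPv4Address(tokens[i + 2]))
                i += 3
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])   # matched in ascending rule-ID order


def lookup(rules, src, dst):
    """Return (action, rule id) of the first matching rule, or (None, None) if no rule matches."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule["source"] and not wildcard_match(src, *rule["source"]):
            continue
        if rule["destination"] and not wildcard_match(dst, *rule["destination"]):
            continue
        return rule["action"], rule["id"]
    return None, None


def group1_can_reach(dst, src="10.23.101.10"):
    """Decision for a group1 member; the source is a constructed address from the STA pool."""
    action, _ = lookup(parse_acl(ACL_3001), src, dst)
    return action == "permit"


if __name__ == "__main__":
    for dst in ("10.23.200.25", "10.23.201.25", "10.23.103.1"):
        print(dst, "permit" if group1_can_reach(dst) else "deny")
```

Running it prints permit for 10.23.200.25 and deny for every other destination, including the RADIUS server address. The closing deny ip rule is what makes the decision explicit for all traffic; without it, lookup returns (None, None) for an unmatched packet and the outcome falls back to the device's default for the feature the ACL is applied to.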
Step 8 Configure the Cisco ISE.
1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, in the format
https://Cisco ISE IP, where Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

5. Configure an authorized user group.


# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Configure Name, Access Type, and
Advanced Attributes Settings. Then, click Submit.

# Choose Policy > Authorization. Click the icon next to Edit and choose Insert New Rule
Above from the menu to add a new authorization policy.

# In the new authorization policy, configure Rule Name, Conditions, and Permissions.
Click Done and then Save.

Step 9 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.
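The AAA test above, like the test-aaa command in the CLI example earlier, relies on the shared key being identical on the AC and the server (see Configuration Notes). The following Python script is an added example, not code from the guide, from Huawei or from Cisco, that models the exchange behind that test: the AC sends a CHAP Access-Request, the server checks the CHAP response against the stored password and answers with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply header, the Request Authenticator, the reply attributes and the shared key (RFC 2865), and the AC recomputes that hash with its own key before trusting the reply. The account, NAS address and keys are the constructed values from the data plan; the packet layout follows the RFC, not the AC's or the ISE's implementation.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865 (RADIUS) and RFC 1994 (CHAP).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_CHAP_CHALLENGE = 1, 3, 4, 60

# Constructed sample data taken from the guide's data plan; not a real deployment.
USER_DB = {"huawei": "huawei123"}   # the ISE account, stored in a form CHAP can recompute from
NAS_IP = "10.23.102.2"              # the AC address registered on the ISE


def attr(atype, value):
    """Encode one RADIUS Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob):
    """Decode an attribute list into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        atype, alen = struct.unpack_from("!BB", blob, pos)
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def chap_response(chap_id, password, challenge):
    """CHAP response value: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def build_chap_access_request(ident, username, password):
    """What the AC sends for the AAA test when the CHAP mode is selected."""
    request_auth = os.urandom(16)   # random Request Authenticator, echoed into the reply hash
    challenge = os.urandom(16)
    chap_id = 1
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge))
             + attr(ATTR_CHAP_CHALLENGE, challenge)
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(request, shared_key):
    """Server side: verify the CHAP response, then sign the reply with the shared key."""
    _code, ident, length = struct.unpack_from("!BBH", request, 0)
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    username = attrs[ATTR_USER_NAME].decode()
    chap_id, received = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
    stored = USER_DB.get(username)
    expected = chap_response(chap_id, stored, attrs[ATTR_CHAP_CHALLENGE]) if stored else b""
    reply_code = ACCESS_ACCEPT if hmac.compare_digest(received, expected) else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + SharedKey)
    response_auth = hashlib.md5(header + request_auth + shared_key).digest()
    return header + response_auth


def nas_verify_reply(request, reply, shared_key):
    """AC side: trust the reply only if its authenticator checks out under the AC's own key."""
    code, ident, length = struct.unpack_from("!BBH", reply, 0)
    if ident != request[1]:
        return code, False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + shared_key).digest()
    return code, hmac.compare_digest(reply[4:20], expected)


def run_aaa_test(nas_key, server_key, username="huawei", password="huawei123"):
    """Simulate one test-aaa exchange; returns (reply code, authenticator valid?)."""
    request = build_chap_access_request(ident=7, username=username, password=password)
    reply = server_handle(request, server_key)
    return nas_verify_reply(request, reply, nas_key)


if __name__ == "__main__":
    print(run_aaa_test(b"huawei@123", b"huawei@123"))                   # (2, True): Accept, verified
    print(run_aaa_test(b"huawei@123", b"different-key"))                # (2, False): Accept the AC must discard
    print(run_aaa_test(b"huawei@123", b"huawei@123", password="bad"))   # (3, True): Reject, verified
```

The three runs show the outcomes an administrator sees from the test: with matching keys the Accept verifies; with a server key that differs from the AC's, the server still issues an Accept but the AC cannot verify it and the test fails, which is the mismatch the Configuration Notes warn about; with a wrong password the server issues a verifiable Reject. CHAP verification requires the server to hold the user password in a form it can recompute the response from, which is why servers often leave CHAP disabled and why this guide enables it on the ISE only for the test-aaa test.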

Step 10 Verify the configuration.


- The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
- The STAs obtain IP addresses when they successfully associate with the WLAN.
- A user can use the 802.1x authentication client on an STA for authentication. After entering the correct user name and password, the user is successfully authenticated and can access resources on the network segment 10.23.200.0/24. You need to configure the 802.1x authentication client based on the configured authentication mode PEAP.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and the encryption algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise, and the encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK. Deselecting Validate server certificate means the client does not check the identity of the RADIUS server during the PEAP TLS handshake; it simplifies this test, but in production keep the option selected and trust the CA that issued the ISE server certificate.
    iii. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.

----End

2.9 Example for Configuring External Portal Authentication
External Portal Authentication Overview
Portal authentication is a method used for Network Admission Control (NAC) and is also
called web authentication. To access the Internet, the user must pass authentication on the
Portal. Portal authentication supports Portal 2.0, Hypertext Transfer Protocol (HTTP), and
Hypertext Transfer Protocol Secure (HTTPS). When a Huawei AC is interconnected with a
Cisco ISE, Portal authentication is implemented based on HTTP or HTTPS.
When the AC is interconnected with the Cisco ISE, HTTPS and Remote Authentication Dial
In User Service (RADIUS) can be used in Portal authentication. The configurations for the
two authentication methods are similar. The following uses RADIUS as an example.
For the configuration for external Portal authentication on the AC, see Step 4.
For the configuration on the Cisco ISE server, see Step 5.

Applicable Products and Versions

Table 2-25 Applicable products and versions

Huawei AC: V200R007C20
Cisco ISE: 2.0.0.306

Service Requirements
To improve WLAN security, an enterprise performs external Portal authentication using
HTTP or HTTPS to control user access.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
- Authentication mode: external Portal authentication
- Security policy: open system authentication

Figure 2-9 Networking diagram for configuring external Portal authentication

Data Planning

Table 2-26 Data planning on the AC

Management VLAN: VLAN 100
Service VLAN: VLAN 101
DHCP server: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs: 10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs: 10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface: VLANIF 100: 10.23.100.1/24
AP group:
  - Name: ap-group1
  - Bound profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
  - Name: default
  - Country code: China
SSID profile:
  - Name: wlan-net
  - SSID name: wlan-net
Security profile:
  - Name: wlan-net
  - Security policy: open system authentication
Portal authentication parameters:
  Portal authentication scheme name: wlan-net
  Portal server template name: wlan-net
    - IP address: 10.23.103.1
    - Authentication port number: 1812
    - Shared key: huawei@123
Portal access profile:
  - Name: wlan-net
  - Bound profile: Portal server template wlan-net
Authentication profile:
  - Name: wlan-net
  - Bound profiles and authentication scheme: Portal access profile wlan-net, Portal server template wlan-net, and RADIUS authentication scheme wlan-net
VAP profile:
  - Name: wlan-net
  - Forwarding mode: direct forwarding
  - Service VLAN: VLAN 101
  - Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-27 Data planning on the Cisco ISE

Configuration Item        Data
Department                Huawei
Account                   Account: huawei; password: huawei123
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   PAP; CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure Portal authentication on the AC.
6. Configure the Cisco ISE server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- The AC and server must have the same RADIUS shared key. The key is the only secret that protects the PAP password in Access-Request packets and that authenticates the server's replies, so replace the example value huawei@123 with a long random key in production and keep the AC-to-ISE path (VLAN 102 and VLAN 103 in this example) on a protected network segment.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure external Portal authentication on the AC.
1. Configure RADIUS authentication parameters.
# Configure a RADIUS server template that points at the ISE (10.23.103.1, authentication port 1812) and uses the shared key huawei@123.
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create an AAA authentication scheme and set the authentication method to RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a Portal server profile.
NOTE

Ensure that the Portal server IP address, URL, port number, and shared key are configured correctly and are the same as those on the Portal server.
The ISE Portal URL is in the format https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a and can be obtained through Step 5.5.
[AC] http secure-server ssl-policy default_policy
[AC] http server enable
[AC] portal local-server ip 10.23.100.1
[AC] portal web-authen-server https ssl-policy default_policy port 2000 //Enable the AC's HTTPS web authentication server on port 2000. The ISE Portal page submits the user's credentials to this address (the switch_url parameter of the URL template), and the AC then authenticates the user against the RADIUS server.
[AC] url-template name test
[AC-url-template-test] url https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
[AC-url-template-test] parameter start-mark #
[AC-url-template-test] url-parameter login-url switch_url https://10.23.100.1:2000
[AC-url-template-test] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] url-template test
[AC-web-auth-server-wlan-net] source-ip 10.23.100.1
[AC-web-auth-server-wlan-net] http get-method enable //Parse the HTTP authentication request from users and send authentication information to the server.
[AC-web-auth-server-wlan-net] quit

3. Configure the Portal access profile wlan-net and bind the Portal server profile wlan-net to it in direct (Layer 2) mode, because the STAs associate directly with the AP. The mode must match the one in the AC configuration file at the end of this example (web-auth-server wlan-net direct).
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

4. Create the authentication profile wlan-net and bind the Portal access profile, the RADIUS authentication scheme, and the RADIUS server template to it.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

5. Configure WLAN service parameters.
# Create the security profile wlan-net and retain the default security policy (open system authentication).
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 5 Configure the Cisco ISE.
1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE server.
2. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the pane on the right side, click Add and create a device profile named Huawei. Set Supported Protocols to RADIUS. Then, click Submit.
# Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32, and RADIUS shared key to huawei@123. Then, click Submit. The ISE identifies the AC by the source IP address of its RADIUS packets, so the /32 address must be the address the AC actually sends from, which is VLANIF 102 (10.23.102.2) via the static route configured in Step 1.
3. Configure the authentication protocol.
# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols. Select Default Network Access and click Edit.
# Select Allow CHAP. For other parameters, use the default settings. Click Save.
4. Add a user.
# Choose Administration > Identity Management > Identities > Users. In the right pane, click Add, enter the user name and password, and click Submit.
5. Obtain the URL of the ISE Portal.
# Choose Guest Access > Configure > Guest Portals. On the Guest Portals page, select Self-Registered Guest Portal(default) and click Edit.
# On the Portals Settings and Customization page, click Portal test URL and copy the link from the address bar.
Step 6 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
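The test-aaa check above, and the requirement in Configuration Notes (in this example and in the web-based example 2.10 that follows) that the AC and the ISE share the same RADIUS key, both come down to how RFC 2865 ties an Access-Request and its reply to the shared secret. The following Python script is an added example and is not part of this guide or of the AC or ISE software: it builds a minimal RADIUS Access-Request for the account huawei/huawei123 from the data plan, once with a PAP User-Password and once with a CHAP-Password, checks it the way a RADIUS server would, answers with Access-Accept or Access-Reject, and then verifies the Response Authenticator the way the AC would. The in-memory user table, the fixed packet identifier, the NAS-IP-Address value 10.23.102.2 and all function names are assumptions made for the example; ISE's real policy processing is not modelled.

```python
"""Minimal RFC 2865 RADIUS exchange (PAP and CHAP): added example, NOT Huawei AC or
Cisco ISE code. Values come from the example's data plan (key huawei@123, account
huawei/huawei123, NAS address 10.23.102.2); USERS and all names are demo assumptions."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3
ATTR_NAS_IP_ADDRESS, ATTR_CHAP_CHALLENGE = 4, 60
USERS = {b"huawei": b"huawei123"}  # constructed stand-in for the ISE user from Step 5.4

def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), the first
    'previous block' being the Request Authenticator. Keyed obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def pap_decrypt(cipher, secret, request_auth):
    """Server side of pap_encrypt; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """RFC 2865 5.3: ident + MD5(ident + password + challenge). The shared key is not
    used here, so a key mismatch does not invalidate the CHAP response itself."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value  # TLV; Length covers the header

def parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2:  # malformed attribute: stop instead of looping forever
            break
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, request_auth, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def server_check(packet, secret):
    """The server's decision: True means it would answer with Access-Accept."""
    length = struct.unpack("!BBH", packet[:4])[2]
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    stored = USERS.get(attrs.get(ATTR_USER_NAME))
    if stored is None:
        return False
    if ATTR_USER_PASSWORD in attrs:
        return pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, request_auth) == stored
    if ATTR_CHAP_PASSWORD in attrs:
        chap = attrs[ATTR_CHAP_PASSWORD]
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, request_auth)
        return chap == chap_password(chap[0], stored, challenge)
    return False

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def client_verify(response, request_auth, secret):
    """The NAS recomputes the Response Authenticator with its own key and must silently
    discard a reply that does not match (RFC 2865 section 3)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth

def simulate_test_aaa(username, password, nas_secret, server_secret, method="pap"):
    """Model of one test-aaa run: returns (server accepted?, NAS could verify the reply?)."""
    ident, request_auth = 7, os.urandom(16)
    attrs = [attr(ATTR_USER_NAME, username), attr(ATTR_NAS_IP_ADDRESS, bytes([10, 23, 102, 2]))]
    if method == "pap":
        attrs.append(attr(ATTR_USER_PASSWORD, pap_encrypt(password, nas_secret, request_auth)))
    else:
        challenge = os.urandom(16)
        attrs.append(attr(ATTR_CHAP_CHALLENGE, challenge))
        attrs.append(attr(ATTR_CHAP_PASSWORD, chap_password(ident, password, challenge)))
    request = build_access_request(ident, request_auth, attrs)
    accepted = server_check(request, server_secret)
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply = build_response(code, ident, request_auth, server_secret)
    return accepted, client_verify(reply, request_auth, nas_secret)

if __name__ == "__main__":
    key, wrong_key = b"huawei@123", b"Huawei@123"
    for label, args in (("matching keys, PAP ", (key, key)), ("matching keys, CHAP", (key, key, "chap")),
                        ("key mismatch, PAP  ", (key, wrong_key)), ("key mismatch, CHAP ", (key, wrong_key, "chap"))):
        print(label, simulate_test_aaa(b"huawei", b"huawei123", *args))
```

Run the file directly to see the four cases. The two that matter for troubleshooting are the key mismatches: with PAP the server decrypts garbage and rejects the user, while with CHAP the server still accepts the user but its reply fails the Response Authenticator check, and a RADIUS client that follows RFC 2865 discards such a reply, so the AC sees a timeout rather than a success. In both cases the symptom on the AC is a failed test-aaa, which is why the first thing to compare is the shared key on the two sides. The same MD5-keyed construction is the reason the Configuration Notes ask for a strong key and a protected AC-to-ISE path: anyone who can read that traffic and guess the key can recover every PAP password.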

Step 7 Verify the configuration.
- The WLAN with SSID wlan-net is available for STAs connected to the AP.
- The wireless STA obtains an IP address after it associates with the WLAN.
- When a user opens the browser on the STA, the user is redirected to the Portal authentication page. After the user enters the correct user name and password and is successfully authenticated, the user can access the Internet.
- After authentication succeeds, run the display access-user access-type portal command on the AC. The command output shows online users.
[AC] display access-user access-type portal
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

- Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

- AC configuration file
#
sysname AC
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.23.100.1
#
vlan batch 100 102
#
authentication-profile name wlan-net
portal-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
portal web-authen-server https ssl-policy default_policy port 2000
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
url-template name test
url https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
parameter start-mark #
url-parameter login-url switch_url https://10.23.100.1:2000
#
web-auth-server wlan-net
server-ip 10.23.103.1
url-template test
source-ip 10.23.100.1
http get-method enable
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

2.10 Example for Configuring External Portal Authentication (Web)
External Portal Authentication Overview
Portal authentication is a method used for Network Admission Control (NAC) and is also
called web authentication. To access the Internet, the user must pass authentication on the
Portal. Portal authentication supports Portal 2.0, Hypertext Transfer Protocol (HTTP), and
Hypertext Transfer Protocol Secure (HTTPS). When a Huawei AC is interconnected with a
Cisco ISE, Portal authentication is implemented based on HTTP or HTTPS.

When the AC is interconnected with the Cisco ISE, HTTPS and Remote Authentication Dial
In User Service (RADIUS) can be used in Portal authentication. The configurations for the
two authentication methods are similar. The following uses RADIUS as an example.

For the configuration for external Portal authentication on the AC, see Step 5.

For the configuration on the Cisco ISE server, see Step 6.

Applicable Products and Versions

Table 2-28 Applicable products and versions


Product Version

Product V200R007C20

Cisco ISE 2.0.0.306

Service Requirements
To improve WLAN security, an enterprise performs external Portal authentication using HTTP or HTTPS to control user access.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
- Authentication mode: external Portal authentication
- Security policy: open system authentication

Figure 2-10 Networking diagram for configuring external Portal authentication

Data Planning

Table 2-29 Data planning on the AC

Configuration Item                       Data
Management VLAN                          VLAN 100
Service VLAN                             VLAN 101
DHCP server                              The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs                  10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs             10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface  VLANIF 100: 10.23.100.1/24
AP group                                 Name: ap-group1; bound profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile                Name: default; country code: China
SSID profile                             Name: wlan-net; SSID name: wlan-net
Security profile                         Name: wlan-net; security policy: open system authentication
RADIUS authentication parameters         RADIUS authentication scheme name: wlan-net; RADIUS server template name: wlan-net; IP address: 10.23.103.1; authentication port number: 1812; shared key: huawei@123
Portal server profile                    Name: wlan-net; server IP address: 10.23.103.1
Portal access profile                    Name: wlan-net; bound profile: Portal server profile wlan-net
Authentication profile                   Name: wlan-net; bound profiles and authentication scheme: Portal access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
VAP profile                              Name: wlan-net; forwarding mode: direct forwarding; service VLAN: VLAN 101; bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 2-30 Data planning on the Cisco ISE

Configuration Item        Data
Department                Huawei
Account                   Account: huawei; password: huawei123
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   PAP; CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select Portal and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure the Cisco ISE server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- The AC and server must have the same RADIUS shared key. The key is the only secret that protects the PAP password in Access-Request packets and that authenticates the server's replies, so replace the example value huawei@123 with a long random key in production and keep the AC-to-ISE path (VLAN 102 and VLAN 103 in this example) on a protected network segment.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.
# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.
1. Choose Configuration > Fast Config > AC.
2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.
NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.
6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.

# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the Create SSID page.
# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
Portal profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Batch import and click the download icon to download the AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example. To add multiple APs, fill in the file with information of all the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's MAC address is optional.
# Click the button next to Import AP file, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Configure the Cisco ISE.
1. # Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the right side, click Add and create a device profile named Huawei. Set
Supported Protocols to RADIUS. Then, click Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.


3. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP. For other parameters, use the default settings. Click Save.


4. Add a user.
# Choose Administration > Identity Management > Identities > Users. In the right
pane, click Add, enter the user name and password, and click Submit.

5. Obtain the URL of the ISE Portal.


# Choose Guest Access > Configure > Guest Portals. On the Guest Portals page,
select Self-Registered Guest Portal(default) and click Edit.


# On the Portals Settings and Customization page, click Portal test URL and copy the
link from the address bar.

Step 7 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.

Step 8 Verify the configuration.


- The WLAN with SSID wlan-net is available for STAs connected to the AP.
- The wireless STA obtains an IP address after it associates with the WLAN.


- When a user opens the browser on the STA, the user is redirected to the Portal
  authentication page. After the user enters the correct user name and password and is
  successfully authenticated, the user can access the Internet.
- After the authentication succeeds, choose Monitoring > User on the AC. Information
  about online employees is displayed.

----End


3 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server

About This Chapter

3.1 Example for Configuring 802.1x Authentication (CLI)
3.2 Example for Configuring 802.1x Authentication (Web)
3.3 Example for Configuring MAC Address Authentication (CLI)
3.4 Example for Configuring MAC Address Authentication (Web)
3.5 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
3.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)
3.7 Example for Configuring User Authorization Based on User Groups (CLI)
3.8 Example for Configuring User Authorization Based on User Groups (Web)


3.1 Example for Configuring 802.1x Authentication (CLI)


Introduction to 802.1x Authentication
802.1x authentication is a method used for Network Admission Control (NAC). It controls
user access rights based on access ports to protect enterprise intranet security.

802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires 802.1x client software on every user terminal,
which reduces networking flexibility. MAC address authentication needs no client
software, but every terminal's MAC address must be registered on the authentication
server, which makes network configuration and management complex. Portal authentication
also needs no client software and can be deployed flexibly, but it does not provide high
security. 802.1x authentication is therefore suited to network construction scenarios
where users are densely distributed and high information security is required.

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure 802.1x authentication on the AC, see Configure 802.1x
authentication on the AC.

For details about how to configure the authentication on the Aruba ClearPass server, see
Configure the Aruba ClearPass.

Applicable Products and Versions

Table 3-1 Applicable products and versions

Product                         Version
Huawei AC                       V200R007C10 and later versions
Aruba ClearPass Policy Manager  6.5.0.71095

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
- WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 3-1 Networking diagram for configuring 802.1x authentication

[Figure: Internet - Router (GE0/0/1) - SwitchB (GE0/0/4 toward Router, GE0/0/3 toward the
RADIUS Server 10.23.103.1:1812, GE0/0/2 toward the AC's GE0/0/1, GE0/0/1 toward SwitchA's
GE0/0/2) - SwitchA (GE0/0/1 toward the AP) - AP - STAs.
Management VLAN: VLAN 100; Service VLAN: VLAN 101]


Data Planning

Table 3-2 Data planning on the AC

Configuration Item             Data
Management VLAN                VLAN 100
Service VLAN                   VLAN 101
AC's source interface          VLANIF 100: 10.23.100.1/24
DHCP server                    The AC functions as the DHCP server to assign IP
                               addresses to APs, and SwitchB functions as the DHCP
                               server to assign IP addresses to STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
RADIUS authentication          - RADIUS server template name: wlan-net
parameters                     - IP address: 10.23.103.1
                               - Authentication port number: 1812
                               - Shared key: huawei@123
                               - Authentication scheme: wlan-net
802.1x access profile          - Name: wlan-net
                               - Authentication mode: EAP
Authentication profile         - Name: wlan-net
                               - Bound profile and authentication scheme: 802.1x
                                 access profile wlan-net, RADIUS server template
                                 wlan-net, and RADIUS authentication scheme wlan-net
AP group                       - Name: ap-group1
                               - Bound profiles: VAP profile wlan-net and
                                 regulatory domain profile default
Regulatory domain profile      - Name: default
                               - Country code: China
SSID profile                   - Name: wlan-net
                               - SSID name: wlan-net
Security profile               - Name: wlan-net
                               - Security policy: WPA-WPA2+802.1x+AES
VAP profile                    - Name: wlan-net
                               - Forwarding mode: direct forwarding
                               - Service VLAN: VLAN 101
                               - Bound profiles: SSID profile wlan-net, security
                                 profile wlan-net, and authentication profile wlan-net

Table 3-3 Data planning on the Aruba ClearPass

Configuration Item     Data
Account                Account: huawei
                       Password: huawei123
Device name            AC6605
Device's IP address    10.23.102.2/32
RADIUS shared key      huawei@123
Service                - Name: Radius
                       - Type: 802.1X Wireless – Identity Only
                       - Authentication method:
                         – EAP MSCHAPv2
                         – EAP PEAP
                       - Authentication source: [Local User Repository][Local SQL DB]

                       - Name: TEST-AAA
                       - Type: 802.1X Wireless – Identity Only
                       - Authentication method: PAP (only for the test-aaa test)
                       - Authentication source: [Local User Repository][Local SQL DB]

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure 802.1x authentication on the AC.
6. Configure the Aruba ClearPass server.


Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name    Group      IP             Type      State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1  ap-group1  10.23.100.254  AP5030DN  nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


Step 6 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.


# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius.


# On the Authentication tab, add EAP PEAP and EAP MSCHAPv2 to Authentication Methods
and [Local User Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


5. Configure the service TEST-AAA.
NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.


# On other tabs, use default settings.


Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.
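What the test-aaa command above (and the AAA Test tool in the Cisco ISE section) exercises on the wire, as an added example rather than Huawei's or Aruba's code: the RFC 2865 PAP password hiding the AC applies with the shared key, the server-side reversal and comparison against the stored cleartext (the reason ClearPass can test PAP but not CHAP here), and the Response Authenticator check by which the AC rejects a reply from a server holding a different key, which is the failure the Configuration Notes warn about. The account, key and addresses are this page's planned values; the fixed Request Authenticator and the run_test_aaa simulation are assumptions constructed for the example (a real AC draws the authenticator at random).

```python
"""RADIUS PAP exchange behind test-aaa (added example, not Huawei or Aruba code)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous cipher block), seeding with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password. A wrong key yields garbage, not an error,
    so a key mismatch surfaces as an Access-Reject for a correct password."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, req_auth, user, password, secret, nas_ip):
    """What the AC (NAS address 10.23.102.2) sends to 10.23.103.1:1812."""
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(response, req_auth, secret) -> bool:
    """AC side: recompute the Response Authenticator with the AC's own key;
    a reply computed with a different key is discarded."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def run_test_aaa(user, password, ac_key, server_key, stored_password, req_auth):
    """Constructed simulation of test-aaa; returns (server_accepted, ac_verified_reply)."""
    ident = 1
    request = build_access_request(ident, req_auth, user, password, ac_key, "10.23.102.2")
    attrs = parse_attributes(request)
    # The server compares the revealed PAP password with the cleartext it stores.
    accepted = reveal_password(attrs[USER_PASSWORD], server_key, req_auth) == stored_password
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    response = build_response(code, ident, req_auth, server_key)
    return accepted, verify_response(response, req_auth, ac_key)


# Constructed, fixed Request Authenticator so the run is reproducible.
REQ_AUTH = bytes(range(16))

if __name__ == "__main__":
    key = b"huawei@123"
    print("keys match  :", run_test_aaa(b"huawei", b"huawei123", key, key, b"huawei123", REQ_AUTH))
    print("key mismatch:", run_test_aaa(b"huawei", b"huawei123", key, b"other-key", b"huawei123", REQ_AUTH))
    print("bad password:", run_test_aaa(b"huawei", b"wrong", key, key, b"huawei123", REQ_AUTH))
```

With matching keys the run returns (True, True); a key mismatch returns (False, False), since the server cannot recover the password and the AC cannot validate the reply; a wrong password with matching keys returns (False, True).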

Step 8 Verify the configuration.


- The WLAN with SSID wlan-net is available for STAs connected to the AP.
- The wireless PC obtains an IP address after it associates with the WLAN.
- Use the 802.1x authentication client on a STA and enter the correct user name and
  password. The STA is authenticated and can access the WLAN. You must configure the
  client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
- After wireless users connect to the network, run the display access-user access-type
  dot1x command on the AC to view users in 802.1x authentication mode. The user
  huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID  Username  IP address     MAC             Status
------------------------------------------------------------------------------
460     huawei    10.23.101.254  8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
- Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return

3.2 Example for Configuring 802.1x Authentication (Web)


Introduction to 802.1x Authentication
802.1x authentication is a method used for Network Admission Control (NAC). It controls
user access rights based on access ports to protect enterprise intranet security.

802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires 802.1x client software on every user terminal,
which reduces networking flexibility. MAC address authentication needs no client
software, but every terminal's MAC address must be registered on the authentication
server, which makes network configuration and management complex. Portal authentication
also needs no client software and can be deployed flexibly, but it does not provide high
security. 802.1x authentication is therefore suited to network construction scenarios
where users are densely distributed and high information security is required.

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure 802.1x authentication on the AC, see Configure WLAN
services.

For details about how to configure the authentication on the Aruba ClearPass server, see
Configure the Aruba ClearPass.

Applicable Products and Versions

Table 3-4 Applicable products and versions

Product                         Version
Huawei AC                       V200R007C10 and later versions
Aruba ClearPass Policy Manager  6.5.0.71095


Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 3-2 Networking diagram for configuring 802.1x authentication

[Figure: Internet - Router GE0/0/1 - SwitchB GE0/0/4; SwitchB GE0/0/3 - RADIUS server
10.23.103.1:1812; SwitchB GE0/0/2 - AC GE0/0/1; SwitchB GE0/0/1 - SwitchA GE0/0/2;
SwitchA GE0/0/1 - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 3-5 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | l RADIUS server template name: wlan-net
 | l IP address: 10.23.103.1
 | l Authentication port number: 1812
 | l Shared key: huawei@123
 | l Authentication scheme: wlan-net
802.1x access profile | l Name: wlan-net
 | l Authentication mode: EAP
Authentication profile | l Name: wlan-net
 | l Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | l Name: ap-group1
 | l Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | l Name: default
 | l Country code: China
SSID profile | l Name: wlan-net
 | l SSID name: wlan-net
Security profile | l Name: wlan-net
 | l Security policy: WPA-WPA2+802.1x+AES
VAP profile | l Name: wlan-net
 | l Forwarding mode: direct forwarding
 | l Service VLAN: VLAN 101
 | l Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 3-6 Data planning on the Aruba ClearPass

Configuration Item | Data
Account | Account: huawei; Password: huawei123
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Service | l Name: Radius
 | l Type: 802.1X Wireless – Identity Only
 | l Authentication method: EAP MSCHAPv2, EAP PEAP
 | l Authentication source: [Local User Repository][Local SQL DB]
 | l Name: TEST-AAA
 | l Type: 802.1X Wireless – Identity Only
 | l Authentication method: PAP (only for the test-aaa test)
 | l Authentication source: [Local User Repository][Local SQL DB]

Context
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure the Aruba ClearPass server.


Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.


# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.


# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.


# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.


# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.


# Set Mode to Batch import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click next to Import AP file, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.


# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings(5G) page is similar to the configuration of
Radio0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure the Aruba ClearPass.
1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.


3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.


# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius.

# On the Authentication tab, add EAP PEAP and EAP MSCHAPv2 to
Authentication Methods and [Local User Repository][Local SQL DB] to
Authentication Sources. Then, click Save.


# On other tabs, use default settings.


5. Configure the service TEST-AAA.
NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


Step 8 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.

Step 9 Verify the configuration.


l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.


l After the authentication succeeds, choose Monitoring > User on the AC. Information
about online employees is displayed.

----End

3.3 Example for Configuring MAC Address Authentication (CLI)

Introduction to MAC Address Authentication
MAC address authentication is a method used for Network Admission Control (NAC). It
controls user access rights based on access ports and user MAC addresses to protect security
for enterprise networks.

MAC address authentication does not need client software, but user terminals' MAC
addresses must be registered on the authentication server, which makes network
configuration and management complex. In contrast, 802.1x authentication needs client
software, which reduces networking flexibility; however, 802.1x authentication is more
secure. Portal authentication also does not need client software, allowing flexible
deployment, but it does not provide high security.

MAC address authentication is applicable to dumb terminals such as printers and fax
machines.

For details about how to configure MAC address authentication on the AC, see Configure
MAC address authentication on the AC.

For details about how to configure MAC address authentication on the Aruba ClearPass
server, see Configure the Aruba ClearPass.

Applicable Products and Versions

Table 3-7 Applicable products and versions

Product | Version
Huawei AC | V200R007C10 and later versions
Aruba ClearPass Policy Manager | 6.5.0.71095

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: open system authentication


Figure 3-3 Networking diagram for configuring MAC address authentication

[Figure: Internet - Router GE0/0/1 - SwitchB GE0/0/4; SwitchB GE0/0/3 - RADIUS server
10.23.103.1:1812; SwitchB GE0/0/2 - AC GE0/0/1; SwitchB GE0/0/1 - SwitchA GE0/0/2;
SwitchA GE0/0/1 - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 3-8 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | l RADIUS server template name: wlan-net
 | l IP address: 10.23.103.1
 | l Authentication port number: 1812
 | l Shared key: huawei@123
 | l Authentication scheme: wlan-net
MAC access profile | Name: wlan-net
Authentication profile | l Name: wlan-net
 | l Bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | l Name: ap-group1
 | l Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | l Name: default
 | l Country code: CN
SSID profile | l Name: wlan-net
 | l SSID name: wlan-net
Security profile | l Name: wlan-net
 | l Security policy: open system authentication
VAP profile | l Name: wlan-net
 | l Forwarding mode: direct forwarding
 | l Service VLAN: VLAN 101
 | l Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 3-9 Data planning on the Aruba ClearPass

Configuration Item | Data
Terminals | MAC addresses (use the actual MAC addresses of devices)
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Service | l Name: Radius
 | l Type: MAC authentication
 | l Authentication method: MAC AUTH
 | l Authentication source: [Endpoints Repository][Local SQL DB]

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure the Aruba ClearPass server.

Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.


# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure MAC address authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] radius-attribute set Service-Type 10 auth-type mac
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit


2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.

# Create the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
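The following Python, added here as an example and not Huawei or Aruba code, reproduces what the configuration above makes the AC send for a dumb terminal: a RADIUS Access-Request whose User-Name and User-Password are the hyphen-free MAC and whose Service-Type is 10, with the password hidden under the shared key huawei@123, plus the Response Authenticator check the AC must apply to the server's reply. The NAS-IP-Address 10.23.102.2 and the STA MAC 8000-6e74-e78a are this example's values taken from the page; any attribute a real AC sends beyond these is an assumption.

```python
"""Added example (not Huawei or Aruba code): the RADIUS Access-Request an AC
sends for MAC address authentication, and the reply check a NAS must perform.
User-Name and User-Password are the MAC without hyphens (see the MAC access
profile NOTE); Service-Type is 10, Call-Check, as set by the radius-attribute
command. The exact attribute set of a real AC is an assumption."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Attribute type codes from RFC 2865.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 4, 6, 31
SERVICE_TYPE_CALL_CHECK = 10   # "radius-attribute set Service-Type 10 auth-type mac"


def mac_to_username(mac):
    """Normalise 8000-6e74-e78a or 80:00:6e:74:e7:8a to the hyphen-free form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-octet blocks with an MD5 chain keyed by the shared secret."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same algorithm (what ClearPass does before the [MAC AUTH] check)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One Type-Length-Value attribute; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload):
    """Split an attribute region into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i + 1] if i + 1 < len(payload) else 0
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((payload[i], payload[i + 2:i + length]))
        i += length
    return out


def build_mac_auth_request(mac, secret, nas_ip, identifier=0, authenticator=b""):
    """Access-Request for a dumb terminal: Code 1, random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    user = mac_to_username(mac).encode()          # same string is user name and password
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(user, secret.encode(), authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, mac.encode()))   # textual format here is an assumption
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, request, secret, attrs=b""):
    """Mock server reply carrying a valid Response Authenticator (for offline testing)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret.encode()).digest()
    return head + auth + attrs


def reply_is_authentic(reply, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A NAS that skips this check would accept an Access-Accept forged by anyone on the path."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, reply[4:20])
```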

Step 6 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, in the format
https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the Aruba
ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.


2. Add STAs.
# Choose Configuration > Identity > Endpoints. In the pane on the right side, click
Add. In the Add Endpoint dialog box, set MAC Address and click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.


# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to MAC Authentication and Name to Radius.

# On the Authentication tab, add [MAC AUTH] to Authentication Methods and
[Endpoints Repository][Local SQL DB] to Authentication Sources. Then, click Save.


# On other tabs, use default settings.


Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 8 Verify the configuration.


l After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
l After dumb terminals associate with the WLAN, run the display access-user access-type
mac-authen command on the AC. The command output shows that user huawei using the
mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
mac-access-profile name wlan-net
#
return

3.4 Example for Configuring MAC Address Authentication (Web)
Introduction to MAC Address Authentication
MAC address authentication is a method used for Network Admission Control (NAC). It
controls user access rights based on access ports and user MAC addresses to protect security
for enterprise networks.

MAC address authentication does not need client software, but user terminals' MAC
addresses must be registered on the authentication server, so network configuration and
management are complex. In contrast, 802.1x authentication needs client software, which
reduces networking flexibility; however, 802.1x authentication is more secure. Portal
authentication also does not need client software, allowing flexible deployment; however, it
does not provide high security.

MAC address authentication is applicable to dumb terminals such as printers and fax
machines.


For details about how to configure MAC address authentication on the AC, see Configure
WLAN services.
For details about how to configure MAC address authentication on the Aruba ClearPass
server, see Configure the Aruba ClearPass.

Applicable Products and Versions

Table 3-10 Applicable products and versions

Product | Version
Huawei AC | V200R007C10 and later versions
Aruba ClearPass Policy Manager | 6.5.0.71095

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: open system authentication


Figure 3-4 Networking diagram for configuring MAC address authentication (diagram not reproduced; it shows the Internet, Router, SwitchB, SwitchA, the AP and STAs, the AC, and the RADIUS server 10.23.103.1:1812, with management VLAN 100 and service VLAN 101)


Data Planning

Table 3-11 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net
MAC access profile | Name: wlan-net
Authentication profile | Name: wlan-net; Bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: open system authentication
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 3-12 Data planning on the Aruba ClearPass

Configuration Item | Data
Terminals | MAC addresses (use the actual MAC addresses of devices)
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Service | Name: Radius; Type: MAC authentication; Authentication method: MAC AUTH; Authentication source: [Endpoints Repository][Local SQL DB]

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select MAC address and RADIUS authentication, and set the RADIUS
server parameters.
5. Configure the Aruba ClearPass server.

Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.


# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.


# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.


# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.


# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
MAC authentication profile wlan-net, RADIUS server template wlan-net, and
authentication scheme profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.


# Set Mode to Batch import and click to download the AP template file to your
local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click next to Import AP file, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.


# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings(5G) page is similar to the configuration of
Radio0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.

# Enter the access address of the Aruba ClearPass server in the address box, in the format
https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the Aruba
ClearPass server.

# Choose ClearPass Policy Manager.

# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Add STAs.

# Choose Configuration > Identity > Endpoints. In the pane on the right side, click
Add. In the Add Endpoint dialog box, set MAC Address and click Add.


3. Add the AC so that the Aruba ClearPass can interwork with the AC.

# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to MAC Authentication and Name to Radius.

# On the Authentication tab, add [MAC AUTH] to Authentication Methods and
[Endpoints Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.

Step 8 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.


# Click Start.
Step 9 Verify the configuration.
l After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
l After dumb terminals associate with the WLAN, choose Monitoring > User on the AC
to view information about the dumb terminals.
----End

3.5 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
Introduction to User Authorization
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication. After an 802.1x user is successfully authenticated on a
RADIUS server, the server sends authorization information to the access device of the user.
When the Aruba ClearPass functions as a RADIUS server, it can deliver multiple
authorization parameters. The following example uses ACL numbers and dynamic VLANs to
control user authorization.
l Authorization based on ACL numbers
If ACL number delivery is configured on the RADIUS server, authorization information
sent to the access device includes the ACL number. The access device matches ACL
rules based on the delivered ACL number to control user rights.
The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
The ACL numbers supported by the AC range from 3000 to 3031.
l Authorization based on dynamic VLANs
If dynamic VLAN delivery is configured on the RADIUS server, authorization
information sent to the access device includes the VLAN attribute. After the access
device receives the authorization information, it changes the VLAN of the user to the
delivered VLAN. The delivered VLAN does not change or affect the interface
configuration. The priority of the delivered VLAN, however, is higher than that of the
user-configured VLAN. That is, the delivered VLAN takes effect after the authentication
succeeds, and the user-configured VLAN takes effect again after the user goes offline.


The following RADIUS attributes are used for dynamic VLAN delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
To ensure that the RADIUS server delivers VLAN information correctly, all the three
RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-
Type attributes must be set to the specified values.
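As an added example (not Huawei or Aruba code), this Python applies the delivery rules above to the attribute bytes of an Access-Accept: Filter-Id must be an ACL number in 3000-3031, and a VLAN is accepted only when Tunnel-Type 13, Tunnel-Medium-Type 6 and Tunnel-Private-Group-ID are all present. Tag octets are handled per RFC 2868; the helper names are the example's own, and the sample values (ACL 3002, VLAN 20) are those planned later in this section.

```python
"""Added example (not Huawei or Aruba code): validate the authorization
attributes of a RADIUS Access-Accept against the rules of this section.
Filter-Id (11) must carry an ACL number in 3000-3031; dynamic VLAN delivery
needs Tunnel-Type (64) = 13, Tunnel-Medium-Type (65) = 6 and
Tunnel-Private-Group-ID (81) all present. Tag octets follow RFC 2868."""
import struct

FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # "VLAN or 13"
TUNNEL_MEDIUM_802 = 6        # "802 or 6"
ACL_MIN, ACL_MAX = 3000, 3031


def parse_attributes(payload):
    """Split a RADIUS attribute region into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i + 1] if i + 1 < len(payload) else 0
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((payload[i], payload[i + 2:i + length]))
        i += length
    return out


def split_tag(value):
    """RFC 2868: a leading octet in 0x00-0x1F is a tag grouping the tunnel attributes;
    a larger first octet belongs to the value itself. Returns (tag, rest)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def authorization_from_accept(attr_bytes):
    """Return {'acl': int or None, 'vlan': str or None, 'errors': [...]}.
    A VLAN is reported only when a complete, correctly typed tunnel set is present, so an
    incomplete delivery leaves the user in the user-configured VLAN, as the text describes."""
    result = {"acl": None, "vlan": None, "errors": []}
    tunnels = {}                                   # tag -> {"type", "medium", "group"}
    for atype, value in parse_attributes(attr_bytes):
        if atype == FILTER_ID:
            text = value.decode("ascii", "replace")
            if text.isdigit() and ACL_MIN <= int(text) <= ACL_MAX:
                result["acl"] = int(text)
            else:
                result["errors"].append("Filter-Id %r is not an ACL number in %d-%d"
                                        % (text, ACL_MIN, ACL_MAX))
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, rest = split_tag(value)
            if len(rest) != 3:
                result["errors"].append("attribute %d: value must be 3 octets after the tag" % atype)
                continue
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[key] = int.from_bytes(rest, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value)
            tunnels.setdefault(tag, {})["group"] = rest.decode("ascii", "replace")
    for tag in sorted(tunnels):
        parts = tunnels[tag]
        missing = [k for k in ("type", "medium", "group") if k not in parts]
        if missing:
            result["errors"].append("tunnel tag %d: missing %s" % (tag, ", ".join(missing)))
        elif parts["type"] != TUNNEL_TYPE_VLAN:
            result["errors"].append("tunnel tag %d: Tunnel-Type %d is not VLAN (13)"
                                    % (tag, parts["type"]))
        elif parts["medium"] != TUNNEL_MEDIUM_802:
            result["errors"].append("tunnel tag %d: Tunnel-Medium-Type %d is not 802 (6)"
                                    % (tag, parts["medium"]))
        elif result["vlan"] is None:
            result["vlan"] = parts["group"]        # first complete set wins (assumption)
    return result


# Encoders used only to construct sample Access-Accept payloads for testing.
def attr(attr_type, value):
    """One Type-Length-Value attribute; Length counts the 2-octet header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_attr(attr_type, value, tag=0):
    """Integers (Tunnel-Type, Tunnel-Medium-Type) are always tag + 3 octets; strings
    (Tunnel-Private-Group-ID) carry a tag octet only when tagged."""
    if isinstance(value, int):
        return attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))
    return attr(attr_type, (bytes([tag]) if tag else b"") + value.encode())
```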

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.

For details about how to configure user authorization based on ACL numbers on the Aruba
ClearPass server, see Aruba ClearPass configuration.

Applicable Products and Versions

Table 3-13 Applicable products and versions

Product | Version
Huawei AC | V200R007C10 and later versions
Aruba ClearPass Policy Manager | 6.5.0.71095

Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.

A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to allocate IP addresses to APs.
– SwitchB functions as a DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 3-5 Networking for configuring user authorization based on ACL numbers or dynamic
VLANs

Data Planning

Table 3-14 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as a DHCP server to allocate IP addresses to APs; SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24; 10.23.20.101-10.23.20.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net
Resources accessible to users after authentication | Access rights to the laboratory are granted using a dynamic VLAN (VLAN ID 20); access rights to the service server are granted using an ACL number (ACL 3002)
802.1x access profile | Name: wlan-net; Authentication mode: EAP
Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net
AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1x+AES
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Table 3-15 Data planning on the Aruba ClearPass

Account:
l Account: huawei
l Password: huawei123
Device name: AC6605
Device's IP address: 10.23.102.2/32
RADIUS shared key: huawei@123
Service (user authentication):
l Name: Radius
l Type: 802.1X Wireless-Identity Only
l Authentication methods: MS-CHAPv2, PEAP
l Authentication source: [Local User Repository][Local SQL DB]
Service (test-aaa test only):
l Name: TEST-AAA
l Type: 802.1X Wireless-Identity Only
l Authentication method: PAP (only for the test-aaa test)
l Authentication source: [Local User Repository][Local SQL DB]
Authorization ACL: 3002
Dynamic VLAN: VLAN 20

Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Aruba ClearPass server.
– Add users.
– Add the AC.
– Configure services.
– Configure enforcement profiles.
– Configure enforcement policies and bind them to the service.


Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key. The key huawei@123 used in
this example is for illustration only. In a production network, use a long random shared
key: RADIUS hides the PAP password and authenticates server replies only with MD5
keyed by this secret, so a guessable key lets anyone who captures the exchange recover
passwords or forge Access-Accept replies.
l If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
process (for example, by renewing the lease or reconnecting the terminal) to request an IP
address after VLAN-based authorization is successful or the authorization VLAN changes.
Otherwise the terminal keeps its address from the service VLAN 101 and cannot
communicate in the authorized VLAN 20.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100 and VLAN
101 and GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and
GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit


# Create VLANIF interfaces VLANIF 102, VLANIF 103, VLANIF 104 and VLANIF 105 on
SwitchB and configure a default route with the next hop of the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# On the AC, add GE0/0/1 connected to SwitchB to VLAN 100 and VLAN 102, create
VLANIF 102, and configure the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# On SwitchB, configure the VLANIF 20 to assign IP addresses to authorized STAs. The IP
address segment 10.23.20.2-10.23.20.100 is used by the laboratory devices and is excluded
from the pool, so it cannot be assigned to STAs.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 10.23.20.1 24
[SwitchB-Vlanif20] dhcp select interface
[SwitchB-Vlanif20] dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
[SwitchB-Vlanif20] quit

Step 3 Configure APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.
NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.
1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.
# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit


# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the authorization parameter ACL 3002 for users who pass authentication.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit
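The two rules above are the whole of the policy that ClearPass later points at through Filter-Id, so it is worth seeing exactly what they match. The following added example (written for this guide, not Huawei's or Aruba's code) parses the subset of the rule syntax used here and evaluates it the way an access device would: first match in rule-ID order wins, and a wildcard mask is the inverse of a netmask (0 means "every bit must match", 0.0.0.255 means "ignore the last octet"). The constructed rule text is copied from Step 6; the extra /24 rule in the usage note is an assumption added to show the wildcard semantics.

```python
import ipaddress

# Constructed from the two rules of ACL 3002 configured in Step 6. Only the
# 'rule N permit|deny ip [source A W] [destination A W | any]' subset is handled.
ACL_3002 = """
rule 1 permit ip destination 10.23.105.1 0
rule 2 deny ip destination any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Return the rules sorted by rule ID. A Huawei wildcard mask is the inverse
    of a netmask: 0 (0.0.0.0) means every bit must match, so it names one host,
    while 0.0.0.255 ignores the last octet and matches a /24."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError("unsupported rule: " + line)
        rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
        i = 4
        while i < len(tok):
            if tok[i] not in ("source", "destination"):
                raise ValueError("unsupported keyword: " + tok[i])
            if tok[i + 1] == "any":
                rule[tok[i]] = None
                i += 2
            else:
                wildcard = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]  # "0" is shorthand
                rule[tok[i]] = (_ip(tok[i + 1]), _ip(wildcard))
                i += 3
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])


def _matches(spec, ip):
    if spec is None:  # 'any', or the field was omitted
        return True
    addr, wildcard = spec
    return (_ip(ip) | wildcard) == (addr | wildcard)  # wildcard bits are don't-care


def acl_decision(rules, src, dst):
    """First matching rule in ID order decides. None means no rule matched,
    which is the gap that rule 2 ('deny ip destination any') closes."""
    for rule in rules:
        if _matches(rule["source"], src) and _matches(rule["destination"], dst):
            return rule["action"]
    return None


def acl_permits(rules, src, dst):
    return acl_decision(rules, src, dst) == "permit"
```

With the rules of ACL 3002, `acl_permits(parse_acl(ACL_3002), "10.23.20.254", "10.23.105.1")` is true and any other destination returns "deny". Dropping rule 2 makes `acl_decision` return None for unmatched traffic, which is why the explicit deny belongs in the ACL rather than being left to whatever the platform does with unmatched packets. A rule such as `rule 5 permit ip source 10.23.20.0 0.0.0.255 destination any` shows the wildcard in the other direction: 10.23.20.77 matches, 10.23.21.77 does not.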

Step 7 Configure the Aruba ClearPass server.
1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, in the format
https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the Aruba
ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.


3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.
# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.
# On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to
Authentication Methods and [Local User Repository][Local SQL DB] to
Authentication Sources.
# On the Authorization tab, add [Local User Repository][Local SQL DB] to
Authentication Source.


# On other tabs, use default settings. Click Save.


5. Configure the service TEST-AAA.
NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication. With PAP the password leaves the AC protected only by the RADIUS password-hiding
scheme keyed with the shared key, so keep this service for testing: its service rule matches
NAS-Port-Type Ethernet(15) only, which keeps it from serving the wireless 802.1X requests handled by
the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).
# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.
# On other tabs, use default settings.
6. Configure the ACL and dynamic VLAN for authorization.
# Choose Configuration > Enforcement > Profiles. In the pane on the right side, click
Add.
# On the Profile tab, set Template to RADIUS Based Enforcement, and enter
ACLVLAN in the Name field.
# On the Attributes tab, configure the RADIUS attributes that carry the authorization
result: Filter-Id (11) with value 3002 (the ACL number), Tunnel-Type (64) with value
VLAN (13), Tunnel-Medium-Type (65) with value 802 (6), and Tunnel-Private-Group-Id
(81) with value 20 (the VLAN ID). All three Tunnel attributes are required for the AC to
apply the VLAN. Then, click Save.


# For parameters on other tabs, use the default settings.

# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add.

# On the Enforcement tab, enter ACLVLAN in the Name field, set Enforcement Type
to RADIUS and Default Profile to Allow Access Profile.

# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS]ACLVLAN. This configuration is used to deliver the
authorization ACL and dynamic VLAN to user huawei. Then, click Save.

# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to NOT_EQUALS, Value to huawei,
and Profile Names to [RADIUS][Allow Access Profile]. This configuration is used to
allow users to pass authentication without authorization operations. Then, click Save.

# Click Save to complete the configuration.


7. Bind authorization policies.
# Choose Configuration > Services. In the pane on the right side, click service name
Radius to open the Edit tab. Select the Enforcement tab, set Enforcement Policy to
ACLVLAN, and then click Save.


Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.

Step 9 Verify the configuration.
l An employee can access the service server and the laboratory after passing authentication.
l After the authentication succeeds, run the display access-user command on the AC. The
command output shows online employees. The IP address 10.23.20.254 comes from the
VLAN 20 pool rather than the service VLAN 101 pool, which confirms that the dynamic
VLAN was delivered and applied.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.20.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 20 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
return

l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 100 to 105
#
dhcp enable
#
interface Vlanif20
ip address 10.23.20.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface Vlanif105
ip address 10.23.105.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 105
port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3002
rule 1 permit ip destination 10.23.105.1 0
rule 2 deny ip
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return

3.6 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)
Introduction to User Authorization
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication. After an 802.1x user is successfully authenticated on a
RADIUS server, the server sends authorization information to the access device of the user.
When the Aruba ClearPass functions as a RADIUS server, it can deliver multiple
authorization parameters. The following example uses ACL numbers and dynamic VLANs to
control user authorization.
l Authorization based on ACL numbers
If ACL number delivery is configured on the RADIUS server, authorization information
sent to the access device includes the ACL number. The access device matches ACL
rules based on the delivered ACL number to control user rights.
The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
The ACL numbers supported by the AC range from 3000 to 3031.
l Authorization based on dynamic VLANs
If dynamic VLAN delivery is configured on the RADIUS server, authorization
information sent to the access device includes the VLAN attribute. After the access
device receives the authorization information, it changes the VLAN of the user to the
delivered VLAN. The delivered VLAN does not change or affect the interface
configuration. The priority of the delivered VLAN, however, is higher than that of the
user configured VLAN. That is, the delivered VLAN takes effect after the authentication
succeeds and the user-configured VLAN takes effect after the user goes offline.
The following RADIUS attributes are used for dynamic VLAN delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
To ensure that the RADIUS server delivers VLAN information correctly, all the three
RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-
Type attributes must be set to the specified values.
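The attribute rules above, together with the PAP test-aaa note in the CLI example earlier in this chapter, are easier to reason about with the bytes in hand. The following added example is written for this guide and is not ClearPass or AC code: it builds the Access-Request that a PAP test-aaa run sends (User-Password hidden with the RFC 2865 scheme, NAS-Port-Type Ethernet), builds the Access-Accept the ACLVLAN enforcement profile would return (Filter-Id 3002 plus the three Tunnel attributes), and then performs the checks the access device has to make: Response Authenticator verification with the shared key, the 3000-3031 range check on the delivered ACL number, and the rule that the VLAN is applied only when all three Tunnel attributes are present with Tunnel-Type 13 and Tunnel-Medium-Type 6. The shared key and attribute values are taken from the data planning; the RFC 2868 tag byte of 1 and the packet identifier are assumptions, and no real traffic is captured.

```python
import hashlib
import hmac
import os
import struct

# Constructed from the data planning above (assumed values, not captured traffic).
SHARED_SECRET = b"huawei@123"

# RADIUS codes and attribute types from RFC 2865 and RFC 2868.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID, NAS_PORT_TYPE = 1, 2, 11, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_ETHERNET = 13, 6, 15
AC_ACL_RANGE = range(3000, 3032)  # ACL numbers the AC accepts in Filter-Id


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous
    block); the first 'previous block' is the Request Authenticator. Keyed
    obfuscation, not encryption: a captured PAP request allows offline guessing."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def attr(atype, value, tag=None):
    """Encode one attribute TLV; Tunnel-* attributes carry an RFC 2868 tag byte."""
    body = (bytes([tag]) if tag is not None else b"") + value
    return struct.pack("!BB", atype, 2 + len(body)) + body


def response_authenticator(header, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    return hashlib.md5(header + req_auth + attrs + SHARED_SECRET).digest()


def build_access_request(user, password, ident=0x2A, req_auth=None):
    """AC side, what 'test-aaa ... pap' sends. NAS-Port-Type Ethernet(15) is the
    value the TEST-AAA service rule matches; the password is PAP-hidden."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_access_accept(request, acl_number, vlan_id):
    """Server side, what the ACLVLAN enforcement profile delivers: Filter-Id
    plus the three Tunnel-* attributes (tag value 1 is an assumption)."""
    attrs = (attr(FILTER_ID, str(acl_number).encode())
             + attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:], tag=1)
             + attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)[1:], tag=1)
             + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode(), tag=1))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + response_authenticator(header, request[4:20], attrs) + attrs


def parse_attrs(pkt):
    """Walk the TLVs after the 20-byte header, rejecting truncated ones."""
    out, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, length = pkt[i], pkt[i + 1]
        out[atype] = pkt[i + 2:i + length]
        i += length
    return out


def untag(value):
    # RFC 2868: a first byte of 0x00-0x1F is a tag, anything larger is data.
    return value[1:] if value and value[0] <= 0x1F else value


def authorization(request, response):
    """AC side: verify the Response Authenticator, then derive (acl, vlan).
    The VLAN is used only when all three Tunnel-* attributes are present and
    Tunnel-Type/Tunnel-Medium-Type carry VLAN(13)/802(6); otherwise it is None."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if not hmac.compare_digest(response_authenticator(header, request[4:20], attrs), resp_auth):
        raise ValueError("bad Response Authenticator: wrong shared key or forged reply")
    if response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return None, None
    got = parse_attrs(response)
    acl = int(got[FILTER_ID].decode()) if FILTER_ID in got else None
    if acl is not None and acl not in AC_ACL_RANGE:
        raise ValueError("delivered ACL %d is outside 3000-3031" % acl)
    vlan = None
    if all(t in got for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        ttype = int.from_bytes(untag(got[TUNNEL_TYPE]), "big")
        medium = int.from_bytes(untag(got[TUNNEL_MEDIUM_TYPE]), "big")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802:
            group = untag(got[TUNNEL_PRIVATE_GROUP_ID]).decode()  # VLAN ID or VLAN name
            vlan = int(group) if group.isdigit() else group
    return acl, vlan
```

Running `authorization(req, build_access_accept(req, 3002, 20))` on a request from `build_access_request(b"huawei", b"huawei123")` yields `(3002, 20)`, the two values the AC needs. An Access-Accept that carries Tunnel-Type and Tunnel-Private-Group-ID but no Tunnel-Medium-Type yields no VLAN at all, which is the failure mode behind the note that all three attributes must be configured; a reply whose attributes were altered in transit, or that was produced with a different shared key, is rejected before any attribute is read, which is why the shared key on both sides must match and must not be guessable.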

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.

For details about how to configure user authorization based on ACL numbers on the Aruba
ClearPass server, see Aruba ClearPass configuration.

Applicable Products and Versions

Table 3-16 Applicable products and versions

Huawei AC: V200R007C10 and later versions
Aruba ClearPass Policy Manager: 6.5.0.71095


Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.
A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to allocate IP addresses to APs.
– SwitchB functions as a DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 3-6 Networking for configuring user authorization based on ACL numbers or dynamic VLANs

Data Planning

Table 3-17 Data planning on the AC

Management VLAN: VLAN 100
Service VLAN: VLAN 101
AC's source interface: VLANIF 100: 10.23.100.1/24
DHCP server:
l The AC functions as a DHCP server to allocate IP addresses to APs.
l SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24 and 10.23.20.101-10.23.20.254/24
RADIUS authentication parameters:
l RADIUS server template name: wlan-net
l IP address: 10.23.103.1
l Authentication port number: 1812
l Shared key: huawei@123
l Authentication scheme: wlan-net
Resources accessible to users after authentication:
l Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20.
l Access rights to the service server are granted using an ACL number. The ACL number is 3002.
802.1x access profile:
l Name: wlan-net
l Authentication mode: EAP
Authentication profile:
l Name: wlan-net
l Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net
AP group:
l Name: ap-group1
l Bound profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
l Name: default
l Country code: CN
SSID profile:
l Name: wlan-net
l SSID name: wlan-net
Security profile:
l Name: wlan-net
l Security policy: WPA-WPA2+802.1x+AES
VAP profile:
l Name: wlan-net
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net


Table 3-18 Data planning on the Aruba ClearPass

Account:
l Account: huawei
l Password: huawei123
Device name: AC6605
Device's IP address: 10.23.102.2/32
RADIUS shared key: huawei@123
Service (user authentication):
l Name: Radius
l Type: 802.1X Wireless-Identity Only
l Authentication methods: MS-CHAPv2, PEAP
l Authentication source: [Local User Repository][Local SQL DB]
Service (test-aaa test only):
l Name: TEST-AAA
l Type: 802.1X Wireless-Identity Only
l Authentication method: PAP (only for the test-aaa test)
l Authentication source: [Local User Repository][Local SQL DB]
Authorization ACL: 3002
Dynamic VLAN: VLAN 20

Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Aruba ClearPass server.
– Add users.
– Add the AC.
– Configure services.
– Configure enforcement profiles.
– Configure enforcement policies and bind them to the service.


Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
• The AC and server must have the same RADIUS shared key.
• If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP process to request an IP address after VLAN-based authorization is successful or the authorization VLAN changes.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100 and VLAN 101, and GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit


# Create VLANIF interfaces VLANIF 102, VLANIF 103, VLANIF 104 and VLANIF 105 on SwitchB and configure a default route with the next hop set to the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure SwitchB to function as a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# On SwitchB, configure VLANIF 20 to assign IP addresses to authorized STAs. The IP address segment 10.23.20.2-10.23.20.100 cannot be assigned to STAs.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 10.23.20.1 24
[SwitchB-Vlanif20] dhcp select interface
[SwitchB-Vlanif20] dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
[SwitchB-Vlanif20] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.


NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.


# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.


NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.

# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.


# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch import and click the download button to download the AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example. To add multiple APs, fill in the information for each AP.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click the button next to Import AP file, select the AP template file, and click Import.


# On the page that displays the template import result, click OK.
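
The following check is an added example; it is not the Huawei template file or the AC's own import logic. It applies the rule from the note above (the MAC address is mandatory under MAC address authentication, the SN is mandatory under SN authentication) to an AP list before it is uploaded, normalizes MAC addresses to the xxxx-xxxx-xxxx form the AC uses, and rejects duplicate MACs, SNs and names and references to AP groups that do not exist on the AC. It assumes the list is read as CSV with the columns mac, sn, name and group; the template downloaded from the AC defines its own layout, so map the columns accordingly. The first sample row is the AP from this example; the remaining rows are constructed to exercise the checks.

```python
"""Pre-upload checks for an AP batch-import list (added example, not Huawei code).

Assumption: the list is a CSV with the header mac,sn,name,group. The real template
downloaded from the AC defines its own layout; adapt the column names to it.
"""
import csv
import io
import re

# Constructed sample. Row 1 is the AP from the guide; rows 2-4 are made up to exercise
# the checks (colon-separated MAC, missing MAC, unknown AP group).
SAMPLE_CSV = """mac,sn,name,group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60:de:44:76:e3:61,,area_2,ap-group1
,CONSTRUCTED-SN-0003,area_3,ap-group1
60de-4476-e363,CONSTRUCTED-SN-0004,area_4,ap-group9
"""


def normalize_mac(raw: str):
    """Return the MAC as xxxx-xxxx-xxxx (the form the AC CLI uses), or None if it
    does not contain exactly 12 hex digits. Colon, hyphen and dot separators are accepted."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").lower()
    if len(digits) != 12:
        return None
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def validate_ap_rows(csv_text: str, auth_mode: str, known_groups):
    """Return (accepted_rows, errors).

    accepted_rows: dicts with normalized mac, sn, name, group, in file order.
    errors: (csv_line_number, message) pairs; a row with any error is not accepted.
    auth_mode: 'mac-auth' (the AC default) or 'sn-auth', per the note in the guide.
    """
    if auth_mode not in ("mac-auth", "sn-auth"):
        raise ValueError("auth_mode must be 'mac-auth' or 'sn-auth'")
    accepted, errors = [], []
    seen_mac, seen_sn, seen_name = set(), set(), set()
    # The header is line 1 of the file, so the first data row is line 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        raw_mac = (row.get("mac") or "").strip()
        mac = normalize_mac(raw_mac)
        sn = (row.get("sn") or "").strip()
        name = (row.get("name") or "").strip()
        group = (row.get("group") or "").strip()
        problems = []
        if raw_mac and mac is None:
            problems.append(f"malformed MAC {raw_mac!r}")
        if auth_mode == "mac-auth" and not raw_mac:
            problems.append("MAC address is mandatory under MAC address authentication")
        if auth_mode == "sn-auth" and not sn:
            problems.append("SN is mandatory under SN authentication")
        if not name:
            problems.append("AP name is empty")
        if group not in known_groups:
            problems.append(f"AP group {group!r} does not exist on the AC")
        if mac and mac in seen_mac:
            problems.append(f"duplicate MAC {mac}")
        if sn and sn in seen_sn:
            problems.append(f"duplicate SN {sn}")
        if name and name in seen_name:
            problems.append(f"duplicate AP name {name}")
        # Register identifiers even for rejected rows so a later duplicate is still caught.
        if mac:
            seen_mac.add(mac)
        if sn:
            seen_sn.add(sn)
        seen_name.add(name)
        if problems:
            errors.extend((lineno, p) for p in problems)
        else:
            accepted.append({"mac": mac, "sn": sn, "name": name, "group": group})
    return accepted, errors


if __name__ == "__main__":
    ok, bad = validate_ap_rows(SAMPLE_CSV, "mac-auth", {"ap-group1"})
    for r in ok:
        print("accept", r)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

Run it before importing a large list: a row rejected here would otherwise either fail at import time or, under MAC address authentication, be imported with a MAC that never matches a real AP.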
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.


# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the button next to Radio Management. The profiles under Radio Management are displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings(5G) page is similar to that of Radio0 and is not described here.


# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure the authorization parameter ACL 3002 for users who pass authentication.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The Advanced
ACL Settings page is displayed.
# Click Create. On the Create Advanced ACL page that is displayed, configure an ACL.

# Click OK. The Advanced ACL Settings page is displayed.


# Click Add Rule next to ACL 3002. On the Add Rule page that is displayed, add an ACL
rule.

# Click OK. On the Advanced ACL Settings page that is displayed, add another ACL rule.


# Click OK.

Step 8 Configure the Aruba ClearPass server.


1. Log in to the Aruba ClearPass server.

# Enter the access address of the Aruba ClearPass server in the address box, in the format https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the Aruba ClearPass server.

# Choose ClearPass Policy Manager.

# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.

# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.

# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.


4. Configure the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to Radius, and select Authorization.

# On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to Authentication Methods and [Local User Repository][Local SQL DB] to Authentication Sources.

# On the Authorization tab, add [Local User Repository][Local SQL DB] to Authentication Source.

# On other tabs, use default settings. Click Save.


5. Configure the service TEST-AAA.


NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to TEST-AAA, and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


6. Configure the ACL and dynamic VLAN for authorization.
# Choose Configuration > Enforcement > Profiles. In the pane on the right side, click
Add.
# On the Profile tab, set Template to RADIUS Based Enforcement, and enter
ACLVLAN in the Name field.
# On the Attributes tab, configure attributes and values. Then, click Save.

# For parameters on other tabs, use the default settings.


# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add.
# On the Enforcement tab, enter ACLVLAN in the Name field, set Enforcement Type
to RADIUS and Default Profile to Allow Access Profile.

# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS]ACLVLAN. This configuration is used to deliver the
authorization ACL and dynamic VLAN to user huawei. Then, click Save.

# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to NOT_EQUALS, Value to huawei,
and Profile Names to [RADIUS][Allow Access Profile]. This configuration is used to
allow users to pass authentication without authorization operations. Then, click Save.

# Click Save to complete the configuration.


7. Bind authorization policies.
# Choose Configuration > Services. In the pane on the right side, click service name
Radius to open the Edit tab. Select the Enforcement tab, set Enforcement Policy to
ACLVLAN, and then click Save.


Step 9 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.
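
The exchange that the AAA test drives, as an added example that is not code from the Huawei guide or from Aruba ClearPass: it encodes the PAP User-Password attribute and the Response Authenticator as RFC 2865 defines them and simulates the server side with a small stub. It shows two things the procedure depends on. First, why the configuration notes require the AC and the server to have the same RADIUS shared key: a reply built under a different key fails the authenticator check on the AC and is discarded, so a key mismatch surfaces as a failed test rather than an explicit error. Second, why the test-aaa check against ClearPass 6.5.0 is limited to PAP: with PAP the server recovers the cleartext and only compares it, whereas CHAP requires the server to recompute MD5(id + password + challenge) from a stored cleartext password, which a repository that does not keep the password cannot do. The shared key huawei@123 and the account huawei/huawei123 come from the data plan; the request identifier, Request Authenticator, CHAP challenge and the server stub are constructed here.

```python
"""RADIUS PAP/CHAP handling and Response Authenticator checks (added example).
Shared key and account are from the guide's data plan; identifiers, the Request
Authenticator, the CHAP challenge and the server stub are constructed for this demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60  # RFC 2865 attribute types


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(encrypted: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the cleartext is recovered, so only a comparison is needed."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: the client proves the password with MD5(id + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """The server recomputes the same MD5, so it needs the cleartext password in its
    repository; a store that keeps only a password hash cannot verify CHAP at all."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value TLVs; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body: bytes):
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, body[i + 2:i + ln]))
        i += ln
    return attrs


def response_authenticator(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def build_request(ident: int, request_auth: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """AC side: a reply whose authenticator was computed under a different shared key
    fails here and is silently dropped, which is how a key mismatch shows up in practice."""
    if len(resp) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return False
    expected = response_authenticator(code, ident, resp[20:], request_auth, secret)
    return hmac.compare_digest(resp[4:20], expected)


LOCAL_USERS = {b"huawei": b"huawei123"}  # the ClearPass local account from the data plan


def server_handle(request: bytes, server_secret: bytes) -> bytes:
    """Constructed PAP-only server stub: decrypt, compare, answer Accept or Reject."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    stored = LOCAL_USERS.get(attrs.get(USER_NAME, b""))
    given = pap_decrypt(attrs.get(USER_PASSWORD, b""), server_secret, request_auth)
    ok = stored is not None and hmac.compare_digest(stored, given)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, server_secret)


def test_aaa(server_secret: bytes = b"huawei@123"):
    """Simulate the AC's AAA test with PAP. Returns (server_accepted, reply_verified_on_ac)."""
    ac_secret = b"huawei@123"
    request_auth = os.urandom(16)  # fresh random value per request; it seeds the PAP keystream
    req = build_request(7, request_auth, [
        (USER_NAME, b"huawei"),
        (USER_PASSWORD, pap_encrypt(b"huawei123", ac_secret, request_auth)),
    ])
    reply = server_handle(req, server_secret)
    return reply[0] == ACCESS_ACCEPT, verify_response(reply, request_auth, ac_secret)


if __name__ == "__main__":
    print("matching keys:", test_aaa())           # (True, True)
    print("mismatched key:", test_aaa(b"wrong"))  # (False, False)
```

The PAP password is only as strong as the shared key and the Request Authenticator, which is why the Request Authenticator must be random per request and why the AC-to-server leg in this example runs over a dedicated VLAN rather than the service VLAN; the 802.1X users themselves are protected by the EAP tunnel (PEAP), and PAP appears here only for the AAA test.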

Step 10 Verify the configuration.

• An employee can access the service server and the laboratory after passing authentication.
• After the authentication succeeds, choose Monitoring > User on the AC. Information about online employees is displayed.

----End

3.7 Example for Configuring User Authorization Based on User Groups (CLI)
Introduction to User Authorization Based on User Groups
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication.

A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.


When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Aruba
ClearPass server, see Configure the Aruba ClearPass.

Applicable Products and Versions

Table 3-19 Applicable products and versions

Product                         Version
Huawei AC                       V200R007C10 and later versions
Aruba ClearPass Policy Manager  6.5.0.71095

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES


Figure 3-7 Networking for configuring user authorization based on user groups

[Network diagram. The topology it shows, as configured in the procedure: Internet - Router (GE0/0/1) - SwitchB (GE0/0/4); SwitchB GE0/0/3 - RADIUS Server 10.23.103.1:1812; SwitchB GE0/0/2 - AC (GE0/0/1); SwitchB GE0/0/1 - SwitchA (GE0/0/2); SwitchA GE0/0/1 - AP - STA, STA. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Plan

Table 3-20 Data planning on the AC

Management VLAN
  VLAN 100

Service VLAN
  VLAN 101

AC's source interface
  VLANIF 100: 10.23.100.1/24

DHCP server
  The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB functions as a DHCP server to assign IP addresses to STAs.

IP address pool for APs
  10.23.100.2-10.23.100.254/24

IP address pool for the STAs
  10.23.101.2-10.23.101.254/24

RADIUS authentication parameters
  • RADIUS server template name: wlan-net
  • IP address: 10.23.103.1
  • Authentication port number: 1812
  • Shared key: huawei@123
  • Authentication scheme: wlan-net

802.1x access profile
  • Name: wlan-net
  • Authentication mode: EAP

Authentication profile
  • Name: wlan-net
  • Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net

AP group
  • Name: ap-group1
  • Bound profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile
  • Name: default
  • Country code: China

SSID profile
  • Name: wlan-net
  • SSID name: wlan-net

Security profile
  • Name: wlan-net
  • Security policy: WPA-WPA2+802.1X+AES

VAP profile
  • Name: wlan-net
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

User group
  • Name: group1
  • Bound ACL number: 3001
  • User group right: Only members in the user group can access network resources on 10.23.200.0/24.

Table 3-21 Data planning on the Aruba ClearPass

Department
  R&D

Account
  • Account: huawei
  • Password: huawei123

Device profile
  Huawei

Device name
  AC6605

Device's IP address
  10.23.102.2/32

RADIUS shared key
  huawei@123

Authentication protocol
  • MS-CHAPv2
  • PEAP
  • CHAP (only for the test-aaa test)

User group
  User-group

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure the Aruba ClearPass server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
• The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


Step 6 Configure a user group.


# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.

NOTE

The RADIUS server must deliver the user group name group1 to authenticated employees. In Step 7 this is done by the ClearPass enforcement profile that returns Filter-Id group1 in the Access-Accept; the AC matches that value against the local user group name and applies ACL 3001 to the user.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit

Step 7 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, in the
format https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.


4. Configure the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.

# On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to


Authentication Methods and [Local User Repository][Local SQL DB] to
Authentication Sources.

# On the Authorization tab, add [Local User Repository][Local SQL DB] to


Authentication Source.

# On other tabs, use default settings. Click Save.


5. Configure the service TEST-AAA.


NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


6. Configure an authorized user group.
# Choose Configuration > Enforcement > Profiles. In the pane on the right side, click
Add. On the Profile tab, set Template to RADIUS Based Enforcement and Name to
User-group.


# On the Attributes tab, set Type to Radius:IETF and Filter-ID to group1. Then, click
Save.

# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add. Set Name to User-group, Enforcement Type to RADIUS, and Default Profile to
[Allow Access Profile].

# On the Rules tab, click Add Rule. On the displayed Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS] User-group. This configuration is used to deliver rights
configured for User-group to user huawei. Click Save.

# Use the same method to add a new rule. Set Type to Authentication, Name to
Username, Operator to NOT_EQUALS, Value to huawei, Profile Names to
[RADIUS] [Allow Access Profile]. This configuration is used to allow users to pass
authentication without authorization operations. Click Save.


# Click Save in the lower right corner.


7. Bind authorization policies.

# Choose Configuration > Services. Click service Radius to open the edit tab. Select
the Enforcement tab, and then set Enforcement Policy to User-group. Click Save.

Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.

Step 9 Verify the configuration.


- The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
- The STAs obtain IP addresses when they successfully associate with the WLAN.
- A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
Deselecting Validate server certificate, as in the client settings below, is acceptable only
for this interoperation test: a supplicant that does not validate the server certificate will
complete PEAP with any RADIUS server, including a rogue access point that presents its own
certificate, and hands that server the user's credential exchange. In production, install the
CA certificate that issued the ClearPass server certificate on the STAs and keep Validate
server certificate selected.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.


ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103


#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
- Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net

vap-profile name wlan-net


service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return

3.8 Example for Configuring User Authorization Based on User Groups (Web)
Introduction to User Authorization Based on User Groups
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication.
A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.
When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Aruba
ClearPass server, see Configure the Aruba ClearPass.


Applicable Products and Versions

Table 3-22 Applicable products and versions

Product                         Version
Huawei AC                       V200R007C10 and later versions
Aruba ClearPass Policy Manager  6.5.0.71095

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
- Service data forwarding mode: direct forwarding
- WLAN authentication mode: WPA-WPA2+802.1X+AES


Figure 3-8 Networking for configuring user authorization based on user groups

(Figure: the STAs associate with the AP, which connects to GE0/0/1 of SwitchA. SwitchA
GE0/0/2 connects to SwitchB GE0/0/1. SwitchB GE0/0/2 connects to GE0/0/1 of the AC,
SwitchB GE0/0/3 connects to the RADIUS server 10.23.103.1:1812, and SwitchB GE0/0/4
connects to GE0/0/1 of Router, which leads to the Internet. Management VLAN: VLAN 100.
Service VLAN: VLAN 101.)


Data Plan

Table 3-23 Data planning on the AC

Configuration Item                Data
Management VLAN                   VLAN 100
Service VLAN                      VLAN 101
AC's source interface             VLANIF 100: 10.23.100.1/24
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs,
                                  and SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for the STAs      10.23.101.2-10.23.101.254/24
RADIUS authentication parameters  - RADIUS server template name: wlan-net
                                  - IP address: 10.23.103.1
                                  - Authentication port number: 1812
                                  - Shared key: huawei@123
                                  - Authentication scheme: wlan-net
802.1x access profile             - Name: wlan-net
                                  - Authentication mode: EAP
Authentication profile            - Name: wlan-net
                                  - Bound profile and authentication scheme: 802.1x access profile
                                    wlan-net, RADIUS server template wlan-net, and RADIUS
                                    authentication scheme wlan-net
AP group                          - Name: ap-group1
                                  - Bound profiles: VAP profile wlan-net and regulatory domain
                                    profile default
Regulatory domain profile         - Name: default
                                  - Country code: China
SSID profile                      - Name: wlan-net
                                  - SSID name: wlan-net
Security profile                  - Name: wlan-net
                                  - Security policy: WPA-WPA2+802.1X+AES


VAP profile                       - Name: wlan-net
                                  - Forwarding mode: direct forwarding
                                  - Service VLAN: VLAN 101
                                  - Bound profiles: SSID profile wlan-net, security profile wlan-net,
                                    and authentication profile wlan-net
User group                        - Name: group1
                                  - Bound ACL number: 3001
                                  - User group right: Only members in the user group can access
                                    network resources on 10.23.200.0/24.

Table 3-24 Data planning on the Aruba ClearPass

Configuration Item        Data
Department                R&D
Account                   Account: huawei
                          Password: huawei123
Device profile            Huawei
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   - MS-CHAPv2
                          - PEAP
                          - PAP (only for the test-aaa test; see the note on service TEST-AAA)
User group                User-group

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure a user group.
6. Configure the Aruba ClearPass server.


Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
- The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.


# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.


# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.


3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.


# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the settings.
# On the Confirm Settings page, confirm that the settings are correct and click Finish.
In the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.


# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.


# Set Mode to Batch import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click next to Import AP file, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.


# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm (the maximum configurable value).
The configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings(5G) page is
similar to that of Radio0 and is not described here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure a user group.
1. Configure an ACL.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. On the Create Advanced ACL page that is displayed, configure an
ACL.

# Click OK. The Advanced ACL Settings page is displayed.


# Click Add Rule next to ACL 3001. On the Add Rule page that is displayed, add an
ACL rule.


# Click OK. On the Advanced ACL Settings page that is displayed, add another ACL
rule.

# Click OK.
2. Configure a user group.
# Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
# Click Create. On the Create User Group page that is displayed, set User group
name and bind an ACL.


# Click OK.
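The effect of the user group configured above is easy to misjudge, because Huawei ACL rules carry wildcard masks rather than netmasks. The following is an added example, not code from the Huawei guide, that models how ACL 3001 (bound to group1 by acl-id 3001, in Step 6 of the CLI example and Step 7 here) is applied to a group1 user's traffic: rules are tried in rule-number order, the first match wins, and a 1 bit in the wildcard means "don't care". The ACL table and the sample destinations are constructed for the example.

```python
"""Added example, not code from the Huawei guide: a model of how ACL 3001, bound to
user group group1 by `acl-id 3001`, is applied to a group1 user's traffic on the AC.
Huawei rules carry wildcard masks (a 1 bit means "don't care"), are tried in rule-number
order and the first match wins.  The ACL table and sample destinations are constructed."""
import ipaddress

# (rule number, action, destination address, wildcard mask); None/None means "any"
ACL_3001 = [(1, "permit", "10.23.200.0", "0.0.0.255"),
            (2, "deny", None, None)]


def wildcard_match(addr, wildcard, dst):
    """True when dst equals addr on every bit that is 0 in the wildcard mask."""
    a, w, d = (int(ipaddress.IPv4Address(x)) for x in (addr, wildcard, dst))
    care = ~w & 0xFFFFFFFF          # bits the rule actually compares
    return (a & care) == (d & care)


def acl_decision(acl, dst):
    """Return (action, rule number) of the first rule that matches destination dst."""
    for number, action, addr, wildcard in acl:
        if addr is None or wildcard_match(addr, wildcard, dst):
            return action, number
    return "no-match", None          # unreachable for ACL 3001 because rule 2 catches all


def reachable_destinations(acl, dsts):
    """The subset of the given destinations that a user bound to this ACL can reach."""
    return [d for d in dsts if acl_decision(acl, d)[0] == "permit"]


# A common mistake: writing a netmask where a wildcard is expected.  0.0.0.255 matches
# the whole 10.23.200.0/24; 255.255.255.0 matches only addresses whose last octet is 0,
# in any network, so group1 users would lose access to almost every host in the segment.
ACL_MISTAKEN = [(1, "permit", "10.23.200.0", "255.255.255.0"),
                (2, "deny", None, None)]
```

With ACL 3001 a group1 user reaches 10.23.200.7 (rule 1) but neither the gateway 10.23.101.1 nor 8.8.8.8 (rule 2); with the mistaken mask, 10.23.200.7 is denied while 192.168.1.0 is permitted.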
Step 8 Configure the Aruba ClearPass.
1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, in the
format https://Aruba ClearPass IP, where Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.


4. Configure the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.

# On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to


Authentication Methods and [Local User Repository][Local SQL DB] to
Authentication Sources.

# On the Authorization tab, add [Local User Repository][Local SQL DB] to


Authentication Source.

# On other tabs, use default settings. Click Save.


5. Configure the service TEST-AAA.


NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


6. Configure an authorized user group.
# Choose Configuration > Enforcement > Profiles. In the pane on the right side, click
Add. On the Profile tab, set Template to RADIUS Based Enforcement and Name to
User-group.


# On the Attributes tab, set Type to Radius:IETF and Filter-ID to group1. Then, click
Save.

# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add. Set Name to User-group, Enforcement Type to RADIUS, and Default Profile to
[Allow Access Profile].

# On the Rules tab, click Add Rule. On the displayed Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS] User-group. This configuration is used to deliver rights
configured for User-group to user huawei. Click Save.

# Use the same method to add a new rule. Set Type to Authentication, Name to
Username, Operator to NOT_EQUALS, Value to huawei, Profile Names to
[RADIUS] [Allow Access Profile]. This configuration is used to allow users to pass
authentication without authorization operations. Click Save.


# Click Save in the lower right corner.


7. Bind authorization policies.

# Choose Configuration > Services. Click service Radius to open the edit tab. Select
the Enforcement tab, and then set Enforcement Policy to User-group. Click Save.

Step 9 On the AC, check that users can pass RADIUS authentication.

# Choose Diagnosis > Diagnosis Tool > AAA Test. The AAA Test page is displayed.

# Configure the RADIUS server template, authentication mode, user name, and password.

# Click Start.
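The test-aaa check in Step 9 sends a PAP Access-Request, which is why the NOTE in step 5 restricts the test to PAP. The following Python script is an added example, not Huawei's or Aruba's code: it builds such a request with NAS-Port-Type Ethernet(15), hides the password as RFC 2865 requires, and validates the Response Authenticator of the reply before reading the Filter-Id attribute that the User-group profile returns (group1). The shared secret, user name and the server reply are constructed placeholders.

```python
# Added example (not from the Huawei guide): minimal RADIUS PAP helpers that
# mirror the test-aaa check. Secret, user and reply below are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID, NAS_PORT_TYPE = 1, 2, 11, 61
ETHERNET = 15  # NAS-Port-Type value used in the TEST-AAA service rule

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(hidden, secret, authenticator):
    """Inverse of pap_encrypt; the chain key depends on the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t, value):  # Type, Length (incl. header), Value
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident, username, password, secret):
    auth = os.urandom(16)  # Request Authenticator, also the PAP hiding IV
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, pap_encrypt(password, secret, auth))
             + attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def parse_attrs(body):
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs

def build_response(code, ident, request_auth, attrs_body, secret):
    """What a server sends: Response Authenticator = MD5(header|ReqAuth|attrs|secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs_body))
    return head + hashlib.md5(head + request_auth + attrs_body + secret).digest() + attrs_body

def check_response(resp, request_auth, secret, ident):
    """Verify id, length and Response Authenticator before trusting Code or Filter-Id."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        raise ValueError("identifier/length mismatch")
    if hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest() != resp[4:20]:
        raise ValueError("bad Response Authenticator")
    groups = [v.decode() for t, v in parse_attrs(resp[20:]) if t == FILTER_ID]
    return code == ACCESS_ACCEPT, groups
```

An unverified reply is rejected even when its Code says Access-Accept, which is the check the AC performs before reporting the test-aaa result.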

Step 10 Verify the configuration.


l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.


l A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.

----End
