Huawei WLAN Layer 2 networking and security authentication

1. Configure the switch
[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-LoopBack0]ip add 101.101.101.101 32
[SW-Vlanif10]ip add 10.1.10.1 24
[SW-Vlanif11]ip add 10.1.11.1 24
[SW-Vlanif12]ip add 10.1.12.1 24
[SW-Vlanif13]ip add 10.1.13.1 24
2. Configure AC1 connectivity
[AC1]vlan batch 10 to 13
[AC1-GigabitEthernet0/0/8]port link-type trunk
[AC1-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
[AC1-Vlanif10]ip add 10.1.10.100 24
[AC1-Vlanif11]ip add 10.1.11.100 24
[AC1-Vlanif12]ip add 10.1.12.100 24
[AC1-Vlanif13]ip add 10.1.13.100 24
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
3. Configure the Telnet remote-management service on the AC
[AC1]telnet server enable
[AC1]aaa
[AC1-aaa]local-user ac1 password irreversible-cipher wlan@123
[AC1-aaa]local-user ac1 service-type telnet
[AC1-aaa]local-user ac1 privilege level 3
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]authentication-mode aaa
<AC1>save
<SW>telnet 10.1.10.100 //log in to the AC remotely from the switch
4. Configure the AP group
[AC1-wlan-view]ap-group name ap-group1
5. Configure DHCP on the AC
[AC1]ip pool ap
[AC1-ip-pool-ap]network 10.1.10.0 mask 24
[AC1-ip-pool-ap]gateway-list 10.1.10.1
[AC1-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100 //tell the APs the AC's address
[AC1]ip pool employee
[AC1-ip-pool-employee]network 10.1.11.0 mask 24
[AC1-ip-pool-employee]gateway-list 10.1.11.1
[AC1]ip pool voice
[AC1-ip-pool-voice]network 10.1.12.0 mask 24
[AC1-ip-pool-voice]gateway-list 10.1.12.1
[AC1]ip pool guest
[AC1-ip-pool-guest]network 10.1.13.0 mask 24
[AC1-ip-pool-guest]gateway-list 10.1.13.1
[AC1-Vlanif10]dhcp select global
[AC1-Vlanif11]dhcp select global
[AC1-Vlanif12]dhcp select global
[AC1-Vlanif13]dhcp select global
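The AP pool's "option 43 sub-option 3 ascii 10.1.10.100" line is how APs learn the AC address from their DHCP lease. The following is an added example, not part of the original post or of Huawei's software: it builds the Option 43 bytes the AC hands out and parses them back, so you can check what an AP actually receives (for instance in a packet capture) before debugging CAPWAP. It assumes the usual layout of a DHCP option 43 carrying type/length/value sub-options, with sub-option 3 holding an ASCII AC address list, comma separated when there is more than one AC.

```python
# Added example: encode and decode DHCP Option 43 sub-option 3 (AC address list).
# Assumed layout (RFC 2132 Option 43 carrying vendor sub-options):
#   43 | total-len | sub-type 3 | sub-len | ASCII "ip[,ip...]"
# Comma-separated multiple addresses are an assumption about the AC's encoding.

def encode_option43_suboption3(ac_addresses):
    """Return raw Option 43 bytes carrying sub-option 3 with the given AC addresses."""
    payload = ",".join(ac_addresses).encode("ascii")
    if not payload or len(payload) > 253:
        raise ValueError("sub-option 3 payload must be 1..253 bytes")
    sub_option = bytes([3, len(payload)]) + payload
    return bytes([43, len(sub_option)]) + sub_option

def decode_option43(raw):
    """Parse Option 43 into {sub_type: value_bytes}; skips pad (0) and stops at end (255)."""
    if len(raw) < 2 or raw[0] != 43:
        raise ValueError("not a DHCP option 43")
    total_len = raw[1]
    body = raw[2:2 + total_len]
    if len(body) != total_len:
        raise ValueError("truncated option 43")
    sub_options = {}
    i = 0
    while i < len(body):
        sub_type = body[i]
        if sub_type == 255:          # end marker
            break
        if sub_type == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("truncated sub-option header")
        sub_len = body[i + 1]
        value = body[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("truncated sub-option value")
        sub_options[sub_type] = value
        i += 2 + sub_len
    return sub_options

def ac_addresses_from_option43(raw):
    """Return the list of AC addresses carried in sub-option 3, or [] if absent."""
    sub_options = decode_option43(raw)
    if 3 not in sub_options:
        return []
    return sub_options[3].decode("ascii").split(",")

if __name__ == "__main__":
    opt = encode_option43_suboption3(["10.1.10.100"])   # value from the walkthrough
    print(opt.hex(), ac_addresses_from_option43(opt))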
6. Configure the regulatory domain profile
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code CN
[AC1]capwap source interface Vlanif 10 //configure the AC's CAPWAP source interface
7. Configure the AP authentication mode
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-mac 00e0-fc9a-7b70 ap-id 0
[AC1-wlan-ap-0]ap-group ap-group1
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-view]ap-mac 00e0-fcb9-5f50 ap-id 1
[AC1-wlan-ap-1]ap-group ap-group1
[AC1-wlan-ap-1]ap-name ap2
8. Configure the SSID profiles
[AC1]wlan
[AC1-wlan-view]ssid-profile name employee1
[AC1-wlan-ssid-prof-employee1]ssid employee1
[AC1-wlan-view]ssid-profile name voice1
[AC1-wlan-ssid-prof-voice1]ssid voice1
[AC1-wlan-view]ssid-profile name guest1
[AC1-wlan-ssid-prof-guest1]ssid guest1
9. Configure the VAP profiles
[AC1-wlan-view]vap-profile name employee1
[AC1-wlan-vap-prof-employee1]forward-mode direct-forward
[AC1-wlan-vap-prof-employee1]service-vlan vlan-id 11
[AC1-wlan-vap-prof-employee1]ssid-profile employee1
[AC1-wlan-view]vap-profile name voice1
[AC1-wlan-vap-prof-voice1]forward-mode direct-forward
[AC1-wlan-vap-prof-voice1]service-vlan vlan-id 12
[AC1-wlan-vap-prof-voice1]ssid-profile voice1
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]forward-mode tunnel
[AC1-wlan-vap-prof-guest1]service-vlan vlan-id 13
[AC1-wlan-vap-prof-guest1]ssid-profile guest1
10. Bind the profiles to the AP group
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile employee1 wlan 1 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile voice1 wlan 2 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile guest1 wlan 3 radio all
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
11. Configure WEP authentication
[AC1-wlan-view]security-profile name guest1
[AC1-wlan-sec-prof-guest1]security wep
[AC1-wlan-sec-prof-guest1]security wep share-key //shared-key authentication
[AC1-wlan-sec-prof-guest1]wep key wep-40 pass-phrase 0 guest //40-bit WEP key, key ID 0, key value guest
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]security-profile guest1 //bind the security profile to the VAP profile
12. Configure WPA-PSK authentication
[AC1-wlan-view]security-profile name voice1
[AC1-wlan-sec-prof-voice1]security wpa psk pass-phrase voicevoice tkip
[AC1-wlan-vap-prof-voice1]security-profile voice1
13. Configure WPA EAP authentication (through a RADIUS server; since no server was set up, this could not be verified)
[AC1]vlan 200
[AC1-GigabitEthernet0/0/1]port link-type access
[AC1-GigabitEthernet0/0/1]port default vlan 200
[AC1]int Vlanif 200
[AC1-Vlanif200]ip add 10.254.1.1 24
[AC1]radius-server template huawei //configure the RADIUS server template
[AC1-radius-huawei]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 //authentication server on the server VLAN, UDP 1812
[AC1-radius-huawei]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100 //accounting server, UDP 1813
[AC1-radius-huawei]radius-server shared-key cipher huawei
[AC1-radius-huawei]undo radius-server user-name domain-included
[AC1]aaa //configure AAA
[AC1-aaa]authentication-scheme radius //configure the authentication scheme
[AC1-aaa-authen-radius]authentication-mode radius
[AC1-aaa]accounting-scheme radius
[AC1-aaa-accounting-radius]accounting-mode radius
[AC1-aaa-accounting-radius]accounting realtime 15
[AC1-aaa]domain default
[AC1-aaa-domain-default]authentication-scheme radius
[AC1-aaa-domain-default]radius-server huawei
[AC1]test-aaa huawei huawei@123 radius-template huawei //test the AAA configuration (template names are case-sensitive)
[AC1]dot1x-access-profile name employee1 //configure the 802.1X access profile
[AC1]authentication-profile name employee1 //configure the authentication profile
[AC1-authentication-profile-employee1]dot1x-access-profile employee1
[AC1-authentication-profile-employee1]authentication-scheme radius
[AC1-authentication-profile-employee1]accounting-scheme radius
[AC1-authentication-profile-employee1]radius-server huawei
[AC1-wlan-view]security-profile name employee1 //configure the security profile
[AC1-wlan-sec-prof-employee1]security wpa2 dot1x aes //encryption CCMP (AES), authentication 802.1X (EAP)
[AC1-wlan-view]vap-profile name employee1 //bind the security and authentication profiles
[AC1-wlan-vap-prof-employee1]security-profile employee1
[AC1-wlan-vap-prof-employee1]authentication-profile employee1
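Steps 11 to 13 build three security profiles of very different strength: WEP shared-key for guests, WPA-PSK with TKIP for voice, and WPA2 with 802.1X and AES for employees. The following is an added example, not part of the original post or of Huawei's tooling: a small Python lint that reads security-profile and VAP-binding lines in the prompt format shown above, reports which VAPs end up on WEP, WPA version 1 or TKIP, and prints the hardened equivalent of each weak line. The sample configuration embedded in it is constructed from the lines of steps 11 to 13; the keyword matching (security open/wep/wpa/wpa2, tkip, aes-tkip) covers only the forms used on this page plus "security open".

```python
import re

# Constructed sample: the security-profile and VAP-binding lines from steps 11-13,
# in the "[AC1-wlan-sec-prof-NAME]command" prompt format used on this page.
SAMPLE_CONFIG = """
[AC1-wlan-view]security-profile name guest1
[AC1-wlan-sec-prof-guest1]security wep share-key
[AC1-wlan-sec-prof-guest1]wep key wep-40 pass-phrase 0 guest
[AC1-wlan-vap-prof-guest1]security-profile guest1
[AC1-wlan-view]security-profile name voice1
[AC1-wlan-sec-prof-voice1]security wpa psk pass-phrase voicevoice tkip
[AC1-wlan-vap-prof-voice1]security-profile voice1
[AC1-wlan-view]security-profile name employee1
[AC1-wlan-sec-prof-employee1]security wpa2 dot1x aes
[AC1-wlan-vap-prof-employee1]security-profile employee1
"""

# Prompt patterns: security-profile view and VAP-profile view binding a security profile.
SEC_LINE = re.compile(r"^\[[^\]]*-wlan-sec-prof-([^\]]+)\](.+)$")
VAP_LINE = re.compile(r"^\[[^\]]*-wlan-vap-prof-([^\]]+)\]security-profile\s+(\S+)")

WEAK_CIPHERS = {"tkip", "aes-tkip"}

def parse_security_profiles(config_text):
    """Return ({profile: [command, ...]}, {vap: profile}) from the config text."""
    profiles, bindings = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = SEC_LINE.match(line)
        if m:
            profiles.setdefault(m.group(1), []).append(m.group(2).strip())
            continue
        m = VAP_LINE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return profiles, bindings

def lint_commands(commands):
    """Return human-readable findings for one security profile's command list."""
    findings = []
    for cmd in commands:
        words = cmd.split()
        if words[:2] == ["security", "open"]:
            findings.append("open network: no encryption and no authentication")
        if words[:2] == ["security", "wep"]:
            findings.append("WEP is cryptographically broken; replace with WPA2/WPA3")
        if words[:2] == ["security", "wpa"]:
            findings.append("WPA (version 1) is deprecated; use wpa2 or wpa3")
        if any(w in WEAK_CIPHERS for w in words):
            findings.append("TKIP cipher is deprecated; use aes (CCMP)")
    return findings

def suggest(cmd):
    """Return a hardened form of a weak 'security ...' command (unchanged if already fine)."""
    words = cmd.split()
    if words[:2] in (["security", "wep"], ["security", "open"]):
        # <strong-passphrase> is a placeholder the operator must replace.
        return "security wpa2 psk pass-phrase <strong-passphrase> aes"
    if words[:2] == ["security", "wpa"] or any(w in WEAK_CIPHERS for w in words):
        return " ".join("wpa2" if w == "wpa" else "aes" if w in WEAK_CIPHERS else w
                        for w in words)
    return cmd

def lint_config(config_text):
    """Return {vap_name: [finding, ...]} for every VAP that binds a security profile."""
    profiles, bindings = parse_security_profiles(config_text)
    return {vap: lint_commands(profiles.get(profile, [])) for vap, profile in bindings.items()}

if __name__ == "__main__":
    profiles, bindings = parse_security_profiles(SAMPLE_CONFIG)
    for vap, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"VAP {vap}: {'OK' if not findings else '; '.join(findings)}")
        for cmd in profiles[bindings[vap]]:
            if suggest(cmd) != cmd:
                print(f"  weak:     {cmd}\n  hardened: {suggest(cmd)}")
```

Feed it the output of display current-configuration (the prompt prefixes are absent there, so adapt the two regexes to the indented "security ..." lines) and the report tells you, per SSID, which clients are on broken or deprecated protection before the WLAN goes live.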


Reposted from blog.51cto.com/13699905/2607696