Huawei WLAN Security Configuration

1. Basic switch configuration
Configure the VLANs
[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-LoopBack1]ip add 101.101.101.101 32
Configure the gateway address for each VLAN
[SW-Vlanif10]ip add 10.1.10.1 24
[SW-Vlanif11]ip add 10.1.11.1 24
[SW-Vlanif12]ip add 10.1.12.1 24
[SW-Vlanif13]ip add 10.1.13.1 24
2. Basic AC configuration
[AC]vlan batch 10 to 13
[AC-GigabitEthernet0/0/8]port link-type trunk
[AC-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
Check the VLAN configuration (screenshot in the original post)
Configure IP addresses on the Layer 3 interfaces
[AC-Vlanif10]ip add 10.1.10.100 24
[AC-Vlanif11]ip add 10.1.11.100 24
[AC-Vlanif12]ip add 10.1.12.100 24
[AC-Vlanif13]ip add 10.1.13.100 24
Check the Layer 3 interface configuration (screenshot in the original post)
[AC]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 //default route pointing at the switch
Check that the Layer 3 interfaces on the AC and the switch can reach each other (screenshot in the original post)
3. Configure remote login to the AC
[AC]aaa
[AC-aaa]local-user a1 password irreversible-cipher abc@123456
[AC-aaa]local-user a1 service-type telnet
[AC-aaa]local-user a1 privilege level 3
[AC]user-interface vty 0 4
[AC-ui-vty0-4]authentication-mode aaa
<AC>save //save the AC configuration
<SW>telnet 10.1.10.100 //verify the login from the switch
4. Create an AP group
[AC]wlan
[AC-wlan-view]ap-group name ap-group
5. Configure AP onboarding
Enable DHCP to assign IP addresses to the STAs and APs
[AC]dhcp enable
[AC]ip pool ap
[AC-ip-pool-ap]network 10.1.10.0 mask 24
[AC-ip-pool-ap]gateway-list 10.1.10.1
[AC-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100 //option 43 tells the APs the AC address
[AC]ip pool yw1
[AC-ip-pool-yw1]gateway-list 10.1.11.1
[AC-ip-pool-yw1]network 10.1.11.0 mask 24
[AC]ip pool yw2
[AC-ip-pool-yw2]network 10.1.12.0 mask 24
[AC-ip-pool-yw2]gateway-list 10.1.12.1
[AC]ip pool yw3
[AC-ip-pool-yw3]gateway-list 10.1.13.1
[AC-ip-pool-yw3]network 10.1.13.0 mask 24
Enable DHCP on each VLANIF interface
[AC-Vlanif10]dhcp select global
[AC-Vlanif11]dhcp select global
[AC-Vlanif12]dhcp select global
[AC-Vlanif13]dhcp select global
Configure the regulatory domain profile and the AC country code
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain]country-code CN
[AC]capwap source interface Vlanif 10 //CAPWAP source interface of the AC
[AC-wlan-view]ap auth-mode mac-auth //AP authentication mode
Look up the AP MAC addresses (screenshot in the original post)
Import the APs offline on the AC
[AC-wlan-view]ap-mac 00e0-fcb5-30f0 ap-id 0
[AC-wlan-ap-0]ap-group ap-group
[AC-wlan-ap-0]ap-name ap1
[AC-wlan-view]ap-mac 00e0-fc68-7480 ap-id 1
[AC-wlan-ap-1]ap-group ap-group
[AC-wlan-ap-1]ap-name ap2
Check the AP status (screenshot in the original post)
6. Configure WLAN services
Configure the SSID profiles
[AC-wlan-view]ssid-profile name yw1
[AC-wlan-ssid-prof-yw1]ssid yw1
[AC-wlan-view]ssid-profile name yw2
[AC-wlan-ssid-prof-yw2]ssid yw2
[AC-wlan-view]ssid-profile name yw3
[AC-wlan-ssid-prof-yw3]ssid yw3
Configure the VAP profiles: forwarding mode, service VLAN, and the referenced SSID profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]forward-mode direct-forward
[AC-wlan-vap-prof-yw1]service-vlan vlan-id 11
[AC-wlan-vap-prof-yw1]ssid-profile yw1
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]forward-mode direct-forward
[AC-wlan-vap-prof-yw2]service-vlan vlan-id 12
[AC-wlan-vap-prof-yw2]ssid-profile yw2
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]forward-mode tunnel
[AC-wlan-vap-prof-yw3]service-vlan vlan-id 13
[AC-wlan-vap-prof-yw3]ssid-profile yw3
Bind the regulatory domain profile and the VAP profiles to the AP group; radio 0 and radio 1 on every AP use the VAP profile configuration
[AC-wlan-view]ap-group name ap-group
[AC-wlan-ap-group-ap-group]regulatory-domain-profile domain //bind the regulatory domain profile created above
[AC-wlan-ap-group-ap-group]vap-profile yw1 wlan 1 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw2 wlan 2 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw3 wlan 3 radio all
Check the VAP status (screenshots in the original post)
After a wireless client has connected, check the information of the associated users (screenshot in the original post)
Ping LoopBack1 from the wireless client to verify connectivity (screenshot in the original post)
7. Configure WEP authentication
The AC supports six security policies; each VAP profile can reference one of them (screenshot in the original post)
Configure authentication and encryption for yw3: WEP shared-key authentication with 40-bit WEP encryption
[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key wep-40 pass-phrase 0 abc12 //key ID 0; a WEP-40 pass-phrase is exactly 5 ASCII characters
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]security-profile yw3
Check the security profile configuration (screenshot in the original post)
Check the summary of users associated with the specified SSID (screenshot in the original post)
Check the client association details (screenshot in the original post)
8. Configure WPA-PSK authentication
The WPA options supported by the Huawei AC (screenshot in the original post)
Configure authentication and encryption for yw2: WPA1-PSK authentication with TKIP encryption
[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]security-profile yw2
Check the security profile configuration (screenshot in the original post)
Check the summary of associated users (screenshot in the original post)
Check the client association information (screenshot in the original post)
Test connectivity (screenshot in the original post)
9. Configure WPA-EAP authentication
The WLAN EAP authentication architecture needs a client (supplicant), an authenticator, and an authentication server; the authentication server configuration is omitted here
On the switch, configure the gateway for the RADIUS server
[SW]vlan 200
[SW-GigabitEthernet0/0/24]port link-type access
[SW-GigabitEthernet0/0/24]port default vlan 200
[SW]interface Vlanif 200
[SW-Vlanif200]ip address 10.254.1.1 24
Configure the RADIUS server template and the authentication and accounting schemes
[AC]radius-server template rs
[AC-radius-rs]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC-radius-rs]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC-radius-rs]radius-server shared-key cipher rs001@123
[AC-radius-rs]undo radius-server user-name domain-included
Configure the AAA schemes
[AC]aaa
[AC-aaa]authentication-scheme radius
[AC-aaa-authen-radius]authentication-mode radius
[AC-aaa]accounting-scheme radius
[AC-aaa-accounting-radius]accounting-mode radius
[AC-aaa-accounting-radius]accounting realtime 15
[AC-aaa]domain default
[AC-aaa-domain-default]authentication-scheme radius
[AC-aaa-domain-default]radius-server rs
Test the AAA configuration
[AC]test-aaa rs rs001@123 radius-template rs //test user name rs, password rs001@123, against template rs
Configure the access profile
[AC]dot1x-access-profile name yw1
Configure the authentication profile and bind the access profile, the RADIUS authentication scheme, the accounting scheme, and the server template
[AC]authentication-profile name yw1
[AC-authentication-profile-yw1]dot1x-access-profile yw1
[AC-authentication-profile-yw1]authentication-scheme radius
[AC-authentication-profile-yw1]accounting-scheme radius //accounting scheme defined in the AAA view above
[AC-authentication-profile-yw1]radius-server rs
Configure the security profile: CCMP (AES) encryption with 802.1X EAP authentication
[AC]wlan
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
Bind the security profile and the authentication profile in the VAP profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]security-profile yw1
[AC-wlan-vap-prof-yw1]authentication-profile yw1
Verify the result (screenshot in the original post)
[AC]display access-user ssid yw1 //summary of users under the SSID
[AC]display station sta-mac 5489-98AF-2070 //association details of one client
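The three security profiles built in sections 7 to 9 (WEP shared-key, WPA1-PSK with TKIP, WPA2 802.1X with AES) differ sharply in strength. The following Python script is an added example, not part of the original post: it parses `security` commands in the `[AC-wlan-sec-prof-...]` transcript form used above and rates each profile, using the page's own profile names and commands as constructed sample input.

```python
import re

# Constructed sample: the security-profile lines from sections 7 to 9 of
# this page, in the "[prompt]command" form the CLI transcript uses.
SAMPLE_CONFIG = """\
[AC-wlan-sec-prof-yw3]security wep
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
"""

# Prompt of the security-profile view followed by a "security ..." command.
SEC_LINE = re.compile(r"^\[AC-wlan-sec-prof-(?P<name>[^\]]+)\](?P<cmd>security\s.*)$")


def parse_security_profiles(text):
    """Return {profile: tokens of its last 'security' command}.
    The last line wins, which is how the AC applies a repeated command."""
    profiles = {}
    for line in text.splitlines():
        m = SEC_LINE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("cmd").split()
    return profiles


def assess(tokens):
    """Rate one 'security ...' command as (severity, reason)."""
    mode = tokens[1] if len(tokens) > 1 else "open"
    if mode in ("open", "wep"):
        return "critical", "open/WEP: no real confidentiality or integrity"
    if any("tkip" in t for t in tokens):
        return "high", "TKIP cipher enabled (aes-tkip included)"
    if "wpa" in mode.split("-"):          # wpa or wpa-wpa2 mixed mode
        return "high", "WPA1 allowed: deprecated handshake and cipher suite"
    if "dot1x" in tokens:
        return "ok", "802.1X/EAP with AES-CCMP: per-user credentials"
    if "psk" in tokens:
        return "medium", "PSK with AES: one shared secret for all clients"
    return "unknown", "policy not recognised by this check"


def audit(text):
    """Assess every security profile found in a CLI transcript."""
    return {name: assess(tok) for name, tok in parse_security_profiles(text).items()}


if __name__ == "__main__":
    for name, (severity, reason) in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {severity} - {reason}")
```

Run it against a saved `display current-configuration` transcript to spot VAPs that still carry WEP or TKIP before they reach production.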

Reposted from blog.51cto.com/13699905/2620775