Huawei WLAN security configuration

1. Basic configuration of the switch
Configure VLANs
[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-LoopBack1]ip add 101.101.101.101 32
Configure the gateway for each VLAN
[SW-Vlanif10]ip add 10.1.10.1 24
[SW-Vlanif11]ip add 10.1.11.1 24
[SW-Vlanif12]ip add 10.1.12.1 24
[SW-Vlanif13]ip add 10.1.13.1 24
2. Basic configuration of the AC
[AC]vlan batch 10 to 13
[AC-GigabitEthernet0/0/8]port link-type trunk
[AC-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
View vlan configuration
Configure the Layer 3 interface IP addresses
[AC-Vlanif10]ip add 10.1.10.100 24
[AC-Vlanif11]ip add 10.1.11.100 24
[AC-Vlanif12]ip add 10.1.12.100 24
[AC-Vlanif13]ip add 10.1.13.100 24
Check the Layer 3 interface configuration
[AC]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 //Configure the default route to point to the switch
Check whether the AC and the Layer 3 interface on the switch are reachable
3. Configure AC remote login
[AC]aaa
[AC-aaa]local-user a1 password irreversible-cipher abc@123456
[AC-aaa]local-user a1 service-type telnet
[AC-aaa]local-user a1 privilege level 3
[AC]user-interface vty 0 4
[AC-ui-vty0-4]authentication-mode aaa
<AC>save //Save AC configuration
<SW>telnet 10.1.10.100 //Verify on the switch
4. Create AP group
[AC]wlan
[AC-wlan-view]ap-group name ap-group
5. Configure the AP to go online
Enable the DHCP service to assign IP addresses to the STAs and APs
[AC]dhcp enable
[AC]ip pool ap
[AC-ip-pool-ap]network 10.1.10.0 mask 24
[AC-ip-pool-ap]gateway-list 10.1.10.1
[AC-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100
[AC]ip pool yw1
[AC-ip-pool-yw1]gateway-list 10.1.11.1
[AC-ip-pool-yw1]network 10.1.11.0 mask 24
[AC]ip pool yw2
[AC-ip-pool-yw2]network 10.1.12.0 mask 24
[AC-ip-pool-yw2]gateway-list 10.1.12.1
[AC-ip-pool-yw2]ip pool yw3
[AC-ip-pool-yw3]gateway-list 10.1.13.1
[AC-ip-pool-yw3]network 10.1.13.0 mask 24
Under each vlanif interface, enable DHCP
[AC-Vlanif10]dhcp select global
[AC-Vlanif11]dhcp select global
[AC-Vlanif12]dhcp select global
[AC-Vlanif13]dhcp select global
Configure the regulatory domain profile and the AC country code
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain]country-code CN
[AC]capwap source interface Vlanif 10 //Configure AC source interface
[AC-wlan-view]ap auth-mode mac-auth //Configure AP authentication mode
Check the AP MAC address
Import the AP offline on the AC
[AC-wlan-view]ap-mac 00e0-fcb5-30f0 ap-id 0
[AC-wlan-ap-0]ap-group ap-group
[AC-wlan-ap-0]ap-name ap1
[AC-wlan-view]ap-mac 00e0-fc68-7480 ap-id 1
[AC-wlan-ap-1]ap-group ap-group
[AC-wlan-ap-1]ap-name ap2
Check AP status
6. Configure WLAN service
Configure the SSID profiles
[AC-wlan-view]ssid-profile name yw1
[AC-wlan-ssid-prof-yw1]ssid yw1
[AC-wlan-view]ssid-profile name yw2
[AC-wlan-ssid-prof-yw2]ssid yw2
[AC-wlan-ssid-prof-yw2]ssid-profile name yw3
[AC-wlan-ssid-prof-yw3]ssid yw3
Configure the VAP profiles: service data forwarding mode, service VLAN, and the referenced SSID profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]forward-mode direct-forward
[AC-wlan-vap-prof-yw1]service-vlan vlan-id 11
[AC-wlan-vap-prof-yw1]ssid-profile yw1
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]forward-mode direct-forward
[AC-wlan-vap-prof-yw2]service-vlan vlan-id 12
[AC-wlan-vap-prof-yw2]ssid-profile yw2
[AC-wlan-vap-prof-yw2]vap-profile name yw3
[AC-wlan-vap-prof-yw3]forward-mode tunnel
[AC-wlan-vap-prof-yw3]service-vlan vlan-id 13
[AC-wlan-vap-prof-yw3]ssid-profile yw3
Configure the AP group to reference the regulatory domain profile and the VAP profiles; radios 0 and 1 on the AP use the configuration of the VAP profiles
[AC-wlan-ap-group-ap-group]vap-profile yw1 wlan 1 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw2 wlan 2 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw3 wlan 3 radio all
View the status of vap
After connecting the wireless terminal, check the associated user information
Verify by pinging the LoopBack1 interface from the wireless terminal
7. Configure WEP authentication
The AC supports six types of security policy; each VAP profile can call one
Configure the authentication method and encryption for yw3: the authentication method is WEP share-key, and the encryption is WEP 40-bit
[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]security-profile yw3
View the security profile configuration
View the summary information of the associated users under the specified ssid
View the detailed terminal related information
8. Configure WPA PSK authentication
WPA options supported by the Huawei AC
Configure the authentication and encryption of yw2: the authentication method is WPA1-PSK, and the encryption method is TKIP
[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]security-profile yw2
View security profile configuration
View associated user summary information
View terminal associated information
Test connectivity
9. Configure WPA EAP authentication
The WLAN EAP authentication architecture requires a client, an authenticator, and an authentication server; the configuration of the authentication server's functions is omitted
Configure the RADIUS server gateway address on the switch
[SW]vlan 200
[SW-GigabitEthernet0/0/24]port link-type access
[SW-GigabitEthernet0/0/24]port default vlan 200
[SW]interface Vlanif 200
[SW-Vlanif200]ip address 10.254.1.1 24
Configure the RADIUS authentication server and the authentication and accounting schemes
[AC]radius-server template rs
[AC-radius-rs]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC-radius-rs]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC-radius-rs]radius-server shared-key cipher rs001@123
[AC-radius-rs]undo radius-server user-name domain-included
Configure the AAA schemes
[AC]aaa
[AC-aaa]authentication-scheme radius
[AC-aaa-authen-radius]authentication-mode radius
[AC-aaa]accounting-scheme radius
[AC-aaa-accounting-radius]accounting-mode radius
[AC-aaa-accounting-radius]accounting realtime 15
[AC-aaa]domain default
[AC-aaa-domain-default]authentication-scheme radius
[AC-aaa-domain-default]radius-server rs
Test the AAA configuration
[AC]test-aaa rs rs001@123 radius-template rs
Configure the access profile
[AC]dot1x-access-profile name yw1
Configure the authentication profile and bind the access profile, the RADIUS authentication scheme, the accounting scheme, and the RADIUS server template used for authentication
[AC]authentication-profile name yw1
[AC-authentication-profile-yw1]dot1x-access-profile yw1
[AC-authentication-profile-yw1]authentication-scheme radius
[AC-authentication-profile-yw1]radius-server rs
Configure the security profile: define the encryption method as CCMP and the authentication method as dot1x EAP
[AC]wlan
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
Reference the security profile and the authentication profile in the VAP profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]security-profile yw1
[AC-wlan-vap-prof-yw1]authentication-profile yw1
Verify the configuration results
[AC]display access-user ssid yw1 //View user summary information under ssid
[AC]display station sta-mac 5489-98AF-2070 // View detailed information associated with the terminal
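
Added example (not from the original post and not a Huawei tool): a small Python audit that reads AC CLI lines like those in sections 3 and 7 to 9 and reports which VAP profiles end up bound to WEP, WPA1 or TKIP, all deprecated in current 802.11, and which local users allow Telnet. The sample input is constructed from the commands on this page; the rule list and the function name `audit` are illustrative assumptions, not a complete policy.

```python
import re

# Constructed input: security-related lines copied from sections 3 and 7-9 of this page.
SAMPLE = """
[AC-aaa]local-user a1 service-type telnet
[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]security-profile yw1
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]security-profile yw2
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]security-profile yw3
"""

# (regex on a "security ..." command, finding). Illustrative rules, not exhaustive.
WEAK = [
    (r"^security wep\b", "WEP (static RC4 key)"),
    (r"^security wpa\b", "WPA1"),
    (r"\btkip\b", "TKIP cipher"),
]

def audit(config):
    """Return sorted (object, finding) pairs for weak settings in AC CLI lines."""
    sec, bound, findings, ctx = {}, {}, set(), None
    for raw in config.splitlines():
        # Drop the "[view]" or "<view>" prompt and any trailing // comment.
        cmd = re.sub(r"^\s*[\[<][^\]>]*[\]>]\s*", "", raw).split("//")[0].strip()
        m = re.match(r"(security|vap)-profile name (\S+)$", cmd)
        if m:
            ctx = (m.group(1), m.group(2))   # entering a profile definition
        elif ctx and ctx[0] == "security" and cmd.startswith("security "):
            sec.setdefault(ctx[1], []).extend(t for p, t in WEAK if re.search(p, cmd))
        elif ctx and ctx[0] == "vap" and re.match(r"security-profile (\S+)$", cmd):
            bound[ctx[1]] = cmd.split()[1]   # VAP profile -> security profile
        elif re.search(r"\bservice-type\b.*\btelnet\b", cmd):
            findings.add(("local-user " + cmd.split()[1], "Telnet management (cleartext)"))
    for vap, prof in bound.items():
        for issue in sec.get(prof, []):
            findings.add(("vap-profile " + vap, f"{issue} via security-profile {prof}"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE):
        print(f"{obj}: {finding}")
```

On the sample, yw2 and yw3 are reported and yw1 (WPA2 with 802.1X and AES) is not.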


Origin blog.51cto.com/13699905/2620775