Enterprise WLAN Solution V100R001C00. Deployment Guide. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.


All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen, People's Republic of China
Website:
support@huawei.com

Contents

1 Enterprise WLAN Solution Overview
Introduction to the WLAN Technology
Concepts
Advantages and Disadvantages
WLAN Architecture
Enterprise WLAN Solution
Middle- or Large-scale Campus Network WLAN Solution
Small-scale Campus Network Solution
SOHO WLAN Solution
Branch WLAN Solution
Overview
Introduction to Independent AC Deployment
Typical Networking
Applicable Products and Versions
Deployment Roadmap
Configuring ACs and APs for Network Layer Connectivity
Configuring an AP to Discover an AC
Overview
Configuring Option 43 for AC Discovery
Configuring DHCP Option 15 and DNS for AC Discovery
Configuring an AC
Configuring Basic AC Attributes
Configuring AP Attributes on the AC
Configuring the WLAN Radio Environment
Configuring an ESS
Configuring a VAP and Delivering the VAP to an AP
Configuring NAC
NAC Overview
Configuring AAA
Configuring Web Authentication
Configuring 802.1x Authentication
2.6 Configuring a TSM Server
Overview
Configuring a Common Account
Synchronizing Accounts in the Microsoft AD Domain Controller to the TSM Manager by OU
Configuring Web Authentication
Configuring 802.1x Authentication
Configuring STAs
Configuring a WLAN
Configuring the Authentication Client
Configuration Examples
Integrated AC Deployment
Overview
Introduction to Integrated AC Deployment
Typical Networking
Applicable Products and Versions
Deployment Roadmap
Configuring ACs and APs for Network Layer Connectivity
Configuring an AP to Discover an AC
Overview
Configuring DHCP Option 43 for AC Discovery
Configuring DHCP Option 15 and DNS for AC Discovery
Configuring an AC
Configuring Basic AC Attributes
Configuring AP Attributes on the AC
Configuring the WLAN Radio Environment
Configuring an ESS
Configuring a VAP and Delivering the VAP to an AP
Configuring NAC
Configuring the TSM Server
Configuring STAs
Configuration Examples
WLAN Network Management
esight Overview
Introduction to the esight
Typical Networking
Applicable Products and Versions
Deployment Roadmap
Configuring the WLAN Service
Creating and Configuring an AC
Configuring an AP Region
Configuring Profiles
Enabling an AP to Go Online
Monitoring the WLAN Service
Viewing the WLAN Summary
Viewing AC Information
Viewing AP Information
Viewing STA Information
Viewing SSID Information
Viewing Information About a Rogue AP

1 Enterprise WLAN Solution Overview

1.1 Introduction to the WLAN Technology

Concepts

A wireless local area network (WLAN) is a network that uses wireless channels such as radio waves, laser, and infrared rays to replace some or all transmission media on a wired LAN. In a narrow sense, a WLAN is a LAN using high radio frequency signals (for example, 2.5 GHz or 5 GHz) as transmission channels.

A WLAN complies with various standards, for example, Bluetooth, the IEEE 802.11 series, and HiperLAN2. As the technologies develop, 802.11 standards have become the mainstream standards used on WLANs because 802.11-compliant devices are simple, reliable, flexible to use, easy to install, and movable, and have high throughput. In this document, the WLAN technology complies with 802.11 standards.

IEEE 802.11 is a series of WLAN communication standards. It includes 802.11, 802.11a, 802.11b, 802.11e, 802.11g, 802.11i, and 802.11n. 802.11b is also called the Wi-Fi standard.

Advantages and Disadvantages

Advantages

WLAN has the following advantages:
- Flexible usage: Wireless access is not restricted by positions of cables and ports. WLANs are especially applicable in public places such as office buildings, airports, resorts, and hotels.
- Low network construction costs and convenient communication: WLAN saves the costs on cables between terminals and switching devices, so it can provide network access in places where network cables are difficult to deploy, such as tunnels, docks, and highways.
- High efficiency: Users can connect to a WLAN anytime and anywhere, for example, in sports stadiums, exhibition halls, production workshops, and logistics.

Disadvantages

WLAN has the following disadvantages:

- Low performance: A WLAN uses radio waves to transmit data. Radio waves are transmitted by wireless transmission devices. Buildings, vehicles, trees, and other obstacles may block radio waves, making network performance deteriorate.
- Low rate: The transmission rate of radio channels is much lower than that of wired channels such as fibers. Currently, the highest transmission rate on a WLAN is 600 Mbit/s (802.11n).
- Low security: Radio waves do not require a dedicated channel to be set up and propagate openly, so signals are easy to intercept anywhere within the propagation range, causing information leakage.

WLAN Architecture

An 802.11 WLAN consists of the following components:
- Station (STA): access terminal, such as a computer, mobile phone, or PDA.
- Access point (AP): provides wired connections to upstream devices and wireless access to downstream STAs. An AP connects the wired and wireless networks.
- Access controller (AC): implements radio management, user authentication, and security management for APs. An AC uses the Control and Provisioning of Wireless Access Points (CAPWAP) protocol to manage APs.

A WLAN uses autonomous architecture or centralized architecture.

Autonomous Architecture

In autonomous architecture, fat APs are used to implement all wireless access functions, and no AC is required.

Figure 1-1 Autonomous architecture

The autonomous architecture was widely used in the early days. As a large number of APs are deployed, AP configuration and software upgrades bring high costs. Therefore, this architecture is used in fewer applications.

Centralized Architecture

In centralized architecture, an AC manages and controls multiple APs (fit APs) in a centralized manner, as shown in Figure

Figure 1-2 Centralized architecture

In centralized architecture, the AC and APs implement wireless access. The AC implements functions including mobility management, identity verification, VLAN assignment, radio resource management, wireless Intrusion Detection System (IDS), and data packet forwarding. APs control air interfaces, including radio signal transmission and probe response, data encryption and decryption, data transmission acknowledgement, and data priority management. The AC and APs use CAPWAP to communicate with each other. They can be directly connected or connected across a Layer 2 or Layer 3 network.

The centralized architecture is the mainstream architecture of enterprise networks and carrier networks because it allows for centralized management, authentication, and security management. The following WLAN solutions use the centralized architecture.

1.2 Enterprise WLAN Solution

WLAN solutions are deployed based on factors such as the size and type of enterprises and organizations.

Middle- or Large-scale Campus Network WLAN Solution

A middle- or large-scale campus network is deployed in the headquarters of a middle- or large-scale enterprise, large-scale branch, university, or airport. On a large-scale campus network, a large number of APs are deployed. To facilitate network operation and maintenance and ensure security, the centralized architecture is used. There are two solutions based on the AC deployment mode: centralized AC solution and distributed AC solution.

Centralized AC Solution

The centralized AC solution deploys independent ACs in a centralized manner to control APs on the network. An AC can be deployed in chain mode (between an AP and an aggregation/core switch) or in branched mode (the AC is connected to only the aggregation/core switch):

- The chain mode applies to new networks or networks using Huawei aggregation/core devices.
- The branched mode applies to networks using non-Huawei aggregation/core devices.

Figure 1-3 shows the centralized AC solution on a middle- or large-scale campus network. (The branched mode is used as an example.)

Figure 1-3 Centralized AC solution

Distributed AC Solution

The distributed AC solution uses multiple ACs in different areas. Each AC manages APs in its own area. This solution integrates AC functions on aggregation switches to manage all the APs connected to the aggregation switches, but does not use independent ACs. Figure 1-4 shows the distributed AC solution.

Figure 1-4 Distributed AC solution

Small-scale Campus Network Solution

A small-scale campus network is deployed in a middle- or small-scale enterprise. Its WLAN deployment scale is smaller than that on a large-scale campus network and is greater than that on a SOHO network. To reduce costs, a small-scale campus network does not use specialized NMS devices or authentication servers, resulting in low reliability.

A small-scale campus network often uses the centralized AC solution that deploys independent ACs or switches with AC functions. In Figure 1-5, the aggregation switch integrates AC functions.

Figure 1-5 WLAN solution on a small-scale campus network

SOHO WLAN Solution

The SOHO WLAN solution applies to independent small-scale networks, for example, a small-scale enterprise, store, cafe bar, SOHO office, or enterprise branch where WLAN services are deployed independently. A SOHO WLAN does not use independent authentication servers or NMS devices.

The SOHO WLAN solution often uses the autonomous architecture. Huawei AR routers or non-Huawei fat APs can be used in this architecture.

Figure 1-6 SOHO WLAN solution

CAUTION
If AR routers are used as fat APs, configure the AR routers according to the AR router documentation.

Branch WLAN Solution

The branch WLAN solution applies to the scenario where WLANs are deployed at the headquarters and branches and the headquarters needs to manage branch WLANs. Large-scale and small-scale branch WLAN solutions are defined based on the AC deployment mode but not the network size.

Figure 1-7 Large-scale branch WLAN solution

Figure 1-8 Small-scale branch WLAN solution

CAUTION
The following sections describe a large- or middle-scale campus network WLAN solution that uses an independent AC or a device integrating AC functions. The configuration provided in this document can be used as a reference for different types of enterprise networks. For example, if a small-scale campus network does not require a TSM server or NMS server, skip the configuration of the TSM server or NMS server.

2.1 Overview

Introduction to Independent AC Deployment

A WLAN involves two key components: AP and AC. The independent AC solution uses an AC (such as the WS6603) connected to a gateway in chain mode or branched mode to manage all the APs.
- In chain mode, an AC is deployed between an AP and a user gateway (aggregation or core switch) to manage all the APs.
- In branched mode, an AC is deployed at the side of a user gateway (aggregation or core switch) to manage all the APs connected to the user gateway.

The independent AC solution is used in centralized architecture. It provides large capacity and high performance, but costs more than the integrated AC solution. Select the AC solution according to the enterprise's requirements.

Typical Networking

Figure 2-1 shows typical networking of the independent AC solution.

Figure 2-1 Typical networking of the independent AC solution

The independent AC solution uses fit APs (for example, WA603DN) to connect to STAs. An independent AC (WS6603) is deployed at the side of the user gateway (aggregation or core switch) to manage all the APs connected to the user gateway.

A TSM server authenticates access users and controls user rights:
- If a user is not authenticated or fails to be authenticated, the user is allowed to access only the pre-authentication domain.
- If a user is authenticated but fails security check, the user is allowed to access the isolation domain.
- If a user is authenticated and passes security check, the user is allowed to access the post-authentication domain.

The independent AC solution uses the specialized enterprise NMS esight for network management.

Applicable Products and Versions

Table 2-1 Applicable products and versions

Component | Product | Version
--- | --- | ---
AP | WA603SN, WA603DN, WA633SN, WA653SN, WA653DN, WA653EN | V100R003C01
AC | WS6603 | V100R003C05
Access switch | Non-specific (S2700/S3700 is recommended) | Non-specific
Aggregation switch | Non-specific (S5700/S9300 is recommended) | Non-specific
NAC server | TSM | V100R002C06
NMS server | esight | V200R001C00
DHCP server | Non-specific (external DHCP server, or built-in DHCP server of the switch or AC) | Non-specific
DNS server | Non-specific | Non-specific

Deployment Roadmap

Prerequisites

- Each network element or component has been installed, commissioned, and connected using cables, and each network element has been powered on and works properly.
- The operating system and TSM software have been installed on the TSM server.
- The operating system and the esight software have been installed on the esight server.
- The VLAN IDs, SSIDs, and IP addresses have been planned.

Configuration Roadmap

- Configure interfaces, VLAN IDs, IP addresses, and routes for network elements or components.
  Precautions: None.
- Configure the mode in which an AP discovers an AC. An AP can discover an AC in the following modes:
  - An AP obtains the AC's IP address through Option 43 in a DHCP Reply packet from the DHCP server.
  - An AP obtains the AC's DNS domain name through Option 15 in a DHCP Reply packet from the DHCP server, and then sends a DNS request packet to the DNS server to obtain the AC's IP address.
  Precautions:
  - Option 43 carrying the AC's IP address must be configured on the DHCP server.
  - Option 15 carrying the AC's DNS domain name must be configured on the DHCP server. A DNS server must be configured and the mapping between the AC domain name and the IP address must be configured on the DNS server.
- Configure an AC to manage APs.
  - Configure basic AC attributes.
  - Configure AP attributes on the AC.
  - Configure the WLAN radio environment.
  - Configure an extended service set (ESS).
  - Configure a VAP and deliver the VAP to APs.
  Precautions: For details about the AC configuration procedure, see Figure
- (Optional) Configure NAC on the service gateway to authenticate and authorize WLAN users.
  Precautions:
  - Configure AAA, a domain that users belong to, authentication and authorization modes, and the AAA server.
  - Configure 802.1x authentication on the access switch or web authentication on the aggregation switch.
- (Optional) Configure the terminal security management (TSM) server.
  - Configure the authentication server (web or 802.1x authentication server) to authenticate terminals.
  - Configure information about the isolation domain and post-authentication domain.
  - Configure a policy profile and apply the policy profile to the user domain.
  - Configure user accounts including common accounts, MAC accounts, AD accounts, and LDAP accounts, and configure the isolation domain and post-authentication domain for the user accounts to control user rights.
  Precautions:
  - The DHCP server, DNS server, and TSM server belong to the pre-authentication domain. The patch server or antivirus server belongs to the isolation domain. Other application servers belong to the post-authentication domain.
  - If a common account is configured, configure the user name and password on the TSM server. If an AD account is configured, deploy a domain control server and configure the user name and password on the server. Then synchronize the account to the TSM server.
- Configure a mobile terminal that has the 802.1x client software (for example, 802.1x dialup software) installed.
  Precautions:
  - If web authentication is used, you do not need to perform configurations on the terminals. (Some systems may provide the web client.)
  - If 802.1x authentication is used, install the 802.1x client software.
  - If the TSM is used as the authentication server, the client must use the TSM agent. The TSM agent provides the web or 802.1x client.
- (Optional) Use the esight to manage the WLAN.
  Precautions: You can use the esight to view the following information:
  - WLAN summary
  - Status of and basic information about all ACs
  - Detailed information about a specified AC
  - AC alarm information
  - AC performance indicators
  For details, see chapter 4 "WLAN Network Management."

Figure 2-2 AC configuration procedure in the independent AC solution

2.2 Configuring ACs and APs for Network Layer Connectivity

Configure interfaces, VLAN IDs, IP addresses, and routes on network devices and configure IP addresses on servers so that terminals, network devices, and servers can communicate at the network layer. The detailed configuration procedure is not described here. See the corresponding product documentation.

2.3 Configuring an AP to Discover an AC

Overview

After a fit AP goes online, it must obtain the AC's IP address to obtain parameters from the AC. An AP discovers an AC in the following modes:

- Broadcast mode
  The AP broadcasts a CAPWAP request to all the ACs. After an AC sends a response message, a CAPWAP tunnel is set up between the AC and AP. In this mode, you do not need to perform any configuration on the AC.
- DHCP Option 43
  The AP sends a DHCP Request packet to a DHCP server to obtain an IP address. The DHCP server sends a DHCP Reply packet that carries the allocated IP address and the AC's IP address in Option 43.
- DHCP Option 15 and DNS
  The AP sends a DHCP Request packet to a DHCP server to obtain an IP address. The DHCP server sends a DHCP Reply packet that carries the allocated IP address and the AC's DNS domain name in Option 15. The AP sends a DNS request to a DNS server. Then the DNS server resolves the DNS domain name into the AC's IP address and sends a response carrying the AC's IP address to the AP.

Table 2-2 lists the comparisons between AC discovery modes.

Table 2-2 Comparisons between AC discovery modes

Mode | Deployment Requirement | Advantage | Disadvantage | Applicable Network
--- | --- | --- | --- | ---
Broadcast mode | None. | There is no special requirement for the existing network. | It can only be applied to Layer 2 networks composed of APs/ACs. | Small-scale WLAN and Layer 2 networks composed of APs/ACs
Option 43 | Option 43 must be enabled on the DHCP server. | It is applied to any network composed of APs/ACs. | There are deployment requirements for the network. | Middle- or large-scale WLAN and Layer 2 or Layer 3 networks composed of APs/ACs
Option 15 + DNS | A DNS server must be deployed and Option 15 must be enabled on the DHCP server. | It is applied to any network composed of APs/ACs. | There are deployment requirements for the network. | Middle- or large-scale WLAN and Layer 2 or Layer 3 networks composed of APs/ACs

2.3.2 Configuring Option 43 for AC Discovery

Background

In this mode, you must configure Option 43 on the DHCP server in addition to the IP address segment and IP address pool. You can use an external DHCP server or the built-in DHCP server on a switch or an AC. Here, the built-in DHCP server on the AC (WS6603) is used as an example.

Procedure

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the interface vlanif vlan-id command to create a VLANIF interface.
4. Run the ip address ip-address mask command to configure an IP address for the VLANIF interface.
5. Run the wlan ac command to enter the WLAN-AC mode.
6. Run the wlan ac source interface vlanif vlan-id command to specify the IP address of the source interface on the AC.
7. Run the ip-pool pool-name command to create an IP address pool.
8. Run the gateway ip-address mask command to configure a gateway IP address for the IP address pool.
9. Run the section section-id start-ip-address end-ip-address command to configure an IP address segment.
10. Run the option 43 string text command to configure the DHCP server to advertise the AC's IP address using DHCP Option 43.

CAUTION
The content of Option 43 must be HuaweiAC-X.X.X.X, where X.X.X.X indicates the IP address of the AC. If multiple IP addresses are used, the content of Option 43 is HuaweiAC-X.X.X.X,X.X.X.X, with adjacent IP addresses separated by a comma (,).
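Because an AP takes its controller address from whatever Option 43 carries, the string configured in each address pool is worth checking against the list of ACs that are meant to manage APs. The following Python check is an added example, not part of the Huawei guide: it parses the HuaweiAC-X.X.X.X[,X.X.X.X] format described above and reports pools that are malformed or that advertise an address outside an approved list. Pool names, addresses, and the approved list are constructed sample data, and matching the prefix case-sensitively is an assumption.

```python
import ipaddress

PREFIX = "HuaweiAC-"  # literal prefix the guide requires in Option 43


class Option43Error(ValueError):
    """The string does not follow HuaweiAC-X.X.X.X[,X.X.X.X...]."""


def parse_option43(text):
    """Return the AC IPv4 addresses carried in an Option 43 string, in order."""
    # Assumption: the prefix must match exactly, including case.
    if not text.startswith(PREFIX):
        raise Option43Error(f"missing {PREFIX!r} prefix")
    acs = []
    for field in text[len(PREFIX):].split(","):
        # The guide separates addresses with a bare comma, so an empty
        # field or padding around an address is treated as malformed.
        if not field or field != field.strip():
            raise Option43Error(f"empty or padded address field {field!r}")
        try:
            addr = ipaddress.IPv4Address(field)
        except ipaddress.AddressValueError as exc:
            raise Option43Error(f"not an IPv4 address: {field!r}") from exc
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            raise Option43Error(f"not usable as an AC address: {addr}")
        if addr in acs:
            raise Option43Error(f"duplicate AC address: {addr}")
        acs.append(addr)
    return acs


def audit_pools(pools, approved_acs):
    """Map each pool name to a list of findings; an empty list means clean.

    pools: mapping of pool name -> configured Option 43 string.
    approved_acs: iterable of AC source addresses APs are allowed to join.
    """
    approved = {ipaddress.IPv4Address(a) for a in approved_acs}
    report = {}
    for name, option43 in pools.items():
        try:
            advertised = parse_option43(option43)
        except Option43Error as exc:
            report[name] = [f"malformed Option 43: {exc}"]
            continue
        report[name] = [
            f"unapproved AC address: {addr}"
            for addr in advertised
            if addr not in approved
        ]
    return report


# Constructed sample data (not taken from the guide).
APPROVED_ACS = ["10.23.100.1", "10.23.100.2"]
SAMPLE_POOLS = {
    "ap-mgmt-hq": "HuaweiAC-10.23.100.1,10.23.100.2",
    "ap-mgmt-branch": "HuaweiAC-10.23.100.1,192.0.2.66",
    "ap-mgmt-lab": "huaweiac-10.23.100.1",
    "ap-mgmt-warehouse": "HuaweiAC-10.23.100.1, 10.23.100.2",
}

if __name__ == "__main__":
    for pool, findings in audit_pools(SAMPLE_POOLS, APPROVED_ACS).items():
        print(pool, "OK" if not findings else "; ".join(findings))
```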

2.3.3 Configuring DHCP Option 15 and DNS for AC Discovery

Background

You must configure Option 15 on the DHCP server in addition to the IP address segment and IP address pool. You also need to specify the DNS server to resolve the AC's domain name into the IP address. You can use an external DHCP server or the built-in DHCP server on a switch or an AC. Here, the built-in DHCP server on the AC (WS6603) is used as an example. For details about the DNS server deployment and configuration, see the corresponding documents.

Procedure

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the interface vlanif vlan-id command to create a VLANIF interface.
4. Run the ip address ip-address mask command to configure an IP address for the VLANIF interface.
5. Run the wlan ac command to enter the WLAN-AC mode.
6. Run the wlan ac source interface vlanif vlan-id command to specify the IP address of the source interface on the AC.
7. Run the ip-pool pool-name command to create an IP address pool.
8. Run the gateway ip-address mask command to configure a gateway IP address for the IP address pool.
9. Run the section section-id start-ip-address end-ip-address command to configure an IP address segment.
10. Run the dns-suffix suffix-content command to configure the DNS suffix for the IP address pool.
11. Run the dns-server ip-address [ secondary third ] command to configure the DNS server address for the IP address pool.

2.4 Configuring an AC

Configuring Basic AC Attributes

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac-global { carrier id { cmcc ctc cuc other } ac id ac-id } * command to configure the AC ID and carrier ID.

4. Run the wlan ac command to enter the WLAN-AC mode.
5. Run the wlan ac source interface { loopback loopback-num vlanif vlanif-num } command to configure the loopback or VLANIF interface address as the source IP address of the AC.

You must specify the source IP address of each AC so that all APs connected to the AC can learn this IP address.

Configuring AP Attributes on the AC

Configuring Common Attributes of APs

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the ap-type { id type-id type ap-type }* command to configure an AP type.
5. Run the max-sta-num max-sta-num command to set the maximum number of APs allowed by an AC.
6. Run the ap-update mode { ftp-mode ac-mode } command to configure the AP upgrade mode.
7. Run the ap-update update-filename filename ap-type type-id command to specify the AP upgrade file.
   - When the AC mode is used, upload the upgrade file to the AC.
   - When the FTP mode is used, run the ap-update ftp-server server-ip-address [ ftp-username ftp-username ftp-password ftp-password ] * command to configure the FTP server's IP address, FTP user name, and password.

Adding APs to the Blacklist and Whitelist

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the ap-whitelist { mac ap-mac1 [ to ap-mac2 ] sn ap-sn1 [ to ap-sn2 ] } command to add the MAC address or SN of an authorized AP to the whitelist. You can add MAC addresses or SNs of authorized APs in batches.
5. Run the ap-blacklist { mac ap-mac1 [ to ap-mac2 ] sn ap-sn1 [ to ap-sn2 ] } command to add the MAC address or SN of an unauthorized AP to the blacklist. You can add MAC addresses or SNs of authorized APs in batches.

(Optional) Configuring an AP Offline

After the common attributes of APs, the whitelist, and the blacklist are configured, an AC discovers APs automatically when the APs go online. You can also add APs to the AC offline.

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the ap-auth-mode auth-mode command to set the AP authentication mode to MAC address authentication or SN authentication.
5. Run the ap id ap-id [ { type-id type-id ap-type ap-type } { mac ap-mac sn ap-sn } *] command to add an AP offline.
6. (Optional) Run the region-id region-id command to add the AP to a region.
7. (Optional) Run the profile-id profile-id command to bind the AP to an AP profile.
8. (Optional) Run the cpu warn-threshold threshold-num command to set the alarm threshold of the CPU usage for the AP.
9. (Optional) Run the mem warn-threshold threshold-num command to set the alarm threshold of the memory usage for the AP.

Configuring an AC to Automatically Discover APs

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. (Optional) Run the ap-type { id type-id type ap-type }* command to create an AP type.
5. Run the ap-auth-mode auth-mode command to configure the AP authentication mode. The system supports MAC address authentication, SN authentication, and non-authentication.

(Optional) Confirming APs' Identities

If an AP is not in the whitelist, the AP is in unauthorized state after going online. To authorize the AP, confirm the AP's identity on the AC.

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the ap-confirm { all { mac ap-mac sn ap-sn } [ id ap-id ] } command to confirm the AP's identity.

After the AP's identity is confirmed, the MAC address or SN of the AP is added to the whitelist. The AP is added to the default region and bound to the default AP profile, and its attributes retain the default values. The AP then enters the normal state.

Configuring the WLAN Radio Environment

Configuring a WMM Profile

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the wmm-profile { id profile-id name profile-name }* command to configure a WMM profile.
5. Run the wmm enable command to enable WMM.
6. Run the wmm mandatory enable command to enable mandatory WMM.
7. (Optional) Run the wmm edca client { ac-vo ac-vi ac-be ac-bk } { aifsn aifsn-value ecw ecwmin ecwmin-value ecwmax ecwmax-value txoplimit txoplimit-value }* command to set EDCA parameters for the four WMM queues of a STA.
8. (Optional) Run the wmm edca ap { ac-vo ac-vi ac-be ac-bk } { aifsn aifsn-value ecw ecwmin ecwmin-value ecwmax ecwmax-value txoplimit txoplimit-value ack-policy { normal noack } }* command to set EDCA parameters for the four WMM queues of an AP.

Configuring a Radio Profile and Binding a WMM Profile to the Radio Profile

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the radio-profile { id profile-id name profile-name }* command to configure a radio profile.
5. (Optional) Run the radio-type { 80211a 80211an 80211gn 80211b 80211bg 80211bgn 80211g 80211n } command to configure the radio type.
6. (Optional) Run the power-mode { auto fixed } command to configure the radio power mode.
7. (Optional) Run the channel-mode { auto fixed } command to configure the channel mode.
8. Run the wmm-profile { id profile-id name profile-name } command to bind a WMM profile to a radio profile.

A radio profile can be applied to a radio only after a WMM profile is bound to the radio profile.

Applying a Radio Profile to a Radio

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the ap ap-id radio radio-id command to enter the radio mode.
5. Run the bind radio-profile { id profile-id name profile-name } command to bind a radio profile to the radio.

(Optional) Configuring AP Radio Resource Management

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the radio-profile { id profile-id name profile-name }* command to configure a radio profile.
5. Run the channel-mode auto command to configure the automatic channel mode for the radio profile. In this mode, an AP automatically selects a channel for a radio based on the WLAN radio environment.
6. Run the power-mode auto command to configure the automatic power mode for the radio profile. In this mode, an AP automatically sets the transmit power for a radio based on the WLAN radio environment.
7. Run the calibrate-interval calibrate-interval command to set the calibration interval and enable partial radio calibration.
8. Manually enable global radio calibration in an AP region.
   a. Run the quit command to return to the WLAN mode.
   b. Run the calibrate startup region region-id [ listen-uncontrol-neighbor ] command to enable global radio calibration in an AP region.
   c. Run the calibrate auto-startup region region-id time time [ listen-uncontrol-neighbor ] command to enable scheduled radio calibration in an AP region.

(Optional) Configuring an AP Load Balancing Group

1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the load-balance-group { name group-name id group-id }* command to create a load balancing group.

5. Run the member ap-id ap-id radio-id radio-id command to add a radio to the load balancing group.
6. Set the load balancing mode.
   - Run the traffic gap gap-threshold command to set the load balancing mode to traffic mode.
   - Run the session gap gap-threshold command to set the load balancing mode to session mode.
   By default, the session mode is used for load balancing.
7. Run the associate-threshold associate-threshold command to set the threshold for the number of association requests.

Configuring an ESS

Configuring a Security Profile
1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the security-profile { id profile-id name profile-name }* command to configure a security profile.
5. Configure a security policy.
   WEP open system authentication
   - Run the security-policy wep command to configure a WEP security policy.
   - Run the wep authentication-method open-system [ data-encrypt ] command to configure WEP open system authentication.
   WEP shared key authentication
   - Run the security-policy wep command to configure a WEP security policy.
   - Run the wep authentication-method share-key command to configure WEP shared key authentication.
   - Run the wep key { wep-40 wep-104 } { pass-phrase hex } key-id key-value command to configure the WEP shared key.
   - Run the wep default-key key-id command to set the WEP key ID.
   WPA/WPA2 authentication
   - Run the security-policy wep command to configure a WEP security policy.
   - Run the { wpa wpa2 } authentication-method dot1x { peap tls } encryption-method { tkip ccmp } command to configure 802.1x authentication and the corresponding encryption mode for the WPA/WPA2 policy.
   - Run the { wpa wpa2 } authentication-method psk { pass-phrase hex } key encryption-method { tkip ccmp } command to configure shared key authentication and the corresponding encryption mode for the WPA/WPA2 policy.
   WAPI authentication
   - Run the security-policy wapi command to configure a WAPI security policy.

   - Run the wapi authentication-method { certificate psk { pass-phrase hex } key } command to configure the authentication mode for the WAPI security policy.
   - Run the wapi import certificate { ac asu issuer } file-name file-name command to import the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file.
   - Run the wapi import private-key file-name file-name command to import the AC private key file.
   - Run the wapi asuip ip-address command to configure the ASU server's IP address.

Configuring a Traffic Profile
1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the traffic-profile { name profile-name id profile-id }* command to configure a traffic profile.
5. (Optional) Run the 8021p { designate value up-mapping value0 value1 value2 value3 value4 value5 value6 value7 } command to set the 802.1p priority of the packets sent from an AP to an AC.
6. (Optional) Run the 8021p-map-up value0 value1 value2 value3 value4 value5 value6 value7 command to set the mappings from 802.1p priorities to user priorities.
7. (Optional) Run the rate-limit { client vap } { up down } ratelimit-value command to set the rate limit for upstream or downstream packets for a single STA or all STAs associated with a VAP.
8. (Optional) Run the tunnel-priority up designate { tos 8021p } priority-value command to set the upstream tunnel priority. Or run the tunnel-priority up map { tos-tos tos-8021p 8021p-tos 8021p-8021p } value0 value1 value2 value3 value4 value5 value6 value7 command to set the mappings from 802.1p priorities to user priorities.

Configuring an ESS and Binding a Traffic Profile and a Security Profile to the ESS
1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the ess name ess-name [ id ess-id ] ssid ssid traffic-profile traffic-profile-name security-profile security-profile-name [ ssid-hide { enable disable } user-isolate { enable disable } type { service ap-management ac-management } max-user-number user-number association-timeout time igmp-mode { proxy snooping off } ] * command to configure an ESS and bind a traffic profile and a security profile to the ESS.
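The security profile procedure above offers options of very different strength (WEP, TKIP or CCMP, pre-shared key or 802.1x). The following audit script is an added example, not part of the Huawei guide: it reads a list of commands typed as in that procedure and reports which profiles use weak options. The input format, profile names, and finding codes are assumptions made for this example; real saved device configuration may be laid out differently.

```python
"""Audit WLAN security-profile commands for weak authentication or encryption."""

# Constructed sample: commands in the order the procedure gives them.
# Not captured from a device; names and keys are made up.
SAMPLE_CONFIG = """\
security-profile name guest id 1
security-policy wep
wep authentication-method open-system
security-profile name legacy-scanners id 2
security-policy wep
wep authentication-method share-key
wep key wep-104 pass-phrase 0 ExampleKey123
wep default-key 0
security-profile name staff-psk id 3
wpa authentication-method psk pass-phrase ExamplePassphrase encryption-method tkip
security-profile name staff-dot1x id 4
wpa2 authentication-method dot1x peap encryption-method ccmp
"""

# Finding codes used by this example (hypothetical names).
FINDINGS = {
    "OPEN_NO_ENCRYPTION": "open-system without data-encrypt (assumed: traffic is unencrypted)",
    "WEP_ENCRYPTION": "WEP encryption in use; WEP is cryptographically broken",
    "WEP_SHARED_KEY": "WEP shared-key authentication; WEP is cryptographically broken",
    "PSK": "pre-shared key: one secret for all users, no per-user identity",
    "TKIP": "TKIP encryption is deprecated; prefer ccmp",
    "NO_AUTH_METHOD": "profile has no authentication-method command",
}


def parse_profiles(text):
    """Group command lines under the security-profile line that precedes them."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "security-profile":
            # The profile may be given by name, by id, or both; prefer the name.
            key = "name" if "name" in tokens else "id"
            idx = tokens.index(key) + 1 if key in tokens else len(tokens)
            current = tokens[idx] if idx < len(tokens) else None
            if current is not None:
                profiles[current] = []
        elif current is not None:
            profiles[current].append(tokens)
    return profiles


def check_profile(commands):
    """Return finding codes for one profile.

    Only the authentication-method lines are evaluated; the security-policy
    line is ignored because the method line states what is actually used.
    """
    codes = []
    seen_method = False
    for t in commands:
        if t[1:2] != ["authentication-method"] or len(t) < 3:
            continue
        if t[0] == "wep":
            seen_method = True
            if t[2] == "share-key":
                codes.append("WEP_SHARED_KEY")
            elif t[2] == "open-system":
                codes.append("WEP_ENCRYPTION" if "data-encrypt" in t[3:]
                             else "OPEN_NO_ENCRYPTION")
        elif t[0] in ("wpa", "wpa2", "wapi"):
            seen_method = True
            if t[2] == "psk":
                codes.append("PSK")
            # The cipher is the last argument, so a passphrase that happens
            # to contain a keyword cannot be mistaken for it.
            if t[-2:] == ["encryption-method", "tkip"]:
                codes.append("TKIP")
    if not seen_method:
        codes.append("NO_AUTH_METHOD")
    return codes


def audit(text):
    """Map every profile in the text to its list of finding codes."""
    return {name: check_profile(cmds) for name, cmds in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not codes else "")
        for code in codes:
            print("   ", code, "-", FINDINGS[code])
```
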

2.4.5 Configuring a VAP and Delivering the VAP to an AP

Configuring a VAP and Binding the VAP to an ESS
1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the vap ap ap-id radio radio-id ess { id ess-id name ess-name } [ wlan wlan-id ] command to create a VAP or run the vap batch ap { ap-id [ to ap-id ] } &<1-10> radio { radio-id [ to radio-id ] } &<1-10> ess { ess-id [ to ess-id ] } &<1-10> command to create multiple VAPs.
NOTE
You can also run the service-batch ap-type { id ap-type-id name ap-type-value } radio radio-id radio-profile { id profile-id name radio-profile-name } ess id { ess-id [ to ess-id ] } &<1-10> command to create VAPs in batches.

Delivering the VAP to APs
1. Run the enable command to enter the privilege mode.
2. Run the config command to enter the global config mode.
3. Run the wlan ac command to enter the WLAN-AC mode.
4. Run the commit { all ap ap-id } command to deliver the VAP to an AP or all APs.

2.5 Configuring NAC

NAC Overview

Introduction to NAC
Security is a major concern for enterprise customers. Senior administrators and IT departments require that employees enjoy a convenient office environment, share network resources, and isolate unauthorized terminals. This ensures that only authorized terminals and terminals passing security check are allowed to obtain network resources. Generally, the Network Access/Admission Control (NAC) system is deployed to authenticate and authorize users on an enterprise network.

The NAC system consists of the following components:

Terminal proxy
A terminal proxy is the specialized client software that is installed on a user terminal. It works with the NAC server to authenticate users, check terminal security, repair and upgrade the system, and monitor and audit user actions.

NAC device

An NAC device allows, rejects, isolates, or restricts users based on the policies defined on the NAC server. An NAC device is also called service gateway. The aggregation switch or access switch often functions as an NAC device.

NAC server
The NAC server implements security management and control. It can perform user management, add, delete, or modify user rights and user department configuration, and define and manage security policies. It can also authenticate users and perform security audit, enforce security policies, and work with the NAC device to deliver user rights. The NAC server includes the antivirus server and patch server used to repair terminals. The NAC server is also called an AAA server and communicates with a user service gateway using RADIUS to perform authentication, accounting, and authorization.

Figure 2-3 NAC system

This section describes the configuration of the NAC device. For details about the configuration of the terminal proxy, see section "Configuring the Authentication Client." For details about the configuration of the NAC server, see section 2.6 "Configuring a TSM Server."

Configuring NAC on a Service Gateway
To deploy NAC on a service gateway (for example, S9300):
- Configure AAA, a domain that users belong to, authentication and authorization modes, and the AAA server.
- Configure 802.1x or web authentication on the user access interface.
Here, the S9300 is used as the service gateway. If another device is used as the service gateway, see the corresponding documents.

2.5.2 Configuring AAA

Configuring an Authentication Scheme
1. Run the system-view command to enter the system view.
2. Run the aaa command to enter the AAA view.
3. Run the authentication-scheme authentication-scheme-name command to create an authentication scheme and enter the authentication scheme view.
4. Run the authentication-mode { hwtacacs radius local }* [ none ] command to configure an authentication mode.

Configuring an Authorization Scheme
1. Run the system-view command to enter the system view.
2. Run the aaa command to enter the AAA view.
3. Run the authorization-scheme authorization-scheme-name command to create an authorization scheme and enter the authorization scheme view.
4. Run the authorization-mode [ hwtacacs ] { if-authenticated local none } command to configure an authorization mode.

Configuring an Accounting Scheme
1. Run the system-view command to enter the system view.
2. Run the aaa command to enter the AAA view.
3. Run the accounting-scheme accounting-scheme-name command to create an accounting scheme and enter the accounting scheme view.
4. Run the accounting-mode { hwtacacs radius none } command to configure an accounting mode.

Configuring a RADIUS Server Template
1. Run the system-view command to enter the system view.
2. Run the radius-server template template-name command to create a RADIUS server template and enter the RADIUS server template view.
3. Run the radius-server authentication ip-address port [ source loopback interface-number ] command to configure the RADIUS authentication server.
4. Run the radius-server accounting ip-address port [ source loopback interface-number ] command to configure the RADIUS accounting server.
5. Run the quit command to return to the system view.

6. Run the radius-server authorization ip-address { server-group group-name shared-key { cipher simple } key-string } * [ ack-reserved-interval interval ] command to configure the RADIUS authorization server.

Configuring a Domain
1. Run the system-view command to enter the system view.
2. Run the aaa command to enter the AAA view.
3. Run the domain domain-name command to create a domain and enter the domain view.
4. Run the authentication-scheme authentication-scheme-name command to apply the authentication scheme to the domain.
5. (Optional) Run the authorization-scheme authorization-scheme-name command to apply the authorization scheme to the domain. If RADIUS authentication is used, skip this step.
6. Run the accounting-scheme accounting-scheme-name command to apply the accounting scheme to the domain.
7. Run the radius-server template-name command to apply the RADIUS server to the domain.

Configuring Web Authentication

Configuring a Web Authentication Server
1. Run the system-view command to enter the system view.
2. Run the web-auth-server server-name command to configure a web authentication server and enter the web authentication server view.
3. Run the server-ip ip-address command to specify an IP address for the web authentication server.
4. Run the url url-string command to configure a URL for the web authentication server.
5. Run the port port-number [ all ] command to configure the interface on the web authentication server to which the S9300 sends notification messages.

Binding the Web Authentication Server to an Interface
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the interface view.
NOTE
Currently, the S9300 can perform web authentication only through VLANIF interfaces.

3. Run the web-auth-server server-name command to bind the web authentication server to the VLANIF interface.

(Optional) Configuring a Web Authentication Free Rule
If some users that fail to be authenticated need to obtain certain resources, configure a web authentication free rule.
1. Run the system-view command to enter the system view.
2. Run the portal free-rule rule-id { destination { any ip { ip-address mask { mask-length ip-mask } any } } source { any { interface interface-type interface-number ip { ip-address mask { mask-length ip-mask } any } vlan vlan-id }* } }* command to configure a web authentication free rule.

Configuring 802.1x Authentication

Enabling 802.1x Authentication
1. Run the system-view command to enter the system view.
2. Run the dot1x enable command to enable global 802.1x authentication.
3. Run the interface interface-type interface-number command to enter the interface view.
4. Run the dot1x enable command to enable 802.1x authentication on the interface.

Configuring an Authentication Method for 802.1x Users
1. Run the system-view command to enter the system view.
2. Run the dot1x authentication-method { chap eap pap } command to configure an authentication mode for 802.1x users.

(Optional) Enabling MAC Address Bypass Authentication
If 802.1x authentication on a terminal fails, the access device sends the MAC address of the terminal as the user name and password to the RADIUS server for authentication. This is called MAC address bypass authentication. Some special terminals such as printers that cannot use the 802.1x client software can use MAC address bypass authentication.
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the interface view.

3. Run the dot1x mac-bypass command to enable MAC address bypass authentication on the interface.

2.6 Configuring a TSM Server

Overview

TSM Overview
Huawei Terminal Security Management (TSM) is a terminal security management solution for enterprises, implementing end-to-end control and management. The TSM has the following functions:
- Implements intranet network management.
- Ensures reliability and security of the intranet, terminals, and enterprise data.
In the TSM solution, a TSM proxy provides six functions: security access control, terminal security management, patch management, terminal user's action management, software distribution, and resource management.
The TSM controls network access, including security check, access control, and security vulnerability recovery. The TSM effectively controls network access from the staff, visitors, partners, and temporary employees, detects and isolates malicious terminals, and improves attack defense capabilities.
The TSM uses the client/server model and consists of the TSM server and TSM agent. The TSM agent is installed on a terminal. For details, see section 2.7.2 "Configuring the Authentication Client." The TSM server is the background server and functions as the NAC server. It provides authentication, right control, terminal management, attack defense, and asset management, and is highly reliable, flexible, and open.

TSM on a WLAN
On a WLAN, the TSM server provides the following functions:
- Perform user management, add, delete, or modify user rights and user department configuration, and define and manage security policies.
- Synchronize user accounts from the Microsoft AD Domain Controller.
- Work with the NAC device to authenticate users based on user accounts (local accounts or external accounts synchronized in the Microsoft AD Domain Controller), perform security audit, enforce security policies, and deliver user rights.
To deploy a TSM server, perform the following operations:
- Configure a common account.
- Synchronize accounts in the Microsoft AD Domain Controller.
- Configure web authentication.
- Configure 802.1x authentication.
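With MAC address bypass, described under Configuring 802.1x Authentication, the terminal's MAC address is the only credential the RADIUS server sees, so those sessions are worth reviewing on the server side. The following script is an added example, not part of the Huawei guide: it picks MAC-bypass logins out of authentication records and flags MAC addresses that are not on an approved device list or that are accepted on two different ports within a short time. The log format, field names, and addresses are constructed for this example, and it assumes the record carries the terminal MAC in a calling-station field.

```python
"""Review RADIUS authentication records for unusual MAC-bypass logins."""
import re
from datetime import datetime, timedelta

# Constructed sample records (hypothetical key=value format, sorted by time).
SAMPLE_LOG = """\
2024-01-01T08:00:00 nas=192.0.2.10 port=GE1/0/5 user=00e0fc000001 calling=00-E0-FC-00-00-01 result=accept
2024-01-01T08:01:00 nas=192.0.2.10 port=GE1/0/7 user=alice calling=00-E0-FC-00-00-02 result=accept
2024-01-01T08:05:00 nas=192.0.2.11 port=GE1/0/2 user=00e0fc000001 calling=00e0-fc00-0001 result=accept
2024-01-01T08:09:00 nas=192.0.2.10 port=GE1/0/9 user=00e0fc000003 calling=00:e0:fc:00:00:03 result=accept
2024-01-01T08:10:00 nas=192.0.2.10 port=GE1/0/9 user=00e0fc000004 calling=00:e0:fc:00:00:04 result=reject
"""

# Constructed inventory of terminals allowed to use MAC bypass (for example printers).
APPROVED = {"00e0fc000001"}

REQUIRED = {"nas", "port", "user", "calling", "result"}


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if the value is not a MAC address."""
    digits = re.sub(r"[-:.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_line(line):
    """Parse one record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    return rec if REQUIRED.issubset(rec) else None


def find_anomalies(log_text, approved, window=timedelta(minutes=10)):
    """Return (mac, code) findings for accepted MAC-bypass logins.

    A login counts as MAC bypass when the user name is itself the MAC
    address of the calling station. Records must be in time order.
    """
    last_seen = {}  # mac -> (time, (nas, port)) of the previous accepted login
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "accept":
            continue
        mac = normalize_mac(rec["user"])
        if mac is None or mac != normalize_mac(rec["calling"]):
            continue  # ordinary user name: not a MAC-bypass login
        where = (rec["nas"], rec["port"])
        if mac not in approved:
            findings.append((mac, "UNKNOWN_DEVICE"))
        prev = last_seen.get(mac)
        if prev and prev[1] != where and rec["time"] - prev[0] <= window:
            findings.append((mac, "SEEN_ON_TWO_PORTS"))
        last_seen[mac] = (rec["time"], where)
    return findings


if __name__ == "__main__":
    for mac, code in find_anomalies(SAMPLE_LOG, APPROVED):
        print(mac, code)
```
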

CAUTION
On the TSM server, 802.1x authentication and web authentication cannot be configured simultaneously.

Configuring a Common Account
User management involves departments, terminal users, and accounts. A department can contain multiple terminal users and a terminal user can have multiple accounts.
Accounts are classified into local accounts and external accounts:
- Local accounts are common accounts in which user names and passwords are configured on the TSM server.
- External accounts are synchronized on the TSM server. The external accounts do not contain passwords. Users can log in without using new accounts in the scenario where another authentication server is deployed.

Configuring Department Information
1. At the top of the TSM Manager, click Department.
2. On the left menu bar, choose Department User > User Management. The User Management page is displayed.
3. Click the Department tab in the operation area on the right.
4. Select the superior department of the target department in the department navigation tree.
5. Click Add under the Department tab. The Add dialog box is displayed, as shown in Figure 2-4.
Figure 2-4 Creating a department
6. Enter parameters of the department. Click OK.

The Adding succeeded dialog box is displayed.
7. Click OK.

Configuring Terminal User Information
1. At the top of the TSM Manager, click Department.
2. On the left menu bar, choose Department User > User Management. The User Management page is displayed.
3. Click the User tab in the operation area on the right.
4. In the department navigation tree on the User Management page, select the target department where a terminal user needs to be created.
5. Click Add under the User tab. The Add User dialog box is displayed.
Figure 2-5 Adding a user
6. Enter parameters of the user. Click OK. The Adding succeeded dialog box is displayed.
7. Click OK.

Configuring a Local Account
1. At the top of the TSM Manager, click Department.
2. On the left menu bar, choose Department User > User Management. The User Management page is displayed.
3. Click the User tab in the operation area on the right.
4. In the department navigation tree on the User Management page, select the target department where a common account needs to be created. All users of the department are displayed on the right of the User Management page, as shown in Figure 2-6.
Figure 2-6 Users in the specified department
5. Click on the right of the user whose common account needs to be created. Figure 2-7 lists all the accounts of the user.
Figure 2-7 User accounts
6. Click Add. The Add Account dialog box is displayed, as shown in Figure 2-8.

Figure 2-8 Adding an account
7. Enter parameters of a common account. Click OK. The Adding succeeded dialog box is displayed.
8. Click OK.

Synchronizing Accounts in the Microsoft AD Domain Controller to the TSM Manager by OU
For details on how to configure the Microsoft AD Domain Controller and create user accounts, see the corresponding documents or TSM server help. This section describes how to synchronize accounts in the Microsoft AD Domain Controller to the TSM Manager by OU.

Enabling Microsoft AD Domain Authentication
1. At the top of the TSM Manager, click System Configuration.

2. On the left menu bar, choose Terminal > Global Parameters. The Configure Authentication Type of Agent Terminal dialog box is displayed, as shown in Figure 2-9.
Figure 2-9 Enabling Microsoft AD Domain authentication
3. Select Domain account.
4. Click OK. The Modify succeeded dialog box is displayed.
5. Click OK.

(Optional) Configuring Non-Microsoft AD Domain Users to Log in Using AD Accounts
1. At the top of the TSM Manager, click System Configuration.
2. On the left menu bar, choose Terminal > Global Parameters. The Automatic Startup of Terminal Agent and Settings of the Login of Non-AD Domain Users Through Domain Accounts dialog box is displayed, as shown in Figure 2-10.
Figure 2-10 Permitting or preventing authentication through AD accounts
3. Determine whether to allow terminal users that log in without using Microsoft AD Domain accounts to be authenticated using AD accounts.
   - To permit the terminal users to be authenticated using AD accounts, select Enable on the right of Configure the Login of Non-AD Domain Users Through Domain Accounts.
   - To prevent the terminal users from being authenticated using AD accounts, select Disable on the right of Configure the Login of Non-AD Domain Users Through Domain Accounts.
4. Click OK. The Modify succeeded dialog box is displayed.

5. Click OK.

Setting Connection Parameters of the Microsoft AD Domain Controller
1. At the top of the TSM Manager, click Department.
2. On the left menu bar, choose External Data Source > AD Server.
3. Click Add. The Add AD dialog box is displayed, as shown in Figure 2-11.
Figure 2-11 Adding an AD server
Table 2-3 lists the connection parameters.

Table 2-3 Connection parameters for the Microsoft AD Domain Controller
Parameter | Type | Description
Synchronization Type | Mandatory | Whether to synchronize the node and account from the Microsoft AD Domain Controller. To synchronize Microsoft AD Domain accounts by OU, select By OU.
Authentication Source | Mandatory | Enter the name of the Microsoft AD Domain Controller. This helps administrators to identify different Microsoft AD Domain Controllers. The name must be different from the existing service. It contains a maximum of 100 bytes.
Type | N/A | Display the type of the external authentication source.
Primary Server Address | Mandatory | Enter the IP address of the Microsoft AD Domain Controller.
Secondary Server Address | Optional | If the Microsoft AD Domain Controllers work in active/standby mode, enter the IP address of the secondary Microsoft AD Domain Controller.
Port | Mandatory | Enter the number of the port that provides the directory service on the Microsoft AD controller. When you install the Microsoft AD domain controller, the Microsoft AD domain controller uses port 389 by default if SSL is not configured. The Microsoft AD domain controller uses port 636 if SSL is configured. The port number can only be changed during installation planning.
Server Domain Name | Mandatory | Enter the domain name of the Microsoft AD Domain Controller.
Base DN | Mandatory | Enter the DN of the superior OU of the target OU.
Account | Mandatory | Enter the synchronization account created in the Microsoft AD Domain Controller.
Password | Mandatory | Enter the password for Account.
Service Account | Optional | Enter the authentication account created in the Microsoft AD Domain Controller.
Service Password | Optional | Enter the password for Service Account.

Parameter | Type | Description
AD's user pass authentication when AD is malfunction (but kerberos) | Optional | Whether to cancel the process of verifying terminal user identity in the Microsoft AD Domain Controller when the Microsoft AD Domain Controller malfunctions. This parameter is applicable to non-kerberos authentication procedure only. Assume that this option is selected and Kerberos authentication procedure is not used for Microsoft AD Domain account authentication. Terminal users are authenticated only when the used Microsoft AD Domain accounts have been synchronized to the TSM Manager.
SSL Enable | Optional | Whether to enable SSL. Assume that SSL is enabled. When the TSM interworks with the Microsoft AD Domain Controller, SSL is used for encryption to enhance security. The prerequisite for enabling SSL in the TSM is that SSL configuration has been completed in the Microsoft AD Domain Controller. For details about the SSL configuration in the Microsoft AD Domain Controller, see the documents related to the Microsoft AD Domain Controller.

4. Enter connection parameters for the Microsoft AD Domain Controller. Click OK. The Adding succeeded dialog box is displayed.
5. Click OK.

Configuring Department Information
See Configuring Department Information in section "Configuring a Common Account."

Configuring the Access Mode for a Microsoft AD Domain Account
1. At the top of the TSM Manager, click Department.
2. Choose External Data Source > AD server on the left menu bar.
Figure 2-12 External authentication source list
3. Click in MS_AD. The Map Data Structure dialog box is displayed, as shown in Figure 2-13.

Figure 2-13 Map Data Structure dialog box
4. Select an access mode in Login Type.
5. Click OK. The Setting succeeded dialog box is displayed.
6. Click OK.

(Optional) Associating the TSM Manager with the Microsoft AD Domain Controller
1. At the top of the TSM Manager, click Department.
2. Choose External Data Source > AD server on the left menu bar.
3. Click in MS_AD.

The Map Data Structure dialog box is displayed, as shown in Figure 2-14.
Figure 2-14 Map Data Structure dialog box
4. Click the Department tab and enter parameters of the department.
5. Click the User tab and enter parameters of the user.

Figure 2-15 Configuring a user of the Microsoft AD Domain Controller
6. Click the Others tab and set Certificate Revocation List Type and Certificate Revocation List.

Figure 2-16 Configuring the method for the TSM Manager to identify the revoked certificate of the Microsoft AD Domain Controller
7. Click OK. The Setting succeeded dialog box is displayed.
8. Click OK.

Associating the Source DN and the Target Department
You can synchronize sub-OUs and accounts of the target organization unit (OU) to a target department on the TSM Manager by associating the source distinguished name (DN) with the target department.
1. At the top of the TSM Manager, click Department.
2. On the left menu bar, choose External Data Source > Synchronization Range.

3. Click Add OU Synchronization. A dialog box is displayed, as shown in Figure 2-17.
Figure 2-17 Associating the source DN with the target department
4. Set Source DN and Target Department. Click OK. The Adding succeeded dialog box is displayed.
5. Click OK.

Setting the Synchronization Period
1. At the top of the TSM Manager, click Department.
2. Choose External Data Source > AD server on the left menu bar.

Figure 2-18 External authentication source list
3. Click in MS_AD. The Auto Synchronization Settings dialog box is displayed, as shown in Figure 2-19.
Figure 2-19 Synchronization settings
4. Set automatic synchronization parameters. Click OK. The Adding succeeded dialog box is displayed.
5. Click OK.

Synchronizing Sub-OUs and Accounts Immediately
1. At the top of the TSM Manager, click Department.
2. Choose External Data Source > AD server on the left menu bar.
Figure 2-20 External authentication source list
3. Click in MS_AD. A dialog box is displayed, saying The synchronization task start.
4. Click OK.

2.6.4 Configuring Web Authentication

Configuring a Portal Gateway
1. At the top of the TSM Manager, click Access Control.
2. On the left menu bar, choose Access Control > PORTAL Gateway.
3. Click the PORTAL Gateway tab.
4. Click Add. The Access Device Config dialog box is displayed, as shown in Figure 2-21.
Figure 2-21 Setting parameters for the portal gateway
5. Enter parameters of a portal gateway.
6. Click Add. The Add Ip Addresses dialog box is displayed.

Figure 2-22 Adding an IP address segment
7. Enter the start and end IP addresses.
8. Click OK. Add the network segment where terminals are located to the IP address list so that the portal gateway authenticates these terminals.
9. Click OK. The Adding succeeded dialog box is displayed.
10. Click OK.

Configuring an Isolation Domain
1. Click Access Control at the top of the TSM Manager.
2. On the left menu bar, choose Access Control > PORTAL Gateway.
3. Click the Isolation Domain tab.
4. Click Add. The isolation domain configuration dialog box is displayed.

Figure 2-23 Setting parameters of an isolation domain
5. Set the parameters of the isolation domain.
6. Click Add. The Add Rule dialog box is displayed.

Figure 2-24 Adding rules
7. Set rule parameters. Click OK. The isolation domain configuration dialog box is displayed.
8. Click OK. The Adding succeeded dialog box is displayed.
9. Click OK.

Configuring a Post-authentication Domain
1. Click Access Control at the top of the TSM Manager.
2. On the left menu bar, choose Access Control > PORTAL Gateway.
3. Click the Post-Authentication Domain tab.
4. Click Add. The post-authentication configuration dialog box is displayed.

Figure 2-25 Setting parameters of the post-authentication domain
5. Set parameters of the post-authentication domain.
6. Click Add. The Add Rule dialog box is displayed.

Figure 2-26 Adding rules
7. Set rule parameters. Click OK. The post-authentication domain configuration dialog box is displayed.
8. Click OK. The Adding succeeded dialog box is displayed.
9. Click OK.

Applying an Isolation Domain and a Post-authentication Domain to a Department
1. At the top of the TSM Manager, click Department.
2. On the left menu bar, choose Department User > User Management.
3. Click the Department tab.
4. Select the target department in the department navigation tree and then click SACG on the toolbar.
5. Click Customize.
6. Click the PORTAL Gateway tab.
7. Select the isolation domain and post-authentication domain for the R&D department.

Figure 2-27 Selecting the isolation domain and post-authentication domain
8. Click OK. The Setting succeeded dialog box is displayed.
9. Click OK.

Configuring 802.1x Authentication
CAUTION
In this section, 802.1x-compliant switches (Huawei switches except for the NAC series) are used. The switches cannot control user rights based on departments and roles. If Huawei NAC series are selected, you can configure an isolation domain and a post-authentication domain and apply the domains to a department or account. For details, see the TSM server help.

Configuring a Switch Group
1. At the top of the TSM Manager, click Access Control.

2. On the left menu bar, choose Access Control > 802.1x Switch.
3. Click the Switch Group tab.
4. Click Add and enter parameters of the switch group.
Figure 2-28 Entering parameters of the switch group

Table 2-4 Parameters of a switch group
Parameter | Description
Group Name | Enter the unique name of the switch group.
Switch Type | Select types of switches in the switch group. If some switch types are not listed in the drop-down list box, select Others.
Authentication Key | Enter the authentication encryption key configured on the switch and used for the switch to communicate with the TSM Controller.
Enable Charging | The accounting function needs to be enabled on some switches so that ports on the authenticated terminals can be opened for a long period of time. The accounting function needs to be enabled on the server to implement accounting with the switch.
Charging Key | Enter the accounting encryption key on the switch if the accounting function is enabled.
Access Control | Select Dynamic VLAN or Dynamic ACL for access control when Switch Type is set to Huawei NAC Series. When the 802.1x-compliant switches are used to implement access control, you cannot select the access control mode.

5. Click OK.

The Saving configuration information succeeded dialog box is displayed.
6. Click OK.

Configuring a Switch List
1. After a switch group is configured successfully, the switch list page is displayed.
Figure 2-29 Switch list
2. Click Add. The Add Switch dialog box is displayed.
Figure 2-30 Adding a switch
3. Enter parameters of the switch.

Table 2-5 Parameters for adding a switch
Parameter | Description
Address Type | IP Address: add a switch's IP address. IP Address Segment: specify an IP address segment to add all switches with IP addresses in this IP address segment. Subnet: specify a subnet in IP address + mask mode to add all switches with IP addresses on this subnet. A switch may have multiple IP addresses. The NAS IP address is used by the switch to communicate with the RADIUS server. The added IP address must be the NAS IP address. Otherwise, an error message "radius no response" is displayed. If a switch does not provide the command used to set the NAS IP address, obtain the outbound interface from the route to the TSM server in the routing table and enter the IP address of the outbound interface to add this switch.
Description | Enter the description of switches so that the administrator can maintain the switch list easily.

4. Click OK. The Adding succeeded dialog box is displayed.
5. Click OK.

2.7 Configuring STAs
A STA must have the WLAN hardware module supporting (for example, wireless network adapter) so that it can connect to an AP. On a STA, you must configure the WLAN parameters, for example, the SSID, password, and encryption mode.
If the NAC system is deployed on an enterprise network, users must be authenticated before connecting to the enterprise network. You must configure the authentication client (for example, 802.1x authentication) on STAs so that users can connect to the enterprise network.

Configuring a WLAN
A WLAN can be discovered automatically or added manually. When a STA discovers a WLAN, connect to the WLAN as prompted (passwords may be required).
NOTE
It is recommended that STAs discover WLANs automatically. For details about the configuration of a WLAN, see the documentation of the STA.
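Table 2-5 requires that the address added for a switch be its NAS IP address and, where that cannot be set, the IP address of the outbound interface on the route to the TSM server. The following check is an added example, not part of the Huawei guide: it derives that outbound address by longest-prefix match and tests it against switch list entries of the three address types. The switch names, routing tables, addresses, and function names are constructed for this example.

```python
"""Check that each switch's RADIUS source address is covered by the switch list."""
import ipaddress

TSM_SERVER = "198.51.100.20"  # constructed address of the TSM server

# Constructed switch list, one entry per address type in Table 2-5.
SWITCH_LIST = [
    ("ip", "192.0.2.1"),
    ("segment", "192.0.2.16", "192.0.2.31"),
    ("subnet", "203.0.113.0", "255.255.255.192"),
]

# Constructed routing tables (prefix, outbound interface) and interface addresses.
SWITCHES = {
    "sw-a": {"routes": [("0.0.0.0/0", "Vlanif10"), ("198.51.100.0/24", "Vlanif20")],
             "interfaces": {"Vlanif10": "192.0.2.1", "Vlanif20": "192.0.2.200"}},
    "sw-b": {"routes": [("0.0.0.0/0", "Vlanif10")],
             "interfaces": {"Vlanif10": "192.0.2.20"}},
    "sw-c": {"routes": [("198.51.100.16/28", "Vlanif30"), ("198.51.100.0/24", "Vlanif31")],
             "interfaces": {"Vlanif30": "203.0.113.40", "Vlanif31": "203.0.113.100"}},
    "sw-d": {"routes": [("10.0.0.0/8", "Vlanif40")],
             "interfaces": {"Vlanif40": "10.0.0.1"}},
}


def outbound_source_ip(routes, interfaces, server_ip):
    """Return the IP of the outbound interface on the best route to server_ip.

    The best route is the matching prefix with the longest mask.
    Returns None when no route matches or the interface has no address.
    """
    dst = ipaddress.ip_address(server_ip)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return interfaces.get(best[1]) if best else None


def entry_covers(entry, nas_ip):
    """True if one switch list entry (ip, segment, or subnet) contains nas_ip."""
    ip = ipaddress.ip_address(nas_ip)
    kind = entry[0]
    if kind == "ip":
        return ip == ipaddress.ip_address(entry[1])
    if kind == "segment":
        return ipaddress.ip_address(entry[1]) <= ip <= ipaddress.ip_address(entry[2])
    if kind == "subnet":
        return ip in ipaddress.ip_network(f"{entry[1]}/{entry[2]}", strict=False)
    raise ValueError(f"unknown address type: {kind}")


def uncovered_switches(switches, switch_list, server_ip):
    """Map each switch whose RADIUS source address is missing from the list to that address."""
    missing = {}
    for name, sw in switches.items():
        src = outbound_source_ip(sw["routes"], sw["interfaces"], server_ip)
        if src is None or not any(entry_covers(e, src) for e in switch_list):
            missing[name] = src
    return missing


if __name__ == "__main__":
    for name, src in uncovered_switches(SWITCHES, SWITCH_LIST, TSM_SERVER).items():
        print(name, "source address not in switch list:", src)
```

In the sample, sw-a has an address in the list (192.0.2.1), but its route to the TSM server leaves through a different interface, which is the mismatch the table warns about.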

2.7.2 Configuring the Authentication Client

Overview
On enterprise networks, web authentication and 802.1x authentication are often used. Web authentication does not require any special client. Users only need to use a web browser to access the web server and enter user names and passwords on the authentication page. Then users can be authenticated. 802.1x authentication requires client software. Users enter user names and passwords on the software page, and dial up to initiate authentication to the server. For details about the client, see the instruction or help.
Huawei TSM Agent is used as an example to describe how to configure the authentication client.

TSM Agent
Huawei TSM is attack defense software that provides device protection and centralized security management. It is a terminal security management solution for enterprises. The TSM uses the client/server model and consists of the TSM server and TSM agent. The TSM agent is installed on a STA.
The TSM agent provides the following terminal security management functions:
- Authenticates users' identities.
- Checks for security risks of terminals and helps users remove security risks to improve security.
- Manages users' actions and provides guidance for users to take actions in accordance with security policies.
- Monitors the running status of terminals.
- Helps users to install patches of the Microsoft Windows operating system and other software.
- Obtains remote instructions from administrators when terminals are faulty.
- Registers assets by specifying the asset locations and owners.
- Diagnoses the fault when STAs cannot connect to the TSM server.
- Downloads and displays the bulletins published by the TSM Manager.

Authentication Function of the TSM Agent
The TSM agent supports multiple authentication modes including web authentication, 802.1x authentication, and MAC address authentication. You do not need to use a web browser or install independent 802.1x client software.

TSM Agent Configuration Procedure

CAUTION In most situations, the installation program of the TSM agent has been customized by network administrators or Huawei technical support personnel according to enterprise deployment requirements. End users only need to install the TSM agent software. Then they can be authenticated and access the Internet.

1. Install the TSM agent software on a terminal. The configuration procedure is not mentioned here.
   After the installation is complete, the TSM agent icon is displayed in the tray. This icon indicates that the terminal user is not authenticated.
2. Double-click the TSM agent icon to open the TSM agent authentication page, as shown in Figure 2-31.

   Figure 2-31 TSM agent authentication page

3. Enter the user name and password in the Account and Password text boxes. Then select Save password or Auto authentication.
   NOTE The user name and password must have been registered on the TSM server. For details, see section "Configuring a Common Account" or section "Synchronizing Accounts in the Microsoft AD Domain Controller to the TSM Manager by OU."
4. If the TSM agent is used for the first time, click Advanced to expand advanced settings, as shown in Figure 2-32.
   a. Enter the IP address of the TSM authentication server in Server.
   b. If 802.1x authentication is used, select Enable 802.1x. Select Enable security authentication (recommended) and configure the access protocol (standard protocol is recommended) according to enterprises' requirements. If web authentication is used, skip the preceding operations.
   c. Click Save to save the advanced settings.

   Figure 2-32 Advanced settings of the TSM agent

5. Click Login. The TSM agent initiates authentication, as shown in Figure 2-33.

   Figure 2-33 TSM Agent initiates authentication

   If authentication is successful, the icon in the tray changes to indicate that the terminal user has passed identity authentication and security authentication. The user can log in to the network.

NOTE The tray icon has two other states:
- One icon indicates that the user passes security authentication, but the STA violates some security specifications.
- One icon indicates that the user fails to pass security authentication, and network access of the STA is restricted.

CAUTION The preceding configuration uses a common account as an example. On an enterprise network, a terminal user can also use an AD account for authentication, as shown in Figure 2-34. When an AD account is used for authentication, pay attention to the following points:
- You must configure a domain control server and configure the user name and password on the domain control server. For details about the configuration of the domain control server, see the documentation of the server.
- On the TSM server, you only need to synchronize the AD account. For details, see section "Synchronizing Accounts in the Microsoft AD Domain Controller to the TSM Manager by OU."
- You must add STAs to the domain. For details, see the terminal operating system help.

Figure 2-34 Using an AD account for authentication

2.8 Configuration Examples

Networking Requirements

An Internet service provider (ISP) provides the WLAN service for two remote areas A and B. AP1 provides the WLAN service for area A, and AP2 provides the WLAN service for area B. The WS6603 functions as the AC and is connected to the Layer 3 switch in branched mode.

As shown in Figure 2-35, the AC delivers service VLANs, and the Layer 2 switch transparently transmits packets from all service VLANs and tags AP management packets with the management VLAN ID.

The AC functions as the DHCP server to allocate IP addresses to APs and advertises its IP address to APs through DHCP Option 43.

The AC only manages APs, but does not forward data for APs. APs' management streams are transmitted over a CAPWAP tunnel and terminated on the AC; APs' service streams are directly forwarded by the APs to the Layer 3 switch, and then are transparently transmitted by the Layer 3 switch to the upper-layer device.

Figure 2-35 Branched networking
(Diagram labels: STA; Area A; Area B; AP1 (service VLAN 101); AP2 (service VLAN 101); Eth0/0/1; Eth0/0/2; Layer 2 switch (management VLAN 800); GE0/0/1; GE1/0/1; Layer 3 switch; AC WS6603; GE1/0/3; GE1/0/2; service port 0/2/0; esight; core network; RADIUS server; management streams; data streams.)

NOTE In this example, the NAC configuration is not mentioned.

Data Preparation

Table 2-6 Data plan

Configuration Item: WLAN service
Data: AP authentication type: WEP policy and open system authentication. Encryption type: non-encryption.

Configuration Item: Management VLAN of APs
Data: VLAN 800 (the Layer 2 switch adds VLAN tags to packets)

Configuration Item: AP region
Data: AP1: 101; AP2: 102

Configuration Item: ESS
Data:
- Name: huawei-1; SSID: huawei-f4; Mapping mode: AP region mapping; Mapping VLAN ID: VLAN 101; Data forwarding mode: direct forwarding
- Name: huawei-2; SSID: huawei-f5; Mapping mode: AP region mapping; Mapping VLAN ID: VLAN 102; Data forwarding mode: direct forwarding

Configuration Item: Service VLAN ID
Data: STA1/STA2: VLAN 101 (delivered by the AC); STA3/STA4: VLAN 102 (delivered by the AC)

Configuration Item: VLAN on the Layer 2 switch
Data:
- Port (Eth0/0/1) connected to AP1: Its link type is trunk and default VLAN ID is 800; it allows packets from VLANs 101 and 800 to pass through.
- Port (Eth0/0/2) connected to AP2: Its link type is trunk and default VLAN ID is 800; it allows packets from VLANs 102 and 800 to pass through.
- Port (GE0/0/1) connected to the Layer 3 switch: Its link type is trunk and it allows packets from VLANs 101, 102, and 800 to pass through.

Configuration Item: VLAN on the Layer 3 switch
Data:
- Port (GE1/1/1) connected to the Layer 2 switch: Its link type is trunk and it allows packets from VLANs 101, 102, and 800 to pass through.
- Port (GE 0/1/2) connected to the AC: Its link type is trunk and it allows packets from VLAN 800 to pass through.
- Port (GE 0/1/3) connected to the upper-layer device: Its link type is trunk and it allows packets from VLANs 101 and 102 to pass through.

Configuration Items: AC carrier ID/AC ID; IP address of the management interface (loopback interface) on the AC; IP address pool of the management interface on the AP; Gateway IP address of the management interface on the AP
Data: CTC/ / to / /24 (Layer 3 switch)

Configuration Item: DHCP server
Data: AC functioning as the DHCP server to allocate IP addresses to APs

Procedure

1. Configure the switches to enable APs to communicate with the AC.

a. Configure Eth0/0/1 and Eth0/0/2 of the Layer 2 switch connected to APs as trunk interfaces, set the default VLAN ID of the trunk interfaces to 800, and allow packets from VLAN101/800 and VLAN102/800 to pass through.

NOTE In this example, a Huawei S3300 series switch is used. For details about switches of other types, see these switches' documents.

CAUTION Isolate the ports of all the Layer 2 switches that connect to the downstream ports within the APs' management and service VLANs. Otherwise, unnecessary packets are broadcast in the VLAN or WLAN users of different APs cannot communicate with each other at Layer 2.

    [huawei] vlan 101
    [huawei-vlan101] quit
    [huawei] vlan 102
    [huawei-vlan102] quit
    [huawei] vlan 800
    [huawei-vlan800] quit
    [huawei] interface Ethernet 0/0/1
    [huawei-ethernet0/0/1] port link-type trunk
    [huawei-ethernet0/0/1] port trunk pvid 800
    [huawei-ethernet0/0/1] port trunk allow-pass vlan 101
    [huawei-ethernet0/0/1] port trunk allow-pass vlan 800
    [huawei-ethernet0/0/1] port-isolate enable
    [huawei-ethernet0/0/1] quit
    [huawei] interface Ethernet 0/0/2
    [huawei-ethernet0/0/2] port link-type trunk
    [huawei-ethernet0/0/2] port trunk pvid 800
    [huawei-ethernet0/0/2] port trunk allow-pass vlan 102
    [huawei-ethernet0/0/2] port trunk allow-pass vlan 800
    [huawei-ethernet0/0/2] port-isolate enable
    [huawei-ethernet0/0/2] quit

b. Configure Layer 2 switch's interface GE0/0/1, which is connected to the Layer 3 switch, to transparently transmit packets of all service VLANs and the management VLAN.

    [huawei] interface GigabitEthernet 0/0/1
    [huawei-gigabitethernet0/0/1] port link-type trunk
    [huawei-gigabitethernet0/0/1] port trunk allow-pass vlan 101
    [huawei-gigabitethernet0/0/1] port trunk allow-pass vlan 102
    [huawei-gigabitethernet0/0/1] port trunk allow-pass vlan

    [huawei-gigabitethernet0/0/1] quit

c. Configure Layer 3 switch's interface GE0/1/1, which is connected to the Layer 2 switch, to transparently transmit packets of all service VLANs and the management VLAN.

NOTE In this example, a Huawei S9300 series switch is used as the Layer 3 switch. For details about switches of other types, see these switches' documents.

    [huawei] interface GigabitEthernet 1/0/1
    [huawei-gigabitethernet1/0/1] port link-type trunk
    [huawei-gigabitethernet1/0/1] port trunk allow-pass vlan 101
    [huawei-gigabitethernet1/0/1] port trunk allow-pass vlan 102
    [huawei-gigabitethernet1/0/1] port trunk allow-pass vlan 800
    [huawei-gigabitethernet1/0/1] quit

d. Configure Layer 3 switch's interface GE0/1/2, which is connected to the AC, to transparently transmit packets of the management VLAN.

    [huawei] interface GigabitEthernet 1/0/2
    [huawei-gigabitethernet1/0/2] port link-type trunk
    [huawei-gigabitethernet1/0/2] port trunk allow-pass vlan 800
    [huawei-gigabitethernet1/0/2] quit

e. Configure Layer 3 switch's interface GE0/1/3, which is connected to the upstream device, to transparently transmit packets of service VLANs.

    [huawei] interface GigabitEthernet 1/0/3
    [huawei-gigabitethernet1/0/3] port link-type trunk
    [huawei-gigabitethernet1/0/3] port trunk allow-pass vlan 101
    [huawei-gigabitethernet1/0/3] port trunk allow-pass vlan 102
    [huawei-gigabitethernet1/0/3] quit

f. Enable DHCP relay on the Layer 3 switch.

    [huawei] dhcp enable
    [huawei] interface vlanif 800
    [huawei-vlanif800] ip address
    [huawei-vlanif800] dhcp select relay
    [huawei-vlanif800] dhcp relay server-ip
    [huawei-vlanif800] quit

g. Set the IP address of VLANIF 1 to

    [huawei] interface vlanif 1
    [huawei-vlanif1] ip address
    [huawei-vlanif1] quit

h. Configure the Layer 3 switch to relay DHCP packets to the AC so that the AC functions as the DHCP server.

    [huawei] dhcp server group AC-srv1
    [huawei-dhcp-server-group-ac-srv1] dhcp-server
    [huawei-dhcp-server-group-ac-srv1] quit

i. Configure the route from the Layer 3 switch to the AC.

NOTE The IP address of the AC's loopback interface is

    [huawei] ip route

2. Configure the AC.

a. Set global AC parameters (carrier ID and AC ID) to facilitate identification and management.

# Set the carrier ID to CTC and AC ID to 1.

    huawei(config)# wlan ac-global carrier id ctc ac id 1

b. Configure VLANs for ports between the AC and the Layer 2 switch.

# Create VLANs 101, 102, and 800.

    huawei(config)# vlan 101
    huawei(config)# vlan 102
    huawei(config)# vlan 800

# Add service port 0/2/0 to VLAN 800.

    huawei(config)# port vlan 800 0/2 0

c. Create a VLANIF interface on the AC.

# Set the IP address of VLANIF 1 to

    huawei(config)# interface vlanif 1
    huawei(config-if-vlanif1)# ip address
    { <cr> description<k> sub<k> }:
    Command: ip address

Enable DHCP on the VLANIF interface so that the AC can function as the DHCP server to allocate IP addresses to the APs.

    huawei(config-if-vlanif1)# dhcp enable
    huawei(config-if-vlanif1)# quit

NOTE An AP can set up a connection with an AC only after obtaining an IP address from the AC, a broadband remote access server (BRAS), or a DHCP server. When the AC is configured as a DHCP server, it can allocate IP addresses to APs.

d. Configure the IP address of the loopback interface as the source IP address of the AC. This IP address is used to create tunnels between APs and the AC.

NOTE The IP address of the loopback interface must use the 32-bit subnet mask.

    huawei(config)# interface loopback 0
    huawei(config-if-loopback0)# ip address
    huawei(config-if-loopback0)# quit

e. Configure the source IP address for the AC.

# Configure the loopback interface's IP address as the AC's source IP address.

NOTE You must specify the source IP address of each AC so that all APs connected to the AC can learn this IP address.

    huawei(config)# wlan ac
    huawei(config-wlan-ac-view)# wlan ac source interface loopback 0
    huawei(config-wlan-ac-view)# quit

f. Configure an IP address pool for APs on the AC.

# Configure IP address pool ctc-ap-server on the loopback0 interface.

    huawei(config)# ip pool ap-server
    It's successful to create an IP address pool

    huawei(config-ip-pool-ap-server)# gateway
    huawei(config-ip-pool-ap-server)# section
    huawei(config-ip-pool-ap-server)# quit

# Configure DHCP Option 43 that contains the AC's IP address and Option 60.

    huawei(config-ip-pool-ap-server)# option 60 string Huawei AP
    huawei(config-ip-pool-ap-server)# option 43 string HuaweiAC
    huawei(config-ip-pool-ap-server)# quit

NOTE The content of Option 60 must be Huawei AP. The content of Option 43 must be HuaweiAC-X.X.X.X. X.X.X.X indicates the IP address of the AC.

g. Configure the route from the AC to

    huawei(config)# ip route

3. Set the connection parameters between AC and APs.

a. Set the authentication mode for APs to sn-auth.

    huawei(config)# wlan ac
    huawei(config-wlan-ac-view)# ap-auth-mode sn-auth
    huawei(config-wlan-ac-view)# quit

b. Add APs offline.

# Query the AP device type.

    huawei(config-wlan-ac-view)# display ap-type all
    All AP types information:
    ID    Type
    0     WA601
    1     WA631
    2     WA651
    3     WA602
    4     WA632
    5     WA652
    6     WA603SN
    7     WA603DN
    8     WA633SN
    11    WA603DE
    12    WA653DE
    14    WA653SN
    15    SRG1201GW
    Total number: 13

# Add AP1 and AP2 of the WA601 type offline based on the queried device type ID (0). The AP ID for AP1 is 1 and for AP2 is 2, and the SN for AP1 is SN and for AP2 is SN

    huawei(config-wlan-ac-view)# ap id 1 type-id 0 sn SN
    huawei(config-wlan-ac-view)# ap id 2 type-id 0 sn SN

# Enable the APs to go online. Then the APs enter the normal state.

    huawei(config-wlan-ac-view)# display ap all

    All AP information:
    AP AP Profile Region AP
    ID Type ID ID State
    WA normal
    2 WA normal
    Total number: 2

c. Configure AP regions.

# Set AP region IDs to 101 and 102.

    huawei(config-wlan-ac-view)# ap-region id 101
    huawei(config-wlan-ap-region-101)# quit
    huawei(config-wlan-ac-view)# ap-region id 102
    huawei(config-wlan-ap-region-102)# quit

d. Add AP1 to AP region 101 and AP2 to AP region 102.

    huawei(config-wlan-ac-view)# ap id 1
    { <cr> ap-type<k> type-id<k> }:
    Command: ap id 1
    huawei(config-wlan-ap-1)# region-id 101
    huawei(config-wlan-ap-1)# quit
    huawei(config-wlan-ac-view)# ap id 2
    { <cr> ap-type<k> type-id<k> }:
    Command: ap id 2
    huawei(config-wlan-ap-2)# region-id 102
    huawei(config-wlan-ap-2)# quit

4. Configure radios for APs.

a. # Create a WMM profile wmm-1 and use the default settings.

    huawei(config-wlan-ac-view)# wmm-profile name wmm-1 id 1
    huawei(config-wlan-wmm-prof-wmm-profile-1)# quit

b. # Create a radio profile radio-1 and bind the WMM profile wmm-1 to it.

    huawei(config-wlan-ac-view)# radio-profile name radio-1 id 1
    huawei(config-wlan-radio-prof-radio-1)# bind wmm-profile name wmm-1
    huawei(config-wlan-radio-prof-radio-1)# quit

c. Bind the radios of AP1 and AP2 to the radio profile radio-1.

    huawei(config-wlan-ac-view)# radio ap-id 1 radio-id 0
    huawei(config-wlan-radio-1/0)# bind radio-profile name radio-1
    huawei(config-wlan-radio-1/0)# quit
    huawei(config-wlan-ac-view)# radio ap-id 2 radio-id 0
    huawei(config-wlan-radio-2/0)# bind radio-profile name radio-1
    huawei(config-wlan-radio-2/0)# quit

NOTE You can specify different radios for an AP or specify the same radio for multiple APs.

5. Configure ESSs for APs.

a. Create a security profile.

# Create a security profile security-1, and set the authentication mode to WEP open system authentication and the encryption mode to no encryption.

    huawei(config-wlan-ac-view)# security-profile name security-1 id 1
    huawei(config-wlan-security-prof-security-1)# authentication policy wep
    huawei(config-wlan-security-prof-security-1)# policy wep open-system
    huawei(config-wlan-security-prof-security-1)# quit

b. Create a traffic profile (QoS profile).

# Create a traffic profile traffic-1 and use the default settings.

    huawei(config-wlan-ac-view)# traffic-profile name traffic-1 id 1
    huawei(config-wlan-traffic-prof-traffic-1)# quit

c. Create ESSs for AP1 and AP2 and bind them to the traffic profile and security profile.

# Create an ESS huawei-1, specify SSID huawei-f4 for it, and bind the traffic profile traffic-1 and the security profile security-1 to it.

    huawei(config-wlan-ac-view)# ess name huawei-1 ssid huawei-f4 traffic-profile traffic-1 security-profile security-1

# Create an ESS huawei-2, specify SSID huawei-f5 for it, and bind the traffic profile traffic-1 and the security profile security-1 to it.

    huawei(config-wlan-ac-view)# ess name huawei-2 ssid huawei-f5 traffic-profile traffic-1 security-profile security-1

NOTE An ESS defines service parameters and VAP attributes. When an ESS is bound to a specified radio of an AP, all the ESS parameters are applied to a WLAN service entity, a VAP. The AP provides differentiated wireless functions for users based on these parameters.

d. Configure mappings between VLANs and APs in each ESS.

# Set the VLAN mapping mode to AP region mapping. Map AP region 101 to VLAN 101.

    huawei(config-wlan-ac-view)# vlan-mapping ess name huawei-1 mode region
    huawei(config-wlan-ac-view)# vlan-mapping ess name huawei-1 type tag region 101 vlan101
    Success: 1 Failure: 0
    huawei(config-wlan-ac-view)# vlan-mapping ess name huawei-2 mode region
    huawei(config-wlan-ac-view)# vlan-mapping ess name huawei-2 type tag region 102 vlan102
    Success: 1 Failure: 0

6. Set the data forwarding mode.

# Set the data forwarding mode to ESS-based forwarding.

    huawei(config-wlan-ac-view)# forward-mode type ess

# Configure ESSs huawei-1 and huawei-2 to use direct forwarding.

    huawei(config-wlan-ac-view)# forward-mode ess 0 mode direct-forward
    huawei(config-wlan-ac-view)# forward-mode ess 1 mode direct-forward

7. Configure VAPs for APs and deliver VAP parameters.

a. Create VAPs for AP1 and AP2 and specify radios and ESSs.

    huawei(config-wlan-ac-view)# vap ap 1 radio 0 ess name huawei-1 wlan 1
    huawei(config-wlan-ac-view)# vap ap 2 radio 0 ess name huawei-2 wlan 1

NOTE A VAP is the binding between an AP, a radio, and an ESS profile. When an ESS profile is bound to a radio of an AP, a VAP is generated in the system. The VAP functions as a radio instance of the ESS profile on the AP, has all attributes of the ESS profile, and uses the radio hardware of the AP.

b. Deliver VAP parameters to APs.

    huawei(config-wlan-ac-view)# commit ap 1
    huawei(config-wlan-ac-view)# commit ap 2
    huawei(config-wlan-ac-view)# quit

Configuration Files

Configuration file of the AC

    #
    wlan ac-global carrier id ctc ac id 1
    vlan 101
    vlan 102
    vlan 800
    port vlan 800 0/2 0
    interface vlanif 1
    ip address
    dhcp enable
    quit
    interface loopback 0
    ip address
    quit
    wlan ac
    wlan ac source interface loopback 0
    quit
    ip pool ap-server
    gateway
    section
    quit
    option 60 string Huawei AP
    option 43 string HuaweiAC
    quit
    ip route
    wlan ac
    ap-auth-mode sn-auth
    quit
    ap id 1 type-id 0 sn SN
    ap id 2 type-id 0 sn SN
    ap-region id 101
    quit
    ap-region id 102
    quit
    ap id 1
    region-id 101
    quit
    ap id 2
    region-id

    quit
    wmm-profile name wmm-1 id 1
    quit
    radio-profile name radio-1 id 1
    bind wmm-profile name wmm-1
    quit
    radio ap-id 1 radio-id 0
    bind radio-profile name radio-1
    quit
    radio ap-id 2 radio-id 0
    bind radio-profile name radio-1
    quit
    security-profile name security-1 id 1
    authentication policy wep
    policy wep open-system
    quit
    traffic-profile name traffic-1 id 1
    quit
    ess name huawei-1 ssid huawei-f4 traffic-profile traffic-1 security-profile security-1
    ess name huawei-2 ssid huawei-f5 traffic-profile traffic-1 security-profile security-1
    vlan-mapping ess name huawei-1 mode region
    vlan-mapping ess name huawei-1 type tag region 101 vlan 101
    vlan-mapping ess name huawei-2 mode region
    vlan-mapping ess name huawei-2 type tag region 102 vlan 102
    forward-mode type ess
    forward-mode ess 0 mode direct-forward
    forward-mode ess 1 mode direct-forward
    vap ap 1 radio 0 ess name huawei-1 wlan 1
    vap ap 2 radio 0 ess name huawei-2 wlan 1
    commit ap 1
    commit ap 2
    quit
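The example configuration binds both SSIDs to a security profile that uses WEP open system authentication with no encryption. The following audit script is an added example, not part of the original guide: it parses an AC configuration in the format of the listing above, resolves each ESS to its security profile, and reports unencrypted or WEP SSIDs together with the AP admission mode. The sample text is constructed from the listing; the finding names and the approved-mode set (including the `mac-auth` spelling) are assumptions of this example.

```python
import re

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")   # strips e.g. "huawei(config-wlan-ac-view)# "
SEC_PROFILE = re.compile(r"^security-profile name (\S+)")
ESS = re.compile(r"^ess name (\S+) ssid (\S+) .*\bsecurity-profile (\S+)")
AP_AUTH = re.compile(r"^ap-auth-mode (\S+)")

# Assumption of this example: admission modes treated as acceptable.
# "sn-auth" appears in the guide; "mac-auth" is an assumed keyword spelling.
APPROVED_AP_AUTH = {"sn-auth", "mac-auth"}

# Constructed sample: commands taken from the guide's AC configuration file.
SAMPLE_AC_CONFIG = """\
wlan ac
ap-auth-mode sn-auth
quit
security-profile name security-1 id 1
authentication policy wep
policy wep open-system
quit
traffic-profile name traffic-1 id 1
quit
ess name huawei-1 ssid huawei-f4 traffic-profile traffic-1 security-profile security-1
ess name huawei-2 ssid huawei-f5 traffic-profile traffic-1 security-profile security-1
forward-mode ess 0 mode direct-forward
"""


def parse_ac_config(text):
    """Collect the AP admission mode, security profile bodies and ESS bindings."""
    cfg = {"ap_auth_mode": None, "security_profiles": {}, "ess": []}
    current = None                      # name of the security profile being read
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue                    # blank line or "# comment" from a transcript
        if current is not None:         # inside a security-profile view
            if line == "quit":
                current = None
            else:
                cfg["security_profiles"][current].append(line)
            continue
        m = SEC_PROFILE.match(line)
        if m:
            current = m.group(1)
            cfg["security_profiles"].setdefault(current, [])
            continue
        m = ESS.match(line)
        if m:
            cfg["ess"].append({"name": m.group(1), "ssid": m.group(2),
                               "security_profile": m.group(3)})
            continue
        m = AP_AUTH.match(line)
        if m:
            cfg["ap_auth_mode"] = m.group(1)
    return cfg


def classify_profile(lines):
    """Return 'open', 'wep' or 'other' for the body of one security profile."""
    if "policy wep open-system" in lines:
        return "open"   # the guide describes this as open system, no encryption
    if any(l.startswith("authentication policy wep") for l in lines):
        return "wep"
    return "other"


def audit(cfg):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    mode = cfg["ap_auth_mode"]
    if mode not in APPROVED_AP_AUTH:
        findings.append(("ap-auth", mode or "unset", "not approved"))
    for ess in cfg["ess"]:
        body = cfg["security_profiles"].get(ess["security_profile"])
        if body is None:
            findings.append(("undefined-profile", ess["ssid"], ess["security_profile"]))
            continue
        kind = classify_profile(body)
        if kind in ("open", "wep"):
            findings.append((kind + "-ssid", ess["ssid"], ess["security_profile"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ac_config(SAMPLE_AC_CONFIG)):
        print(finding)
```

Because the parser strips CLI prompts, the same functions can be run over a saved configuration session as well as over an exported configuration file.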

3 Integrated AC Deployment

3.1 Overview

Introduction to Integrated AC Deployment

A WLAN involves two key components: AP and AC. The integrated AC solution uses the integrated AC card on a switch (for example, SPU of the S9300) to manage all the APs connected to the switch. The integrated AC can be used in both the centralized and distributed AC deployment solutions.

The integrated AC can be deployed easily at low costs, but its performance is lower than that of the independent AC. Select the integrated AC solution according to enterprise requirements.

Typical Networking

Figure 3-1 shows typical networking of the integrated AC solution.

Figure 3-1 Typical networking of the integrated AC solution

In the integrated AC solution, the centralized architecture is used and fit APs (for example, WA603DN) connect to STAs. The SPU on the S9300 functions as an AC to manage APs.

A TSM server authenticates access users and controls user rights.
- If a user is not authenticated or fails to be authenticated, the user is allowed to access only the pre-authentication domain.
- If a user is authenticated but fails security check, the user is allowed to access the isolation domain.
- If a user is authenticated and passes security check, the user is allowed to access the post-authentication domain.

The independent AC solution uses specialized enterprise NMS system esight for network management.

Applicable Products and Versions

Table 3-1 Applicable products and versions

Component: AP
Product: WA603SN, WA603DN, WA633SN, WA653SN, WA653DN, WA653EN
Version: V100R003C01

Component: Access switch
Product: Non-specific (S2700/S3700 is recommended)
Version: Non-specific

Component: Aggregation switch
Product: S9300
Version: V100R006C00

Component: AC
Product: S9300 SPU
Version: V100R006C00

Component: NAC server
Product: TSM
Version: V100R002C06

Component: NMS server
Product: esight
Version: V200R001C00

Component: DHCP server
Product: Non-specific (external DHCP server, or built-in DHCP server of the switch or AC)
Version: Non-specific

Component: DNS server
Product: Non-specific
Version: Non-specific

Deployment Roadmap

Prerequisites

- Each network element or component has been installed and commissioned and connected using cables, and each network element has been powered on and works properly.
- The operating system and TSM software have been installed on the TSM server.

- The operating system and the esight software have been installed on the esight server.
- The VLAN IDs, SSIDs, and IP addresses have been planned.

Configuration Roadmap

Configuration Roadmap: Configure an interface, a VLAN ID, an IP address, and a route for each network element or component.
Precautions: None.

Configuration Roadmap: Configure the mode in which an AP discovers an AC. An AP can discover an AC in the following modes:
- An AP obtains the AC's IP address through Option 60 in a DHCP Reply packet from the DHCP server.
- An AP obtains the AC's DNS domain name through Option 15 in a DHCP Reply packet from the DHCP server, and then sends a DNS request packet to the DNS server to obtain the AC's IP address.
Precautions:
- Option 60 carrying the AC's IP address must be configured on the DHCP server.
- Option 15 carrying the AC's DNS domain name must be configured on the DHCP server. A DNS server must be configured and the mapping between the AC domain name and the IP address must be configured on the DNS server.

Configuration Roadmap: Configure AP attributes on the AC.
- Configure basic AC attributes.
- Configure AP attributes on the AC.
- Configure the WLAN radio environment.
- Configure an ESS.
- Configure a VAP and deliver the VAP to APs.
Precautions: For details about the AC configuration procedure, see Figure 3-2.

Configuration Roadmap: (Optional) Configure NAC on the service gateway to authenticate and authorize WLAN users.
Precautions:
- Configure AAA, a domain that users belong to, authentication and authorization modes, and the AAA server.
- Configure 802.1x or web authentication on the user access interface.

Configuration Roadmap: (Optional) Configure the TSM server.
- Configure the authentication server (web or 802.1x authentication server) to authenticate terminals.
- Configure information about the isolation domain and post-authentication domain.
- Configure a policy profile and apply the policy profile to the user domain.
- Configure user accounts including common accounts, MAC accounts, AD accounts, and LDAP accounts, and configure the isolation domain and post-authentication domain for the user accounts to control user rights.
Precautions:
- The DHCP server, DNS server, and TSM server belong to the pre-authentication domain. The patch server or antivirus server belongs to the isolation domain. Other application servers belong to the post-authentication domain.
- If a common account is configured, configure the user name and password on the TSM server. If an AD account is configured, deploy a domain control server and configure the user name and password on the server. Then synchronize the account to the TSM server.

Configuration Roadmap: Configure a mobile terminal that has the 802.1x client software (for example, 802.1x dialup software) installed.
Precautions:
- If web authentication is used, you do not need to perform configurations on the terminals. (Some systems may provide the web client.)
- If 802.1x authentication is used, install the 802.1x client software.
- If the TSM is used as the authentication server, the client must use the TSM agent. The TSM agent provides the web or 802.1x client.

Configuration Roadmap: (Optional) Use the esight to manage the WLAN.
Precautions: You can use the esight to view the following information:
- WLAN summary
- Status of and basic information about all ACs
- Detailed information about a specified AC
- AC alarm information
- AC performance indicators
For details, see chapter 4 "WLAN Network Management."

Figure 3-2 Configuration flowchart of the centralized AC solution

3.2 Configuring ACs and APs for Network Layer Connectivity

See section 2.2 "Configuring ACs and APs for Network Layer Connectivity."

3.3 Configuring an AP to Discover an AC

Overview

After a fit AP goes online, it must obtain the AC's IP address to obtain parameters from the AC. An AP discovers an AC in the following modes:

- Broadcast mode
  The AP broadcasts a CAPWAP request to all the ACs. After an AC sends a response message, a CAPWAP tunnel is set up between the AC and AP. In this mode, you do not need to perform any configuration on the AC.

- DHCP Option 43
  After a fit AP is powered on, it sends a DHCP Request packet to obtain an IP address. A DHCP server sends a DHCP Reply packet that carries the allocated IP address and AC's IP address in Option 43.
- DHCP Option 15 and DNS
  After a fit AP is powered on, it sends a DHCP Request packet to obtain an IP address. A DHCP server sends a DHCP Reply packet that carries the allocated IP address and AC's DNS domain name in Option 15. The AP sends a DNS request to a DNS server. Then the DNS server resolves the DNS domain name into the AC's IP address and sends a response carrying AC's IP address to the AP.

Configuring DHCP Option 43 for AC Discovery

Background

You must configure Option 43 on the DHCP server in addition to the IP address segment and IP address pool.

You can use an external DHCP server or the built-in DHCP server on a switch or an AC. Here, the built-in DHCP server on the S9300 is used as an example.

Procedure

1. Run the system-view command to enter the system view.
2. Run the dhcp enable command to enable DHCP.
3. Run the interface vlanif vlan-id command to enter the VLANIF interface view.
4. Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address to the VLANIF interface.
5. Run the dhcp select interface command to configure the AC to use the interface address pool.
6. Run the dhcp server option 43 sub-option 3 ascii X.X.X.X command to configure DHCP Option 43.

Configuring DHCP Option 15 and DNS for AC Discovery

Background

You must configure Option 15 on the DHCP server in addition to the IP address segment and IP address pool. You also need to specify the DNS server to resolve AC's domain name into the IP address.

You can use an external DHCP server or the built-in DHCP server on a switch or an integrated AC (SPU). Here, the built-in DHCP server on the S9300 is used as an example.

For details about the DNS server deployment and configuration, see the corresponding documents.

Procedure

1. Run the system-view command to enter the system view.
2. Run the dhcp enable command to enable DHCP.
3. Run the interface vlanif vlan-id command to enter the VLANIF interface view.
4. Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address to the VLANIF interface.
5. Run the dhcp select interface command to configure the AC to use the interface address pool.
6. Run the dhcp server domain-name domain-name command to configure the DNS domain name in the IP address pool.
   The configured DNS domain name is the AC's domain name. You must configure the mapping between the domain name and the AC's IP address on the DNS server.
7. Run the dhcp server dns-list ip-address &<1-8> command to specify the DNS server's address for the DHCP client.

3.4 Configuring an AC

Configuring Basic AC Attributes

1. Run the system-view command to enter the system view.
2. Run the wlan ac-global ac id ac-id [ carrier id { cmcc | ctc | cuc | other } ] command to configure the AC ID and carrier ID.
   To facilitate AC management, configure an AC ID and a carrier ID on each AC. By default, the AC ID is 0, and the carrier ID is other.
3. Run the wlan ac-global country-code country-code command to configure the country code of the AC.
4. Run the wlan command to enter the WLAN mode.
5. Run the wlan ac source interface { loopback loopback-num | vlanif vlan-id } command to specify the source IP address on an AC.
   You must specify the source IP address of each AC so that all APs connected to the AC can learn this IP address.
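An AP takes the AC's address from the DHCP reply, so checking observed replies against the planned DHCP server and AC addresses is a useful validation step. The following Python sketch is an added example, not part of the original guide: it parses both Option 43 forms that appear in this guide (the string HuaweiAC-X.X.X.X and sub-option 3 carrying an ASCII address) and classifies each reply. All addresses and observations are constructed, and accepting a comma-separated address list in sub-option 3 is an assumption of this example.

```python
import ipaddress

PREFIX = b"HuaweiAC-"   # string form: option 43 string HuaweiAC-X.X.X.X
SUBOPT_AC = 3           # TLV form: option 43 sub-option 3 ascii X.X.X.X
SUBOPT_END = 255        # end marker for encapsulated sub-options (RFC 2132, 8.4)

# Constructed plan data (documentation address ranges).
TRUSTED_DHCP = {ipaddress.IPv4Address("192.0.2.1")}
TRUSTED_ACS = {ipaddress.IPv4Address("192.0.2.10")}


class Option43Error(ValueError):
    """Raised when an Option 43 payload cannot be decoded."""


def tlv(code, value):
    """Build one sub-option: 1-byte code, 1-byte length, value."""
    return bytes([code, len(value)]) + value


def _parse_ip(raw):
    try:
        return ipaddress.IPv4Address(raw.decode("ascii").strip())
    except (UnicodeDecodeError, ipaddress.AddressValueError) as exc:
        raise Option43Error(f"not an IPv4 address: {raw!r}") from exc


def parse_option43(payload):
    """Return the AC addresses advertised in a DHCP Option 43 payload."""
    if payload.startswith(PREFIX):
        return [_parse_ip(payload[len(PREFIX):])]
    acs, i = [], 0
    while i < len(payload):
        if payload[i] == SUBOPT_END:
            break
        if i + 2 > len(payload):
            raise Option43Error("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise Option43Error("sub-option length runs past the payload")
        if code == SUBOPT_AC:
            # Assumption: several ACs may be listed, separated by commas.
            acs.extend(_parse_ip(part) for part in value.split(b","))
        i += 2 + length
    if not acs:
        raise Option43Error("no AC address found")
    return acs


def check_offer(server_ip, payload, trusted_servers=TRUSTED_DHCP, trusted_acs=TRUSTED_ACS):
    """Classify one observed DHCP reply; returns (verdict, detail)."""
    try:
        acs = parse_option43(payload)
    except Option43Error as exc:
        return ("malformed", str(exc))
    unknown = [str(a) for a in acs if a not in trusted_acs]
    if unknown:
        return ("rogue-ac", ",".join(unknown))
    if ipaddress.IPv4Address(server_ip) not in trusted_servers:
        return ("untrusted-server", server_ip)
    return ("ok", ",".join(str(a) for a in acs))


# Constructed observations: (DHCP server address, raw Option 43 payload).
SAMPLE_OBSERVATIONS = [
    ("192.0.2.1", b"HuaweiAC-192.0.2.10"),
    ("192.0.2.1", tlv(3, b"192.0.2.10")),
    ("192.0.2.77", b"HuaweiAC-198.51.100.66"),
    ("192.0.2.77", b"HuaweiAC-192.0.2.10"),
    ("192.0.2.1", b"\x03\x20192.0.2.10"),   # length byte larger than the payload
]


def classify_all(observations=SAMPLE_OBSERVATIONS):
    return [check_offer(server, payload)[0] for server, payload in observations]


if __name__ == "__main__":
    for (server, payload), verdict in zip(SAMPLE_OBSERVATIONS, classify_all()):
        print(server, payload, verdict)
```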

Configuring AP Attributes on the AC

Configuring Common Attributes of APs

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the ap-license ap-license number command to set the number of AP licenses.
   An AP license controls the number of APs supported by an AC.
4. Run the ap-type { id type-id | type ap-type }* command to configure an AP type.
5. Run the ap-update mode { ftp-mode | ac-mode } command to configure the AP upgrade mode.
6. Run the ap-update update-filename filename ap-type type-id command to specify the AP upgrade file.
   When the AC mode is used, upload the upgrade file to the AC.
   When the FTP mode is used, run the ap-update ftp-server server-ip-address [ ftp-username ftp-username | ftp-password ftp-password ] * command to configure the FTP server's IP address, FTP user name, and password.

Adding an AP to the Whitelist

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the ap-whitelist { mac ap-mac1 [ to ap-mac2 ] | sn ap-sn1 [ to ap-sn2 ] } command to add the MAC address or SN of an authorized AP to the whitelist.
   You can add MAC addresses or SNs of authorized APs in batches.

(Optional) Configuring an AP Offline

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the ap id ap-id [ { type-id type-id | ap-type ap-type } { mac ap-mac | sn ap-sn } * ] command to add an AP offline.
4. (Optional) Run the region-id region-id command to add the AP to a region.
5. (Optional) Run the profile-id profile-id command to bind the AP to an AP profile.
6. (Optional) Run the ap-threshold { cpu-usage | memory-usage } threshold-value command to set the alarm thresholds of the CPU usage and memory usage for the AP.
7. (Optional) Run the ap-threshold temperature high-value [ low-value ] command to set the temperature alarm threshold for the AP.

Configuring an AC to Automatically Discover APs

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. (Optional) Run the ap-type { id type-id | type ap-type }* command to configure an AP type.
4. Run the ap-auth-mode auth-mode command to configure the AP authentication mode.
   The system supports MAC address authentication, SN authentication, and non-authentication.

(Optional) Confirming APs' Identities

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the ap-confirm { all | { mac ap-mac | sn ap-sn } [ id ap-id ] } command to confirm the AP's identity.
   After the AP's identity is confirmed, the MAC address or SN of the AP is added to the whitelist. The AP is added to the default region and bound to the default AP profile, and its attributes retain the default values. The AP then enters the normal state.

Configuring the WLAN Radio Environment

Configuring a WMM Profile

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the wmm-profile { id profile-id | name profile-name }* command to configure a WMM profile.
4. Run the wmm enable command to enable WMM.
5. (Optional) Run the wmm edca client { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value }* command to set EDCA parameters for the four WMM queues of a STA.
6. (Optional) Run the wmm edca ap { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | ack-policy { normal | noack } }* command to set EDCA parameters for the four WMM queues of an AP.

Configuring a Radio Profile and Binding a WMM Profile to the Radio Profile

1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.

3. Run the radio-profile { id profile-id name profile-name }* command to configure a radio profile.
4. (Optional) Run the radio-type { 80211a 80211an 80211gn 80211b 80211bg 80211bgn 80211g 80211n } command to configure the radio type.
5. (Optional) Run the power-mode { auto fixed } command to configure the radio power mode.
6. (Optional) Run the channel-mode { auto fixed } command to configure the channel mode.
7. Run the wmm-profile { id profile-id name profile-name } command to bind a WMM profile to a radio profile. A radio profile can be applied to a radio only after a WMM profile is bound to the radio profile.

Applying a Radio Profile to a Radio
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the ap ap-id radio radio-id command to enter the radio mode.
4. Run the radio-profile { id profile-id name profile-name } command to bind a radio profile to the radio.

(Optional) Configuring AP Radio Resource Management
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the radio-profile { id profile-id name profile-name }* command to configure a radio profile.
4. Run the channel-mode auto command to configure the automatic channel mode for the radio profile. In this mode, an AP automatically selects a channel for a radio based on the WLAN radio environment.
5. Run the power-mode auto command to configure the automatic power mode for the radio profile. In this mode, an AP automatically sets the transmit power for a radio based on the WLAN radio environment.
6. Run the calibrate-interval calibrate-interval command to set the calibration interval and enable partial radio calibration.
7. Manually enable global radio calibration in an AP region.
   a. Run the quit command to return to the WLAN mode.
   b. Run the calibrate startup region region-id [ listen-uncontrol-neighbor ] command to enable global radio calibration in an AP region.
   c. Run the calibrate auto-startup region region-id time time [ listen-uncontrol-neighbor ] command to enable scheduled radio calibration in an AP region.

(Optional) Configuring an AP Load Balancing Group
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the load-balance-group { name group-name id group-id }* command to create a load balancing group.
4. Run the member ap-id ap-id radio-id radio-id command to add a radio to the load balancing group.
5. Set the load balancing mode.
   - Run the traffic gap gap-threshold command to set the load balancing mode to traffic mode.
   - Run the session gap gap-threshold command to set the load balancing mode to session mode.
   By default, the session mode is used for load balancing.
6. Run the associate-threshold associate-threshold command to set the threshold for the number of association requests.

Configuring an ESS

Configuring a WLAN-ESS Interface
1. Run the system-view command to enter the system view.
2. Run the interface wlan-ess wlan-ess-number command to create a WLAN-ESS interface.
3. Configure the authentication mode on the WLAN-ESS interface.
   - Run the dot1x-authentication enable command to enable 802.1x authentication.
   - Run the mac-authentication enable command to enable MAC address authentication.
   - Run the web-authentication enable command to enable web authentication.
4. If 802.1x authentication is used, perform the following operations:
   a. Run the dot1x authentication-method { chap eap pap } command to configure an authentication mode for 802.1x users.
   b. (Optional) Run the dot1x guest-vlan vlan-id command to configure a guest VLAN on the WLAN-ESS interface.
   c. (Optional) Run the dot1x restrict-vlan vlan-id command to configure a restrict VLAN on the WLAN-ESS interface.
   d. (Optional) Run the dot1x authentication domain domain-name command to bind a domain to the WLAN-ESS interface.
5. (Optional) Run the port-isolate enable command to enable port isolation on the AC.

Configuring a Security Profile
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the security-profile { id profile-id name profile-name }* command to configure a security profile.
4. Configure a security policy.
   - WEP open system authentication
     Run the security-policy wep command to configure a WEP security policy.
     Run the wep authentication-method open-system [ data-encrypt ] command to configure WEP open system authentication.
   - WEP shared key authentication
     Run the security-policy wep command to configure a WEP security policy.
     Run the wep authentication-method share-key command to configure WEP shared key authentication.
     Run the wep key { wep-40 wep-104 } { pass-phrase hex } key-id key-value command to configure the WEP shared key.
     Run the wep default-key key-id command to set the WEP key ID.
   - WPA/WPA2 authentication
     Run the security-policy wep command to configure a WEP security policy.
     Run the { wpa wpa2 } authentication-method dot1x { peap tls } encryption-method { tkip ccmp } command to configure 802.1x authentication and the corresponding encryption mode for the WPA/WPA2 policy.
     Run the { wpa wpa2 } authentication-method psk { pass-phrase hex } key encryption-method { tkip ccmp } command to configure shared key authentication and the corresponding encryption mode for the WPA/WPA2 policy.
   - WAPI authentication
     Run the security-policy wapi command to configure a WAPI security policy.
     Run the wapi authentication-method { certificate psk { pass-phrase hex } key } command to configure the authentication mode for the WAPI security policy.
     Run the wapi import certificate { ac asu issuer } file-name file-name command to import the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file.
     Run the wapi import private-key file-name file-name command to import the AC private key file.
     Run the wapi asuip ip-address command to configure the ASU server's IP address.

Configuring a Traffic Profile
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the traffic-profile { name profile-name id profile-id }* command to configure a traffic profile.

4. (Optional) Run the 8021p { designate value up-mapping value0 value1 value2 value3 value4 value5 value6 value7 } command to set the 802.1p priority of the packets sent from an AP to an AC.
5. (Optional) Run the 8021p-map-up value0 value1 value2 value3 value4 value5 value6 value7 command to set the mappings from 802.1p priorities to user priorities.
6. (Optional) Run the rate-limit { client vap } { up down } ratelimit-value command to set the rate limit for upstream or downstream packets for a single STA or all STAs associated with a VAP.
7. (Optional) Run the tunnel-priority up designate { tos 8021p } priority-value command to set the upstream tunnel priority. Or run the tunnel-priority up map { tos-tos tos-8021p 8021p-tos 8021p-8021p } value0 value1 value2 value3 value4 value5 value6 value7 command to set the mappings from 802.1p priorities to user priorities.

Configuring an ESS and Binding a WLAN-ESS Interface, a Traffic Profile, and a Security Profile to the ESS
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the service-set { name service-set-name id service-set-id }* command to create an ESS.
4. Run the forward-mode { direct-forward tunnel } command to set the data forwarding mode.
5. (Optional) Run the type { ac-management ap-management service } command to set the ESS type.
6. (Optional) Run the ssid ssid command to set the SSID for the ESS.
7. (Optional) Run the service-vlan command to set the VLAN ID for the ESS.
8. Run the wlan-ess wlan-ess-number command to bind a WLAN-ESS interface to the ESS.
9. Run the security-profile { name profile-name id profile-id } command to bind a security profile to the ESS.
10. Run the traffic-profile { name profile-name id profile-id } command to bind a traffic profile to the ESS.

Configuring a VAP and Delivering the VAP to an AP

Configuring a VAP and Binding the VAP to an ESS
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the ap ap-id radio radio-id command to enter the radio mode.

4. Run the service-set { name service-set-name id service-set-id } [ wlan wlan-id ] command to bind an ESS to the radio.

NOTE
You can also run the batch ap { ap-id [ to ap-id ] } &<1-10> radio { radio-id [ to radio-id ] } &<1-10> service-set { service-set-id [ to service-set-id ] } &<1-10> command in WLAN mode to configure VAPs in batches.

Delivering the VAP to APs
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN mode.
3. Run the commit { all ap ap-id } command to deliver the VAP to an AP or all APs.

3.5 Configuring NAC
See section 2.5 "Configuring NAC."

3.6 Configuring the TSM Server
See section 2.6 "Configuring a TSM Server."

3.7 Configuring STAs
See section 2.7 "Configuring STAs."

3.8 Configuration Examples

Networking Requirements
An Internet service provider (ISP) provides the WLAN service for two remote areas A and B. AP1 provides the WLAN service for area A, and AP2 provides the WLAN service for area B.
The SPU on the S9300 integrates AC functions and is installed in slot 1, as shown in Figure 3-3. The AC delivers service VLANs, and the S9300 transparently transmits packets from all service VLANs and tags AP management packets with the management VLAN ID. The AC functions as the DHCP server to allocate IP addresses to APs and advertises its IP address to APs through DHCP Option 43.
The AC only manages APs, but does not forward data for APs. APs' management streams are transmitted over a CAPWAP tunnel and terminated on the AC; APs' service streams are directly forwarded by the APs to the Layer 3 switch, and then are transparently transmitted by the Layer 3 switch to the upper-layer device.

Figure 3-3 Integrated AC networking
(Figure not reproduced. Labels: STA, AP1 (service VLAN 101), AP2 (service VLAN 101), Area A, Area B, Switch, GE2/0/0, GE2/0/1, GE2/0/2, XGE1/0/0, XGE0/0/1, AC (SPU), esight, RADIUS server, Core network; legend: Management streams, Data streams.)

NOTE
In this example, the NAC configuration is not mentioned.

Data Preparation

Table 3-2 Data plan
Configuration Item | Data
WLAN service | WEP open system authentication and no encryption
Management VLAN of APs | VLAN 100 (allocated by the switch)
AP region | AP1: 101; AP2: 102
ESS | Name: huawei-1; SSID: huawei-1; WLAN virtual interface: WLAN-ESS 0; Data forwarding mode: tunnel forwarding
ESS | Name: huawei-2; SSID: huawei-2; WLAN virtual interface: WLAN-ESS 1; Data forwarding mode: tunnel forwarding
User VLAN | AP1: VLAN 101; AP2: VLAN
VLAN on the switch | VLAN 100/101/102
AC carrier ID/AC ID | CTC/1
Management IP address of the AC | VLANIF interface: /
IP address pool of the management interface on the AP | to /
Gateway address for APs | /24 (AC)
DHCP server | AC functioning as the DHCP server to allocate IP addresses to APs

Configuration Roadmap
1. Configure the switches and the AC to enable APs to communicate with the AC.
2. Configure basic AC attributes, including the AC ID, carrier ID, and source IP address used by the AC to communicate with APs.
3. Set the AP authentication mode and add APs to AP regions.
4. Configure a VAP and deliver VAP parameters so that STAs can access the WLAN. To configure a VAP, perform the following operations:
   a. Configure a WLAN-BSS interface and bind it to a service set so that radio packets can be sent to the WLAN service module after reaching the AC.
   b. Configure a radio profile on the AP and bind it to a radio interface to enable STAs to communicate with the AP.
   c. Configure a service set on the AP, set the direct forwarding mode in the service set, and bind the specified security profile and traffic profile to it to ensure security and QoS for STAs.
   d. Configure a VAP and deliver VAP parameters so that STAs can connect to the WLAN.

Procedure
1. Configure the switches and the AC to enable APs to communicate with the AC.
# Configure GE2/0/0 and GE2/0/1 of the switch connected to APs as trunk interfaces, and set the PVID of the trunk interfaces to 100.
<Quidway> system-view
[Quidway] vlan batch 100 to 102
[Quidway] interface GigabitEthernet 2/0/0
[Quidway-GigabitEthernet2/0/0] port link-type trunk
[Quidway-GigabitEthernet2/0/0] port trunk pvid vlan 100
[Quidway-GigabitEthernet2/0/0] port trunk allow-pass vlan

[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface GigabitEthernet 2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk pvid vlan 100
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan
[Quidway-GigabitEthernet2/0/1] quit
# Configure XGE1/0/0 of the switch connected to the AC to transparently transmit packets of all service VLANs and the management VLAN.
[Quidway] interface XGigabitEthernet 1/0/0
[Quidway-XGigabitEthernet1/0/0] port link-type trunk
[Quidway-XGigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 102
# Configure XGE0/0/1 of the AC connected to the switch to transparently transmit packets of all service VLANs and the management VLAN.
<Quidway> system-view
[Quidway] sysname AC
[AC] vlan batch 100 to 102
[AC] interface XGigabitEthernet 0/0/1
[AC-XGigabitEthernet0/0/1] port link-type trunk
[AC-XGigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC-XGigabitEthernet0/0/1] quit

2. Configure basic AC attributes.
# Configure the AC ID, carrier ID, and country code.
[AC] wlan ac-global ac id 1 carrier id ctc
[AC] wlan ac-global country-code cn
# Configure a VLANIF interface, assign an IP address to it for Layer 3 packet forwarding, and enable the DHCP server function on it. Configure an IP address pool on VLANIF 100 to assign IP addresses to APs, configure an IP address pool on VLANIF 101 to assign IP addresses to STAs in area A, and configure an IP address pool on VLANIF 102 to assign IP addresses to STAs in area B.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

NOTE
An AP can set up a connection with an AC only after obtaining an IP address from the AC, a broadband remote access server (BRAS), or a DHCP server. When the AC is configured as a DHCP server, it can allocate IP addresses to APs.

# Configure a source interface for the AC to communicate with APs.

[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100
[AC-wlan-view] quit

NOTE
You must specify the source IP address of each AC so that all APs connected to the AC can learn this IP address.

3. Configure APs and enable them to go online.
# Set the AP authentication mode to no-auth.
[AC-wlan-view] ap-auth-mode no-auth

NOTE
If the AP authentication mode is set to no-auth, APs of the specified type can go online automatically. After an AP goes online, it is added to the default region and bound to the default AP profile, and its attributes are set to default values. The AP then enters the normal state.

# Set AP region IDs to 101 and 102.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
# Add AP1 to AP region 101 and AP2 to AP region 102.
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 101
[AC-wlan-ap-0] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 102
[AC-wlan-ap-1] quit

4. Configure WLAN-ESS interfaces.
[AC] interface wlan-ess 0
[AC-WLAN-ESS0] port link-type hybrid
[AC-WLAN-ESS0] port hybrid untagged vlan 101
[AC-WLAN-ESS0] quit
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] port hybrid untagged vlan 102
[AC-WLAN-ESS1] quit

5. Configure radios for APs.
# Create a WMM profile wmm-1 and use the default settings.
[AC] wlan
[AC-wlan-view] wmm-profile name wmm-1 id 1
[AC-wlan-wmm-prof-wmm-1] quit
# Create a radio profile radio-1 and bind the WMM profile wmm-1 to it.
[AC-wlan-view] radio-profile name radio-1
[AC-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[AC-wlan-radio-prof-radio-1] quit
# Bind the radios of AP1 and AP2 to the radio profile radio-1.

[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio-1
[AC-wlan-radio-0/0] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio-1
[AC-wlan-radio-1/0] quit

6. Configure a service set.
# Create a security profile. Create a security profile security-1, and set the authentication mode to WEP open system authentication and the encryption mode to no encryption.
[AC-wlan-view] security-profile name security-1 id 1
[AC-wlan-sec-prof-security-1] wep authentication-method open-system
[AC-wlan-sec-prof-security-1] security-policy wep
[AC-wlan-sec-prof-security-1] quit
# Configure a traffic profile to specify the QoS policy. Create a traffic profile traffic-1 and use the default settings.
[AC-wlan-view] traffic-profile name traffic-1
[AC-wlan-traffic-prof-traffic-1] quit
# Create service sets for AP1 and AP2, and bind the traffic profile, security profile, and WLAN-ESS interface to the service sets.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid huawei-1
[AC-wlan-service-set-huawei-1] traffic-profile name traffic-1
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid huawei-2
[AC-wlan-service-set-huawei-2] traffic-profile name traffic-1
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

Configure VAPs for APs and deliver VAP parameters.
# Bind radios of AP1 and AP2 to service sets huawei-1 and huawei-2.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] service-set name huawei-1
[AC-wlan-radio-0/0] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name huawei-2
[AC-wlan-radio-1/0] quit
# Deliver VAP parameters to APs.
[AC-wlan-view] commit ap 0
[AC-wlan-view] commit ap 1

7. Verify the configuration.

Wireless access users on AP1 and AP2 can search for WLANs with SSIDs huawei-1 and huawei-2 and then enjoy the WLAN Internet access service without authentication.

Configuration Files

Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
wlan ac-global carrier id ctc ac id 1
#
interface Vlanif100
 ip address
 dhcp select interface
#
interface Vlanif101
 ip address
 dhcp select interface
#
interface Vlanif102
 ip address
 dhcp select interface
#
interface WLAN-ESS0
 port hybrid untagged vlan 101
#
interface WLAN-ESS1
 port hybrid untagged vlan 102
#
interface XGigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 102
#
wlan
 wlan ac source interface Vlanif100
 ap-region id 101
 ap-region id 102
 ap-auth-mode no-auth
 ap id 0
 ap id 1
 wmm-profile name wmm-1 id 1
 traffic-profile name traffic-1 id 1
 security-profile name security-1 id 2
 service-set name huawei-1 id 3
  wlan-ess 0
  ssid huawei-1
  traffic-profile id 1
  service-vlan
  forward-mode tunnel
 service-set name huawei-2 id 4
  wlan-ess 1
  ssid huawei-2
  traffic-profile id 2
  service-vlan 102
  forward-mode tunnel
 radio-profile name radio-1 id 1
  wmm-profile id 1
 ap 0 radio 0
  radio-profile name radio-1
  service-set name huawei-1 wlan 1
 ap 1 radio 0
  radio-profile name radio-1
  service-set name huawei-2 wlan 2
#
return

Configuration file of the switch
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
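The example in this section admits APs with ap-auth-mode no-auth and serves both SSIDs with WEP open system authentication and no encryption. The following Python audit is an added example, not part of the original guide or of any Huawei tool: it reads the wlan view of a saved AC configuration and reports those settings per service set. The function names, the constructed sample configuration, and the assumption that a saved configuration indents each sub-view line one space deeper than its parent are this example's own.

```python
import re

# Constructed sample modelled on the AC configuration file above. Assumption:
# a saved configuration indents each sub-view line one space deeper than its
# parent view, so nesting can be recovered from leading spaces.
SAMPLE_CONFIG = """\
#
wlan
 wlan ac source interface Vlanif100
 ap-auth-mode no-auth
 security-profile name security-1 id 2
  security-policy wep
  wep authentication-method open-system
 security-profile name security-8 id 8
  wpa authentication-method psk pass-phrase PLACEHOLDER encryption-method tkip
 security-profile name security-9 id 9
  wpa2 authentication-method dot1x peap encryption-method ccmp
 service-set name huawei-1 id 3
  ssid huawei-1
  security-profile id 2
 service-set name huawei-2 id 4
  ssid huawei-2
  forward-mode tunnel
 service-set name huawei-3 id 5
  ssid huawei-3
  security-profile name security-9
 service-set name huawei-4 id 6
  ssid huawei-4
  security-profile id 8
#
return
"""

HEADER = re.compile(r"^(security-profile|service-set) name (\S+)(?: id (\d+))?$")
BINDING = re.compile(r"^security-profile (name|id) (\S+)$")


def parse_wlan_view(text):
    """Split the wlan view into top-level lines, security profiles, service sets."""
    top, profiles, service_sets = [], {}, {}
    current, in_wlan = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # a new top-level view or a '#' separator
            in_wlan, current = (line == "wlan"), None
        elif in_wlan and indent == 1:
            match = HEADER.match(line)
            if match:
                kind, name, ident = match.groups()
                current = {"name": name, "id": ident, "lines": []}
                (profiles if kind == "security-profile" else service_sets)[name] = current
            else:
                current = None
                top.append(line)
        elif in_wlan and current is not None:
            current["lines"].append(line)
    return top, profiles, service_sets


def profile_weaknesses(profile):
    """Return the reasons a security profile leaves traffic weakly protected."""
    lines, reasons = profile["lines"], []
    if not lines:
        reasons.append("no explicit policy lines, the device default applies")
    if any(l.startswith("wep authentication-method open-system")
           and "data-encrypt" not in l for l in lines):
        reasons.append("WEP open system without data-encrypt, traffic is unencrypted")
    elif any(l.startswith("wep authentication-method") for l in lines):
        reasons.append("WEP is cryptographically broken")
    if any("encryption-method tkip" in l for l in lines):
        reasons.append("TKIP is deprecated, prefer ccmp")
    return reasons


def audit(text):
    """Return (object, finding) pairs for the weak settings discussed above."""
    top, profiles, service_sets = parse_wlan_view(text)
    findings = []
    if "ap-auth-mode no-auth" in top:
        findings.append(("ac", "ap-auth-mode no-auth, APs go online without a MAC or SN check"))
    for name, sset in service_sets.items():
        refs = [m.groups() for m in map(BINDING.match, sset["lines"]) if m]
        if not refs:
            findings.append((name, "no security-profile bound in the service set"))
            continue
        key, value = refs[-1]  # the last binding line wins
        profile = next((p for p in profiles.values() if p[key] == value), None)
        if profile is None:
            findings.append((name, f"security-profile {key} {value} is not defined"))
            continue
        findings.extend((name, f"{profile['name']}: {r}") for r in profile_weaknesses(profile))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONFIG):
        print(f"{obj:10} {finding}")
```

A service set with no security-profile line is reported rather than assumed safe, because the effective policy then depends on the device default, which the configuration file does not show.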

4 WLAN Network Management

4.1 esight Overview

Introduction to the esight
Huawei esight is a next-generation network management system for enterprise customers. It manages enterprises' resources, services, and users uniformly. The esight manages the IT systems, IP networks, and third-party devices of enterprises. It also provides an open platform, allowing enterprises to build their own intelligent management systems.
The esight is recommended in the enterprise WLAN deployment solution. The esight can monitor resources and nodes including ACs, APs, and STAs, and configure services and nodes including ACs and APs.

Typical Networking
See Figure 2-1 and Figure

Applicable Products and Versions

Table 4-1 Applicable products and versions
Component | Product | Version
NMS server | esight | V200R001C00
AP | WA603SN, WA603DN, WA633SN, WA653SN, WA653DN, WA653EN | V100R003C01
AC | S9300 SPU | V100R006C00
AC | WS6603 | V100R003C05
Access switch | Non-specific (S2700/S3700 is recommended) | Non-specific
Aggregation switch | S9300 | V100R006C00
NAC server | TSM | V100R002C06
DHCP server | Non-specific (external DHCP server, or built-in DHCP server of the switch or AC) | Non-specific
DNS server | Non-specific | Non-specific

Deployment Roadmap

Prerequisites
- Each network element or component has been installed and commissioned and connected using cables, and each network element has been powered on and works properly.
- The operating system and the esight software have been installed on the esight server.
- Each network element has been added to the esight.

Configuration Roadmap
- Configure the WLAN service.
  - Create and configure an AP.
  - Configure an AP region.
  - Configure an AP profile, radio profile, and ESS profile.
  - Enable the AP to go online.
- Monitor the WLAN service.

Precautions
- The AP region, AP profile, radio profile, and ESS profile can be configured in any sequence. The configured AP region, AP profile, radio profile, and ESS profile will be referenced or bound when the AP goes online.
- To enable an AP to go online, configure a whitelist for the AP, add an AP offline, discover an AP, and identify the AP's identity. If automatic discovery of APs is configured, you do not need to perform the preceding operations.
- You can use the esight to view the following information: WLAN summary, AC information, AP information, STA information, SSID information, and rogue AP information.

4.2 Configuring the WLAN Service

Creating and Configuring an AC
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC.
3. Click Create. Click Select in the Create AC window. In the displayed window, select an AC and click OK to create an AC.
4. In the Create AC window, click OK. The AC is created successfully.
5. Click to configure basic AC attributes.
6. Set AP authentication mode and Forwarding type.

Figure 4-1 Configuring basic AC attributes

NOTE
- When the authentication mode is set to no-auth, an AP goes online automatically.
- When the authentication mode is set to MAC address or SN authentication, add an AP, create an AP offline, add the MAC address or SN in the whitelist, and confirm the AP's identity.
- When ESS-based forwarding is used, an AP forwards user data based on the data forwarding mode defined in the bound ESS profile.
- When AP forwarding is used, an AP forwards user data based on the configured data forwarding mode.

Configuring an AP Region
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose WLAN Management > AP Region.
4. Click Create. Set parameters for the AP region in the displayed window.

Figure 4-2 Configuring an AP region

You can use the following deployment modes:
- Sparse mode: All the APs in a region are independently deployed, and therefore there is no signal interference between APs. Each AP is considered as an AP region. However, if one region is created for each AP, the configuration workload is heavy. Therefore, a special region can be created to contain all these APs. The radio parameters of these APs do not need to be calibrated, and every radio works with the maximum transmit power.
- Common mode: APs are loosely deployed in a region. Each radio must work with at least 50% of the maximum transmit power.
- Dense mode: APs in a region are densely located. Each radio must work with at least 25% of the maximum transmit power.

5. Click OK. The added AP region is displayed in the list.

NOTE
Click to modify parameters for the AP region.
Click to configure an AP region as the default AP region.

Configuring Profiles

Configuring an AP Profile
You need to configure an AP profile, a radio profile, and an ESS profile, and bind these profiles to an AP to complete the AP configuration.
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose Manage Profile > AP Profile.
4. Click Create. Set parameters for the AP profile in the displayed window.

Figure 4-3 Configuring the AP profile

5. Click OK.

NOTE
Click to modify parameters of the AP profile.

Configuring a Radio Profile
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose Manage Profile > RF Profile.
4. Click Create. Set parameters for the radio profile in the displayed window.

Figure 4-4 Configuring a radio profile

5. Click OK.

NOTE
Click to modify parameters of the radio profile.

Configuring an ESS Profile
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose Manage Profile > ESS Profile.
4. Click Create. Set parameters for the ESS profile in the displayed window.

Figure 4-5 Configuring an ESS profile

5. Click OK.

NOTE
Click to modify parameters of the ESS profile.

Enabling an AP to Go Online
You can enable an AP to go online in the following scenarios:
- If the AP has been added offline, it can go online directly.
- If the AP is not added offline but its authentication mode is no-auth or the AP's MAC address or SN is in the whitelist, the AP can be added automatically and go online.
- If the AP is not in the whitelist or AP list and its authentication mode is not no-auth, the AP is in the list of unauthenticated APs. You can manually confirm the list of unauthenticated APs to add the AP.

Configuring a Whitelist
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose WLAN Management > AP Whitelist.
4. Click Create. Set parameters for the whitelist in the displayed window.

Figure 4-6 Configuring a whitelist

5. Click OK.

Adding an AP Offline
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose WLAN Management > AP.
4. Click Create. Set parameters for the AP in the displayed window.

Figure 4-7 Adding an AP offline

5. Click Select next to AP region to select the region that the AP belongs to.
6. Click Select next to AP profile to bind an AP profile to the AP.
7. Click Select next to Radio profile to bind a radio profile to the AP.
8. Click Select next to ESS profile to bind an ESS profile to the AP.
9. Click OK.

Confirming the AP's Identity
1. Choose Network Application > WLAN Management.
2. In the navigation tree, choose Resource Management > AC. Click the name of the AC in the right pane.
3. In the navigation tree, choose WLAN Management > Unauthorized AP.
4. Click Synchronize to synchronize all the AP data.
5. If there are unauthorized APs, click Confirm AP Identities.

Figure 4-8 Confirming the AP's identity

4.3 Monitoring the WLAN Service

Viewing the WLAN Summary
1. Choose Network Application > WLAN Management.
2. Choose Overview > Overview. In the right pane, you can view the WLAN summary, including:
   - User count trend in the last 24 hours
   - Resource statistics including the numbers of ACs, fit APs, online fit APs, rogue APs, SSIDs, and STAs
   - Top 5 fit APs
   - Top 5 SSIDs
   - Top 5 alarm devices

Figure 4-9 WLAN summary

Viewing AC Information
1. Choose Network Application > WLAN Management.
2. Choose Resource Management > AC. You can view the AC summary, as shown in Figure

Figure 4-10 AC summary

3. Click the name of an AC to view detailed information about the specified AC, as shown in Figure

Figure 4-11 Detailed information about the specified AC

Viewing AP Information
1. Choose Network Application > WLAN Management.
2. Choose Resource Management > Fit AP. You can view the AP summary, as shown in Figure

Figure 4-12 AP summary

3. Click the name of an AP to view detailed information about the specified AP, as shown in Figure

Figure 4-13 Detailed information about the specified AP

Viewing STA Information
1. Choose Network Application > WLAN Management.
2. Choose Resource Management > STA. You can view the STA information, as shown in Figure

Figure 4-14 STA information

Viewing SSID Information
1. Choose Network Application > WLAN Management.
2. Choose Resource Management > SSID. You can view all the SSID information, as shown in Figure

Figure 4-15 SSID information

Viewing Information About a Rogue AP
A rogue AP is an unauthorized AP or an AP where the security configuration is performed incorrectly. A rogue AP can connect to STAs and allows the STAs to obtain network resources without authorization, wasting network resources.
1. Choose Network Application > WLAN Management.
2. Choose Resource Management > Rogue AP. You can view all the rogue APs, as shown in Figure

The fields are described as follows:
- BSSID: MAC address of an unauthorized AP.
- Channel: APs communicate through channels. When multiple APs exist in a region, at least five channels need to be deployed between two neighboring APs to prevent interference.
- RSSI: received signal strength indicator.

Figure 4-16 Rogue AP information


More information

HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples

HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples Part Number: 5200-1385 Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document

More information

HPE IMC BYOD WLAN MAC Authentication Configuration Examples

HPE IMC BYOD WLAN MAC Authentication Configuration Examples HPE IMC BYOD WLAN MAC Authentication Configuration Examples Part Number: 5200-1389 Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document is subject to change without

More information

Huawei WLAN Interworking Test Report

Huawei WLAN Interworking Test Report 第 1 页, 共 7 页 Huawei WLAN Interworking Test Report Content 1 Overview... 3 2 WLAN Device and Test Solution... 4 2.1 Test Solution... 4 3 Test of the Interconnection Between WLAN Device and Upper-layer RADIUS

More information

Quick Start Guide for Standalone EAP

Quick Start Guide for Standalone EAP Quick Start Guide for Standalone EAP CHAPTERS 1. Determine the Management Method 2. Build the Network Topology 3. Log In to the EAP 4. Edit the SSID 5. Configure and Manage the EAP This guide applies to:

More information

Table of Contents 1 WLAN QoS Configuration 1-1

Table of Contents 1 WLAN QoS Configuration 1-1 Table of Contents 1 WLAN QoS Configuration 1-1 WLAN QoS Overview 1-1 Terminology 1-1 WMM Protocol Overview 1-2 Protocols and Standards 1-4 WMM Configuration 1-4 Configuration Prerequisites 1-4 Configuring

More information

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP)

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP) Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP) Objective A Wireless Access Point (WAP) is a networking device that allows wireless-capable devices to connect to

More information

Securing a Wireless LAN

Securing a Wireless LAN Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo Vendor: HP Exam Code: HP2-Z32 Exam Name: Implementing HP MSM Wireless Networks Version: Demo QUESTION 1 A network administrator deploys several HP MSM APs and an HP MSM Controller. The APs discover the

More information

WISNETWORKS. WisOS 11ac V /3/21. Software version WisOS 11ac

WISNETWORKS. WisOS 11ac V /3/21. Software version WisOS 11ac WISNETWORKS User Manual V1.1 2016/3/21 Software version 1.0.0021 Table of contents 1. Setup& WMI... 3 1.1 Hardware Setup... 3 1.2 Web Management Interface... 3 2. Status... 4 2.1 Overview... 4 2.1.1 System...

More information

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0 WLAN 9100 Release Notes Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release 8.1.0 WAP9114 Release 8.1.0 Avaya Inc - External Distribution 1. Introduction This document provides

More information

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide Table of Contents INTRODUCTION... 4 DISCOVER AND PAIR GWN76XX ACCESS POINTS... 5 Discover GWN76xx... 5 Method 1: Discover

More information

Configuring the EAPs Globally via Omada Controller

Configuring the EAPs Globally via Omada Controller Configuring the EAPs Globally via Omada Controller CHAPTERS 1. Wireless Network 2. Access Control 3. 4. Free Authentication Policy 5. MAC Filter 6. Scheduler 7. QoS 8. System This guide applies to: Omada

More information

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] s@lm@n Cisco Exam 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] Cisco 642-737 : Practice Test Question No : 1 RADIUS is set up with multiple servers

More information

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps Cisco 300-375 Dumps with Valid 300-375 Exam Questions PDF [2018] The Cisco 300-375 Securing Cisco Wireless Enterprise Networks (WISECURE) exam is an ultimate source for professionals to retain their credentials

More information

FAQ on Cisco Aironet Wireless Security

FAQ on Cisco Aironet Wireless Security FAQ on Cisco Aironet Wireless Security Document ID: 68583 Contents Introduction General FAQ Troubleshooting and Design FAQ Related Information Introduction This document provides information on the most

More information

RG-WLAN Series Access Point. Web-Based Configuration Guide, Release 11.1(5)B3

RG-WLAN Series Access Point. Web-Based Configuration Guide, Release 11.1(5)B3 RG-WLAN Series Access Point Guide, Release 11.1(5)B3 Copyright Statement Ruijie Networks 2015 Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification,

More information

User Guide. EAP Controller Software REV

User Guide. EAP Controller Software REV User Guide EAP Controller Software REV 2.0.0 1910011446 Content 1 Quick Start...1 1.1 Determine the Network Topology... 2 Manage EAPs in the LAN...2 Manage EAPs in Different Network Segment...2 1.2 Install

More information

AD SSO Technical White Paper

AD SSO Technical White Paper Issue V1.0 Date 2017-02-28 Huawei Technologies Co., Ltd. 2017. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of

More information

Wireless technology Principles of Security

Wireless technology Principles of Security Wireless technology Principles of Security 1 Wireless technologies 2 Overview This module provides an introduction to the rapidly evolving technology of wireless LANs (WLANs). WLANs redefine the way the

More information

VOCOM II. WLAN Instructions. VOCOM II Tough

VOCOM II. WLAN Instructions. VOCOM II Tough WLAN Instructions VOCOM II Tough 88894000 1 Please make sure the VOCOM II is connected to the computer via USB. Open the VOCOM II Configuration Application. Located under the START menu. The VOCOM II should

More information

Huawei esight LogCenter Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date PUBLIC

Huawei esight LogCenter Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date PUBLIC Huawei esight LogCenter Technical White Paper Issue 1.0 Date 2013-12-03 PUBLIC HUAWEI TECHNOLOGIES CO., LTD. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any

More information

Advanced Anti-DDoS. User Guide. Issue 17 Date HUAWEI TECHNOLOGIES CO., LTD.

Advanced Anti-DDoS. User Guide. Issue 17 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 17 Date 2018-08-13 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Wireless LAN Controller Web Authentication Configuration Example

Wireless LAN Controller Web Authentication Configuration Example Wireless LAN Controller Web Authentication Configuration Example Document ID: 69340 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Web Authentication Process

More information

RG-WLAN Series Access Point. Web-Based Configuration Guide, Release 11.1(5)B8

RG-WLAN Series Access Point. Web-Based Configuration Guide, Release 11.1(5)B8 RG-WLAN Series Access Point Web-Based Configuration Guide, Release 11.1(5)B8 Copyright Statement Ruijie Networks 2016 Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption,

More information

P ART 3. Configuring the Infrastructure

P ART 3. Configuring the Infrastructure P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are

More information

Product Description. HUAWEI B593s-931 LTE CPE V200R001 HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Product Description. HUAWEI B593s-931 LTE CPE V200R001 HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date HUAWEI B593s-931 LTE CPE V200R001 Issue 01 Date 2013-12-19 HUAWEI TECHNOLOGIES CO., LTD. Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. Please feel free

More information

Configuring WLANsWireless Device Access

Configuring WLANsWireless Device Access CHAPTER 6 This chapter describes how to configure up to 16 WLANs for your Cisco UWN Solution. It contains these sections: WLAN Overview, page 6-2 Configuring WLANs, page 6-2 6-1 WLAN Overview Chapter 6

More information

Elastic Load Balance. User Guide. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Elastic Load Balance. User Guide. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 01 Date 2018-04-30 HUAWEI TECHNOLOGIES CO., LTD. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of

More information

User Guide. Omada Controller Software

User Guide. Omada Controller Software User Guide Omada Controller Software 1910012370 REV 2.6.0 March 2018 CONTENTS 1 Quick Start... 1 1.1 Determine the Network Topology...2 1.1.1 Management in the Same Subnet... 2 1.1.2 Management in Different

More information

User Guide. For TP-Link Auranet Access Points

User Guide. For TP-Link Auranet Access Points User Guide For TP-Link Auranet Access Points EAP110 / EAP115 / EAP225 / EAP245 / EAP320 / EAP330 / EAP115-Wall / EAP110-Outdoor 1910012276 REV 2.0.2 October 2017 CONTENTS About this User Guide... 1 Overview...

More information

Configuring the EAPs Separately via Omada Controller

Configuring the EAPs Separately via Omada Controller Configuring the EAPs Separately via Omada Controller CHAPTERS 1. View the Information of the EAP 2. View Clients Connecting to the EAP 3. This guide applies to: Omada Controller 2.6.0. In addition to global

More information

Huawei Enterprise S2700 Series Switches

Huawei Enterprise S2700 Series Switches Huawei Enterprise S2700 Series Switches 2 Product Overview The S2700 series enterprise switches (S2700 for short) are next-generation energy-saving M Ethernet intelligent switches. The S2700 utilizes cutting-edge

More information

Basic Wireless Settings on the CVR100W VPN Router

Basic Wireless Settings on the CVR100W VPN Router Basic Wireless Settings on the CVR100W VPN Router Objective A Wireless Local Area Network (WLAN) utilizes radio communication to connect wireless devices to a LAN. An example is a Wi-Fi hotspot at a cafe.

More information

Part Number: HG532s Home Gateway Product Description. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Part Number: HG532s Home Gateway Product Description. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD. Part Number: 203192 HG532s Home Gateway Issue 01 Date 2012-03-26 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved. No part of this document may be reproduced

More information

Configuring the Wireless Parameters (CPE and WBS)

Configuring the Wireless Parameters (CPE and WBS) Configuring the Wireless Parameters (CPE and WBS) CHAPTERS 1. Configure Basic Wireless Parameters 2. Configure Wireless Client Parameters 3. Configure Wireless AP Parameters 4. Configure Multi-SSID 5.

More information

Chapter 1 Introduction

Chapter 1 Introduction Copyright Statement is the registered trademark of Zonet Technology Inc. All the products and product names mentioned herein are the trademarks or registered trademarks of their respective holders. Copyright

More information

LevelOne. Quick Installation Guide. WHG series Secure WLAN Controller. Introduction. Getting Started. Hardware Installation

LevelOne. Quick Installation Guide. WHG series Secure WLAN Controller. Introduction. Getting Started. Hardware Installation Introduction LevelOne WHG series Secure WLAN Controller LevelOne Secure WLAN Controller is the most advanced yet simple deployment and cost-effective wireless solution; it is an ideal security solution

More information

Quidway S2700 Series Enterprise Switches

Quidway S2700 Series Enterprise Switches Quidway S2700 Series Enterprise Switches Quidway S2700 Series Enterprise Switches Product Overview The Quidway S2700 enterprise switches (S2700 for short) are next-generation energy-saving 100M Ethernet

More information

IP network that supports DHCP or manual assignment of IP address, gateway, and subnet mask

IP network that supports DHCP or manual assignment of IP address, gateway, and subnet mask Network Requirements, page 1 Wireless LAN, page 2 Wi-Fi Network Components, page 3 802.11 Standards for WLAN Communications, page 6 Security for Communications in WLANs, page 9 WLANs and Roaming, page

More information

Security SSID Selection: Broadcast SSID:

Security SSID Selection: Broadcast SSID: 69 Security SSID Selection: Broadcast SSID: WMM: Encryption: Select the SSID that the security settings will apply to. If Disabled, then the device will not be broadcasting the SSID. Therefore it will

More information

DPtech AP1000 Wireless Access Point Series

DPtech AP1000 Wireless Access Point Series Data Sheet DPtech AP1000 Series DPtech AP1000 Wireless Access Point Series Overview DPtech AP1000 series is high-speed wireless access point which based on IEEE 802.11n technology, provide six times greater

More information

Huawei Enterprise Network esight Channel Sales Guide HUAWEI TECHNOLOGIES CO., LTD. Issue 3.2. Date

Huawei Enterprise Network esight Channel Sales Guide HUAWEI TECHNOLOGIES CO., LTD. Issue 3.2. Date Huawei Enterprise Network esight Channel Sales Guide Issue 3.2 Date 2013-11-20 HUAWEI TECHNOLOGIES CO., LTD. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any

More information

Light Mesh AP. User s Guide. 2009/2/20 v1.0 draft

Light Mesh AP. User s Guide. 2009/2/20 v1.0 draft Light Mesh AP User s Guide 2009/2/20 v1.0 draft i FCC Certifications This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.

More information

Configuring OfficeExtend Access Points

Configuring OfficeExtend Access Points Information About OfficeExtend Access Points, page 1 OEAP 600 Series Access Points, page 2 OEAP in Local Mode, page 3 Supported WLAN Settings for 600 Series OfficeExtend Access Point, page 3 WLAN Security

More information

S9700 Core Routing Switch V200R001C00. Configuration Guide - EPON. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

S9700 Core Routing Switch V200R001C00. Configuration Guide - EPON. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD. V200R001C00 Issue 01 Date 2012-03-15 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written

More information

Cisco Exam Implementing Cisco unified Wireless Voice Networks (IUWVN) v2.0 Version: 10.0 [ Total Questions: 188 ]

Cisco Exam Implementing Cisco unified Wireless Voice Networks (IUWVN) v2.0 Version: 10.0 [ Total Questions: 188 ] s@lm@n Cisco Exam 642-742 Implementing Cisco unified Wireless Voice Networks (IUWVN) v2.0 Version: 10.0 [ Total Questions: 188 ] Question No : 1 A client reports that video is not streaming. The administrator

More information

HUAWEI AC PWR Access Controller Datasheet

HUAWEI AC PWR Access Controller Datasheet HUAWEI AC6605-26-PWR Access Controller Datasheet Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means

More information

Document Created by Nick Schuster

Document Created by Nick Schuster Document Created by Nick Schuster Product Overview...4 Introduction... 4 Features... 5 Package Contents... 6 System Requirements... 6 Hardware Overview...7 LEDs... 7 Connections... 7 Basic Installation...8

More information

WAP9112/9114 Quick Start Guide

WAP9112/9114 Quick Start Guide WAP9112/9114 Quick Start Guide Release 7.6 NN47252-308 Issue 02.01 March 2016 Contents Chapter 1: Introduction... 3 Chapter 2: Required Software Components... 4 Chapter 3: Installing or Upgrading Wireless

More information

HUAWEI Secospace USG Series User Management and Control White Paper

HUAWEI Secospace USG Series User Management and Control White Paper Doc. code HUAWEI Secospace USG Series User Management and Control White Paper Issue 1.0 Date 2014-03-27 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.

More information

Configuration Guide. Wireless Controller AC50/AC500

Configuration Guide. Wireless Controller AC50/AC500 Configuration Guide Wireless Controller AC50/AC500 1910012437 REV1.0.2 June 2018 Content About This Guide... 1 1 Quick Start... 2 1.1 Determine the Network Topology... 2 1.1.1 Manage CAPs in the LAN...2

More information

HWTACACS Technology White Paper

HWTACACS Technology White Paper S Series Switches HWTACACS Technology White Paper Issue 1.0 Date 2015-08-08 HUAWEI TECHNOLOGIES CO., LTD. 2015. All rights reserved. No part of this document may be reproduced or transmitted in any form

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 5 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 10 Configuring WLAN-VLAN Mappings on FlexConnect Groups, page 11 Information About FlexConnect

More information

ClearPass QuickConnect 2.0

ClearPass QuickConnect 2.0 ClearPass QuickConnect 2.0 User Guide Copyright 2013 Aruba Networks, Inc. Aruba Networks trademarks include, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo,

More information

Oct 2007 Version 1.01

Oct 2007 Version 1.01 Oct 2007 Version 1.01 Table of Contents Introduction...4 System Requirement...4 Getting Started...4 Installing the Smart WLAN Manager...5 Discovering the Switch and AP...9 Understanding the Screen Layout...12

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-2 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-3 EAP over LAN 1-4 EAP over RADIUS 1-5 802.1X Authentication

More information

Configuring a VAP on the WAP351, WAP131, and WAP371

Configuring a VAP on the WAP351, WAP131, and WAP371 Article ID: 5072 Configuring a VAP on the WAP351, WAP131, and WAP371 Objective Virtual Access Points (VAPs) segment the wireless LAN into multiple broadcast domains that are the wireless equivalent of

More information

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 11 Date 2018-05-28 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD.

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 21 Date 2018-09-30 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Huawei AC PWR Brochure-Detailed

Huawei AC PWR Brochure-Detailed Huawei AC6605-26-PWR Brochure-Detailed Huawei AC6605-26-PWR Brochure-Detailed Huawei AC6605-26-PWR is a high-performance wireless Access Controller (AC) with advanced features. By providing uniform forwarding,

More information

User Guide. Omada Controller Software

User Guide. Omada Controller Software User Guide Omada Controller Software 1910012506 REV 3.2.0 March 2019 CONTENTS 1 Quick Start... 1 1.1 Determine the Network Topology...2 1.1.1 Management on the local Network... 2 1.1.2 Management via Cloud

More information

TopGlobal MB8000 Hotspots Solution

TopGlobal MB8000 Hotspots Solution MB8000 s MB8000 is a mobile/portable wireless communication gateway. It combines the best of Wi-Fi technology and 2.5G/3G mobile communication technology. WISP can deploy their wireless hotspots with MB8000

More information

Template information can be overridden on individual devices.

Template information can be overridden on individual devices. CHAPTER 12 This chapter describes the Controller Template Launch Pad. It is a hub for all controller templates. Templates provide a way to set parameters that you can then apply to multiple devices without

More information

Document Created by Nick Schuster

Document Created by Nick Schuster Document Created by Nick Schuster Table of Contents Product Overview... 4 Introduction... 4 Features... 5 Package Contents... 6 System Requirements... 6 Hardware Overview... 7 LEDs... 7 Connections...

More information

Creating Wireless Networks

Creating Wireless Networks WLANs, page 1 Creating Employee WLANs, page 2 Creating Guest WLANs, page 4 Internal Splash Page for Web Authentication, page 7 Managing WLAN Users, page 9 Adding MAC for Local MAC Filtering on WLANs, page

More information

S Series Switch. Cisco HSRP Replacement. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

S Series Switch. Cisco HSRP Replacement. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD. Cisco HSRP Replacement Issue 01 Date 2013-08-05 HUAWEI TECHNOLOGIES CO., LTD. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior

More information

Huawei AC PWR Wireless Access Controller Datasheet

Huawei AC PWR Wireless Access Controller Datasheet Huawei AC6605-26-PWR Wireless Access Controller Datasheet Wireless Access Controller Datasheet 01 Product Overview... // The AC6605-26-PWR is a high specification wireless access controller (AC) for medium

More information

Huawei Enterprise S2700 Series Switches

Huawei Enterprise S2700 Series Switches 2 Product Overview The S2700 series enterprise switches (S2700s) are next-generation energy-saving intelligent 100M Ethernet switches. The S2700 utilizes cutting-edge switching technologies and Huawei

More information

BGP/MPLS VPN Technical White Paper

BGP/MPLS VPN Technical White Paper V300R001C10 BGP/MPLS VPN Technical White Paper Issue 01 Date 2013-12-10 HUAWEI TECHNOLOGIES CO., LTD. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or

More information

Wireless AC1200 Concurrent Dual Band PoE Access Point

Wireless AC1200 Concurrent Dual Band PoE Access Point DAP-2660 Version 1.00 AirPremier Wireless AC1200 Concurrent Dual Band PoE Access Point Product Overview...5 Introduction... 5 Features... 6 Package Contents... 7 System Requirements... 7 Hardware Overview...8

More information

MSM320, MSM410, MSM422, MSM430,

MSM320, MSM410, MSM422, MSM430, Polycom VIEW Certified Configuration Guide Hewlett-Packard MSM710/720/760/765 Wireless LAN Controller With MSM310, MSM320, MSM410, MSM422, MSM430, MSM46x APs September 2012 1725-36068-001 Rev H Trademarks

More information

NXC Series. Handbook. NXC Controllers NXC 2500/ Default Login Details. Firmware Version 5.00 Edition 19, 5/

NXC Series. Handbook. NXC Controllers NXC 2500/ Default Login Details. Firmware Version 5.00 Edition 19, 5/ NXC Series NXC 2500/ 5500 NXC Controllers Firmware Version 5.00 Edition 19, 5/2017 Handbook Default Login Details LAN Port IP Address https://192.168.1.1 User Name admin Password 1234 Copyright 2017 ZyXEL

More information

Configuring Settings on the Cisco Unified Wireless IP Phone

Configuring Settings on the Cisco Unified Wireless IP Phone CHAPTER 5 Configuring Settings on the Cisco Unified Wireless IP Phone The Settings menu on the Cisco Unified Wireless IP Phone 7921G provides access to view and change network profile settings and several

More information

Product Description. HUAWEI E5180s-610 LTE cube V200R001 HUAWEI TECHNOLOGIES CO., LTD. Issue. Date

Product Description. HUAWEI E5180s-610 LTE cube V200R001 HUAWEI TECHNOLOGIES CO., LTD. Issue. Date HUAWEI E5180s-610 LTE cube V200R001 Issue 01 Date 2014-11-10 HUAWEI TECHNOLOGIES CO., LTD. Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. Please feel

More information

Configuration Guide. Wireless Controller AC50/AC REV 1.0.0

Configuration Guide. Wireless Controller AC50/AC REV 1.0.0 Configuration Guide Wireless Controller AC50/AC500 1910012001 REV 1.0.0 Content About This Guide... 1 1 Quick Start... 2 1.1 Determine the Network Topology... 2 1.1.1 Manage CAPs in the LAN...2 1.1.2 Manage

More information

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ] s@lm@n HP Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ] HP HP2-Z32 : Practice Test Question No : 1 What is a proper use for an ingress VLAN in an HP MSM VSC?

More information

Template information can be overridden on individual devices.

Template information can be overridden on individual devices. CHAPTER 12 This chapter describes the Controller Template Launch Pad. It is a hub for all controller templates. Templates provide a way to set parameters that you can then apply to multiple devices without

More information

Document Created by Nick Schuster

Document Created by Nick Schuster Document Created by Nick Schuster Table of Contents Product Overview... 4 Introduction... 4 Features... 5 Package Contents... 6 System Requirements... 6 Hardware Overview... 7 LEDs... 7 Connections...

More information

EAP200 V2.00. Enterprise Access Point

EAP200 V2.00. Enterprise Access Point EAP200 V2.00 Enterprise Access Point Copyright & Disclaimer Copyright The contents of this publication may not be reproduced in any part or as a whole, stored, transcribed in an information retrieval system,

More information

HUAWEI AR Series SEP Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date

HUAWEI AR Series SEP Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date HUAWEI AR Series SEP Technical White Paper Issue 1.0 Date 2015-01-19 HUAWEI TECHNOLOGIES CO., LTD. 2015. All rights reserved. No part of this document may be reproduced or transmitted in any form or by

More information

Calix T07xG HGU ONT Operation and Maintenance Guide

Calix T07xG HGU ONT Operation and Maintenance Guide Calix T07xG HGU ONT Operation and Maintenance Guide July 2013 #220-00589, Rev 10 Contents About This Document... 5 Revision History... 6 Product Introduction... 7 Chapter 1: ONT Configuration... 11 Web

More information

Procedure: You can find the problem sheet on the Desktop of the lab PCs.

Procedure: You can find the problem sheet on the Desktop of the lab PCs. University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Advance Networks Laboratory 907529 Lab.3 WLAN Security Objectives 1. Configure administrator accounts.

More information

User Guide. Omada Controller Software

User Guide. Omada Controller Software User Guide Omada Controller Software 1910012394 REV 2.7.0 July 2018 CONTENTS 1 Quick Start... 1 1.1 Determine the Network Topology...2 1.1.1 Management in the Same Subnet... 2 1.1.2 Management in Different

More information

Controlled/uncontrolled port and port authorization status

Controlled/uncontrolled port and port authorization status Contents 802.1X fundamentals 1 802.1X architecture 1 Controlled/uncontrolled port and port authorization status 1 802.1X-related protocols 2 Packet formats 2 EAP over RADIUS 4 Initiating 802.1X authentication

More information

Application Example (Standalone EAP)

Application Example (Standalone EAP) Application Example (Standalone EAP) CHAPTERS 1. Determine the Network Requirements 2. Build the Network Topology 3. Log In to the EAP 4. Configure the EAP 5. Test the Network This guide applies to: EAP225-Outdoor

More information

VIEW Certified Configuration Guide. Nortel. WLAN Security Switch 2300 Series with AP January 2008 Edition Version F

VIEW Certified Configuration Guide. Nortel. WLAN Security Switch 2300 Series with AP January 2008 Edition Version F VIEW Certified Configuration Guide Nortel WLAN Security Switch 2300 Series with AP-2330 January 2008 Edition 1725-36082-001 Version F Configuration Guide Trademark Information Polycom and the logo designs

More information

User Guide. EAP Controller Software

User Guide. EAP Controller Software User Guide EAP Controller Software 1910012206 REV 2.4.8 July 2017 CONTENTS 1 Quick Start... 1 1.1 Determine the Network Topology...2 1.1.1 Management in the Same Subnet... 2 1.1.2 Management in Different

More information

WISNETWORKS. WisOS 11ac V /3/21. Software version WisOS 11ac

WISNETWORKS. WisOS 11ac V /3/21. Software version WisOS 11ac WISNETWORKS User Manual V1.1 2016/3/21 Software version 1.0.0021 Table of contents 1. Setup& WMI... 3 1.1 Hardware Setup... 3 1.2 Web Management Interface... 3 2. Status... 4 2.1 Overview... 4 2.1.1 System...

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Configuring Avaya Wireless LAN Controller 8180 with Avaya 8120 Access Points to support Avaya A175 Desktop Video Devices using 802.1X Authentication Issue 1.0

More information