H3C AC Interworking with an External Portal
Enabling aWiFi
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
June 2015
H3C AC aWiFi Enablement Operation Manual
1 Preparation on the BAS side
1. Plan the service VLAN for aWiFi in advance; it must differ from both the inner and outer ChinaNet service VLANs currently in use.
2. The public IP addresses assigned to wireless clients can share the ChinaNet address pool on the BAS.
2 AC version requirements
The H3C AC software version must be V5.20-R2308P14. A lower version cannot interoperate with the Aruba authentication platform, so each branch should contact H3C to upgrade the AC.
3 Global settings on the AC card
1. Enable dhcp-snooping trust on the uplink port of the AC card.
WCMB AC card:
[H3C-AC]interface Ten-GigabitEthernet1/0/1
[H3C-AC-Ten-GigabitEthernet1/0/1]dhcp-snooping trust
WCMD AC card:
[H3C-AC]interface Bridge-Aggregation1
[H3C-AC-Bridge-Aggregation1]dhcp-snooping trust
Note: the WX6103, S7506E and WX7306 chassis all come with the WCMB AC card, whose only uplink is Ten-GigabitEthernet1/0/1.
The WX6108E chassis comes with the WCMD AC card. On it, dhcp-snooping trust must be enabled only on the Bridge-Aggregation1 aggregate interface, not on its member interfaces Ten-GigabitEthernet1/0/1 and 1/0/2; otherwise ChinaNet users will fail to obtain IP addresses.
2. Enable DHCP snooping globally.
[H3C-AC]dhcp-snooping
Note: enable trust on the uplink port before enabling dhcp-snooping globally; otherwise ChinaNet users will fail to obtain IP addresses.
3. Create the WLAN service interface for aWiFi and assign it to the chosen VLAN, e.g. VLAN 1500.
[H3C-AC]interface wlan-ess2
[H3C-AC-wlan-ess2]port access vlan 1500
Note: some ACs already serve a dual-SSID hotspot, so some wlan-ess interface numbers may be in use; each branch should plan the numbering.
4. Create the WLAN service template for aWiFi: define the SSID, set the maximum number of clients per AP allowed on this SSID, bind the WLAN service interface, enable user isolation, and finally enable the service template.
[H3C-AC] wlan service-template 2 clear
[H3C-AC-wlan-st-2] ssid aWiFi
[H3C-AC-wlan-st-2] client max-count 40
[H3C-AC-wlan-st-2] bind WLAN-ESS 2
[H3C-AC-wlan-st-2] user-isolation enable
[H3C-AC-wlan-st-2] service-template enable
Note: some ACs already serve a dual-SSID hotspot, so some service-template numbers may be in use; each branch should plan the numbering.
The service template number and the WLAN service interface number are not required to match, but matching them is recommended for easier maintenance.
5. Create a portal server named awifi: set its IP address to that of the external portal server and specify the URL of the login page. Then globally enable lookup of portal client IP addresses from the dhcp-snooping table.
[H3C-AC]portal server awifi ip 61.160.137.241 url /wifiPortal/ server-type imc
[H3C-AC]portal host-check dhcp-snooping
6. Configure the portal free rules, covering the IP address of the authentication page URL and the provincial DNS addresses.
[H3C-AC] portal free-rule 0 source interface Ten-GigabitEthernet1/0/1 destination any
[H3C-AC] portal free-rule 0 source interface Bridge-Aggregation1 destination any
[H3C-AC] portal free-rule 1 source any destination ip 61.160.137.241 mask 255.255.255.255
[H3C-AC] portal free-rule 3 source any destination ip 218.2.2.2 mask 255.255.255.255
[H3C-AC] portal free-rule 4 source any destination ip 218.2.135.1 mask 255.255.255.255
[H3C-AC] portal free-rule 5 source any destination ip 218.4.4.4 mask 255.255.255.255
[H3C-AC] portal free-rule 6 source any destination ip 61.177.7.1 mask 255.255.255.255
[H3C-AC] portal free-rule 7 source any destination ip 61.147.37.1 mask 255.255.255.255
Note: on a WCMB AC card, set Ten-GigabitEthernet1/0/1 as the authentication-free port; on a WCMD AC card, set Bridge-Aggregation1 instead.
7. Configure the AC portal to carry AP and user parameters in the redirect URL.
[H3C-AC] portal url-param include nas-id param-name apName
[H3C-AC] portal url-param include user-mac param-name mac
[H3C-AC] portal url-param include nas-ip param-name h3cacip
8. Create a RADIUS scheme named awifi and point it at the designated Aruba authentication platform.
[H3C-AC] radius scheme awifi
[H3C-AC-radius-awifi] primary authentication 202.102.41.110
[H3C-AC-radius-awifi] primary accounting 202.102.41.110
[H3C-AC-radius-awifi] key authentication simple haobai
[H3C-AC-radius-awifi] key accounting simple haobai
[H3C-AC-radius-awifi] nas-ip 58.215.135.123
Note: the Aruba authentication platform has several IP addresses; configure the one required. The authentication key is currently set to haobai in all cases. NAS-IP is the AC's own public management IP address.
9. Create a domain named awifi and configure portal authentication, authorization and accounting to use the awifi RADIUS scheme created in step 8.
[H3C-AC] domain awifi
[H3C-AC-isp-awifi] authentication portal radius-scheme awifi
[H3C-AC-isp-awifi] authorization portal radius-scheme awifi
[H3C-AC-isp-awifi] accounting portal radius-scheme awifi
4 Per-AP aWiFi service settings on the AC card
1. Create the service VLAN, e.g. where the service VLAN of a given aWiFi hotspot is 101.
[H3C-AC] vlan 1500
2. Create the VLAN interface for the service VLAN, apply the portal server and the corresponding domain on it, and set the portal NAS-IP address.
[H3C-AC]interface Vlan-interface1500
[H3C-AC-Vlan-interface1500] portal server awifi method direct
[H3C-AC-Vlan-interface1500] portal domain awifi
[H3C-AC-Vlan-interface1500] portal nas-ip 58.215.135.123
3. Enter the view of the AP concerned and apply the aWiFi service template together with the nas-id and nas-port-id.
[H3C-AC] wlan ap jstelecom32f
[H3C-AC-wlan-ap-jstelecom32f] nas-port-id I-WiFi
[H3C-AC-wlan-ap-jstelecom32f] radio 1
[H3C-AC-wlan-ap-jstelecom32f-radio-1] service-template 2 nas-id jstelecom32f
Appendix: a complete example of the relevant AC configuration:
#
version 5.20, Release 2308P14
#
sysname GuoMai_AC1
#
domain default enable system
#
telnet server enable
#
port-security enable
#
dot1x authentication-method eap
#
portal server awifi ip 61.160.137.241 url /wifiPortal/ server-type imc
portal server cgbwx ip 58.215.135.123 url 202.102.41.110// server-type imc
portal server bcmwx ip 58.215.135.123 url 202.102.41.110// server-type imc
portal free-rule 0 source interface Ten-GigabitEthernet1/0/1 destination any
portal free-rule 1 source any destination ip 61.160.137.241 mask 255.255.255.255
portal free-rule 3 source any destination ip 218.2.2.2 mask 255.255.255.255
portal free-rule 4 source any destination ip 218.2.135.1 mask 255.255.255.255
portal free-rule 5 source any destination ip 218.4.4.4 mask 255.255.255.255
portal free-rule 6 source any destination ip 61.177.7.1 mask 255.255.255.255
portal free-rule 7 source any destination ip 61.147.37.1 mask 255.255.255.255
portal url-param include nas-id param-name apName
portal url-param include user-mac param-name mac
portal url-param include nas-ip param-name h3cacip
portal host-check dhcp-snooping
#
vlan 1
#
vlan 48
#
vlan 1500
#
vlan 701 to 740
#
vlan 2661
description BoComm WIFI
#
vlan 2662
#
radius scheme awifi
primary authentication 202.102.41.111
primary accounting 202.102.41.111
key authentication cipher $c$3$vGFyx/fzlfE/dXmzeqEU7RGkWM+A3Ty+
key accounting cipher $c$3$FlsQFdUxFhrjbvW73BU+X6K3nfnGLIlD
user-name-format without-domain
nas-ip 58.215.135.123
radius scheme eap
server-type extended
primary authentication 221.231.151.10
primary accounting 221.231.151.10
key authentication cipher $c$3$AuF7b+i09ifHBB6uQtGc14YxKbMj0JL3+no=
key accounting cipher $c$3$o1jrlBnKIVhr5s6BS5Ck3pd5XjFre666mlM=
user-name-format keep-original
nas-ip 58.215.135.123
retry stop-accounting 10
#
domain eap
authentication lan-access radius-scheme eap
authorization lan-access radius-scheme eap
accounting lan-access radius-scheme eap
access-limit disable
state active
idle-cut disable
self-service-url disable
domain awifi
authentication portal radius-scheme awifi
authorization portal radius-scheme awifi
accounting portal radius-scheme awifi
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$JvB3TU6DkwokktR2uX/6vloG5N7C0oxWMv6VxiZU
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
local-user daiwei
password cipher $c$3$Z1zIrkz90lRdPADqe7perTGkIZXFSGcL1ILvMA==
authorization-attribute level 1
service-type telnet
service-type web
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 5.5
dot11b supported-rate 11
dot11b disabled-rate 1 2
dot11g mandatory-rate 6 9
dot11g supported-rate 12 18 24 36 48 54
dot11g disabled-rate 1 2 5.5 11
dot11n max-bandwidth 180000
dot11bg calibrate-channel
#
wlan radio-policy test
beacon-interval 1000
#
wlan service-template 1 clear
ssid ChinaNet
bind WLAN-ESS 1
client max-count 30
user-isolation enable
service-template enable
#
wlan service-template 2 clear
ssid aWiFi
bind WLAN-ESS 2
client max-count 30
user-isolation enable
service-template enable
#
wlan service-template 101 clear
ssid BoComm
bind WLAN-ESS 101
client max-count 30
user-isolation enable
service-template enable
#
wlan service-template 102 clear
ssid CGB_WIFI
bind WLAN-ESS 102
client max-count 30
user-isolation enable
service-template enable
#
wlan service-template 22 crypto
ssid ChinaNet-AUTO
bind WLAN-ESS 22
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface NULL0
#
interface Vlan-interface48
ip address 58.215.135.123 255.255.255.248
#
interface Vlan-interface1500
portal server awifi method direct
portal domain awifi
portal nas-ip 58.215.135.123
#
interface Vlan-interface2661
portal server bcmwx method direct
portal domain lan
portal nas-id bcmwx
portal nas-ip 58.215.135.123
#
interface Vlan-interface2662
portal server cgbwx method direct
portal domain lan
portal nas-id cgbwx
portal nas-ip 58.215.135.123
#
interface M-GigabitEthernet1/0/0
#
interface Ten-GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
dhcp-snooping trust
#
interface WLAN-ESS1
port link-type hybrid
undo port hybrid vlan 1
mac-vlan enable
#
interface WLAN-ESS2
port access vlan 1500
#
interface WLAN-ESS22
description 802.1x
port link-type hybrid
port hybrid vlan 1 untagged
mac-vlan enable
port-security port-mode userlogin-secure-ext
port-security tx-key-type 11key
undo dot1x handshake
dot1x mandatory-domain eap
#
interface WLAN-ESS101
port access vlan 2661
#
interface WLAN-ESS102
port access vlan 2662
#
wlan ap 4fenju2f model WA1208E-GP id 1
serial-id 210235A32MC084001696
client idle-timeout 1200
client keep-alive 60
nas-port-id I-WiFi
radio 1
channel 6
service-template 1 vlan-id 729
service-template 2 nas-id 4fenju2f
radio enable
#
dhcp-snooping
#
return
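As an added example (not part of this manual and not an H3C tool), the following Python audit reads a saved AC configuration and reports the pitfalls the procedure above warns about: a portal server IP with no matching /32 free rule (login page unreachable), a free rule wider than one host (an unauthenticated path around the portal), a RADIUS key entered with the simple keyword, a domain referencing an undefined RADIUS scheme, and global dhcp-snooping without a trusted uplink. The embedded configuration is constructed for the demonstration and deliberately contains each mistake.

```python
import re
# Constructed excerpt modelled on the manual's appendix config; not any real AC's running-config.
SAMPLE_CONFIG = """\
portal server awifi ip 61.160.137.241 url /wifiPortal/ server-type imc
portal free-rule 1 source any destination ip 61.160.137.241 mask 255.255.255.255
portal free-rule 3 source any destination ip 218.2.2.2 mask 255.255.0.0
radius scheme awifi
 key authentication simple haobai
domain awifi
 authentication portal radius-scheme lan
interface Vlan-interface1500
 portal server awifi method direct
 portal domain awifi
dhcp-snooping
"""
def parse_blocks(text):
    # Map each unindented Comware line to its indented sub-lines; '#' or a blank line ends a block.
    blocks, cur = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            cur = None
        elif raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            blocks[cur] = []
    return blocks

def audit_portal_config(text):
    # Return one finding per pitfall that this manual's procedure warns about.
    blocks, findings = parse_blocks(text), []
    servers = {m[1]: m[2] for m in map(re.compile(r"portal server (\S+) ip (\S+)").match, blocks) if m}
    schemes = {t.split()[2] for t in blocks if t.startswith("radius scheme ")}
    host_rules = set(re.findall(r"destination ip (\S+) mask 255\.255\.255\.255", text))
    for name, ip in servers.items():  # the login page must be reachable before authentication
        if ip not in host_rules:
            findings.append(f"portal server {name}: no /32 free-rule for {ip}; login page unreachable")
    for m in re.finditer(r"free-rule (\d+) source any destination ip (\S+) mask (\S+)", text):
        if m[3] != "255.255.255.255":  # wider than one host is an unauthenticated bypass of the portal
            findings.append(f"free-rule {m[1]}: mask {m[3]} on {m[2]} exempts more than one host")
    for t, body in blocks.items():
        joined = " ".join(body)
        if t.startswith("radius scheme ") and " simple " in joined:
            findings.append(f"{t}: shared key entered with 'simple' (plaintext)")
        if t.startswith("domain "):
            findings += [f"{t}: references undefined radius scheme {r}"
                         for r in re.findall(r"radius-scheme (\S+)", joined) if r not in schemes]
    if "dhcp-snooping" in blocks and not any("dhcp-snooping trust" in b for b in blocks.values()):
        findings.append("dhcp-snooping is global but no uplink is trusted: DHCP replies will be dropped")
    return findings
```

Running `audit_portal_config(SAMPLE_CONFIG)` yields four findings; fix each one in the sample (a /32 mask, a cipher key, radius-scheme awifi, and dhcp-snooping trust on the uplink) and the list is empty.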