
      35 - Local Portal Authentication with SSID-Bound Authentication Pages: Typical Configuration Example

      Time: 2019-05-13 04:24:31    Author: uploaded by a member

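      Part 1: 35 - Local Portal Authentication with SSID-Bound Authentication Pages: Typical Configuration Example

      Local Portal Authentication with SSID-Bound Authentication Pages: Typical Configuration Example

      Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

      No part of this document may be excerpted or reproduced, in whole or in part, or distributed in any form by any organization or individual without the written permission of the company. The information in this document is subject to change without notice.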

      Contents

      1 Introduction
      2 Prerequisites
      3 Configuration example
        3.1 Network requirements
        3.2 Configuration approach
        3.3 Configuration notes
        3.4 Configuration procedure
          3.4.1 Configuring the AC
          3.4.2 Configuring the Switch
          3.4.3 Configuring the RADIUS server
        3.5 Verifying the configuration
        3.6 Configuration files
      4 Related documentation

      1 Introduction

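      This document describes a typical configuration example for binding local Portal authentication pages by SSID.

      2 Prerequisites

      This document is not strictly tied to specific software or hardware versions. If what you see during use differs from the actual product, refer to the relevant product manuals or go by the actual behaviour of the device.

      All configurations in this document were made and verified in a lab environment, and all device parameters were at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in the following example.

      This document assumes that you are familiar with AAA, WLAN wireless access, and Portal authentication.

      3 Configuration example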

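      3.1 Network requirements

      As shown in Figure 1, the RADIUS server acts as the authentication/accounting server, and the Switch acts as the DHCP server that assigns IP addresses to the AP and the Clients. Using the feature that binds local Portal authentication pages by SSID, the requirements are:

      • When a wireless client joins the network through the SSID named service1, Portal authentication pushes a custom authentication page.
      • When a wireless client joins the network through the SSID named service2, Portal authentication pushes the system default authentication page.

      Figure 1 Network diagram for local Portal authentication with SSID-bound authentication pages

      [Figure 1 labels: RADIUS server 8.1.1.5/24; AC/Portal server; Switch/DHCP server; AP; Client 1 (SSID: service1); Client 2 (SSID: service2); Vlan-int100 188.10.0.6/16; Vlan-int300 188.30.0.6/16; Vlan-int100 188.10.0.2/16]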

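      3.2 Configuration approach

      To have the custom authentication page pushed when wireless clients connect through service1, edit the custom authentication page and upload it to the AC.

      3.3 Configuration notes

      When configuring the AP's serial number, make sure that the serial number corresponds uniquely to the AP. The serial number can be obtained from the label on the back of the AP.

      3.4 Configuration procedure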

      3.4.1 Configuring the AC

      (1) Configure the AC interfaces

      # Create VLAN 100 and its VLAN interface, and assign an IP address to the interface. The AC uses this interface's IP address to establish the LWAPP tunnel with the AP.

      <AC> system-view
      [AC] vlan 100
      [AC-vlan100] quit
      [AC] interface vlan-interface 100
      [AC-Vlan-interface100] ip address 188.10.0.6 16
      [AC-Vlan-interface100] quit

      # Create VLAN 200 as the default VLAN of the ESS interfaces.

      [AC] vlan 200
      [AC-vlan200] quit

      # Create VLAN 300 as the service VLAN for client access, and configure its interface IP address.

      [AC] vlan 300
      [AC-vlan300] quit
      [AC] interface vlan-interface 300
      [AC-Vlan-interface300] ip address 188.30.0.6 16
      [AC-Vlan-interface300] quit

      # Configure GigabitEthernet1/0/1, which connects the AC to the Switch, as a trunk port and permit VLAN 100, VLAN 200 and VLAN 300.

      [AC] interface GigabitEthernet1/0/1
      [AC-GigabitEthernet1/0/1] port link-type trunk
      [AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200 300
      [AC-GigabitEthernet1/0/1] quit

      (2) Configure the authentication policy and the authentication domain

      # Create the RADIUS scheme office on the AC and enter its view.

      [AC] radius scheme office

      # Configure the primary authentication server of the RADIUS scheme and its communication key.

      [AC-radius-office] primary authentication 8.1.1.5
      [AC-radius-office] key authentication 123456

      # Configure user names sent to the RADIUS server not to carry the ISP domain name.

      [AC-radius-office] user-name-format without-domain
      [AC-radius-office] quit

      # Set the source IP address of outgoing RADIUS packets to 188.10.0.6.

      [AC] radius nas-ip 188.10.0.6

      # Create the ISP domain office and enter its view.

      [AC] domain office

      # For Portal users, set the AAA authentication and authorization methods to the RADIUS scheme office, with no accounting.

      [AC-isp-office] authentication portal radius-scheme office
      [AC-isp-office] authorization portal radius-scheme office
      [AC-isp-office] accounting portal none
      [AC-isp-office] quit

      (3) Configure Portal

      # Configure the Portal server: the name is office and the IP address is 188.10.0.6.

      [AC] portal server office ip 188.10.0.6

      # Configure the local Portal server to support HTTP.

      [AC] portal local-server http

      # Enable Portal on the VLAN 300 interface, where the users reside.

      [AC] interface vlan-interface 300
      [AC-Vlan-interface300] portal server office method direct

      # Specify office as the authentication domain for Portal users.

      [AC-Vlan-interface300] portal domain office
      [AC-Vlan-interface300] quit

      (4) Configure the WLAN service

      # Create interface WLAN-ESS 1 and set the link type of the port to Hybrid.

      [AC] interface wlan-ess 1
      [AC-WLAN-ESS1] port link-type hybrid

      # Set the PVID of the Hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.

      [AC-WLAN-ESS1] undo port hybrid vlan 1
      [AC-WLAN-ESS1] port hybrid vlan 200 untagged
      [AC-WLAN-ESS1] port hybrid pvid vlan 200
      [AC-WLAN-ESS1] mac-vlan enable
      [AC-WLAN-ESS1] quit

      # Create interface WLAN-ESS 2 and set the link type of the port to Hybrid.

      [AC] interface wlan-ess 2
      [AC-WLAN-ESS2] port link-type hybrid

      # Set the PVID of the Hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.

      [AC-WLAN-ESS2] undo port hybrid vlan 1
      [AC-WLAN-ESS2] port hybrid vlan 200 untagged
      [AC-WLAN-ESS2] port hybrid pvid vlan 200
      [AC-WLAN-ESS2] mac-vlan enable
      [AC-WLAN-ESS2] quit

      # Configure WLAN service template 1 with the SSID service1, bind interface WLAN-ESS 1 to the service template, and enable the wireless service.

      [AC] wlan service-template 1 clear
      [AC-wlan-st-1] ssid service1
      [AC-wlan-st-1] bind wlan-ess 1
      [AC-wlan-st-1] service-template enable
      [AC-wlan-st-1] quit

      # Configure WLAN service template 2 with the SSID service2, bind interface WLAN-ESS 2 to the service template, and enable the wireless service.

      [AC] wlan service-template 2 clear
      [AC-wlan-st-2] ssid service2
      [AC-wlan-st-2] bind wlan-ess 2
      [AC-wlan-st-2] service-template enable
      [AC-wlan-st-2] quit

      # Create the AP management template officeap, select the model name WA2620E-AGN, and configure the AP's serial number.

      [AC] wlan ap officeap model WA2620E-AGN
      [AC-wlan-ap-officeap] serial-id 21023529G007C000020

      # Enter radio 2 view.

      [AC-wlan-ap-officeap] radio 2

      # Bind service templates 1 and 2 to Radio 2 of the AP, set the VLAN bound to Radio 2 to VLAN 300, and enable Radio 2.

      [AC-wlan-ap-officeap-radio-2] service-template 1 vlan-id 300
      [AC-wlan-ap-officeap-radio-2] service-template 2 vlan-id 300
      [AC-wlan-ap-officeap-radio-2] radio enable
      [AC-wlan-ap-officeap-radio-2] quit
      [AC-wlan-ap-officeap] quit

      (5) Upload the custom authentication page file to the AC

      # Upload the local custom authentication page file ssid1.zip to the AC through FTP (procedure omitted), and use the dir *.zip command to view the uploaded file.

      <AC> dir *.zip
      Directory of cfa0:/
         0     -rw-     66127  Nov 27 2013 10:39:08   ssid1.zip
      1020068 KB total (502420 KB free)
      File system type of cfa0: FAT32

      (6) Bind the SSID to the custom page file

      # Bind the SSID service1 to the page file ssid1.zip.

      <AC> system-view
      [AC] portal local-server bind ssid service1 file ssid1.zip

      3.4.2 Configuring the Switch

      # Create VLAN 100 and VLAN 300. VLAN 100 forwards the traffic inside the LWAPP tunnel between the AC and the AP, and VLAN 300 is the VLAN through which wireless users access the network.

      <Switch> system-view
      [Switch] vlan 100
      [Switch-vlan100] quit
      [Switch] vlan 300
      [Switch-vlan300] quit

      # Configure GigabitEthernet1/0/1, which connects the Switch to the AC, as a trunk port, set the PVID of the trunk port to 100, and permit VLAN 100.

      [Switch] interface GigabitEthernet1/0/1
      [Switch-GigabitEthernet1/0/1] port link-type trunk
      [Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
      [Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
      [Switch-GigabitEthernet1/0/1] quit

      # Configure GigabitEthernet1/0/2, which connects the Switch to the AP, as an access port and permit VLAN 100.

      [Switch] interface GigabitEthernet1/0/2
      [Switch-GigabitEthernet1/0/2] port link-type access
      [Switch-GigabitEthernet1/0/2] port access vlan 100

      # Enable PoE.

      [Switch-GigabitEthernet1/0/2] poe enable
      [Switch-GigabitEthernet1/0/2] quit

      # Enable the DHCP service on the Switch.

      [Switch] dhcp enable

      # Create the DHCP address pool vlan100 with the address range 188.10.0.2 to 188.10.0.5 and the gateway address 188.10.0.6, to assign IP addresses to the AP.

      [Switch] dhcp server ip-pool vlan100 extended
      [Switch-dhcp-pool-vlan100] network ip range 188.10.0.2 188.10.0.5
      [Switch-dhcp-pool-vlan100] network mask 255.255.255.0
      [Switch-dhcp-pool-vlan100] gateway-list 188.10.0.6
      [Switch-dhcp-pool-vlan100] quit

      # Create the DHCP address pool vlan300 with the address range 188.30.0.2 to 188.30.0.5 and the gateway address 188.30.0.6, to assign IP addresses to the Clients.

      [Switch] dhcp server ip-pool vlan300 extended
      [Switch-dhcp-pool-vlan300] network ip range 188.30.0.2 188.30.0.5
      [Switch-dhcp-pool-vlan300] network mask 255.255.255.0
      [Switch-dhcp-pool-vlan300] gateway-list 188.30.0.6
      [Switch-dhcp-pool-vlan300] quit

      3.4.3 Configuring the RADIUS server

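      The following uses iMC as an example (iMC versions used: iMC PLAT 7.0 (E0202) and iMC UAM 7.0 (E0202)) to describe the basic configuration of the RADIUS server.

      # Add an access device

      Log in to the iMC management platform, select the "User" tab, click the [Access Policy Management/Access Device Management/Access Device Configuration] menu item in the navigation tree, click the "Add" button to enter the "Add Access Device" page, and click the <Add Manually> button to enter the "Add Access Device Manually" page.

      • Enter 188.10.0.6 as the start IP address. This IP address is the nas-ip address configured in radius scheme view on the AC.
      • Click the <OK> button to complete the operation.
      • On the "Access Configuration" page, set the shared key to 123456. This shared key is the same as the key configured on the AC for the RADIUS server.
      • Use the page defaults for the other settings.
      • Click the <OK> button to complete the operation.

      # Configure the access policy

      Select the "User" tab, click the [Access Policy Management/Access Policy Management] menu item in the navigation tree, and click the <Add> button to enter the "Add Access Policy" page.

      • Enter portal as the access policy name. The name can be chosen freely.
      • Use the page defaults for the other settings.
      • Click the <OK> button to complete the operation.

      # Configure the access service

      Select the "User" tab, click the [Access Policy Management/Access Service Management] menu item in the navigation tree, and click the <Add> button to enter the "Add Access Service" page.

      • Enter portal as the service name. The name can be chosen freely.
      • Select "portal" as the default access policy, that is, the access policy name configured in the previous step.
      • Use the page defaults for the other settings.
      • Click the <OK> button to complete the operation.

      # Configure the access user

      Select the "User" tab and click the [Add User] menu item in the navigation tree to enter the "Add User" page.

      • Enter Test as the user name. The name can be chosen freely.
      • Enter 123 as the ID number. The value can be chosen freely.
      • Use the page defaults for the other settings.
      • Click the <OK> button to complete the operation.

      After the user is added, the "Add User Result" page is displayed. Click [Add User Account] to enter the "Add Access User" view.

      In the "Add Access User" view:

      • Enter test as the account name. The name can be chosen freely.
      • Enter 123456 as the password. The value can be chosen freely.
      • For the access service, select the access service "portal" configured in the previous step.
      • Use the page defaults for the other settings.
      • Click the <OK> button to complete the operation.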

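      3.5 Verifying the configuration

      # After Client 1 comes online through the wireless service service1, the custom authentication page is displayed during Portal authentication.

      Figure 2 Custom authentication page

      # After Client 2 comes online through the wireless service service2, no custom authentication page is bound to that SSID, so the system default authentication page is pushed to the client during Portal authentication.

      Figure 3 System default authentication page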

      3.6 Configuration files

      • AC:

      #
       radius nas-ip 188.10.0.6
      #
       portal server office ip 188.10.0.6
       portal local-server http
       portal local-server bind ssid service1 file ssid1.zip
      #
      vlan 100
      #
      vlan 200
      #
      vlan 300
      #
      radius scheme office
       primary authentication 8.1.1.5
       key authentication cipher $c$3$lRA4cjtdvxqsRUuMR42kkQWa3b9Yw9Hk7A==
       user-name-format without-domain
      #
      domain office
       authentication portal radius-scheme office
       authorization portal radius-scheme office
       accounting portal none
       access-limit disable
       state active
       idle-cut disable
       self-service-url disable
      #
      wlan service-template 1 clear
       ssid service1
       bind WLAN-ESS 1
       service-template enable
      #
      wlan service-template 2 clear
       ssid service2
       bind WLAN-ESS 2
       service-template enable
      #
      interface GigabitEthernet1/0/1
       port link-type trunk
       port trunk permit vlan 100 200 300
      #
      interface Vlan-interface100
       ip address 188.10.0.6 255.255.0.0
      #
      interface Vlan-interface300
       ip address 188.30.0.6 255.255.0.0
       portal server office method direct
       portal domain office
      #
      interface WLAN-ESS1
       port link-type hybrid
       undo port hybrid vlan 1
       port hybrid vlan 200 untagged
       port hybrid pvid vlan 200
       mac-vlan enable
      #
      interface WLAN-ESS2
       port link-type hybrid
       undo port hybrid vlan 1
       port hybrid vlan 200 untagged
       port hybrid pvid vlan 200
       mac-vlan enable
      #
      wlan ap officeap model WA2620E-AGN id 1
       serial-id 21023529G007C000020
       radio 1
       radio 2
        service-template 1 vlan-id 300
        service-template 2 vlan-id 300
        radio enable
      #

      • Switch:

      #
      vlan 100
      #
      vlan 300
      #
      dhcp server ip-pool vlan100 extended
       network ip range 188.10.0.2 188.10.0.5
       network mask 255.255.255.0
       gateway-list 188.10.0.6
      #
      dhcp server ip-pool vlan300 extended
       network ip range 188.30.0.2 188.30.0.5
       network mask 255.255.255.0
       gateway-list 188.30.0.6
      #
      interface GigabitEthernet1/0/1
       port link-mode bridge
       port link-type trunk
       port trunk permit vlan 1 100
       port trunk pvid vlan 100
      #
      interface GigabitEthernet1/0/2
       port link-mode bridge
       port access vlan 100
       poe enable
      #

      4 Related documentation

      • H3C WX Series Access Controllers Configuration Guide, "WLAN Configuration Guide".
      • H3C WX Series Access Controllers Command Reference, "WLAN Command Reference".
      • H3C WX Series Access Controllers Configuration Guide, "Security Configuration Guide".
      • H3C WX Series Access Controllers Command Reference, "Security Command Reference".

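      Part 2: 45 - SSID-Based Web Interface Access Control: Typical Configuration Example

      SSID-Based Web Interface Access Control: Typical Configuration Example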


      Contents

      1 Introduction
      2 Prerequisites
      3 Configuration example
        3.1 Network requirements
        3.2 Configuration approach
        3.3 Configuration notes
        3.4 Configuration procedure
          3.4.1 Configuring the AC
          3.4.2 Configuring the Switch
        3.5 Verifying the configuration
        3.6 Configuration files
      4 Related documentation

      1 Introduction

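      This document describes a typical configuration example for SSID-based Web interface access control.

      2 Prerequisites

      This document is not strictly tied to specific software or hardware versions. If what you see during use differs from the actual product, refer to the relevant product manuals or go by the actual behaviour of the device.

      All configurations in this document were made and verified in a lab environment, and all device parameters were at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in the following example.

      This document assumes that you are familiar with WLAN access, WLAN ACLs, and HTTP.

      3 Configuration example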

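      3.1 Network requirements

      As shown in Figure 1, the AC is connected to the AP through the Switch, and the DHCP server assigns IP addresses to the AP and the Client. Access to the AC through Web pages must be controlled according to the SSID through which a wireless client connects, as follows:

      • When the Client joins the wireless network through the SSID named "service2", it can access the AC through the Web.
      • When the Client joins through the SSID named "service1", it cannot access the AC through the Web.

      Figure 1 Network diagram for SSID-based Web interface access control

      [Figure 1 labels: DHCP server; AC; Switch; AP; Client; GE1/0/1; GE1/0/2; GE1/0/3; Vlan-int100 192.168.1.1/24; Vlan-int300 192.168.3.1/24]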

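      3.2 Configuration approach

      To allow Clients associated with the SSID service2 to access the AC through the Web, configure a WLAN ACL on the AC that permits only packets from Clients associated with the SSID service2, and associate the HTTP service with the WLAN ACL.

      3.3 Configuration notes

      • A WLAN ACL contains the default rule rule 0 deny. Run the undo rule 0 command to delete this default rule.
      • When configuring the AP's serial number, make sure that the serial number corresponds uniquely to the AP. The serial number can be obtained from the label on the back of the AP.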

      3.4 Configuration procedure

      3.4.1 Configuring the AC

      (1) Configure the AC interfaces

      # Create VLAN 100 and its VLAN interface, and assign an IP address to the interface. The AC uses this interface's IP address to establish the LWAPP tunnel with the AP.

      <AC> system-view
      [AC] vlan 100
      [AC-vlan100] quit
      [AC] interface vlan-interface 100
      [AC-Vlan-interface100] ip address 192.168.1.1 24
      [AC-Vlan-interface100] quit

      # Create VLAN 200 as the default VLAN of the WLAN-ESS interfaces.

      [AC] vlan 200
      [AC-vlan200] quit

      # Create VLAN 300 as the service VLAN for client access, and configure the IP address of the VLAN 300 interface.

      [AC] vlan 300
      [AC-vlan300] quit
      [AC] interface vlan-interface 300
      [AC-Vlan-interface300] ip address 192.168.3.1 24
      [AC-Vlan-interface300] quit

      # Configure GigabitEthernet1/0/1 as a Trunk port, deny VLAN 1 packets, permit VLAN 100 and VLAN 300, and set the PVID to 100.

      [AC] interface gigabitethernet 1/0/1
      [AC-GigabitEthernet1/0/1] port link-type trunk
      [AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
      [AC-GigabitEthernet1/0/1] port trunk permit vlan 100 300
      [AC-GigabitEthernet1/0/1] port trunk pvid vlan 100
      [AC-GigabitEthernet1/0/1] quit

      # Create interface WLAN-ESS1 and set the link type of the port to Hybrid.

      [AC] interface wlan-ess 1
      [AC-WLAN-ESS1] port link-type hybrid

      # Set the PVID of the Hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.

      [AC-WLAN-ESS1] undo port hybrid vlan 1
      [AC-WLAN-ESS1] port hybrid vlan 200 untagged
      [AC-WLAN-ESS1] port hybrid pvid vlan 200

      # Enable MAC VLAN.

      [AC-WLAN-ESS1] mac-vlan enable
      [AC-WLAN-ESS1] quit

      # Create interface WLAN-ESS2 and set the link type of the port to Hybrid.

      [AC] interface wlan-ess 2
      [AC-WLAN-ESS2] port link-type hybrid

      # Set the PVID of the Hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.

      [AC-WLAN-ESS2] undo port hybrid vlan 1
      [AC-WLAN-ESS2] port hybrid vlan 200 untagged
      [AC-WLAN-ESS2] port hybrid pvid vlan 200

      # Enable MAC VLAN.

      [AC-WLAN-ESS2] mac-vlan enable
      [AC-WLAN-ESS2] quit

      (2) Configure the wireless service

      # Create service template 1 of the clear type.

      [AC] wlan service-template 1 clear

      # Set the SSID of the service template to service1.

      [AC-wlan-st-1] ssid service1

      # Bind interface WLAN-ESS1 to service template 1.

      [AC-wlan-st-1] bind wlan-ess 1

      # Enable the wireless service.

      [AC-wlan-st-1] service-template enable
      [AC-wlan-st-1] quit

      # Create service template 2 of the clear type.

      [AC] wlan service-template 2 clear

      # Set the SSID of the service template to service2.

      [AC-wlan-st-2] ssid service2

      # Bind interface WLAN-ESS2 to service template 2.

      [AC-wlan-st-2] bind wlan-ess 2

      # Enable the wireless service.

      [AC-wlan-st-2] service-template enable
      [AC-wlan-st-2] quit

      (3) Configure the radio interface and bind the service templates

      # Create the AP management template officeap and select the model WA2620E-AGN.

      [AC] wlan ap officeap model WA2620E-AGN

      # Set the AP's serial number to 210235A29G007C000020.

      [AC-wlan-ap-officeap] serial-id 210235A29G007C000020

      # Enter radio 2 view.

      [AC-wlan-ap-officeap] radio 2

      # Associate the clear-type service templates 1 and 2 configured on the AC with radio 2, and set the VLAN bound to the radio interface to VLAN 300.

      [AC-wlan-ap-officeap-radio-2] service-template 1 vlan-id 300
      [AC-wlan-ap-officeap-radio-2] service-template 2 vlan-id 300

      # Enable radio 2 of the AP.

      [AC-wlan-ap-officeap-radio-2] radio enable
      [AC-wlan-ap-officeap-radio-2] quit

      (4) Configure the WLAN ACL

      # Create WLAN ACL 199 and delete default rule 0 from ACL 199.

      [AC] acl number 199
      [AC-acl-wlan-199] undo rule 0

      # Configure rule 1: permit packets from WLAN users whose SSID is service2.

      [AC-acl-wlan-199] rule 1 permit ssid service2
      [AC-acl-wlan-199] quit

      # Associate the HTTP service with ACL 199.

      [AC] ip http acl 199

      3.4.2 Configuring the Switch

      # Create VLAN 100 and VLAN 300. VLAN 100 forwards the traffic inside the LWAPP tunnel between the AC and the AP, and VLAN 300 is the VLAN through which wireless clients access the network.

      <Switch> system-view
      [Switch] vlan 100
      [Switch-vlan100] quit
      [Switch] vlan 300
      [Switch-vlan300] quit

      # Configure GigabitEthernet1/0/1 on the Switch as a Trunk port, deny VLAN 1 packets, permit VLAN 100 and VLAN 300, and set the PVID to 100.

      [Switch] interface gigabitethernet 1/0/1
      [Switch-GigabitEthernet1/0/1] port link-type trunk
      [Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
      [Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 300
      [Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
      [Switch-GigabitEthernet1/0/1] quit

      # Configure GigabitEthernet1/0/2, which connects the Switch to the AP, as an Access port and permit VLAN 100.

      [Switch] interface gigabitethernet 1/0/2
      [Switch-GigabitEthernet1/0/2] port link-type access
      [Switch-GigabitEthernet1/0/2] port access vlan 100

      # Enable PoE on GigabitEthernet1/0/2, which connects the Switch to the AP.

      [Switch-GigabitEthernet1/0/2] poe enable
      [Switch-GigabitEthernet1/0/2] quit

      # Configure GigabitEthernet1/0/3, which connects the Switch to the DHCP server, as an Access port and permit VLAN 100.

      [Switch] interface gigabitethernet 1/0/3
      [Switch-GigabitEthernet1/0/3] port link-type access
      [Switch-GigabitEthernet1/0/3] port access vlan 100
      [Switch-GigabitEthernet1/0/3] quit

      3.5 Verifying the configuration

      # After a wireless client associates with the SSID service2, it can access the AC through the Web normally.

      # After a wireless client associates with the SSID service1, it cannot access the AC through the Web.

      3.6 Configuration files

      • AC:

      #
       ip http acl 199
      #
      acl number 199
       rule 1 permit ssid service2
      #
      vlan 100
      #
      vlan 200
      #
      vlan 300
      #
      wlan service-template 1 clear
       ssid service1
       bind WLAN-ESS 1
       service-template enable
      #
      wlan service-template 2 clear
       ssid service2
       bind WLAN-ESS 2
       service-template enable
      #
      interface GigabitEthernet1/0/1
       port link-type trunk
       port trunk permit vlan 100 300
       undo port trunk permit vlan 1
       port trunk pvid vlan 100
      #
      interface Vlan-interface100
       ip address 192.168.1.1 255.255.255.0
      #
      interface Vlan-interface300
       ip address 192.168.3.1 255.255.255.0
      #
      interface WLAN-ESS1
       port link-type hybrid
       undo port hybrid vlan 1
       port hybrid vlan 200 untagged
       port hybrid pvid vlan 200
       mac-vlan enable
      #
      interface WLAN-ESS2
       port link-type hybrid
       undo port hybrid vlan 1
       port hybrid vlan 200 untagged
       port hybrid pvid vlan 200
       mac-vlan enable
      #
      wlan ap officeap model WA2620E-AGN id 1
       serial-id 210235A29G007C000020
       radio 1
       radio 2
        service-template 1 vlan-id 300
        service-template 2 vlan-id 300
        radio enable
      #

      • Switch:

      #
      vlan 100
      #
      vlan 300
      #
      interface GigabitEthernet1/0/1
       port link-type trunk
       port trunk permit vlan 100 300
       undo port trunk permit vlan 1
       port trunk pvid vlan 100
      #
      interface GigabitEthernet1/0/2
       port link-type access
       port access vlan 100
       poe enable
      #
      interface GigabitEthernet1/0/3
       port link-type access
       port access vlan 100
      #

      4 Related documentation

      • H3C WX Series Access Controllers Configuration Guide, "Fundamentals Configuration Guide".
      • H3C WX Series Access Controllers Command Reference, "Fundamentals Command Reference".
      • H3C WX Series Access Controllers Configuration Guide, "ACL and QoS Configuration Guide".
      • H3C WX Series Access Controllers Command Reference, "ACL and QoS Command Reference".
      • H3C WX Series Access Controllers Configuration Guide, "WLAN Configuration Guide".
      • H3C WX Series Access Controllers Command Reference, "WLAN Command Reference".
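
Parts 1 and 2 above decide, per SSID, which Portal page a client is shown and whether it may reach the AC's Web interface. The Python script below is an added example, not H3C code: it parses a saved AC configuration in the section 3.6 style and reports both results for each SSID. The sample configuration is constructed from lines in both documents; first-match rule evaluation, "no match means deny", "no ip http acl means no SSID filter", and the way a leftover rule 0 deny would appear in a saved file are assumptions.

```python
import re

# Constructed sample in the style of the section 3.6 AC configuration files
# ("#"-separated sections); it combines lines from both documents above.
SAMPLE = """\
#
 ip http acl 199
#
 portal local-server bind ssid service1 file ssid1.zip
#
acl number 199
 rule 1 permit ssid service2
#
wlan service-template 1 clear
 ssid service1
#
wlan service-template 2 clear
 ssid service2
#
"""
# Same configuration with the default "rule 0 deny" left in place (its
# appearance in a saved configuration is an assumption made for illustration).
WITH_RULE0 = SAMPLE.replace(" rule 1 permit", " rule 0 deny\n rule 1 permit")

def parse_sections(text):
    """Split a configuration into lists of lines, one per '#'-delimited section."""
    sections, current = [], []
    for line in text.splitlines():
        if line.strip() == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    return sections + ([current] if current else [])

def web_allowed(ssid, rules):
    """First matching rule in ascending ID order decides; a rule without an
    'ssid' keyword matches every client. Assumption: no match means deny."""
    for _, action, rule_ssid in sorted(rules, key=lambda r: r[0]):
        if rule_ssid is None or rule_ssid == ssid:
            return action == "permit"
    return False

def audit(text):
    """Return {ssid: {'portal_page': ..., 'web_access': ...}} for one AC config."""
    ssids, pages, acls, http_acl = [], {}, {}, None
    for sec in parse_sections(text):
        if sec[0].startswith("acl number "):
            found = (re.match(r"rule (\d+) (permit|deny)(?: ssid (\S+))?$", l) for l in sec[1:])
            acls[sec[0].split()[2]] = [(int(m[1]), m[2], m[3]) for m in found if m]
        for line in sec:
            if m := re.match(r"ssid (\S+)$", line):
                ssids.append(m[1])
            elif m := re.match(r"portal local-server bind ssid (\S+) file (\S+)$", line):
                pages[m[1]] = m[2]
            elif m := re.match(r"ip http acl (\d+)$", line):
                http_acl = m[1]
    if http_acl is not None and http_acl not in acls:
        raise ValueError(f"ip http acl {http_acl} refers to an ACL that is not defined")
    # Assumption: without "ip http acl" there is no SSID-based filter at all.
    return {s: {"portal_page": pages.get(s, "system default"),
                "web_access": http_acl is None or web_allowed(s, acls[http_acl])}
            for s in ssids}

if __name__ == "__main__":
    for name, cfg in (("rule 0 removed", SAMPLE), ("rule 0 left in", WITH_RULE0)):
        print(name, audit(cfg))
```

With rule 0 left in place, the report shows service2 losing Web access as well, which is the situation the section 3.3 note about undo rule 0 guards against.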

      Part 3: AR Typical Configuration Case: Example of Logging In to Another Device Using RADIUS Authentication


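      Example of configuring the device as a client that logs in to another device using RADIUS authentication

      Specifications

      Applies to AR routers of all versions and all form factors.

      Networking requirements

      A user connects to the SSH server (the AR device) using STelnet. During SSH authentication, the SSH server must be configured to support remote authentication of the SSH client through a RADIUS server.

      The RADIUS server authenticates the user and returns the authentication result to the SSH server. Based on the result, the SSH server decides whether to allow the SSH client to establish a connection.

      Network diagram

      Figure 1 Network diagram for configuring SSH with RADIUS authentication

      Procedure

      1. Generate a local key pair on the SSH server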

      <Huawei> system-view
      [Huawei] sysname ssh server
      [ssh server] rsa local-key-pair create
      The key name will be: Host
      The range of public key size is (512 ~ 2048).
      NOTES: If the key modulus is greater than 512,
             It will take a few minutes.
      Input the bits in the modulus[default = 2048]: 2048
      Generating keys..........++++++++++++..........++++++++++++...................................++++++++......++++++++

      2. The configuration differs between SSH server versions; use the configuration that matches your version

      #
      user-interface vty 0 4
       authentication-mode aaa //Set the authentication mode for users on VTY 0 to 4 to AAA
       protocol inbound ssh //Configure the VTY lines to support SSH
      #
      aaa
       local-user ssh1@ssh.com password cipher %@%@0qu:lj

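      # The SSH client connects to the SSH server using RADIUS authentication.

      <ssh client> system-view
      [ssh client] stelnet 10.164.39.222
      Please input the username: ssh1@ssh.com
      Trying 10.164.39.222...
      Press CTRL+K to abort
      Connected to 10.164.39.222...
      The server is not authenticated.Do you continue to access it?(Y/N):y
      Save the server's public key? [Y/N] :y
      The server's public key will be saved with the name: 10.164.39.222.Please wait...
      Enter password:

      Enter the password huawei. The following login success message is displayed:

      Info: The max number of VTY users is 10, and the current number
            of VTY users on line is 2.

      # On the SSH server, run the display radius-server configuration command and the display ssh server session command. The output shows the SSH server's configuration for the RADIUS server and that the STelnet client has connected to the SSH server successfully using RADIUS authentication.

      [ssh server] display ssh server session
      --------------------------------------------------------------------
      Conn   Ver   Encry   State   Auth-type   Username
      --------------------------------------------------------------------
      VTY 0  2.0   AES     run     password    ssh1@ssh.com
      --------------------------------------------------------------------

      Configuration notes

      • Add the user name of the corresponding client on the RADIUS server.
      • Specify the SSH server's address and key on the RADIUS server.
      • If SSH client users are configured to use password authentication, a local RSA key needs to be generated only on the SSH server. If SSH client users are configured to use RSA authentication, local RSA keys must be generated on both the SSH server and the client, and the RSA public key generated on the client must be entered on the server.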
