1. Configure the switch
[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-LoopBack0]ip add 101.101.101.101 32
[SW-Vlanif10]ip add 10.1.10.1 24
[SW-Vlanif11]ip add 10.1.11.1 24
[SW-Vlanif12]ip add 10.1.12.1 24
[SW-Vlanif13]ip add 10.1.13.1 24

2. Configure AC1 connectivity
[AC1]vlan batch 10 to 13
[AC1-GigabitEthernet0/0/8]port link-type trunk
[AC1-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
[AC1-Vlanif10]ip add 10.1.10.100 24
[AC1-Vlanif11]ip add 10.1.11.100 24
[AC1-Vlanif12]ip add 10.1.12.100 24
[AC1-Vlanif13]ip add 10.1.13.100 24
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1

3. Configure the Telnet service for remote AC management
[AC1]telnet server enable
[AC1]aaa
[AC1-aaa]local-user ac1 password irreversible-cipher wlan@123
[AC1-aaa]local-user ac1 service-type telnet
[AC1-aaa]local-user ac1 privilege level 3
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]authentication-mode aaa
<AC1>save
<SW>telnet 10.1.10.100 //log in to the AC remotely

4. Configure the AP group
[AC1-wlan-view]ap-group name ap-group1

5. Configure DHCP on the AC
[AC1]ip pool ap
[AC1-ip-pool-ap]network 10.1.10.0 mask 24
[AC1-ip-pool-ap]gateway-list 10.1.10.1
[AC1-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100 //specify the AC address
[AC1]ip pool employee
[AC1-ip-pool-employee]network 10.1.11.0 mask 24
[AC1-ip-pool-employee]gateway-list 10.1.11.1
[AC1]ip pool voice
[AC1-ip-pool-voice]network 10.1.12.0 mask 24
[AC1-ip-pool-voice]gateway-list 10.1.12.1
[AC1]ip pool guest
[AC1-ip-pool-guest]network 10.1.13.0 mask 24
[AC1-ip-pool-guest]gateway-list 10.1.13.1
[AC1-Vlanif10]dhcp select global
[AC1-Vlanif11]dhcp select global
[AC1-Vlanif12]dhcp select global
[AC1-Vlanif13]dhcp select global

6. Configure the regulatory domain profile
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code CN
[AC1]capwap source interface Vlanif 10 //configure the AC source interface

7. Configure the AP authentication mode
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-mac 00e0-fc9a-7b70 ap-id 0
[AC1-wlan-ap-0]ap-group ap-group1
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-view]ap-mac 00e0-fcb9-5f50 ap-id 1
[AC1-wlan-ap-1]ap-group ap-group1
[AC1-wlan-ap-1]ap-name ap2

8. Configure SSID profiles
[AC1]wlan
[AC1-wlan-view]ssid-profile name employee1
[AC1-wlan-ssid-prof-employee1]ssid employee1
[AC1-wlan-view]ssid-profile name voice1
[AC1-wlan-ssid-prof-voice1]ssid voice1
[AC1-wlan-ssid-prof-voice1]ssid-profile name guest1
[AC1-wlan-ssid-prof-guest1]ssid guest1

9. Configure VAP profiles
[AC1-wlan-view]vap-profile name employee1
[AC1-wlan-vap-prof-employee1]forward-mode direct-forward
[AC1-wlan-vap-prof-employee1]service-vlan vlan-id 11
[AC1-wlan-vap-prof-employee1]ssid-profile employee1
[AC1-wlan-view]vap-profile name voice1
[AC1-wlan-vap-prof-voice1]forward-mode direct-forward
[AC1-wlan-vap-prof-voice1]service-vlan vlan-id 12
[AC1-wlan-vap-prof-voice1]ssid-profile voice1
[AC1-wlan-vap-prof-employee1]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]forward-mode tunnel
[AC1-wlan-vap-prof-guest1]service-vlan vlan-id 13
[AC1-wlan-vap-prof-guest1]ssid-profile guest1

10. Bind the profiles to the AP group
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile employee1 wlan 1 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile voice1 wlan 2 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile guest1 wlan 3 radio all
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1

11. Configure WEP authentication
[AC1-wlan-view]security-profile name guest1
[AC1-wlan-sec-prof-guest1]security wep
[AC1-wlan-sec-prof-guest1]security wep share-key //configure the authentication method
[AC1-wlan-sec-prof-guest1]wep key 0 wep-40 pass-phrase guest //encryption uses a 40-bit key; the passphrase is guest
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]security-profile guest1 //bind the security profile to the VAP profile

12. Configure WPA1-PSK authentication
[AC1-wlan-view]security-profile name voice1
[AC1-wlan-sec-prof-voice1]security wpa psk pass-phrase voicevoice tkip
[AC1-wlan-vap-prof-voice1]security-profile voice1

13. Configure WPA EAP authentication (via a RADIUS server; because the server was not set up, this could not be verified)
[AC1]vlan 200
[AC1-GigabitEthernet0/0/1]port link-type access
[AC1-GigabitEthernet0/0/1]port default vlan 200
[AC1]int Vlanif 200
[AC1-Vlanif200]ip add 10.254.1.1 24
[AC1]radius-server template huawei //configure the server
[AC1-radius-huawei]radius-server authentication 10.254.1.1 1812 source ip-address 10.1.10.100
[AC1-radius-huawei]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC1-radius-huawei]radius-server shared-key cipher huawei
[AC1-radius-huawei]undo radius-server user-name domain-included
[AC1]aaa //configure AAA authentication
[AC1-aaa]authentication-scheme radius //configure the authentication scheme
[AC1-aaa-authen-radius]authentication-mode radius
[AC1-aaa]accounting-scheme radius
[AC1-aaa-accounting-radius]accounting-mode radius
[AC1-aaa-accounting-radius]accounting realtime 15
[AC1-aaa]domain default
[AC1-aaa-domain-default]authentication-scheme radius
[AC1-aaa-domain-default]radius-server huawei
[AC1]test-aaa huawei huawei@123 radius-template huawei //test the AAA configuration
[AC1]dot1x-access-profile name employee1 //configure the access profile
[AC1]authentication-profile name employee1 //configure the authentication profile
[AC1-authentication-profile-employee1]dot1x-access-profile employee1
[AC1-authentication-profile-employee1]authentication-scheme radius
[AC1-authentication-profile-employee1]accounting-scheme radius
[AC1-authentication-profile-employee1]radius-server huawei
[AC1-wlan-view]security-profile name employee1 //configure the security profile
[AC1-wlan-sec-prof-employee1]security wpa2 dot1x aes //set encryption to CCMP and authentication to dot1x EAP
[AC1-wlan-view]vap-profile name employee1 //reference the security and authentication profiles
[AC1-wlan-vap-prof-employee1]security-profile employee1
[AC1-wlan-vap-prof-employee1]authentication-profile employee1
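
An added example, not part of the original walk-through: a small Python check that reads prompt-prefixed command lines like those above, reports the settings that weaken the deployment (Telnet management, WEP, WPA1 with TKIP), and resolves which VAP profiles are bound to a flagged security profile. The rule list and the audit() function are assumptions of this example; the sample lines are constructed from commands on this page.

```python
import re

# Constructed sample, adapted from the commands in the walk-through above.
SAMPLE = """\
[AC1]telnet server enable
[AC1-aaa]local-user ac1 service-type telnet
[AC1-wlan-sec-prof-guest1]security wep share-key //configure the authentication method
[AC1-wlan-sec-prof-guest1]wep key 0 wep-40 pass-phrase guest
[AC1-wlan-vap-prof-guest1]security-profile guest1
[AC1-wlan-sec-prof-voice1]security wpa psk pass-phrase voicevoice tkip
[AC1-wlan-vap-prof-voice1]security-profile voice1
[AC1-wlan-sec-prof-employee1]security wpa2 dot1x aes
[AC1-wlan-vap-prof-employee1]security-profile employee1
"""

# "[view]command //comment" or "<view>command"; the trailing comment is dropped.
LINE = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*?)\s*(?://.*)?$")
RULES = [  # (pattern on the command, finding) - hypothetical rule set
    (r"^telnet server enable$", "Telnet management enabled (cleartext)"),
    (r"service-type .*\btelnet\b", "local user allowed to log in over Telnet"),
    (r"^security wep\b", "WEP security policy"),
    (r"^wep key \d+ wep-40\b", "40-bit WEP key"),
    (r"^security wpa .*\btkip\b", "WPA1 with TKIP"),
]

def audit(text):
    """Return (findings, weak VAP profiles) for prompt-prefixed config lines."""
    findings, weak_sec, vap_sec = [], set(), {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        view, cmd = m.groups()
        for pat, issue in RULES:
            if re.search(pat, cmd):
                findings.append((view, cmd, issue))
                sec = re.search(r"wlan-sec-prof-(\S+)$", view)
                if sec:  # remember which security profile is weak
                    weak_sec.add(sec.group(1))
        vap = re.search(r"wlan-vap-prof-(\S+)$", view)
        bind = re.match(r"security-profile (\S+)$", cmd)
        if vap and bind:  # VAP profile -> security profile binding
            vap_sec[vap.group(1)] = bind.group(1)
    weak_vaps = sorted(v for v, s in vap_sec.items() if s in weak_sec)
    return findings, weak_vaps

if __name__ == "__main__":
    found, vaps = audit(SAMPLE)
    print(*(f"{i}: [{v}] {c}" for v, c, i in found), sep="\n")
    print("VAP profiles on weak security profiles:", vaps)
```

On the sample, the employee1 VAP profile (WPA2 with 802.1X and AES) is not flagged, while guest1 and voice1 are.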