1. Basic switch configuration

Configure the VLANs
[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-LoopBack1]ip add 101.101.101.101 32

Configure the gateway for each VLAN
[SW-Vlanif10]ip add 10.1.10.1 24
[SW-Vlanif11]ip add 10.1.11.1 24
[SW-Vlanif12]ip add 10.1.12.1 24
[SW-Vlanif13]ip add 10.1.13.1 24

2. Basic AC configuration

[AC]vlan batch 10 to 13
[AC-GigabitEthernet0/0/8]port link-type trunk
[AC-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13

View the VLAN configuration

Configure the IP addresses of the Layer 3 interfaces
[AC-Vlanif10]ip add 10.1.10.100 24
[AC-Vlanif11]ip add 10.1.11.100 24
[AC-Vlanif12]ip add 10.1.12.100 24
[AC-Vlanif13]ip add 10.1.13.100 24

View the Layer 3 interface configuration

[AC]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 // default route pointing to the switch

Check that the Layer 3 interfaces on the AC and the switch can reach each other

3. Configure remote login to the AC

[AC]aaa
[AC-aaa]local-user a1 password irreversible-cipher abc@123456
[AC-aaa]local-user a1 service-type telnet
[AC-aaa]local-user a1 privilege level 3
[AC]user-interface vty 0 4
[AC-ui-vty0-4]authentication-mode aaa
<AC>save // save the AC configuration
<SW>telnet 10.1.10.100 // verify from the switch

4. Create the AP group

[AC]wlan
[AC-wlan-view]ap-group name ap-group

5. Bring the APs online

Enable the DHCP service to assign IP addresses to the STAs and APs
[AC]dhcp enable
[AC]ip pool ap
[AC-ip-pool-ap]network 10.1.10.0 mask 24
[AC-ip-pool-ap]gateway-list 10.1.10.1
[AC-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100
[AC]ip pool yw1
[AC-ip-pool-yw1]gateway-list 10.1.11.1
[AC-ip-pool-yw1]network 10.1.11.0 mask 24
[AC]ip pool yw2
[AC-ip-pool-yw2]network 10.1.12.0 mask 24
[AC-ip-pool-yw2]gateway-list 10.1.12.1
[AC-ip-pool-yw2]ip pool yw3
[AC-ip-pool-yw3]gateway-list 10.1.13.1
[AC-ip-pool-yw3]network 10.1.13.0 mask 24

Enable DHCP on each VLANIF interface
[AC-Vlanif10]dhcp select global
[AC-Vlanif11]dhcp select global
[AC-Vlanif12]dhcp select global
[AC-Vlanif13]dhcp select global

Configure the regulatory domain profile and the AC country code
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain]country-code CN
[AC]capwap source interface Vlanif 10 // configure the AC source interface
[AC-wlan-view]ap auth-mode mac-auth // configure the AP authentication mode

View the AP MAC addresses

Import the APs offline on the AC
[AC-wlan-view]ap-mac 00e0-fcb5-30f0 ap-id 0
[AC-wlan-ap-0]ap-group ap-group
[AC-wlan-ap-0]ap-name ap1
[AC-wlan-view]ap-mac 00e0-fc68-7480 ap-id 1
[AC-wlan-ap-1]ap-group ap-group
[AC-wlan-ap-1]ap-name ap2

Check the AP status

6. Configure the WLAN services

Configure the SSID profiles
[AC-wlan-view]ssid-profile name yw1
[AC-wlan-ssid-prof-yw1]ssid yw1
[AC-wlan-view]ssid-profile name yw2
[AC-wlan-ssid-prof-yw2]ssid yw2
[AC-wlan-ssid-prof-yw2]ssid-profile name yw3
[AC-wlan-ssid-prof-yw3]ssid yw3

Configure the VAP profiles: service data forwarding mode, service VLAN, and the referenced SSID profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]forward-mode direct-forward
[AC-wlan-vap-prof-yw1]service-vlan vlan-id 11
[AC-wlan-vap-prof-yw1]ssid-profile yw1
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]forward-mode direct-forward
[AC-wlan-vap-prof-yw2]service-vlan vlan-id 12
[AC-wlan-vap-prof-yw2]ssid-profile yw2
[AC-wlan-vap-prof-yw2]vap-profile name yw3
[AC-wlan-vap-prof-yw3]forward-mode tunnel
[AC-wlan-vap-prof-yw3]service-vlan vlan-id 13
[AC-wlan-vap-prof-yw3]ssid-profile yw3
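
Configure the AP group to reference the regulatory domain profile and the VAP profiles; radios 0 and 1 on the APs both use the VAP profile configuration
[AC-wlan-ap-group-ap-group]vap-profile yw1 wlan 1 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw2 wlan 2 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw3 wlan 3 radio all

View the VAP status

After connecting a wireless terminal, view the information about the associated users

Verify by pinging the LoopBack1 interface from the wireless terminal

7. Configure WEP authentication

The AC supports six security policies; each VAP profile can reference one of them

Configure authentication and encryption for yw3: WEP share-key authentication with 40-bit WEP encryption
[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]security-profile yw3

View the security profile configuration

View the summary of users associated with the specified SSID

View the detailed association information for the terminal

8. Configure WPA PSK authentication

The WPA options supported by the Huawei AC are

Configure authentication and encryption for yw2: WPA1-PSK authentication with TKIP encryption
[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]security-profile yw2

View the security profile configuration

View the summary of associated users

View the terminal association information

Test connectivity

9. Configure WPA EAP authentication

The WLAN EAP authentication architecture requires a client, an authenticator and an authentication server; the configuration of the authentication server is omitted here

Configure the gateway address for the RADIUS server on the switch
[SW]vlan 200
[SW-GigabitEthernet0/0/24]port link-type access
[SW-GigabitEthernet0/0/24]port default vlan 200
[SW]interface Vlanif 200
[SW-Vlanif200]ip address 10.254.1.1 24

Configure the RADIUS authentication server and the authentication and accounting schemes
[AC]radius-server template rs
[AC-radius-rs]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC-radius-rs]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC-radius-rs]radius-server shared-key cipher rs001@123
[AC-radius-rs]undo radius-server user-name domain-included

Configure the AAA schemes
[AC]aaa
[AC-aaa]authentication-scheme radius
[AC-aaa-authen-radius]authentication-mode radius
[AC-aaa]accounting-scheme radius
[AC-aaa-accounting-radius]accounting-mode radius
[AC-aaa-accounting-radius]accounting realtime 15
[AC-aaa]domain default
[AC-aaa-domain-default]authentication-scheme radius
[AC-aaa-domain-default]radius-server rs

Test the AAA configuration
[AC]test-aaa rs rs001@123 radius-template rs

Configure the access profile
[AC]dot1x-access-profile name yw1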
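
Configure the authentication profile and bind the access profile, RADIUS authentication scheme, accounting scheme and server template that select RADIUS authentication
[AC]authentication-profile name yw1
[AC-authentication-profile-yw1]dot1x-access-profile yw1
[AC-authentication-profile-yw1]authentication-scheme radius
[AC-authentication-profile-yw1]radius-server rs

Configure the security profile: CCMP encryption with dot1x EAP authentication
[AC]wlan
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes

Reference the security profile and the authentication profile from the VAP profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]security-profile yw1
[AC-wlan-vap-prof-yw1]authentication-profile yw1

Verify the configuration
[AC]display access-user ssid yw1 // view the summary of users under the SSID
[AC]display station sta-mac 5489-98AF-2070 // view the detailed association information for the terminal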
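
An added example, not part of the original walkthrough: a Python check that reads prompt-prefixed command lines in the format used on this page and reports which VAP profiles end up bound to a weak security profile (WEP from section 7, WPA with TKIP from section 8) and whether a local user is given telnet access (section 3). The function name audit, the rule wording and the "device default applies" note are assumptions of this example; the sample input is constructed from the commands above.

```python
import re

# Constructed sample: command lines taken from sections 3, 7, 8 and 9 above.
SAMPLE = """\
[AC-aaa]local-user a1 service-type telnet
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-vap-prof-yw3]security-profile yw3
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-vap-prof-yw2]security-profile yw2
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
[AC-wlan-vap-prof-yw1]security-profile yw1
"""
LINE = re.compile(r"^\[(?P<view>[^\]]+)\](?P<cmd>.*)$")
WEAK = [  # rules for commands in a security-profile view (example wording)
    (re.compile(r"^security wep\b"), "WEP encryption"),
    (re.compile(r"^wep key \d+ wep-40\b"), "40-bit WEP key"),
    (re.compile(r"^security wpa\b"), "WPA version 1"),
    (re.compile(r"^security wpa.*\stkip$"), "TKIP cipher"),
]

def audit(text):
    """Return (telnet_commands, {vap_profile: [reasons]}) for a listing."""
    telnet, weak, bound = [], {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        view, cmd = m["view"], m["cmd"].split("//")[0].strip()
        if re.search(r"\bservice-type\b.*\btelnet\b", cmd):
            telnet.append(cmd)
        sec = re.search(r"-sec-prof-(.+)$", view)
        vap = re.search(r"-vap-prof-(.+)$", view)
        if sec:  # collect weak settings per security profile
            for rx, why in WEAK:
                if rx.search(cmd) and why not in weak.setdefault(sec[1], []):
                    weak[sec[1]].append(why)
        elif vap:  # remember which security profile each VAP profile binds
            bound.setdefault(vap[1], None)
            b = re.match(r"security-profile (\S+)", cmd)
            if b:
                bound[vap[1]] = b[1]
    report = {v: weak[s] for v, s in bound.items() if s in weak}
    report.update({v: ["no security-profile bound (device default applies)"]
                   for v, s in bound.items() if s is None})
    return telnet, report

if __name__ == "__main__":
    print(audit(SAMPLE))
```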