架构如上图所示,ac用于对接ad域服务器,dhcp服务位于三层交换机
H3C官方配置教程:https://www.h3c.com/cn/d_202212/1745812_30005_0.htm
配置注意事项
· 配置AP的序列号时请确保该序列号与AP唯一对应。
· 如果本地Portal Web服务器提供的缺省认证页面文件需要更新,需要undo default-logon-page后重新配置,否则新页面不会生效。
· 配置路由,保证启动Portal之前各设备之间的路由可达。
· 请提前编辑好认证页面,保存为abc.zip,并上传到AC存储介质的根目录
所需要用到的vlan:
1、vlan 50用于各网络设备的管理及静态路由数据的转发,ldap服务器也可以接入到这个vlan,如果ldap服务器有其他网段,就在ac新建一个相应的网段
2、vlan172 用于无线网络dhcp使用
3、vlan 100 用于AP将获取该IP地址与AC建立CAPWAP隧道
3.3 配置步骤
3.3.1 配置AC
(1) 配置AC接口
# 创建VLAN 100及其对应的VLAN接口,并为该接口配置IP地址。AP将获取该IP地址与AC建立CAPWAP隧道。
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 2.2.1.1 24
[AC-Vlan-interface100] quit
# 创建VLAN 172及其对应的VLAN接口,并为该接口配置IP地址。Client将使用该VLAN接入无线网络。(也就是无线网络的ip段)
[AC] vlan 172
[AC-vlan172] quit
[AC] interface vlan-interface 172
[AC-Vlan-interface172] ip address 172.88.0.254 24
[AC-Vlan-interface172] quit
# 配置AC与Switch相连的GigabitEthernet1/0/1接口的属性为Trunk,允许所有vlan通过。
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan all
[AC-GigabitEthernet1/0/1] quit
(2) 配置LDAP方案
# 创建LDAP服务器ldap,并进入LDAP服务器视图。
[AC] ldap server ldap
# 配置具有管理员权限的用户DN。(我的ad域的域名为network.lan,里面的cn=users应该是ad域服务器的本地组,为了方便管理,我们稍后在ad域里面创建一个wifi的组,然后把wifi这个组加入域服务器的本地users组就可以了,之后域用户需要连接wifi的统一加入wifi这个群组就可以了)
[AC-ldap-server-ldap] login-dn cn=administrator,cn=users,dc=network,dc=lan
# 配置查询用户的起始目录。
[AC-ldap-server-ldap] search-base-dn dc=network,dc=lan
# 配置LDAP认证服务器的IP地址。(这里填你的ad域服务器ip)
[AC-ldap-server-ldap] ip 192.168.50.211
# 配置具有管理员权限的用户密码。(这里填域管理员密码,最好创建一个具有管理权限的用户只用于此设备使用)
[AC-ldap-server-ldap] login-password simple 123456
[AC-ldap-server-ldap] quit
# 创建LDAP方案ldap,并进入LDAP方案视图。
[AC] ldap scheme ldap
# 配置LDAP认证服务器。
[AC-ldap-ldap] authentication-server ldap
[AC-ldap-ldap] quit
# 创建ISP域ldap,并进入ISP域视图。
[AC] domain ldap
# 为Portal用户配置AAA认证方法为LDAP认证、不授权、不计费。(这里注意了,别tap补全命令填到不认证了,这会导致点登陆按钮没反应)
[AC-isp-ldap]authentication portal ldap-scheme ldap
[AC-isp-ldap] authorization portal none
[AC-isp-ldap] accounting portal none
# 指定ISP域ldap下的用户闲置切断时间为15分钟,闲置切断时间内产生的流量为1024字节。
[AC-isp-ldap] authorization-attribute idle-cut 15 1024
[AC-isp-ldap] quit
(3) 配置Portal认证
# 配置Portal Web服务器的URL为http://172.88.0.254/portal。(这里填AC无线网络段的vlan地址,也就是上面设置的172.88.0.254)
[AC] portal web-server newpt
[AC-portal-websvr-newpt] url http://172.88.0.254/portal
[AC-portal-websvr-newpt] quit
# 创建本地Portal Web 服务器,进入本地Portal Web服务器视图,并指定使用HTTP协议和客户端交互认证信息。
[AC] portal local-web-server http
# 配置本地Portal Web服务器提供的缺省认证页面文件为defaultfile.zip(设备的存储介质的根目录下必须已存在该认证页面文件,否则功能不生效,我的ac设备默认有三个认证网页模板,我用的默认defaultfile.zip这个)。
[AC–portal-local-websvr-http] default-logon-page defaultfile.zip
[AC–portal-local-websvr-http] quit
# 配置两条基于目的的Portal免认证规则,放行访问DNS服务器的流量。
[AC] portal free-rule 1 destination ip any udp 53
[AC] portal free-rule 2 destination ip any tcp 53
# 开启无线Portal客户端合法性检查功能。
[AC] portal host-check enable
(4) 配置无线服务
# 创建无线服务模板st1,并进入无线服务模板视图。(这里的服务模版是可以改名字的,你可以自定义你喜欢的名字)
[AC] wlan service-template st1
# 配置SSID为service。(这里的名称是你的wifi名称,可以自定义修改)
[AC-wlan-st-st1] ssid service
# 配置无线服务模板VLAN为172。(就是把模版加入无线段的vlan)
[AC-wlan-st-st1] vlan 172
# 使能直接方式的Portal认证。
[AC-wlan-st-st1] portal enable method direct
# 配置接入的Portal用户使用认证域为ldap。
[AC-wlan-st-st1] portal domain ldap
# 在服务模板上引用名称为newpt的Portal Web服务器作为用户认证时使用的Web服务器。(newpt是可以改名字的看你喜欢)
[AC-wlan-st-st1] portal apply web-server newpt
# 配置客户端数据报文转发位置为AC。(如果客户端数据报文的缺省转发位置与本配置相同,请跳过此步骤)
[AC–wlan-st-st1] client forwarding-location ac
# 配置身份认证与密钥管理模式为PSK模式,配置PSK密钥为明文字符串12345678。(这里密码就是你的wifi连接密码)
[AC-wlan-st-st1] akm mode psk
[AC-wlan-st-st1] preshared-key pass-phrase simple 12345678
# 配置加密套件为CCMP,安全信息元素为RSN。
[AC-wlan-st-st1] cipher-suite ccmp
[AC-wlan-st-st1] security-ie rsn
# 使能无线服务模板。
[AC-wlan-st-st1] service-template enable
[AC-wlan-st-st1] quit
配置AP (这一部分我是直接web页面进去ap组里面直接把ap绑定到上面创建的wifi模板里面)
在大规模组网时,推荐在AP组内进行配置。
# 创建AP,配置AP名称为ap1,型号名称选择WA6320,并配置其序列号。
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# 创建AP组group1,设置AP名称入组规则
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1
# 进入AP组的Radio 2视图,并将无线服务模板绑定到Radio 2上。
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1
# 开启Radio 2的射频功能。
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] return
3.3.2 Switch的配置
# 创建VLAN 100,用于转发AC和AP间CAPWAP隧道内的流量。
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
# 创建VLAN 172,用于转发Client无线报文。(注意,因为我的dhcp服务器在三层,所以要在三层配置好172段的dhcp、网关、dns等等,具体配置网段命令我就不写了,反正这个网段要正常访问互联网)
[Switch] vlan 172
[Switch-vlan172] quit
# 创建VLAN 50,用于连接LDAP服务器。(我的ad域服务器在这个段,Access网口连接到域服务器就可以了)
[Switch] vlan 50
[Switch-vlan50] quit
# 配置Switch与LDAP相连的接口加入VLAN 50(此处略)
# 配置VLAN 50接口的IP地址。(这个要一开始就配置好)
[Switch] interface vlan-interface 50
[Switch-Vlan-interface50] ip address 192.168.50.1 255.255.255.0
[Switch-Vlan-interface50] quit
# 配置Switch与AC相连的GigabitEthernet1/0/1接口的属性为Trunk,允许所有通过。
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan all
[Switch-GigabitEthernet1/0/1] quit
# 配置Switch与AP相连的GigabitEthernet1/0/2接口属性为Access,并允许VLAN 172通过。(这里官方的文档好像写错了,官方写的是允许vlan100也就是ac和ap虚拟隧道的vlan通过,这是不行的,因为172段是无线网络的ip段。)
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 172
# 使能PoE功能。(这个是有poe功能的才开启)
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
LDAP添加用户:
首先在ad域环境里面创建一个wifi的群组,然后,把wifi这个组加入进域本地的users组里面;
然后新建的域用户都加至wifi这个组里面就有权限portal认证了。成功后设备连接wifi会自动弹出认证页面输入域账户密码登陆即可,不需要额外填写域的域名进去。
总结,AC里面用到的vlan有三个
vlan50局域网的设备段 如ad域在此网段
vlan100 虚拟隧道的段,在ac上要配置一个vlan地址
vlan 172 在ac上要配置一个vlan地址,也是portal server用到的ip
三层交换机里面的vlan有:
vlan50局域网的设备段 如ad域在此网段
vlan100 虚拟隧道的段,无需配置ip地址
vlan 172 无线dhcp网段,在三层上需要配置dhcp服务 网关 dns等
以上设备均要记得填写静态路由。
贴下配置:
AC:
<H3C>dis cu
#
version 7.1.064, Release 5461P01
#
sysname H3C
#
wlan global-configuration
calibrate-channel self-decisive enable all
calibrate-power self-decisive enable all
#
telnet server enable
#
dhcp enable
#
dns server 119.29.29.29
dns server 192.168.50.254
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 50
#
vlan 100
#
vlan 172
#
wlan service-template h3c-g-375d40
ssid H3C-G-375D40
vlan 172
gtk-rekey enable
portal enable method direct
portal domain ldap
portal apply web-server newpt
service-template enable
#
wlan service-template st1
ssid service
vlan 172
akm mode psk
preshared-key pass-phrase cipher $c$3$A7dlDKpT06e7MeW3KrxPxCQ6frRbT6qmNRre
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain ldap
portal apply web-server newpt
service-template enable
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface50
ip address 192.168.50.199 255.255.255.0
#
interface Vlan-interface100
ip address 2.2.1.1 255.255.255.0
#
interface Vlan-interface172
ip address 172.88.0.254 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
nat outbound
undo dhcp select server
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/2
port link-mode bridge
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
interface GigabitEthernet1/0/4
port link-mode bridge
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0
user-role network-operator
#
line vty 1 31
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 192.168.50.220
#
undo info-center enable
undo info-center logfile enable
#
ssh server enable
#
ldap server ldap
login-dn cn=administrator,cn=users,dc=network,dc=lan
search-base-dn dc=network,dc=lan
ip 192.168.50.221
login-password cipher $c$3$1DRH7Q3wcRAmmeg2lrJsTwgaOOjEEkUiQJGs4kH3w2w=
#
ldap scheme ldap
authentication-server ldap
#
domain ldap
authorization-attribute idle-cut 15 1024
authentication portal ldap-scheme ldap
authorization portal none
accounting portal none
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$i+Eo+XqLYSsxS5tH$cfhNyDmKQBWdT9Eu7nq5Lt9cvJqywgL6veTDCsR9NQHmzQLNOKVAwTIEfV9jZ2OwoTFngEx4zymfKJdE6/E6dQ==
service-type ssh telnet http https
authorization-attribute user-role network-admin
#
portal free-rule 1 destination ip any udp 53
portal free-rule 2 destination ip any tcp 53
#
portal web-server newpt
url http://172.88.0.254/portal
#
portal local-web-server http
default-logon-page defaultfile.zip
#
netconf soap http enable
netconf ssh server enable
#
ip http enable
ip https enable
#
smartmc tm username admin password cipher $c$3$zU1CDk5rd0t0qBzSUg/S8BoQVwy2O5BB enable
#
wlan auto-ap enable
wlan auto-persistent enable
wlan tcp mss 1360
#
wlan ap-group default-group
vlan 1
ap-model SPM-D26X
ap-model SPM-X1-10
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
gigabitethernet 6
gigabitethernet 7
gigabitethernet 8
gigabitethernet 9
gigabitethernet 10
gigabitethernet 11
gigabitethernet 12
ap-model SPM-X1-24
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
gigabitethernet 6
gigabitethernet 7
gigabitethernet 8
gigabitethernet 9
gigabitethernet 10
gigabitethernet 11
gigabitethernet 12
gigabitethernet 13
gigabitethernet 14
gigabitethernet 15
gigabitethernet 16
gigabitethernet 17
gigabitethernet 18
gigabitethernet 19
gigabitethernet 20
gigabitethernet 21
gigabitethernet 22
gigabitethernet 23
gigabitethernet 24
ap-model WAP611H
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ap-model WAP611H-U
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ap-model WAP622
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP622-U
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP622H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP622H-U
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP711H
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ethernet 3
ap-model WAP712C
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712C-HI
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712C-LI
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ethernet 3
ap-model WAP712X
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722E
radio 1
radio enable
service-template h3c-g-375d40
service-template st1 vlan 172
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722E-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
ap-model WAP722S
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP722S-HI
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP722S-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP722S-W2-IOT
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722X-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WAP722XS-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WAP723-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
radio 3
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP912X
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP922
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP922E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP922H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP922X
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WAP923
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
radio 3
radio enable
service-template h3c-g-375d40
gigabitethernet 1
smartrate-ethernet 1
ap-model WAP952
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP952E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP952H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP953
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
radio 3
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WT828-Q
ap-model WTU410H
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ethernet 3
#
wlan virtual-ap-group default-virtualapgroup
#
wlan ap 3897-d620-1180 model WAP722E
serial-id 219801A0Q3915BG00428
vlan 1
radio 1
max-power 5
radio 2
max-power 5
gigabitethernet 1
gigabitethernet 2
#
cloud-management server domain cloudnet.h3c.com
#
return
三层交换机:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]undo vlan 10
[H3C]dis cu
#
sysname H3C
#
dns server 119.29.29.29
dns server 192.168.50.254
#
radius scheme system
#
domain system
#
dhcp server ip-pool wifi
network 172.88.0.0 mask 255.255.255.0
gateway-list 172.88.0.1
dns-list 192.168.50.1
#
vlan 1
#
vlan 50
name mannege vlan
#
vlan 100
#
vlan 172
name wifi network
#
interface Vlan-interface50
ip address 192.168.50.220 255.255.255.0
#
interface Vlan-interface172
ip address 172.88.0.1 255.255.255.0
#
interface Aux1/0/0
#
interface GigabitEthernet1/0/1
port access vlan 172
#
interface GigabitEthernet1/0/2
port access vlan 50
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/16
port access vlan 50
#
interface GigabitEthernet1/0/17
shutdown
#
interface GigabitEthernet1/0/18
shutdown
port access vlan 50
#
interface GigabitEthernet1/0/19
shutdown
#
interface GigabitEthernet1/0/20
port link-type trunk
port trunk permit vlan all
shutdown
#
interface NULL0
#
undo info-center enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.50.1 preference 60
#
user-interface aux 0
user-interface vty 0 4
#
return
[H3C]