Posted by 小乔 on 2024-1-8 17:43:54

Huawei WLAN security authentication: configuring Portal authentication with an external Portal server (TSM)

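Introduction

This is the last of the security authentication methods: authentication in which the AC works with an external Portal server. Huawei TSM is used here (the latest version has been renamed Policy Center); third-party authentication servers are also supported. This is only a simple demonstration; for more on policy control and its application, refer to the manual.

Topology (omitted)

The topology is very simple, the same as an ordinary wireless topology; see the earlier articles. This post mainly covers the Portal definitions on the AC, and testing.

AC initialization

dhcp enable
vlan batch 88 100
interface Vlanif 88
 ip address 192.168.88.1 255.255.255.0
 dhcp select interface
interface Vlanif 100
 ip address 192.168.100.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 218.85.152.99
interface Vlanif 1
 ip address 192.168.31.100 255.255.255.0

Configure the port that connects the AC to the AP

interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 88
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 88 100

Configure the RADIUS server template

radius-server template portal
 radius-server authentication 192.168.31.209 1812
 radius-server accounting 192.168.31.209 1813
 radius-server shared-key simple huawei123

Configure the RADIUS authorization server

radius-server authorization 192.168.31.209 shared-key simple huawei123

Configure the authentication scheme and the accounting scheme

aaa
 authentication-scheme portal
  authentication-mode radius
 accounting-scheme portal
  accounting-mode none

Configure the domain (in the AAA view)

 domain portal
  radius-server portal
  authentication-scheme portal
  accounting-scheme portal

Configure the Portal authentication server

web-auth-server portal
 server-ip 192.168.31.209
 port 50100
 shared-key simple password
 url https://192.168.31.209:8443/newwebauth

Bind the Portal authentication server on the interface

interface vlanif 100
 web-auth-server portal direct

Configure the authentication-free rules

portal free-rule 0 destination ip 192.168.31.209 mask 255.255.255.255
portal free-rule 1 destination ip 218.85.152.99 mask 255.255.255.255

Create the wlan-ess interface and apply the Portal authentication server and the authentication domain

interface Wlan-Ess 1
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 web-authentication first-mac
 permit-domain name portal

Configure the wlan-ess interface, applying the built-in Portal and the permitted authentication domain on the wlan-ess interface

interface Wlan-Ess 1
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 portal local-server enable
 permit-domain name default

Configure the AC source interface, used to set up the tunnel between the AC and the AP

wlan
 wlan ac source interface vlanif88

Set the AP authentication mode to no authentication

ap-auth-mode no-auth

Add the AP

ap id 0 type-id 31 mac d4b1-10ac-0b00 sn 210235582910D6000354

Create the WMM profile "wmm1" with default parameters

wmm-profile name wmm1 id 1

Create the radio profile "radio1" and bind the WMM profile "wmm1" to it

radio-profile name radio1 id 1
 wmm-profile id 1

Create the traffic profile "traffic1" with default parameters

traffic-profile name traffic1 id 1

Create the security profile "security1"; the authentication mode is WEP, open authentication, no encryption

security-profile name security1 id 1

Create the service set "service1" and bind the traffic profile, the security profile and the WLAN-ESS interface to it

service-set name service1 id 1
 wlan-ess 1
 ssid huawei-portal
 traffic-profile id 1
 security-profile id 1
 service-vlan 100

Configure the VAP for the AP to deliver the WLAN service

ap 0 radio 0
 radio-profile id 1
 service-set id 1 wlan 1

Deliver the WLAN configuration to the AP

commit all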
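
The check below is an added example, not part of the original post and not a Huawei tool: a short Python script that scans a configuration like the one above for the settings it leaves weak (shared keys entered with the simple keyword, accounting turned off, APs admitted without authentication, a security profile left at its open default). The rule names, the audit function and the indented sample are assumptions made for the illustration.

```python
import re

# Constructed sample built from the post's settings; indentation by view is an assumption.
SAMPLE = """\
radius-server template portal
 radius-server shared-key simple huawei123
radius-server authorization 192.168.31.209 shared-key simple huawei123
aaa
 accounting-scheme portal
  accounting-mode none
web-auth-server portal
 shared-key simple password
wlan
 ap-auth-mode no-auth
 security-profile name security1 id 1
 service-set name service1 id 1
"""

RULES = [  # rule names are made up for this example
    ("PLAINTEXT_KEY", re.compile(r"shared-key simple \S+"),
     "key is stored in plaintext; store it with the cipher keyword"),
    ("NO_ACCOUNTING", re.compile(r"^accounting-mode none$"),
     "sessions produce no RADIUS accounting records"),
    ("AP_NO_AUTH", re.compile(r"^ap-auth-mode no-auth$"),
     "APs join the AC without MAC or SN verification"),
]

def indent(s):
    return len(s) - len(s.lstrip())

def audit(config):
    """Return (line_no, rule, redacted_line, reason) for each weak setting."""
    lines = [(n, l) for n, l in enumerate(config.splitlines(), 1) if l.strip()]
    findings = []
    for i, (n, raw) in enumerate(lines):
        line = raw.strip()
        for rule, pat, why in RULES:
            if pat.search(line):
                shown = re.sub(r"(shared-key simple )\S+", r"\1<redacted>", line)
                findings.append((n, rule, shown, why))
        # No indented sub-commands: the profile keeps the open default the post describes.
        if line.startswith("security-profile name "):
            nxt = lines[i + 1][1] if i + 1 < len(lines) else ""
            if indent(nxt) <= indent(raw):
                findings.append((n, "OPEN_SSID", line, "open authentication, no encryption"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The findings redact the key values, so the report can be shared without repeating the secrets it flags.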