Huawei WLAN Security Configuration

1. Basic switch configuration
Configure the VLANs
[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-LoopBack1]ip add 101.101.101.101 32
Configure the gateway for each VLAN
[SW-Vlanif10]ip add 10.1.10.1 24
[SW-Vlanif11]ip add 10.1.11.1 24
[SW-Vlanif12]ip add 10.1.12.1 24
[SW-Vlanif13]ip add 10.1.13.1 24
2. Basic AC configuration
[AC]vlan batch 10 to 13
[AC-GigabitEthernet0/0/8]port link-type trunk
[AC-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
View the VLAN configuration
Configure the Layer 3 interface IP addresses
[AC-Vlanif10]ip add 10.1.10.100 24
[AC-Vlanif11]ip add 10.1.11.100 24
[AC-Vlanif12]ip add 10.1.12.100 24
[AC-Vlanif13]ip add 10.1.13.100 24
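View the Layer 3 interface configuration
[AC]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 // Configure a default route pointing to the switch
Check that the Layer 3 interfaces on the AC and the switch can reach each other
3. Configure remote login to the AC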
[AC]aaa
[AC-aaa]local-user a1 password irreversible-cipher abc@123456
[AC-aaa]local-user a1 service-type telnet
[AC-aaa]local-user a1 privilege level 3
[AC]user-interface vty 0 4
[AC-ui-vty0-4]authentication-mode aaa
<AC>save // Save the AC configuration
<SW>telnet 10.1.10.100 // Verify from the switch
4. Create an AP group
[AC]wlan
[AC-wlan-view]ap-group name ap-group
5. Bring the APs online
Enable the DHCP service to assign IP addresses to the STAs and APs
[AC]dhcp enable
[AC]ip pool ap
[AC-ip-pool-ap]network 10.1.10.0 mask 24
[AC-ip-pool-ap]gateway-list 10.1.10.1
[AC-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100
[AC]ip pool yw1
[AC-ip-pool-yw1]gateway-list 10.1.11.1
[AC-ip-pool-yw1]network 10.1.11.0 mask 24
[AC]ip pool yw2
[AC-ip-pool-yw2]network 10.1.12.0 mask 24
[AC-ip-pool-yw2]gateway-list 10.1.12.1
[AC-ip-pool-yw2]ip pool yw3
[AC-ip-pool-yw3]gateway-list 10.1.13.1
[AC-ip-pool-yw3]network 10.1.13.0 mask 24
Enable DHCP on each VLANIF interface
[AC-Vlanif10]dhcp select global
[AC-Vlanif11]dhcp select global
[AC-Vlanif12]dhcp select global
[AC-Vlanif13]dhcp select global
Configure the regulatory domain profile and the AC country code
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain]country-code CN
[AC]capwap source interface Vlanif 10 // Configure the AC source interface
[AC-wlan-view]ap auth-mode mac-auth // Configure the AP authentication mode
View the AP MAC addresses
Import the APs offline on the AC
[AC-wlan-view]ap-mac 00e0-fcb5-30f0 ap-id 0
[AC-wlan-ap-0]ap-group ap-group
[AC-wlan-ap-0]ap-name ap1
[AC-wlan-view]ap-mac 00e0-fc68-7480 ap-id 1
[AC-wlan-ap-1]ap-group ap-group
[AC-wlan-ap-1]ap-name ap2
Check the AP status
6. Configure WLAN services
Configure the SSID profiles
[AC-wlan-view]ssid-profile name yw1
[AC-wlan-ssid-prof-yw1]ssid yw1
[AC-wlan-view]ssid-profile name yw2
[AC-wlan-ssid-prof-yw2]ssid yw2
[AC-wlan-ssid-prof-yw2]ssid-profile name yw3
[AC-wlan-ssid-prof-yw3]ssid yw3
Configure the VAP profiles: service data forwarding mode, service VLAN, and the referenced SSID profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]forward-mode direct-forward
[AC-wlan-vap-prof-yw1]service-vlan vlan-id 11
[AC-wlan-vap-prof-yw1]ssid-profile yw1
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]forward-mode direct-forward
[AC-wlan-vap-prof-yw2]service-vlan vlan-id 12
[AC-wlan-vap-prof-yw2]ssid-profile yw2
[AC-wlan-vap-prof-yw2]vap-profile name yw3
[AC-wlan-vap-prof-yw3]forward-mode tunnel
[AC-wlan-vap-prof-yw3]service-vlan vlan-id 13
[AC-wlan-vap-prof-yw3]ssid-profile yw3
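Configure the AP group to reference the regulatory domain profile and the VAP profiles; radios 0 and 1 on the APs both use the VAP profile configuration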
[AC-wlan-ap-group-ap-group]vap-profile yw1 wlan 1 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw2 wlan 2 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw3 wlan 3 radio all
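View the VAP status
After connecting a wireless terminal
View information about the associated users
Ping the Loopback1 interface from the wireless terminal to verify
7. Configure WEP authentication
The AC supports six security policies; each VAP profile can reference one of them
Configure authentication and encryption for yw3: authentication is WEP share-key, encryption is 40-bit WEP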
[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]security-profile yw3
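View the security profile configuration
View the summary of users associated with the specified SSID
View the terminal association details
8. Configure WPA PSK authentication
WPA options supported by the Huawei AC:
Configure authentication and encryption for yw2: authentication is WPA1-PSK, encryption is TKIP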
[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]security-profile yw2
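View the security profile configuration
View the summary of associated users
View the terminal association information
Test connectivity
9. Configure WPA EAP authentication
The WLAN EAP authentication architecture requires a client, an authenticator and an authentication server; the configuration of the authentication server is omitted here
Configure the gateway address for the RADIUS server on the switch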
[SW]vlan 200
[SW-GigabitEthernet0/0/24]port link-type access
[SW-GigabitEthernet0/0/24]port default vlan 200
[SW]interface Vlanif 200
[SW-Vlanif200]ip address 10.254.1.1 24
Configure the RADIUS authentication server and the authentication and accounting schemes
[AC]radius-server template rs
[AC-radius-rs]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC-radius-rs]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC-radius-rs]radius-server shared-key cipher rs001@123
[AC-radius-rs]undo radius-server user-name domain-included
Configure the AAA schemes
[AC]aaa
[AC-aaa]authentication-scheme radius
[AC-aaa-authen-radius]authentication-mode radius
[AC-aaa]accounting-scheme radius
[AC-aaa-accounting-radius]accounting-mode radius
[AC-aaa-accounting-radius]accounting realtime 15
[AC-aaa]domain default
[AC-aaa-domain-default]authentication-scheme radius
[AC-aaa-domain-default]radius-server rs
Test the AAA configuration
[AC]test-aaa rs rs001@123 radius-template rs
Configure the access profile
[AC]dot1x-access-profile name yw1
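Configure the authentication profile and bind to it the access profile, the RADIUS authentication scheme, the accounting scheme and the server template, so that RADIUS authentication is used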
[AC]authentication-profile name yw1
[AC-authentication-profile-yw1]dot1x-access-profile yw1
[AC-authentication-profile-yw1]authentication-scheme radius
[AC-authentication-profile-yw1]radius-server rs
Configure the security profile: encryption is CCMP, authentication is dot1x EAP
[AC]wlan
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
Reference the security profile and the authentication profile from the VAP profile
[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]security-profile yw1
[AC-wlan-vap-prof-yw1]authentication-profile yw1
Verify the configuration
[AC]display access-user ssid yw1 // View the summary of users under the SSID
[AC]display station sta-mac 5489-98AF-2070 // View the association details of the terminal
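Added example, not part of the original page or of Huawei's tooling: a small Python audit that reads AC commands in the form used in sections 3, 7, 8 and 9 and reports which management and security-profile settings rely on legacy protection (Telnet, WEP, WPA1, TKIP). The rule set, the function name audit and the sample text are assumptions of this example; the sample lines are copied from the commands above.

```python
import re

# Constructed sample: AC commands copied from sections 3, 7, 8 and 9 of this page.
SAMPLE = """\
[AC-aaa]local-user a1 service-type telnet
[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes
"""

PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]\s*")   # strips "[AC-...]" or "<AC>"
COMMENT = re.compile(r"\s*//.*$")               # strips trailing "// note"

# (rule id, pattern on the bare command, reason) -- this example's own rule set.
RULES = [
    ("TELNET", re.compile(r"^local-user \S+ service-type .*\btelnet\b"),
     "management login over cleartext Telnet"),
    ("WEP", re.compile(r"^security wep\b"), "WEP (RC4) is broken"),
    ("WEP40", re.compile(r"^wep key \d+ wep-40\b"), "40-bit WEP key"),
    ("TKIP", re.compile(r"^security wpa\S* .*\btkip\b"), "TKIP is deprecated"),
    ("WPA1", re.compile(r"^security wpa (psk|dot1x)\b"), "WPA1 only, no WPA2"),
]

def audit(config_text):
    """Return a list of (line_no, scope, rule_id, reason) findings."""
    findings, profile = [], None
    for no, raw in enumerate(config_text.splitlines(), 1):
        cmd = COMMENT.sub("", PROMPT.sub("", raw.strip())).strip()
        m = re.match(r"security-profile name (\S+)", cmd)
        if m:                       # remember which security profile we are in
            profile = m.group(1)
            continue
        for rule_id, pat, reason in RULES:
            if pat.search(cmd):
                scope = profile if cmd.startswith(("security", "wep")) else "mgmt"
                findings.append((no, scope, rule_id, reason))
    return findings

if __name__ == "__main__":
    for no, scope, rule_id, reason in audit(SAMPLE):
        print(f"line {no:>2} [{scope}] {rule_id}: {reason}")
```

Of the three security profiles on this page, only yw1 (WPA2 with dot1x and AES) produces no finding.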