2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Requirements:
1. 802.1X authentication for the WiFi network across the whole campus.
2. The Agile Controller (AC) shows online users as AD members rather than as IP addresses, so that AD members can be controlled and policies issued to them.
3. Network isolation between departments based on AD group membership.
4. An 802.1X authentication escape mechanism for the wireless network.
WLC: 10.100.250.1
Agile Controller: 10.100.246.47
1. Network-wide WIFI to achieve 802.1X authentication
The HUAWEI S12708 belongs to the Agile series of switches, which integrate wired and wireless functions, so in this case the wireless controller (AC) is configured on the switch itself.
Network part:
authentication unified-mode  -- switch NAC to unified mode; the change only takes effect after the device is restarted
#
dhcp enable  -- must be enabled globally before an interface can select a DHCP pool (not listed in the original)
interface Vlanif122
 ip address 10.100.122.1 255.255.254.0
 dhcp select global
#
ip pool vlan122
 gateway-list 10.100.122.1
 network 10.100.122.0 mask 255.255.254.0
 lease day 0 hour 8 minute 0
 dns-list 10.100.246.10 10.100.246.20
#
radius-server template JC_OFFICE
 radius-server shared-key cipher huawei@123
 radius-server authentication 10.100.246.47 1812 source ip-address 10.100.250.1
 radius-server accounting 10.100.246.47 1813 source ip-address 10.100.250.1
#
radius-server authorization 10.100.246.47 shared-key cipher huawei@123  -- system view; accepts authorization (CoA/disconnect) from the controller, and the key must match the template (the original read "ciphe huwei@123")
#
aaa
 authentication-scheme JC_OFFICE
  authentication-mode radius none  -- "none" is the escape: when the RADIUS server does not respond, users are admitted without authentication (see requirement 4)
 accounting-scheme JC_OFFICE
  accounting-mode radius
  accounting realtime 15
 domain JC_OFFICE
  authentication-scheme JC_OFFICE
  accounting-scheme JC_OFFICE
  radius-server JC_OFFICE
#
dot1x-access-profile name JC_OFFICE  -- the access profile has to exist before it is bound below (not listed in the original)
#
authentication-profile name 802.1x
 dot1x-access-profile JC_OFFICE
 access-domain JC_OFFICE
 access-domain JC_OFFICE force  -- "force" puts every user into domain JC_OFFICE regardless of the domain carried in the user name
Wireless part:
wlan
 ac-global country-code cn  -- sets the AC country code so that the radios of the APs it manages comply with the regulations of the country or region; the default is already CN
Warning: Modifying the country code will clear channel configurations of the AP radio using the country code and reset the AP. If the new country code does not support the radio, all configurations of the radio are cleared. Continue? [Y/N]: y
 ac-global ac id 1 carrier id other  -- the AC ID defaults to 0 and is changed to 1 here
#
capwap source interface vlanif 250  -- AP management VLAN (system view)
#
wlan
 rrm-profile name jc
  calibrate auto-txpower-select disable
  smart-roam enable
  smart-roam roam-threshold snr 25
 radio-2g-profile name radio-2g
  rrm-profile jc
 radio-5g-profile name radio-5g
  rrm-profile jc
 traffic-profile name JC_OFFICE
 security-profile name JC_OFFICE
  security wpa-wpa2 dot1x aes  -- WPA/WPA2-Enterprise: 802.1X key management with AES (CCMP) encryption
 ssid-profile name JC_OFFICE
  ssid JC_OFFICE
  max-sta-number 255
 vap-profile name JC_OFFICE
  forward-mode tunnel  -- user traffic is carried to the AC inside the CAPWAP tunnel
  service-vlan vlan-id 999
  ssid-profile JC_OFFICE
  security-profile JC_OFFICE
  traffic-profile JC_OFFICE
  authentication-profile 802.1x
 ap-group name JC
  radio 0
   radio-2g-profile radio-2g
   vap-profile JC_OFFICE wlan 1
   eirp 15
  radio 1
   radio-5g-profile radio-5g
   vap-profile JC_OFFICE wlan 1
   eirp 18
 ap-id 1 type-id 75 ap-mac C4FF-1FF5-ECA0  -- AP MAC address
  ap-name 6#1
  ap-group 6#6F
Agile Controller section:
The Agile Controller side is configured according to the reference manual and the needs of the actual environment; it is not described in this case.
2. The Agile Controller (AC) shows online users as AD members rather than as IP addresses, so that AD members can be controlled and policies issued to them.
Network part:
Mirror the port carrying the traffic between the switch and the RADIUS server to the Agile Controller, so that the controller can observe the RADIUS exchanges for single sign-on:
observe-port 2 interface GigabitEthernet1/2/0/45  -- this port is directly connected to the Agile Controller; the observe port is defined before it is referenced
#
interface XGigabitEthernet1/7/0/46
 description to neiwang_FW
 port-mirroring to observe-port 2 inbound
 port-mirroring to observe-port 2 outbound
AC section:
1. Configure the LDAP server:
2. Configure the LDAP server parameters:
3. After the user data has been synchronised, the AD member information is displayed under group / user:
4. Configure the RADIUS authentication server:
5. Enable RADIUS single sign-on:
6. Configure the mirror port:
7. Configure the single sign-on authentication policy:
8. Configure the single sign-on authentication policy:
9. Configure the single sign-on authentication policy:
10. Result: online users are displayed as AD members:
11. Internet access policy audit:
12. Internet access policy audit:
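As an added illustration of what the RADIUS single sign-on step obtains from the mirrored traffic (this is example code, not from the page or from Huawei), the parser below checks an Accounting-Request's authenticator with the template's shared key before trusting its User-Name / Framed-IP-Address mapping, which is exactly the mapping that lets the controller show an IP address as an AD member. The sample packet, its user name, address and MAC are constructed; the key huawei@123 is the one in the radius-server template above.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# RFC 2866 code and attribute numbers present in the accounting traffic the mirror port carries
ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
SHARED_SECRET = b"huawei@123"  # the key from the radius-server template above

def build_acct_request(ident, attrs, secret=SHARED_SECRET):
    # Accounting-Request authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(packet, secret=SHARED_SECRET):
    """Verify a mirrored Accounting-Request against the shared secret and return the
    user/IP/MAC/status mapping the SSO relies on; None if the packet cannot be trusted."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or not 20 <= length <= len(packet):
        return None
    header, auth, body = packet[:4], packet[4:20], packet[20:length]
    if auth != hashlib.md5(header + bytes(16) + body + secret).digest():
        return None  # wrong secret or tampered packet: do not update the online-user table
    result, pos = {"id": ident}, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None  # malformed attribute
        value = body[pos + 2:pos + alen]
        if atype == USER_NAME:
            result["user"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP and len(value) == 4:
            result["ip"] = str(IPv4Address(value))
        elif atype == CALLING_STATION_ID:
            result["mac"] = value.decode("ascii", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            result["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "Unknown")
        pos += alen
    return result

# Constructed sample: Accounting Start for an AD user who received an address in VLAN 122
SAMPLE = build_acct_request(7, [(USER_NAME, b"JC\\zhangsan"),
                                (FRAMED_IP, IPv4Address("10.100.122.57").packed),
                                (CALLING_STATION_ID, b"0011-2233-4455"),
                                (ACCT_STATUS_TYPE, struct.pack("!I", 1))])
```

Because the accounting stream is only mirrored, a packet whose authenticator does not verify under the configured key should never update the user-to-IP table; the same check distinguishes genuine switch traffic from anything else on the observe port.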
3. Network isolation between departments based on AD group membership.
Integrating the Huawei Agile Controller with the Huawei Agile series switches makes it possible to configure XMPP through the controller's Free Mobility function (业务随行, rendered "business accompanying" in the original) and so isolate AD members from one another at the network level.
Agile Controller section:
1. Add the device:
2. Configure the XMPP parameters:
3. Define the dynamic security groups:
4. Take one department as an example:
5. Define the private network configuration of the dynamic security group:
6. Once the configuration is complete, the admission control - authentication authorization - rules and results are generated automatically:
7. Configure the Free Mobility group:
8. Configure the Free Mobility parameters:
9. Define the Free Mobility group policy:
10. Take one department as an example:
11. After the policy is completed, the security groups are deployed across the whole network.
12. After the policy is completed, the Free Mobility access control policy is deployed across the whole network.
Network part:
group-policy controller 10.100.246.47 password huawei@123 src-ip 10.100.250.1  -- connect the switch to the Agile Controller so that security groups and policies can be delivered
display group-policy status  -- view the connection status with Agile Controller-Campus
display ucl-group all  -- view the security groups that have been delivered
display acl all  -- view the access control policies that have been delivered
4. An 802.1X authentication escape mechanism for the wireless network.
The escape is the "none" fallback in the authentication scheme: when the RADIUS server does not respond, users are admitted without RADIUS authentication instead of being locked out. The fallback is only triggered when the server is unreachable, not when the server rejects a user, and while it is active the SSID admits anyone, so the accounting and online-user records from that period are not authenticated.
aaa
 authentication-scheme JC_OFFICE
  authentication-mode radius none