Configuration Example: SSID-Based Web Interface Access Control
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or transmitted in any form without the prior written permission of the company. The information in this document is subject to change without notice.
Contents
1 Introduction
2 Prerequisites
3 Configuration Example
  3.1 Network Requirements
  3.2 Configuration Approach
  3.3 Configuration Notes
  3.4 Configuration Procedure
    3.4.1 Configuring the AC
    3.4.2 Configuring the Switch
  3.5 Verifying the Configuration
  3.6 Configuration Files
4 Related Documentation
1 Introduction
This document describes a typical configuration example for SSID-based access control of the AC's web interface.

2 Prerequisites
This document is not tied to a specific software or hardware version. If anything here differs from your product, refer to the relevant product manuals or to the behaviour of the actual device.
The configurations in this document were performed and verified in a lab environment, with every device at its factory defaults before configuration. If you have already configured the device, make sure your existing configuration does not conflict with the example below.
This document assumes you are familiar with WLAN access, WLAN ACLs, and the HTTP feature.

3 Configuration Example
3.1 Network Requirements
As shown in Figure 1, the AC connects to the AP through the Switch, and a DHCP server assigns IP addresses to the AP and the Client. Web access to the AC must be controlled according to the SSID a wireless client associates with, as follows:
A Client that joins the wireless network through the SSID "service2" can access the AC over the web. A Client that joins through the SSID "service1" cannot access the AC over the web.
Figure 1 Network diagram for SSID-based web interface access control
(Figure: AC with Vlan-int100 192.168.1.1/24 and Vlan-int300 192.168.3.1/24, GE1/0/1 connected to Switch GE1/0/1; Switch GE1/0/2 connected to the AP, which serves the Client; Switch GE1/0/3 connected to the DHCP server.)
3.2 Configuration Approach
To allow clients associated with SSID service2 to access the AC over the web, configure a WLAN ACL on the AC that permits only packets from clients associated with SSID service2, and associate the HTTP service with that WLAN ACL. Clients associated with any other SSID, including service1, match no permit rule and are therefore denied.
3.3 Configuration Notes
A WLAN ACL contains the default rule 0 deny, which must be deleted with the undo rule 0 command; if it is left in place it denies every client, including those on service2, and the permit rule never takes effect. The ip http acl command restricts only the HTTP service; if HTTPS access to the AC is enabled it is not covered by this binding. When configuring the AP's serial ID, make sure the serial ID uniquely identifies that AP; it is printed on the label on the back of the AP.
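The approach in 3.2 and the rule 0 caveat in 3.3 can be checked mechanically against an exported AC configuration. The following Python script is an added example and is not part of the H3C document or of any H3C tool. It assumes (these are assumptions, not stated on this page) that WLAN ACL rules are matched in ascending rule-ID order with the first match winning, that a deny rule without an ssid matches every client, that a client matching no rule is denied, and that an AC with no ip http acl line accepts HTTP from any client. The two configuration fragments it parses are constructed to mirror the AC configuration file in section 3.6: one as documented, and one where undo rule 0 was forgotten.

```python
"""Audit which SSIDs can reach the AC web UI from an exported Comware config.

Added example, not from the H3C document. Assumed WLAN ACL semantics (not
stated on the page): ascending rule-ID order, first match wins, a 'deny'
with no ssid matches everyone, no match means deny, and no 'ip http acl'
line means the HTTP service is open to every client.
"""
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[int, str, Optional[str]]  # (rule id, "permit"/"deny", ssid or None)

# Constructed sample: the lines of the section 3.6 AC config that decide web access.
AC_CONFIG_OK = """\
#
 ip http acl 199
#
acl number 199
 rule 1 permit ssid service2
#
wlan service-template 1 clear
 ssid service1
#
wlan service-template 2 clear
 ssid service2
#
"""

# Constructed sample: the same AC when 'undo rule 0' was skipped.
AC_CONFIG_RULE0_LEFT = AC_CONFIG_OK.replace(
    "acl number 199\n", "acl number 199\n rule 0 deny\n")


def parse_wlan_acls(config: str) -> Dict[int, List[Rule]]:
    """Return {acl number: rules sorted by rule id} for every 'acl number N' block."""
    acls: Dict[int, List[Rule]] = {}
    current: Optional[int] = None
    for line in config.splitlines():
        m = re.fullmatch(r"\s*acl number (\d+)\s*", line)
        if m:
            current = int(m.group(1))
            acls.setdefault(current, [])
            continue
        m = re.fullmatch(r"\s*rule (\d+) (permit|deny)(?: ssid (\S+))?\s*", line)
        if m and current is not None:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        if line.strip() == "#":  # a bare '#' closes the current config block
            current = None
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])
    return acls


def http_acl_number(config: str) -> Optional[int]:
    """ACL bound to the HTTP service by 'ip http acl N', or None if unrestricted."""
    m = re.search(r"^\s*ip http acl (\d+)\s*$", config, re.MULTILINE)
    return int(m.group(1)) if m else None


def web_access_allowed(config: str, ssid: str) -> bool:
    """Would a client associated with `ssid` get through to the AC web UI?"""
    acl = http_acl_number(config)
    if acl is None:
        return True  # assumption: no ACL bound means HTTP is open to all
    for _rid, action, rule_ssid in parse_wlan_acls(config).get(acl, []):
        if rule_ssid is None or rule_ssid == ssid:  # first matching rule decides
            return action == "permit"
    return False  # assumption: implicit deny when no rule matches


def configured_ssids(config: str) -> List[str]:
    """SSIDs defined in the service templates ('ssid <name>' lines)."""
    return re.findall(r"^\s*ssid (\S+)\s*$", config, re.MULTILINE)


def audit(config: str) -> Dict[str, bool]:
    """Map every configured SSID to whether it can reach the web UI."""
    return {s: web_access_allowed(config, s) for s in configured_ssids(config)}


def shadowed_permits(config: str) -> List[int]:
    """Permit rule ids in the HTTP ACL that an earlier catch-all deny makes unreachable."""
    acl = http_acl_number(config)
    rules = parse_wlan_acls(config).get(acl, []) if acl is not None else []
    catch_all_deny_seen = False
    shadowed: List[int] = []
    for rid, action, rule_ssid in rules:
        if catch_all_deny_seen and action == "permit":
            shadowed.append(rid)
        elif action == "deny" and rule_ssid is None:
            catch_all_deny_seen = True
    return shadowed


if __name__ == "__main__":
    for name, cfg in (("as documented", AC_CONFIG_OK),
                      ("rule 0 left in", AC_CONFIG_RULE0_LEFT)):
        print(name, audit(cfg), "shadowed permits:", shadowed_permits(cfg))
```

Run against the documented configuration, audit() reports service2 permitted and service1 denied; with rule 0 deny still present both SSIDs are denied and shadowed_permits() names rule 1 as the permit that can never match, which is the failure mode the note above describes.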
3.4 Configuration Procedure
3.4.1 Configuring the AC
(1) Configure the AC interfaces
# Create VLAN 100 and its VLAN interface, and assign the interface an IP address. The AC uses this interface's IP address to establish the LWAPP tunnel with the AP.
system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.168.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200 as the default VLAN of the WLAN-ESS interfaces.
[AC] vlan 200
[AC-vlan200] quit
# Create VLAN 300 as the service VLAN for client access, and assign an IP address to its VLAN interface.
[AC] vlan 300
[AC-vlan300] quit
[AC] interface vlan-interface 300
[AC-Vlan-interface300] ip address 192.168.3.1 24
[AC-Vlan-interface300] quit
# Configure GigabitEthernet1/0/1 as a trunk port, deny VLAN 1, permit VLAN 100 and VLAN 300, and set the PVID to VLAN 100.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 300
[AC-GigabitEthernet1/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet1/0/1] quit
# Create interface WLAN-ESS1 and set its link type to hybrid.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port link-type hybrid
# Set the PVID of the hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.
[AC-WLAN-ESS1] undo port hybrid vlan 1
[AC-WLAN-ESS1] port hybrid vlan 200 untagged
[AC-WLAN-ESS1] port hybrid pvid vlan 200
# Enable MAC VLAN.
[AC-WLAN-ESS1] mac-vlan enable
[AC-WLAN-ESS1] quit
# Create interface WLAN-ESS2 and set its link type to hybrid.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port link-type hybrid
# Set the PVID of the hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.
[AC-WLAN-ESS2] undo port hybrid vlan 1
[AC-WLAN-ESS2] port hybrid vlan 200 untagged
[AC-WLAN-ESS2] port hybrid pvid vlan 200
# Enable MAC VLAN.
[AC-WLAN-ESS2] mac-vlan enable
[AC-WLAN-ESS2] quit
(2) Configure the wireless services
# Create service template 1 of the clear type.
[AC] wlan service-template 1 clear
# Set the SSID of the service template to service1.
[AC-wlan-st-1] ssid service1
# Bind interface WLAN-ESS1 to service template 1.
[AC-wlan-st-1] bind wlan-ess 1
# Enable the wireless service.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create service template 2 of the clear type.
[AC] wlan service-template 2 clear
# Set the SSID of the service template to service2.
[AC-wlan-st-2] ssid service2
# Bind interface WLAN-ESS2 to service template 2.
[AC-wlan-st-2] bind wlan-ess 2
# Enable the wireless service.
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
(3) Configure the radio and bind the service templates
# Create an AP template named officeap for the model WA2620E-AGN.
[AC] wlan ap officeap model WA2620E-AGN
# Set the AP's serial ID to 210235A29G007C000020.
[AC-wlan-ap-officeap] serial-id 210235A29G007C000020
# Enter radio 2 view.
[AC-wlan-ap-officeap] radio 2
# Bind the clear-type service templates 1 and 2 configured on the AC to radio 2, with VLAN 300 as the VLAN bound to the radio.
[AC-wlan-ap-officeap-radio-2] service-template 1 vlan-id 300
[AC-wlan-ap-officeap-radio-2] service-template 2 vlan-id 300
# Enable radio 2 of the AP.
[AC-wlan-ap-officeap-radio-2] radio enable
[AC-wlan-ap-officeap-radio-2] quit
(4) Configure the WLAN ACL
# Create WLAN ACL 199 and delete its default rule 0.
[AC] acl number 199
[AC-acl-wlan-199] undo rule 0
# Configure rule 1 to permit packets from WLAN clients whose SSID is service2.
[AC-acl-wlan-199] rule 1 permit ssid service2
[AC-acl-wlan-199] quit
# Associate the HTTP service with ACL 199.
[AC] ip http acl 199
3.4.2 Configuring the Switch
# Create VLAN 100 and VLAN 300. VLAN 100 carries the LWAPP tunnel traffic between the AC and the AP; VLAN 300 is the VLAN the wireless clients access.
system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] vlan 300
[Switch-vlan300] quit
# Configure GigabitEthernet1/0/1 of the Switch as a trunk port, deny VLAN 1, permit VLAN 100 and VLAN 300, and set the PVID to VLAN 100.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 300
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects the Switch to the AP, as an access port in VLAN 100.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE on GigabitEthernet1/0/2, which connects to the AP.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/3, which connects the Switch to the DHCP server, as an access port in VLAN 100.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
[Switch-GigabitEthernet1/0/3] quit
3.5 Verifying the Configuration
# After a wireless client associates with SSID service2, it can access the AC's web interface normally.
# After a wireless client associates with SSID service1, it cannot access the AC's web interface.
3.6 Configuration Files
AC:
#
 ip http acl 199
#
acl number 199
 rule 1 permit ssid service2
#
vlan 100
#
vlan 200
#
vlan 300
#
wlan service-template 1 clear
 ssid service1
 bind WLAN-ESS 1
 service-template enable
#
wlan service-template 2 clear
 ssid service2
 bind WLAN-ESS 2
 service-template enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 300
 undo port trunk permit vlan 1
 port trunk pvid vlan 100
#
interface Vlan-interface100
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface300
 ip address 192.168.3.1 255.255.255.0
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
#
interface WLAN-ESS2
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
#
wlan ap officeap model WA2620E-AGN id 1
 serial-id 210235A29G007C000020
 radio 1
 radio 2
  service-template 1 vlan-id 300
  service-template 2 vlan-id 300
  radio enable
#
Switch:
#
vlan 100
#
vlan 300
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 300
 undo port trunk permit vlan 1
 port trunk pvid vlan 100
#
interface GigabitEthernet1/0/2
 port link-type access
 port access vlan 100
 poe enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port access vlan 100
#

4 Related Documentation
H3C WX Series Access Controllers Configuration Guide, "Fundamentals Configuration Guide"
H3C WX Series Access Controllers Command Reference, "Fundamentals Command Reference"
H3C WX Series Access Controllers Configuration Guide, "ACL and QoS Configuration Guide"
H3C WX Series Access Controllers Command Reference, "ACL and QoS Command Reference"
H3C WX Series Access Controllers Configuration Guide, "WLAN Configuration Guide"
H3C WX Series Access Controllers Command Reference, "WLAN Command Reference"