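Typical Configuration Example: Client Roaming Between ACs
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or transmitted in any form by any organization or individual without the prior written consent of the company. The information in this document is subject to change without notice.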
Contents
1 Introduction
2 Prerequisites
3 Configuration example
3.1 Network requirements
3.2 Configuration approach
3.3 Configuration notes
3.4 Configuration procedure
3.4.1 Configuring AC 1
3.4.2 Configuring AC 2
3.4.3 Configuring the L3 switch
3.4.4 Configuring the AAA server
3.5 Verifying the configuration
3.6 Configuration files
4 Related documentation
1 Introduction
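This document provides a typical configuration example for client roaming between ACs.
2 Prerequisites
This document is not strictly tied to specific software or hardware versions. If what you see differs from the actual product, refer to the relevant product manuals or follow the actual behavior of the device.
All configuration in this document was performed and verified in a lab environment, and all device parameters were at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in the following example.
This document assumes that you are familiar with AAA, 802.1X, and WLAN features.
3 Configuration example
3.1 Network requirements
As shown in Figure 1, AP 1 and AP 2 are connected to AC 1 and AC 2 respectively, and the DHCP server assigns addresses to the wireless clients and the APs. The requirements are:
Clients must pass 802.1X authentication before they can come online.
Configure inter-AC roaming for wireless clients so that a wireless client keeps its VLAN when it roams between AP 1 and AP 2, and wireless client information is synchronized automatically between AC 1 and AC 2. Clients do not need to re-authenticate when roaming between ACs.
Prevent users from maliciously using an account of another domain to access the network through this port.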
Figure 1 Network diagram for client roaming between ACs
(Figure labels: AC 1, Vlan-int101 137.101.0.1/24; L3 switch, Vlan-int101 137.101.0.2/24 and Vlan-int102 137.102.0.2/24; AC 2, Vlan-int102 137.102.0.1/24; AAA server 8.1.1.5/16; AP 1; AP 2; DHCP server; Client.)
3.2 Configuration approach
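Because some 802.1X clients do not support exchanging handshake packets with the device, disable the online user handshake function on the device so that online users of this type are not forced offline for failing to respond to handshake packets.
In a wireless LAN, 802.1X authentication can be initiated by the client or triggered automatically when the wireless module discovers a user, so the port does not need to send 802.1X multicast packets periodically to trigger it. Multicast trigger packets also consume wireless bandwidth, so it is recommended that access devices in a wireless LAN disable the 802.1X multicast trigger function.
To prevent users from maliciously using an account of another domain to access the network through this port, configure a mandatory authentication domain on the port.
Because a wireless client must keep its VLAN unchanged through a MAC VLAN entry while roaming across VLANs, enable the MAC-VLAN function on the ACs.
For roaming to succeed, the IACTP tunnel name configured on AC 1 and AC 2 must be the same, and the IACTP control message integrity authentication mode and authentication key configured on AC 1 and AC 2 must be the same.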
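The IACTP consistency requirement above can be checked mechanically before the tunnel is brought up. The following Python script is an added example, not H3C code: the function names (sections, mobility_group, check_pair) are hypothetical, and the sample configurations are constructed from the commands this document uses in section 3.4.

```python
# Constructed sample: the section 3.4.1 IACTP commands, laid out like a saved
# config (header line, body indented by one space, sections separated by "#").
AC1_CFG = """\
wlan mobility-group office
 source ip 137.101.0.1
 member ip 137.102.0.1
 authentication-mode md5 simple 123456
 mobility-group enable
#
"""
# AC 2 mirrors AC 1 with the source and member addresses swapped.
AC2_CFG = (AC1_CFG.replace("source ip 137.101.0.1", "source ip 137.102.0.1")
                  .replace("member ip 137.102.0.1", "member ip 137.101.0.1"))

def sections(cfg):
    """Split a config into {header line: [body lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() in ("", "#"):
            cur = None
        elif not line.startswith(" "):
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def mobility_group(cfg):
    """Return the IACTP settings of the first mobility group, or None."""
    for head, body in sections(cfg).items():
        if head.startswith("wlan mobility-group "):
            mg = {"name": head.split()[2], "members": set(), "source": None,
                  "auth": None, "enabled": "mobility-group enable" in body}
            for words in map(str.split, body):
                if words[:2] == ["member", "ip"]:
                    mg["members"].add(words[2])
                elif words[:2] == ["source", "ip"]:
                    mg["source"] = words[2]
                elif words[0] == "authentication-mode":
                    # Assumption: both configs store the key in the same form.
                    mg["auth"] = (words[1].lower(), tuple(words[2:]))
            return mg
    return None

def check_pair(cfg_a, cfg_b):
    """List violations of the IACTP requirements for two peer ACs."""
    a, b = mobility_group(cfg_a), mobility_group(cfg_b)
    if a is None or b is None:
        return ["mobility group missing"]
    findings = []
    if a["name"] != b["name"]:
        findings.append("tunnel names differ")
    if a["auth"] != b["auth"]:
        findings.append("authentication mode or key differs")
    if a["source"] not in b["members"] or b["source"] not in a["members"]:
        findings.append("member/source addresses not mutual")
    if not (a["enabled"] and b["enabled"]):
        findings.append("mobility group not enabled")
    return findings
```

An empty list from check_pair means the two configurations satisfy the name, authentication, and peering requirements stated above.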
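3.3 Configuration notes
When configuring the serial number of an AP, make sure that the serial number uniquely identifies that AP. The serial number can be found on the label on the back of the AP.
Because the port security feature provides extensions and combinations of 802.1X authentication through multiple security modes, port security is normally used in wireless environments unless the network has special requirements.
3.4 Configuration procedure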
3.4.1 Configuring AC 1
(1) Configure the interfaces of AC 1
# Create VLAN 101 and its VLAN interface, and assign an IP address to the interface. The AC uses the IP address of this interface to establish the LWAPP tunnel with the AP.
<AC1> system-view
[AC1] vlan 101
[AC1-vlan101] quit
[AC1] interface vlan-interface 101
[AC1-Vlan-interface101] ip address 137.101.0.1 24
[AC1-Vlan-interface101] quit
# Create VLAN 200 as the default VLAN of the ESS interface.
[AC1] vlan 200
[AC1-vlan200] quit
# Use VLAN 300 as the service VLAN for client access.
[AC1] vlan 300
[AC1-vlan300] quit
# Configure the default route.
[AC1] ip route-static 0.0.0.0 0 137.101.0.2
# Configure GigabitEthernet1/0/1 of AC 1 as a trunk port and permit VLAN 101, VLAN 200, and VLAN 300.
[AC1] interface GigabitEthernet1/0/1
[AC1-GigabitEthernet1/0/1] port link-type trunk
[AC1-GigabitEthernet1/0/1] port trunk permit vlan 101 200 300
[AC1-GigabitEthernet1/0/1] quit
(2) Configure the IACTP tunnel
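# Create the IACTP tunnel office and enter its view.
[AC1] wlan mobility-group office
# Configure the source IP address of the IACTP tunnel.
[AC1-wlan-mg-office] source ip 137.101.0.1
# Configure the IP address of AC 2 as a member of the IACTP tunnel.
[AC1-wlan-mg-office] member ip 137.102.0.1
# Set the IACTP control message integrity authentication mode to md5 and the authentication key to 123456.
[AC1-wlan-mg-office] authentication-mode md5 simple 123456
# Enable the IACTP tunnel.
[AC1-wlan-mg-office] mobility-group enable
[AC1-wlan-mg-office] quit
(3) Configure the 802.1X authentication service
# Enable port security.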
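[AC1] port-security enable
# Set the authentication method for 802.1X users to EAP.
[AC1] dot1x authentication-method eap
(4) Configure the authentication policy and authentication domain
# Create the RADIUS scheme office.
[AC1] radius scheme office
# Set the IP address of the primary authentication AAA server to 8.1.1.5 and the IP address of the primary accounting AAA server to 8.1.1.5.
[AC1-radius-office] primary authentication 8.1.1.5
[AC1-radius-office] primary accounting 8.1.1.5
# Set the shared key that AC 1 uses with the AAA authentication server to 123456789, and the shared key that it uses with the AAA accounting server to 123456789.
[AC1-radius-office] key authentication 123456789
[AC1-radius-office] key accounting 123456789
# Configure the user names sent to the AAA server to exclude the ISP domain name.
[AC1-radius-office] user-name-format without-domain
# Set the source IP address of the packets that the device sends to the AAA server to 137.101.0.1.
[AC1-radius-office] nas-ip 137.101.0.1
[AC1-radius-office] quit
# Add the authentication domain office and specify office as the RADIUS authentication scheme for the domain.
[AC1] domain office
[AC1-isp-office] authentication lan-access radius-scheme office
[AC1-isp-office] authorization lan-access radius-scheme none
[AC1-isp-office] accounting lan-access radius-scheme none
[AC1-isp-office] quit
(5) Configure the wireless service
# Create the WLAN-ESS1 interface.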
[AC1] interface wlan-ess 1
# Set the link type of the WLAN-ESS1 interface to hybrid.
[AC1-WLAN-ESS1] port link-type hybrid
# Set the PVID of this hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.
[AC1-WLAN-ESS1] undo port hybrid vlan 1
[AC1-WLAN-ESS1] port hybrid vlan 200 untagged
[AC1-WLAN-ESS1] port hybrid pvid vlan 200
# Enable the MAC-VLAN function on the WLAN-ESS1 interface.
[AC1-WLAN-ESS1] mac-vlan enable
# Set the mandatory authentication domain for 802.1X users to office.
[AC1-WLAN-ESS1] dot1x mandatory-domain office
# Set the port security mode to userlogin-secure-ext and enable key negotiation of the 11key type on the port.
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
# Disable the 802.1X multicast trigger function and the online user handshake function.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
# Create service template 1 (a crypto-type service template), set the SSID to service, and set the encryption methods to TKIP and AES-CCMP.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid service
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite tkip
[AC1-wlan-st-1] cipher-suite ccmp
# Configure the AP to carry the RSN IE in beacon and probe response frames, and enable the service template.
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
(6) Configure the radio interface and bind the service template
# Create the template for AP 1 with the name officeap1, select the model name WA2620E-AGN, and configure its serial number.
[AC1] wlan ap officeap1 model WA2620E-AGN
[AC1-wlan-ap-officeap1] serial-id 21023529G007C000020
# Set the operating mode of radio 2 on AP 1 to dot11gn, bind service template 1 to the radio, set the VLAN ID bound to the radio interface to 300, and enable the radio.
[AC1-wlan-ap-officeap1] radio 2 type dot11gn
[AC1-wlan-ap-officeap1-radio-2] service-template 1 vlan-id 300
[AC1-wlan-ap-officeap1-radio-2] radio enable
[AC1-wlan-ap-officeap1-radio-2] quit
[AC1-wlan-ap-officeap1] quit
3.4.2 Configuring AC 2
(1) Configure the interfaces of AC 2
# Create VLAN 102 and its VLAN interface, and assign an IP address to the interface. The AC uses the IP address of this interface to establish the LWAPP tunnel with the AP.
<AC2> system-view
[AC2] vlan 102
[AC2-vlan102] quit
[AC2] interface vlan-interface 102
[AC2-Vlan-interface102] ip address 137.102.0.1 24
[AC2-Vlan-interface102] quit
# Create VLAN 200 as the default VLAN of the ESS interface.
[AC2] vlan 200
[AC2-vlan200] quit
# Create VLAN 300 as the service VLAN for client access.
[AC2] vlan 300
[AC2-vlan300] quit
# Configure the default route.
[AC2] ip route-static 0.0.0.0 0 137.102.0.2
# Configure GigabitEthernet1/0/1 of AC 2 as a trunk port and permit VLAN 102, VLAN 200, and VLAN 300.
[AC2] interface GigabitEthernet1/0/1
[AC2-GigabitEthernet1/0/1] port link-type trunk
[AC2-GigabitEthernet1/0/1] port trunk permit vlan 102 200 300
[AC2-GigabitEthernet1/0/1] quit
(2) Configure the IACTP tunnel
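# Create the IACTP tunnel office and enter its view.
[AC2] wlan mobility-group office
# Configure the source IP address of the IACTP tunnel.
[AC2-wlan-mg-office] source ip 137.102.0.1
# Configure the IP address of AC 1 as a member of the IACTP tunnel.
[AC2-wlan-mg-office] member ip 137.101.0.1
# Set the IACTP control message integrity authentication mode to md5 and the authentication key to 123456.
[AC2-wlan-mg-office] authentication-mode md5 simple 123456
# Enable the IACTP tunnel.
[AC2-wlan-mg-office] mobility-group enable
[AC2-wlan-mg-office] quit
(3) Configure the 802.1X authentication service
# Enable port security.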
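[AC2] port-security enable
# Set the authentication method for 802.1X users to EAP.
[AC2] dot1x authentication-method eap
(4) Configure the authentication policy and authentication domain
# Create the RADIUS scheme office.
[AC2] radius scheme office
# Set the IP address of the primary authentication AAA server to 8.1.1.5 and the IP address of the primary accounting AAA server to 8.1.1.5.
[AC2-radius-office] primary authentication 8.1.1.5
[AC2-radius-office] primary accounting 8.1.1.5
# Set the shared key that the AC uses with the AAA authentication server to 123456789, and the shared key that it uses with the AAA accounting server to 123456789.
[AC2-radius-office] key authentication 123456789
[AC2-radius-office] key accounting 123456789
# Configure the user names that the AC sends to the AAA server to exclude the ISP domain name.
[AC2-radius-office] user-name-format without-domain
# Set the source IP address of the packets that the device sends to the AAA server to 137.102.0.1.
[AC2-radius-office] nas-ip 137.102.0.1
[AC2-radius-office] quit
# Add the authentication domain office and specify office as the RADIUS authentication scheme for the domain.
[AC2] domain office
[AC2-isp-office] authentication lan-access radius-scheme office
[AC2-isp-office] authorization lan-access radius-scheme none
[AC2-isp-office] accounting lan-access radius-scheme none
[AC2-isp-office] quit
(5) Configure the wireless service
# Create the WLAN-ESS1 interface.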
[AC2] interface wlan-ess 1
# Set the link type of the WLAN-ESS1 interface to hybrid.
[AC2-WLAN-ESS1] port link-type hybrid
# Set the PVID of this hybrid port to VLAN 200, deny VLAN 1, and permit VLAN 200 untagged.
[AC2-WLAN-ESS1] undo port hybrid vlan 1
[AC2-WLAN-ESS1] port hybrid vlan 200 untagged
[AC2-WLAN-ESS1] port hybrid pvid vlan 200
# Enable the MAC-VLAN function on the WLAN-ESS1 interface.
[AC2-WLAN-ESS1] mac-vlan enable
# Configure office as the mandatory authentication domain for 802.1X users on the WLAN-ESS1 interface.
[AC2-WLAN-ESS1] dot1x mandatory-domain office
# Set the port security mode to userlogin-secure-ext and enable key negotiation of the 11key type on the port.
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key
# Disable the 802.1X multicast trigger function and the online user handshake function.
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
# Create service template 1 (a crypto-type service template), set the SSID to service, and set the encryption methods to TKIP and AES-CCMP.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid service
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite tkip
[AC2-wlan-st-1] cipher-suite ccmp
# Configure the AP to carry the RSN IE in beacon and probe response frames, and enable the service template.
[AC2-wlan-st-1] security-ie rsn
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
(6) Configure the radio interface and bind the service template
# Create the template for AP 2 with the name officeap2, select the model name WA2620E-AGN, and configure its serial number.
[AC2] wlan ap officeap2 model WA2620E-AGN
[AC2-wlan-ap-officeap2] serial-id 21023529G007C000021
# Enter radio 2 view, bind service template 1 to the radio, set the VLAN ID bound to the radio interface to 300, and enable the radio.
[AC2-wlan-ap-officeap2] radio 2
[AC2-wlan-ap-officeap2-radio-2] service-template 1 vlan-id 300
[AC2-wlan-ap-officeap2-radio-2] radio enable
[AC2-wlan-ap-officeap2-radio-2] quit
[AC2-wlan-ap-officeap2] quit
3.4.3 Configuring the L3 switch
# Create VLAN 101, VLAN 102, and VLAN 300. VLAN 101 and VLAN 102 forward the traffic inside the LWAPP tunnels between the ACs and the APs, and VLAN 300 is the VLAN for wireless user access.
<Switch> system-view
[Switch] vlan 101
[Switch-vlan101] quit
[Switch] vlan 102
[Switch-vlan102] quit
[Switch] vlan 300
[Switch-vlan300] quit
# Configure GigabitEthernet1/0/1, which connects the switch to AC 1, as a trunk port with PVID 101, and permit VLAN 101.
[Switch] interface GigabitEthernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 101
[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 101
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2, which connects the switch to AC 2, as a trunk port with PVID 102, and permit VLAN 102.
[Switch] interface GigabitEthernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk permit vlan 102
[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 102
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/3, which connects the switch to AP 1, as an access port and permit VLAN 101.
[Switch] interface GigabitEthernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 101
# Enable PoE.
[Switch-GigabitEthernet1/0/3] poe enable
[Switch-GigabitEthernet1/0/3] quit
# Configure GigabitEthernet1/0/4, which connects the switch to AP 2, as an access port and permit VLAN 102.
[Switch] interface GigabitEthernet1/0/4
[Switch-GigabitEthernet1/0/4] port link-type access
[Switch-GigabitEthernet1/0/4] port access vlan 102
# Enable PoE.
[Switch-GigabitEthernet1/0/4] poe enable
[Switch-GigabitEthernet1/0/4] quit
# Set the IP address of the VLAN 101 interface to 137.101.0.2/24 and the IP address of the VLAN 102 interface to 137.102.0.2/24.
[Switch] interface vlan-interface 101
[Switch-Vlan-interface101] ip address 137.101.0.2 255.255.255.0
[Switch-Vlan-interface101] quit
[Switch] interface vlan-interface 102
[Switch-Vlan-interface102] ip address 137.102.0.2 255.255.255.0
[Switch-Vlan-interface102] quit
3.4.4 Configuring the AAA server
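The following uses iMC as an example (iMC versions used: iMC PLAT 7.0(E0202) and iMC UAM 7.0(E0202)) to describe the basic configuration of the AAA server.
# Add the access devices.
Log in to the iMC management platform, select the "User" tab, and click the [Access Policy Management/Access Device Management/Access Device Configuration] menu item in the navigation tree to open the access device configuration page. On that page, click the button to open the page for adding an access device.
Set the authentication and accounting shared key to 123456789 and keep the defaults for the other settings;
Select or manually add the access devices, adding the access devices with IP addresses 137.101.0.1 and 137.102.0.1.
Figure 2 Adding an access device
# Add an access policy.
Select the "User" tab and click the [Access Policy Management/Access Policy Management] menu item in the navigation tree to open the access policy management page. On that page, click the button to open the page for adding an access policy.
Set the access policy name to office;
Select EAP-PEAP authentication as the authentication certificate type and MS-CHAPV2 authentication as the authentication certificate subtype.
Figure 3 Page for adding an access policy
# Add an access service.
Select the "User" tab and click the [Access Policy Management/Access Service Management] menu item in the navigation tree to open the access service management page. On that page, click the button to open the page for adding an access service.
Set the service name to office;
Select office as the default access policy and keep the defaults for the other settings.
Figure 4 Page for adding an access service
# Add an access user.
Select the "User" tab and click the [Access User Management/Access User] menu item in the navigation tree to open the access user page. On that page, click the button to open the page for adding an access user.
Click to add the user office with identity number 123456; add the account name office with password 123456; select the service office configured earlier.
Figure 5 Adding an access user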
3.5 Verifying the configuration
# The client first comes online in VLAN 300 on officeap1, which is connected to AC 1. Use the display wlan client verbose command to view the detailed client information.
[AC1] display wlan client verbose
 Total Number of Clients : 1
 Client Information
------------------
 MAC Address                      : 0015-00ef-ac23
 User Name                        : office
 IP Address                       : 0.0.0.0
 AID                              : 1
 AP Name                          : officeap1
 Radio Id                         : 2
 Antenna Id                       : 0
 Service Template Number          : 1
 SSID                             : service
 BSSID                            : c8cb-b8f1-f6d0
 Port                             : WLAN-DBSS1:1
 VLAN                             : 300
 State                            : Running
 Power Save Mode                  : Active
 Wireless Mode                    : 11g
 QoS Mode                         : WMM
 Listen Interval (Beacon Interval): 10
 RSSI                             : 42
 Rx/Tx Rate                       : 48/36
 Client Type                      : WPA2(RSN)
 Authentication Method            : Open System
 Authentication Mode              : Central
 AKM Method                       : Dot1X
 4-Way Handshake State            : PTKINITDONE
 Group Key State                  : IDLE
 Encryption Cipher                : AES-CCMP
 Roam Status                      : Normal
 Roam Count                       : 0
 Up Time (hh:mm:ss)               : 00:00:51
-----------------
# Use the display wlan mobility-group command to view the IACTP tunnel information.
[AC1] display wlan mobility-group
 Mobility Group Information
-----------------
 Group Name            : office
 Source IP Address     : 137.101.0.1
 Authentication Method : MD5
-----------------
 Member Information
-----------------
 IP-address      State   Interface
-----------------
 137.102.0.1     Run     WLAN-Tunnel2
-----------------
[AC2] display wlan mobility-group
 Mobility Group Information
-----------------
 Group Name            : office
 Source IP Address     : 137.102.0.1
 Authentication Method : MD5
-----------------
 Member Information
-----------------
 IP-address      State   Interface
-----------------
 137.101.0.1     Run     WLAN-Tunnel2
-----------------
# When the client roams from AP 1, which is connected to AC 1, to AP 2, which is connected to AC 2, the client information is synchronized to AC 2, the client does not need to authenticate again, and the client's initial VLAN 300 is synchronized as well. The display wlan client verbose command on AC 2 shows that the client has performed inter-AC roaming:
[AC2] display wlan client verbose
 Total Number of Clients : 1
 Client Information
------------------
 MAC Address                      : 0015-00ef-ac23
 User Name                        : office
 IP Address                       : 0.0.0.0
 AID                              : 2
 AP Name                          : officeap2
 Radio Id                         : 2
 Antenna Id                       : 0
 Service Template Number          : 1
 SSID                             : service
 BSSID                            : 0023-8930-9010
 Port                             : WLAN-DBSS1:1
 VLAN                             : 300
 State                            : Running
 Power Save Mode                  : Active
 Wireless Mode                    : 11g
 QoS Mode                         : WMM
 Listen Interval (Beacon Interval): 10
 RSSI                             : 42
 Rx/Tx Rate                       : 48/36
 Client Type                      : WPA2(RSN)
 Authentication Method            : Open System
 Authentication Mode              : Central
 AKM Method                       : Dot1X
 4-Way Handshake State            : PTKINITDONE
 Group Key State                  : IDLE
 Encryption Cipher                : AES-CCMP
 Roam Status                      : Inter-AC roam association
 Roam Count                       : 1
 Up Time (hh:mm:ss)               : 00:17:51
-----------------
# Query the client roam-track information on AC 1. It shows that the client has currently roamed to AC 2:
[AC1] display wlan client roam-track mac-address 0015-00ef-ac23
-----------------
 BSSID            Online-time(d:h:m:s)   AC-IP-address
-----------------
 0023-8930-9010   0000:00:21:19          137.102.0.1
 c8cb-b8f1-f6d0   0000:00:19:14          137.101.0.1(HOME AC)
3.6 Configuration files
AC 1:
#
 port-security enable
#
 dot1x authentication-method eap
#
vlan 101
#
vlan 200
#
vlan 300
#
radius scheme office
 primary authentication 8.1.1.5
 primary accounting 8.1.1.5
 key authentication cipher $c$3$SjWMEAJbTjqCC9+XHRLYhNZOSJ6bBN/7K3HBEA==
 key accounting cipher $c$3$Oj5WtaBGNaZb9s+R0Y/z0yKMG4fZcS0LuOUeOw==
 user-name-format without-domain
 nas-ip 137.101.0.1
#
domain office
 authentication lan-access radius-scheme office
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
wlan service-template 1 crypto
 ssid service
 bind WLAN-ESS 1
 cipher-suite tkip
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 101 200 300
#
interface Vlan-interface101
 ip address 137.101.0.1 255.255.255.0
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
 port-security port-mode userlogin-secure-ext
 port-security tx-key-type 11key
 undo dot1x handshake
 dot1x mandatory-domain office
 undo dot1x multicast-trigger
#
wlan ap officeap1 model WA2620E-AGN id 1
 serial-id 21023529G007C000020
 radio 1
 radio 2
  service-template 1 vlan-id 300
  radio enable
#
wlan mobility-group office
 member ip 137.102.0.1
 source ip 137.101.0.1
 authentication-mode MD5 cipher $c$3$O1tSGsSqv31s4QJM7n6PXHtOFKFDSc3d9Q==
 mobility-group enable
#
 ip route-static 0.0.0.0 0.0.0.0 137.101.0.2
#
AC 2:
#
 port-security enable
#
 dot1x authentication-method eap
#
vlan 102
#
vlan 200
#
vlan 300
#
radius scheme office
 primary authentication 8.1.1.5
 primary accounting 8.1.1.5
 key authentication cipher $c$3$SjWMEAJbTjqCC9+XHRLYhNZOSJ6bBN/7K3HBEA==
 key accounting cipher $c$3$Oj5WtaBGNaZb9s+R0Y/z0yKMG4fZcS0LuOUeOw==
 user-name-format without-domain
 nas-ip 137.102.0.1
#
domain office
 authentication lan-access radius-scheme office
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
wlan service-template 1 crypto
 ssid service
 bind WLAN-ESS 1
 cipher-suite tkip
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 102 200 300
#
interface Vlan-interface102
 ip address 137.102.0.1 255.255.255.0
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
 mac-vlan enable
 port-security port-mode userlogin-secure-ext
 port-security tx-key-type 11key
 undo dot1x handshake
 dot1x mandatory-domain office
 undo dot1x multicast-trigger
#
wlan ap officeap2 model WA2620E-AGN id 1
 serial-id 21023529G007C000021
 radio 1
 radio 2
  service-template 1 vlan-id 300
  radio enable
#
wlan mobility-group office
 member ip 137.101.0.1
 source ip 137.102.0.1
 authentication-mode MD5 cipher $c$3$O1tSGsSqv31s4QJM7n6PXHtOFKFDSc3d9Q==
 mobility-group enable
#
 ip route-static 0.0.0.0 0.0.0.0 137.102.0.2
#
Switch:
#
vlan 101 to 102
#
vlan 300
#
interface Vlan-interface101
 ip address 137.101.0.2 255.255.255.0
#
interface Vlan-interface102
 ip address 137.102.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 101
 port trunk pvid vlan 101
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 102
 port trunk pvid vlan 102
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 101
 poe enable
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 102
 poe enable
#
4 Related documentation
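"WLAN Configuration Guide" in the H3C WX Series Access Controllers Configuration Guides.
"WLAN Command Reference" in the H3C WX Series Access Controllers Command References.
"Security Configuration Guide" in the H3C WX Series Access Controllers Configuration Guides.
"Security Command Reference" in the H3C WX Series Access Controllers Command References.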