Huawei WLAN Certification Training
HCIA-WLAN Experiment Guide for WLAN Engineers
ISSUE: 2.0
HUAWEI TECHNOLOGIES CO., LTD.

Huawei WLAN Certification Training Experiment Guide

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://e.huawei.com

Huawei proprietary and confidential. Copyright © Huawei Technologies Co., Ltd.

Huawei Certificate System
Relying on its strong technical strength and professional training system, Huawei provides a practical and professional four-level certificate system to meet various customer requirements on different WLAN technologies.
Huawei Certified ICT Associate-Wireless Local Area Network (HCIA-WLAN) is designed for Huawei local offices, online engineers in representative offices, and readers who want to understand Huawei WLAN products and technology. HCIA-WLAN covers WLAN basics, the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.
The HCIA-WLAN certificate system introduces you to the industry and market, helps you innovate, and enables you to stand at the WLAN frontier.

About This Document

Overview
This document is applicable to candidates who are preparing for the HCIA-WLAN exam and to readers who want to understand WLAN basics, the CAPWAP protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.

Description
This experiment guide introduces the following six experiments, covering basic configurations and the configuration and implementation of Layer 2 networking, security, Layer 3 networking, and the eSight network management software.
Experiment 1: AC configuration initialization
This experiment involves basic operations and configurations on an AC, helping you get to know the AC6005 and its basic functions.

Experiment 2: AP authentication and WLAN configuration process
This experiment lets you get to know basic WLAN network capabilities through basic WLAN configurations.

Experiment 3: WLAN security configuration
This experiment mainly introduces 802.1X authentication, helping you get to know WLAN security and its configuration process.

Experiment 4: WLAN configuration on eSight
This experiment shows how to add WLAN devices to eSight and deliver WLAN services using the configuration wizard.

Experiment 5: Bypass Layer 3 networking
This experiment uses the AC6005 in Layer 3 networking. The Layer 3 network configuration gives you a comprehensive view of WLAN networking modes.

Experiment 6: Configuration file backup and AC configuration clearance
This experiment describes how to back up configuration files through File Transfer Protocol (FTP).

Background Knowledge Required
The intended audience should know basic WLAN knowledge, Huawei switching devices, and basic datacom knowledge.

Common Icons
(Figure: icon legend.)

Experiment Environment Overview

Networking Introduction
This experiment environment is prepared for WLAN engineers who are preparing for the HCIA-WLAN exam. Each suite of the experiment environment includes 2 to 6 ACs, 2 to 12 APs, 1 core switch, and 1 Remote Authentication Dial In User Service (RADIUS) or eSight server. Each suite of the experiment environment accommodates 4 to 12 candidates.
Device Introduction
The following table lists the devices recommended for HCIA-WLAN experiments and the mappings between device name, model, and software version.

Device name   Model                                    Software version
Core switch   S3700-28TP-PWR-EI or S5700-28C-PWR-EI    Version 5.70 (S3700 V100R005C01SPC100) or Version 5.130 (S5700 V200R003C00SPC300)
AC            AC6005-8-PWR                             AC6005 V200R007C10SPC100
AP            AP4030DN                                 AP4030DN V200R007C10SPC100
NMS           eSight Network                           eSight Network V300R006C00SPC505

Experiment Environment Preparation

Checking Whether All Devices Are Available
Before starting the experiment, check whether all required devices are ready. The following table lists the required devices.

Device                             Quantity              Remarks
eSight                             1                     Shared by all groups
RADIUS server                      1                     Shared by all groups
Huawei 3700 PoE/5700 PoE switch    1                     Shared by all groups
AC6005                             One for each group
AP4030DN                           Two for each group
Laptop or desktop computer         One for each group    A desktop computer requires a network adapter
Twisted pair                       Four for each group   The twisted pair must be at least 2 meters long
Console cable                      One for each group

Each group must check whether the following devices are ready:
One AC6005
Two AP4030DN
One laptop or desktop computer
Four twisted pairs
One console cable

Experiment Topology
(Figure: experiment topology.)

Key points of bypass topology establishment:
This course uses a Layer 3 bypass topology. Devices are connected as follows:
For group 1, port 8 of AC1 is connected to port 1 of the switch. AP1 is connected to port 10 of the switch. AP2 is connected to port 11 of the switch.
For group 2, port 8 of AC2 is connected to port 2 of the switch. AP3 is connected to port 12 of the switch. AP4 is connected to port 13 of the switch.
For group 3, port 8 of AC3 is connected to port 3 of the switch. AP5 is connected to port 14 of the switch. AP6 is connected to port 15 of the switch.
The same rule applies to all other groups.
For group 6, port 8 of AC6 is connected to port 6 of the switch. AP11 is connected to port 20 of the switch. AP12 is connected to port 21 of the switch.

Login
Use a console cable to connect the PC to the device, run a terminal emulation program on the PC (such as HyperTerminal on Windows), and log in to the device through the COM port.

AC Configuration Removal
Trainees must remove previously saved configurations after the experiment is complete and before devices are turned off, to avoid any impact of those configurations on the next experiment. In addition, trainees must confirm that the device is unconfigured before an experiment starts. If it still carries a configuration, remove the configuration and then restart the device.
You need a password to log in to the AC. The login password is Admin@123 in this experiment.

Login authentication
Password:Admin@123
<AC6005>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure. Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.

To restart the controller, run the following command (answer n to the prompt that offers to save the running configuration, so the cleared startup configuration is not overwritten):
<AC6005>reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration. Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

After the controller has restarted, carry out the experiments.
Contents
About This Document  3
  Overview  3
  Description  3
  Background Knowledge Required  4
  Common Icons  4
Experiment Environment Preparation  6
1 Experiment 1: AC Configuration Initialization  12
  1.1 About This Course  12
    1.1.1 Objectives  12
    1.1.2 Topology  12
    1.1.3 Plan  13
  1.2 Experiment Task  14
    1.2.1 Configuration Procedure  14
  1.3 Verification  17
    1.3.1 Telnet AC  17
  1.4 Reference Configuration  18
    1.4.1 S5700 Configuration  18
    1.4.2 AC Configuration  20
2 Experiment 2: AP Authentication and WLAN Configuration Roadmap  24
  2.1 About This Course  24
    2.1.1 Objectives  24
    2.1.2 Topology  24
    2.1.3 Plan  25
  2.2 Experiment Task  27
    2.2.1 Configuration Procedure  27
  2.3 Verification  30
    2.3.1 Checking the VAP Status  30
    2.3.2 Terminal Connection Test  31
  2.4 Reference Configuration  32
    2.4.1 S5700 Configuration  32
    2.4.2 AC Configuration  34
3 Experiment 3: WLAN Security Configuration  39
  3.1 About This Course  39
    3.1.1 Objectives  39
    3.1.2 Topology  39
    3.1.3 Plan  40
  3.2 Experiment Task  41
    3.2.1 Configuration Procedure  41
  3.3 Verification  50
    3.3.1 Connect an STA to the WLAN  50
    3.3.2 Checking the User Status  51
  3.4 Reference Configuration  54
    3.4.1 S5700 Configuration  54
    3.4.2 AC Configuration  56
4 Experiment 4: eSight WLAN Management  62
  4.1 About This Course  62
    4.1.1 Objectives  62
    4.1.2 Topology  62
    4.1.3 Plan  63
  4.2 Experiment Task  64
    4.2.1 Configuration Procedure  64
  4.3 Verification  81
    4.3.1 Connect an STA to the WLAN  81
  4.4 Reference Configuration  82
    4.4.1 S5700 Configuration  82
    4.4.2 AC Configuration  85
5 Experiment 5: Layer 3 Networking Experiment  91
  5.1 About This Course  91
    5.1.1 Objectives  91
    5.1.2 Topology  91
    5.1.3 Plan  92
  5.2 Experiment Task  93
    5.2.1 Configuration Procedure  93
  5.3 Verification  94
    5.3.1 Verify the L3 Network Status  94
  5.4 Reference Configuration  95
    5.4.1 S5700 Configuration  95
    5.4.2 AC Configuration  97
6 Experiment 6: Backup the Configuration and Reset the Device  103
  6.1 About This Course  103
    6.1.1 Objectives  103
    6.1.2 Plan  103
  6.2 Experiment Task  104
    6.2.1 Configuration Procedure  104
  6.3 Verification  106
    6.3.1 Checking the Device Configuration  106
  6.4 Reference Configuration  109
    6.4.1 Key Configuration  109
7 Appendix  110
  7.1 Configuration of Core Switch  110

1 Experiment 1: AC Configuration Initialization

1.1 About This Course

1.1.1 Objectives
Configure the initialization password.
Configure VLANs and routing on the AC.
Configure the Telnet service of the AC.
Save the configuration on the AC.

1.1.2 Topology
(Figure: experiment topology.)

1.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate the rules for configuring the device name, VLANs, and trunk. The following table describes the device connections.

Group No.   AC-Switch port   AP-Switch ports
1           AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes the AC parameter configuration template (X is the group number).

Trainee: Group X, AC configuration
Console password: Admin@123
Device: ACX
AP management VLAN: VLAN X0, IP 10.1.X0.100
Service VLAN (Employee): VLAN X1, IP 10.1.X1.100
Service VLAN (Voice): VLAN X2, IP 10.1.X2.100
Service VLAN (Guest): VLAN X3, IP 10.1.X3.100
AC port connecting to the switch: GE0/0/8, trunk interface; VLANs X0 through X3 are allowed to pass
Topology: Layer 2 and Layer 3 bypass topology

1.2 Experiment Task

1.2.1 Configuration Procedure

Step 1 Configuring the Initialization Password
The software version of the AC6005 is V2R7. You must set a password when you log in to the AC for the first time. The login password is Admin@123 in this experiment.

Please configure the login password (maximum length 16)
Enter password:Admin@123
Confirm password:Admin@123
<AC6005>

Step 2 Configuring the Switch
Configure the access switch S5700. Add GE0/0/10 and GE0/0/11 to VLAN X0 (the management VLAN) and set the port VLAN ID (PVID) to VLAN X0. Add the switch port that connects to GE0/0/8 of the AC (GE0/0/1 for group 1) to VLANs X0 through X3.
<Huawei>system-view
[Huawei]sysname S5700
[S5700]vlan batch 10 to 13
[S5700]interface GigabitEthernet0/0/10
[S5700-GigabitEthernet0/0/10]port link-type trunk
[S5700-GigabitEthernet0/0/10]port trunk pvid vlan 10
[S5700-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/10]quit
[S5700]interface GigabitEthernet0/0/11
[S5700-GigabitEthernet0/0/11]port link-type trunk
[S5700-GigabitEthernet0/0/11]port trunk pvid vlan 10
[S5700-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/11]quit
[S5700]interface GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1]port link-type trunk
[S5700-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/1]quit

Create a LoopbackX interface and set its IP address to 10X.10X.10X.10X to simulate a public network interface. Create VLANIF interfaces to function as the gateways of the service VLANs.

[S5700]interface LoopBack 1
[S5700-LoopBack1]ip address 101.101.101.101 32
[S5700-LoopBack1]quit
[S5700]interface Vlanif 10
[S5700-Vlanif10]ip address 10.1.10.1 24
[S5700-Vlanif10]quit
[S5700]interface Vlanif 11
[S5700-Vlanif11]ip address 10.1.11.1 24
[S5700-Vlanif11]quit
[S5700]interface Vlanif 12
[S5700-Vlanif12]ip address 10.1.12.1 24
[S5700-Vlanif12]quit
[S5700]interface Vlanif 13
[S5700-Vlanif13]ip address 10.1.13.1 24
[S5700-Vlanif13]quit

Step 3 Configuring Basic AC Parameters
<AC6005>system-view
[AC6005]sysname AC1

Create VLANs X0 through X3.
[AC1]vlan batch 10 to 13

Configure GE0/0/8 to connect to the S5700.
[AC1]interface g0/0/8
[AC1-GigabitEthernet0/0/8]port link-type trunk
[AC1-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
[AC1-GigabitEthernet0/0/8]quit

After the configuration is complete, run the display port vlan command to check whether the configuration is correct.
[AC1]display port vlan
Port                        Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1        hybrid       1
GigabitEthernet0/0/2        hybrid       1
GigabitEthernet0/0/3        hybrid       1
GigabitEthernet0/0/4        hybrid       1
GigabitEthernet0/0/5        hybrid       1
GigabitEthernet0/0/6        hybrid       1
GigabitEthernet0/0/7        access       4090
GigabitEthernet0/0/8        trunk        1     1 10-13

Configure the IP address of the Layer 3 (VLANIF) interface corresponding to each VLAN.
[AC1]interface vlan 10
[AC1-Vlanif10]ip address 10.1.10.100 24
[AC1-Vlanif10]quit
[AC1]interface vlan 11
[AC1-Vlanif11]ip address 10.1.11.100 24
[AC1-Vlanif11]quit
[AC1]interface vlan 12
[AC1-Vlanif12]ip address 10.1.12.100 24
[AC1-Vlanif12]quit
[AC1]interface Vlanif 13
[AC1-Vlanif13]ip address 10.1.13.100 24
[AC1-Vlanif13]quit

Check whether the interface status is up.
[AC1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
The number of interface that is UP in Physical is 7
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 7
The number of interface that is DOWN in Protocol is 0

Interface                         IP Address/Mask      Physical   Protocol
NULL0                             unassigned           up         up(s)
Vlanif1                           169.254.1.1/16       up         up
Vlanif10                          10.1.10.100/24       up         up
Vlanif11                          10.1.11.100/24       up         up
Vlanif12                          10.1.12.100/24       up         up
Vlanif13                          10.1.13.100/24       up         up
Vlanif4090                        172.21.11.3/16       up         up

Check whether the route between the AC and the Layer 3 switch is reachable. The following command output shows that 10X.10X.10X.10X (the simulated public network interface on the switch) cannot be pinged yet, because the AC has no route to that address.
[AC1]ping 101.101.101.101
  PING 101.101.101.101: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 101.101.101.101 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Configure a static default route on the AC that points to the switch (the VLANIF 10 gateway, 10.1.10.1).
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1

IP address 10X.10X.10X.10X can now be pinged.
[AC1]ping 101.101.101.101
  PING 101.101.101.101: 56  data bytes, press CTRL_C to break
    Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=254 time=1 ms
    Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 101.101.101.101 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Step 4 Configuring and Testing the Telnet/SSH Service (AAA Authentication)
Enable and configure the Telnet service on the AC, and add the account huawei for AAA authentication.
[AC1]telnet server enable
Info: TELNET server has been enabled.
[AC1]aaa
[AC1-aaa]local-user huawei password irreversible-cipher Admin@123
[AC1-aaa]local-user huawei service-type telnet
[AC1-aaa]local-user huawei privilege level 3
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[AC1-aaa]quit
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]authentication-mode aaa
--------------------
Input login password Admin@123
Current Password:

Step 5 Save the Configuration
<AC1>save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait........
Configuration file has been saved successfully
Note: The configuration file will take effect after being activated

1.3 Verification

1.3.1 Telnet AC
After configuring Telnet, test the Telnet service from the S5700.

<S5700>telnet 10.1.10.100
  Trying 10.1.10.100 ...
  Press CTRL+K to abort
  Connected to 10.1.10.100 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication

Username:huawei
Password:
-----------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------
Access Type: Telnet
IP-Address : 172.21.5.155
Time       : 2016-11-11 19:50:02+08:00
-----------------------------------------------------------------------
<AC1>

The login to the AC succeeds.

1.4 Reference Configuration

1.4.1 S5700 Configuration
#
sysname S5700
#
vlan batch 10 to 13
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

1.4.2 AC Configuration

#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
lldp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$Rdtw.<{XxT$m[E}YnfM9<l9]\T7EhW67M~m$u/u6<PP~C$O&*bV$
 local-user huawei privilege level 3
 local-user huawei service-type telnet
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name default
 vap-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return

2 Experiment 2: AP Authentication and WLAN Configuration Roadmap

2.1 About This Course

2.1.1 Objectives

- Configure AP authentication
- Understand the WLAN configuration profiles
- Understand the WLAN configuration roadmap
- Configure open system authentication

2.1.2 Topology

2.1.3 Plan

You must configure the devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate the rules for configuring the device name, VLAN, and trunk. The following table describes the device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes the AC parameter configuration template.
AC Information
  Country code: CN
  WLAN source interface: VLAN X0
  AP authentication mode: mac-auth

AP Authentication
  AP MAC address

AP Group
  Name: ap-groupX
  VAP ID 1: VAP profile guestX, regulatory domain profile domainX
  VAP ID 2: VAP profile voiceX, regulatory domain profile domainX
  VAP ID 3: VAP profile employeeX, regulatory domain profile domainX

SSID Profile
  Name: employeeX, SSID: employeeX
  Name: voiceX, SSID: voiceX
  Name: guestX, SSID: guestX

VAP Profile
  Name: employeeX; forwarding mode: direct forwarding; service VLAN: 11; referenced profile: SSID profile employeeX
  Name: voiceX; forwarding mode: direct forwarding; service VLAN: 12; referenced profile: SSID profile voiceX
  Name: guestX; forwarding mode: tunnel forwarding; service VLAN: 13; referenced profile: SSID profile guestX

Topology: Layer 2 and Layer 3 bypass topology

2.2 Experiment Task

2.2.1 Configuration Procedure

Step1 Overall Procedure

Configure AC management of the fit APs in the following order.

1. Configure the access switch.
   - Enable Layer 2 or Layer 3 interconnection between the AP and the AC.
2. Create an AP group.
3. Configure the AP going online.
   - Configure the DHCP server function of the AC.
   - Create a regulatory domain profile and configure the country code of the AC.
   - Configure the authentication mode for the AP.
   - Configure the AC source port (for establishing a tunnel with the AP).
4. Configure the WLAN service parameters.
   - Configure the security profile.
   - Configure the SSID profile.
   - Configure the VAP profile, which references the security profile and the SSID profile.
5. Bind the profiles to the AP group.
   - Bind the regulatory domain profile and the VAP profile to the AP group.

Step2 Configuring a Switch

Continue from experiment 1; the switch configuration is already in place.

Step3 Configuring Basic AC Parameters

Continue from experiment 1; the basic AC configuration is already in place.

Step4 Creating an AP Group

Create AP group ap-groupX.

[AC1]wlan
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]quit

Step5 Configuring AP Online Parameters

Enable DHCP on the AC, create address pools for the APs and STAs, and configure the Option 43 parameter.

[AC1]dhcp enable
[AC1]ip pool ap
[AC1-ip-pool-ap]network 10.1.10.0 mask 24
[AC1-ip-pool-ap]gateway-list 10.1.10.1
[AC1-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100
[AC1-ip-pool-ap]quit
[AC1]ip pool employee
[AC1-ip-pool-employee]network 10.1.11.0 mask 24
[AC1-ip-pool-employee]gateway-list 10.1.11.1
[AC1-ip-pool-employee]quit
[AC1]ip pool voice
[AC1-ip-pool-voice]network 10.1.12.0 mask 24
[AC1-ip-pool-voice]gateway-list 10.1.12.1
[AC1-ip-pool-voice]quit
[AC1]ip pool guest
[AC1-ip-pool-guest]network 10.1.13.0 mask 24
[AC1-ip-pool-guest]gateway-list 10.1.13.1
[AC1-ip-pool-guest]quit

Enable the global DHCP address pools on all VLANIF interfaces of the AC.

[AC1]interface Vlanif 10
[AC1-Vlanif10]dhcp select global
[AC1-Vlanif10]quit
[AC1]interface Vlanif 11
[AC1-Vlanif11]dhcp select global
[AC1-Vlanif11]quit
[AC1]interface Vlanif 12
[AC1-Vlanif12]dhcp select global
[AC1-Vlanif12]quit
[AC1]interface Vlanif 13
[AC1-Vlanif13]dhcp select global
[AC1-Vlanif13]quit

Configure regulatory domain profile domainX.

[AC1]wlan
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1]country-code CN
[AC1-wlan-regulatory-domain-prof-domain1]quit
[AC1-wlan-view]quit

Configure the AC source interface.
[AC1]capwap source interface vlanif 10

Configure AP authentication. AP authentication has three modes; MAC authentication is used by default. Add the APs manually based on their MAC addresses.

[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth

Add the two APs to the AC offline and assign them to AP group ap-groupX. Name them ap1 and ap2.

[AC1-wlan-view]ap-mac 4cfa-cabe-eb60 ap-id 0
[AC1-wlan-ap-0]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-ap-0]quit
[AC1-wlan-view]ap-mac 4cfa-cabf-d0c0 ap-id 1
[AC1-wlan-ap-1]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1]ap-name ap2

After the APs are added, their state changes from fault to config and then to normal. If an AP's state has not changed to normal several minutes after it was added, check the VLAN, DHCP, and AP authentication configuration.

<AC1>display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [2]
------------------------------------------------------------------------------------
ID   MAC             Name   Group       IP            Type       State  STA  Uptime
------------------------------------------------------------------------------------
0    4cfa-cabe-eb60  ap1    ap-group1   10.1.10.253   AP4030DN   nor    0    31S
1    4cfa-cabf-d0c0  ap2    ap-group1   10.1.10.254   AP4030DN   nor    0    58S
------------------------------------------------------------------------------------
Total: 2

Step6 Configuring WLAN Service Parameters

Configure the SSID profiles. Create SSID profiles employeeX, voiceX and guestX, and set their SSIDs to employeeX, voiceX and guestX, respectively.
[AC1]wlan
[AC1-wlan-view]ssid-profile name employee1
[AC1-wlan-ssid-prof-employee1]ssid employee1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-employee1]quit
[AC1-wlan-view]ssid-profile name voice1
[AC1-wlan-ssid-prof-voice1]ssid voice1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-voice1]quit
[AC1-wlan-view]ssid-profile name guest1
[AC1-wlan-ssid-prof-guest1]ssid guest1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-guest1]quit

Create VAP profiles employeeX, voiceX and guestX. Set the data forwarding mode of employeeX and voiceX to direct forwarding and that of guestX to tunnel forwarding. Configure the service VLAN and bind each VAP profile to its SSID profile.

[AC1-wlan-view]vap-profile name employee1
[AC1-wlan-vap-prof-employee1]forward-mode direct-forward
[AC1-wlan-vap-prof-employee1]service-vlan vlan-id 11
[AC1-wlan-vap-prof-employee1]ssid-profile employee1
[AC1-wlan-vap-prof-employee1]quit
[AC1-wlan-view]vap-profile name voice1
[AC1-wlan-vap-prof-voice1]forward-mode direct-forward
[AC1-wlan-vap-prof-voice1]service-vlan vlan-id 12
[AC1-wlan-vap-prof-voice1]ssid-profile voice1
[AC1-wlan-vap-prof-voice1]quit
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]forward-mode tunnel
[AC1-wlan-vap-prof-guest1]service-vlan vlan-id 13
[AC1-wlan-vap-prof-guest1]ssid-profile guest1
[AC1-wlan-vap-prof-guest1]quit

Configure the AP group to use the regulatory domain profile and the VAP profiles. When AP group ap-groupX uses VAP profile employeeX, set the VAP ID to 1; for VAP profile voiceX, set it to 2; for VAP profile guestX, set it to 3. Radios 0 and 1 on the AP use the configuration of the VAP profiles.
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile employee1 wlan 1 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile voice1 wlan 2 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile guest1 wlan 3 radio all
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
[AC1-wlan-ap-group-ap-group1]quit

2.3 Verification

2.3.1 Checking the VAP Status

The AC automatically delivers the WLAN service configuration to the APs. After the service configuration is complete, run the display vap ssid guestX and display vap ssid employeeX commands. If the value of Status in the command output is ON, the VAPs have been created on the AP radios.

[AC1]display vap ssid employee1
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
----------------------------------------------------------------------------------
0      ap1      0     1    4CFA-CABE-EB60  ON      Open       0    employee1
0      ap1      1     1    4CFA-CABE-EB70  ON      Open       0    employee1
1      ap2      0     1    4CFA-CABF-D0C0  ON      Open       0    employee1
1      ap2      1     1    4CFA-CABF-D0D0  ON      Open       0    employee1
----------------------------------------------------------------------------------
Total: 4

[AC1]display vap ssid voice1
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
----------------------------------------------------------------------------------
0      ap1      0     2    4CFA-CABE-EB61  ON      Open       0    voice1
0      ap1      1     2    4CFA-CABE-EB71  ON      Open       0    voice1
1      ap2      0     2    4CFA-CABF-D0C1  ON      Open       0    voice1
1      ap2      1     2    4CFA-CABF-D0D1  ON      Open       1    voice1
----------------------------------------------------------------------------------
Total: 4

[AC1]display vap ssid guest1
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
----------------------------------------------------------------------------------
0      ap1      0     3    4CFA-CABE-EB62  ON      Open       0    guest1
0      ap1      1     3    4CFA-CABE-EB72  ON      Open       0    guest1
1      ap2      0     3    4CFA-CABF-D0C2  ON      Open       0    guest1
1      ap2      1     3    4CFA-CABF-D0D2  ON      Open       0    guest1
----------------------------------------------------------------------------------
Total: 4

2.3.2 Terminal Connection Test

Connect STAs to the WLANs with SSIDs employeeX, voiceX and guestX. Run the display station all command on the AC. The command output shows that the STAs are connected to the WLANs.

[AC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address    SSID
------------------------------------------------------------------------------------------------
1041-7f67-01b1  1      ap2      0/2      2.4G  11n   65/52  -70   12    10.1.12.254   voice1
------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

On the wireless terminal, ping the IP address of the simulated public network interface on the switch.
C:\Users\zWX>ping 101.101.101.101
  PING 101.101.101.101: 56 data bytes, press CTRL_C to break
    Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
    Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 101.101.101.101 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 7/9/10 ms

2.4 Reference Configuration

2.4.1 S5700 Configuration

#
sysname S5700
#
vlan batch 10 to 13
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

2.4.2 AC Configuration

#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
#
ip pool voice
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$Rdtw.<{XxT$m[E}YnfM9<l9]\T7EhW67M~m$u/u6<PP~C$O&*bV$
 local-user huawei privilege level 3
 local-user huawei service-type telnet
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name employee1
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile guest1
 vap-profile name voice1
  service-vlan vlan-id 12
  ssid-profile voice1
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
  security-profile employee1
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 1
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 2
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
 ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
  ap-name ap1
  ap-group ap-group1
 ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
  ap-name ap2
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return

3 Experiment 3: WLAN Security Configuration

3.1 About This Course

3.1.1 Objectives

- Configure a WLAN security profile
- Configure WEP authentication
- Configure WPA/WPA2 PSK authentication
- Configure WPA/WPA2 EAP authentication

3.1.2 Topology

3.1.3 Plan

You must configure the devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate the rules for configuring the device name, VLAN, and trunk. The following table describes the device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes the AC parameter configuration template.
AP Group
  Name: ap-groupX
  VAP ID 1: VAP profile guestX, regulatory domain profile domainX
  VAP ID 2: VAP profile voiceX, regulatory domain profile domainX
  VAP ID 3: VAP profile employeeX, regulatory domain profile domainX

RADIUS Server Profile
  Name: huawei
  Key: huawei

Dot1x Profile
  Name: employeeX

Authentication Scheme
  Name: employeeX
  Applies: RADIUS server profile huawei, dot1x profile employeeX

SSID Profile
  Name: employeeX, SSID name: employeeX
  Name: voiceX, SSID name: voiceX
  Name: guestX, SSID name: guestX

Security Profile
  Name: employeeX (SSID name: employeeX)
  Name: voiceX (SSID name: voiceX)
  Name: guestX (SSID name: guestX)

VAP Profile
  Name: employeeX; forwarding mode: direct forwarding; service VLAN: 11; referenced profiles: SSID profile employeeX, security profile employeeX
  Name: voiceX; forwarding mode: direct forwarding; service VLAN: 12; referenced profiles: SSID profile voiceX, security profile voiceX
  Name: guestX; forwarding mode: tunnel forwarding; service VLAN: 13; referenced profiles: SSID profile guestX, security profile guestX

Topology: Layer 2 and Layer 3 bypass topology

3.2 Experiment Task

3.2.1 Configuration Procedure

Step1 Configuring WEP Authentication

Huawei ACs support six access security policies; each VAP profile applies one of them through its security profile.

Security Policy   Explanation
open              Open system authentication
wapi              WLAN Authentication and Privacy Infrastructure (WAPI)
wep               Wired Equivalent Privacy
wpa               Wi-Fi Protected Access
wpa2              Wi-Fi Protected Access version 2
wpa-wpa2          Wi-Fi Protected Access version 1 and 2

[AC1]wlan
[AC1-wlan-view]security-profile name test
[AC1-wlan-sec-prof-test]security ?
  open      Open system
  wapi      WLAN authentication and privacy infrastructure
  wep       Wired equivalent privacy
  wpa       Wi-Fi protected access
  wpa-wpa2  Wi-Fi protected access version 1&2
  wpa2      Wi-Fi protected access version 2

The SSID guestX uses WEP shared-key authentication with a WEP-40 key and the password guest. Create security profile guestX with the encryption key guest. A WEP key can be one of three types: WEP-40, WEP-104, or WEP-128. If WEP-40 is used, the WEP key is 10 hexadecimal characters or 5 ASCII characters. If WEP-104 is used, the WEP key is 26 hexadecimal characters or 13 ASCII characters. If WEP-128 is used, the WEP key is 32 hexadecimal characters or 16 ASCII characters.

[AC1]wlan
[AC1-wlan-view]security-profile name guest1
[AC1-wlan-sec-prof-guest1]security wep
[AC1-wlan-sec-prof-guest1]security wep share-key
[AC1-wlan-sec-prof-guest1]wep key 0 wep-40 pass-phrase guest
Warning: The current password is too simple. For the sake of security, you are advised to set a password containing at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters. Continue? [Y/N]:y
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.

Bind security profile guestX to VAP profile guestX.

[AC1]wlan
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]security-profile guest1
[AC1-wlan-vap-prof-guest1]quit

Check the security profile configuration for WEP.
[AC1-wlan-view]display security-profile name guest1
------------------------------------------------------------
Security policy                 : Share key
Encryption                      : WEP-40
------------------------------------------------------------
WEP's configuration
Key 0                           : *****
Key 1                           : *****
Key 2                           : *****
Key 3                           : *****
Default key ID                  : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update                      : disable
PTK update interval(s)          : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename         : -
ASU certificate filename        : -
AC certificate filename         : -
AC private key filename         : -
WAPI source interface           : -
Authentication server IP        : -
WAI timeout(s)                  : 60
BK update interval(s)           : 43200
BK lifetime threshold(%)        : 70
USK update method               : Time-based
USK update interval(s)          : 86400
MSK update method               : Time-based
MSK update interval(s)          : 86400
Cert auth retrans count         : 3
USK negotiate retrans count     : 3
MSK negotiate retrans count     : 3
------------------------------------------------------------

Run the display access-user ssid guest1 command on the AC. The command output shows that the STAs are connected to the SSID.

[AC1-wlan-view]display access-user ssid guest1
----------------------------------------------------------------------
UserID  Username        IP address      MAC              Status
----------------------------------------------------------------------
51      48437c4b8f16    10.1.13.252     4843-7c4b-8f16   Open
----------------------------------------------------------------------
Total: 1, printed: 1

[AC1-wlan-view]display access-user ssid guest1
----------------------------------------------------------------------
UserID  Username        IP address      MAC              Status
----------------------------------------------------------------------
54      10417f6701b1    10.1.13.254     1041-7f67-01b1   Open
----------------------------------------------------------------------
Total: 1, printed: 1

Run the display station sta-mac XX command on the AC to display the status of an STA, including the SSID of the WLAN to which the STA connects, the online duration, the authentication type and the VLAN. The output below shows that the cipher type of STA 1041-7f67-01b1 is WEP-40.

[AC1-wlan-view]display station sta-mac 1041-7f67-01b1
----------------------------------------------------------------------
Station MAC-address                          : 1041-7f67-01b1
Station IP-address                           : 10.1.13.254
Station gateway                              : 10.1.13.1
Associated SSID                              : guest1
Station online time(ddd:hh:mm:ss)            : 000:00:18:26
The upstream SNR(dB)                         : 25.0
The upstream aggregate receive power(dBm)    : -70.0
Station connect rate(Mbps)                   : 54
Station connect channel                      : 165
Station inactivity time(ddd:hh:mm:ss)        : 000:00:00:00
Station current state
Authorized for data transfer                 : YES
QoS enabled                                  : YES
ERP enabled                                  : No
HT rates enabled                             : No
Power save mode enabled                      : YES
Auth reference held                          : No
UAPSD enabled                                : No
UAPSD triggerable                            : No
UAPSD SP in progress                         : No
This is an ATH node                          : No
WDS workaround req                           : No
WDS link                                     : No
PMF negotiation                              : No
Station's HT capability                      : Q
Station ERP element                          : 0
Station capabilities                         : EP
Station PMF capabilities                     : PMFC=0,PMFR=0
Station VHT capabilities
256QAM capabilities                          : No
VHT explicit beamforming capabilities        : No
MU-MIMO capabilities                         : No
Station's RSSI(dBm)                          : -70
Station's radio mode                         : 11a
Station's AP Name                            : ap2
Station's Radio ID                           : 1
Station's Authentication Method              : WEP+Share
Station's Cipher Type                        : WEP-40
Station's User Name                          : 10417f6701b1
Station's Vlan ID                            : 13
Station's Channel Band-width                 : 20MHz
Station's asso BSSID                         : 4cfa-cabf-d0d2
Station's state                              : Asso with auth
Station's QoS Mode                           : WMM
Station's HT Mode                            : -
Station's MCS value                          : 0
Station's Short GI                           : nonsupport
Station's roam state                         : Yes
Station supported band                       : 2.4G/5G
Station support 802.11k                      : Yes
Station support 802.11r                      : No
Station support 802.11v                      : No
Available to trigger roam                    : Yes
Is sticky client now                         : No
Trigger aimless roam while sticky            : Yes
Neighbor list:
------------------------------------------
AP name        RfID    SNR    RCPI
------------------------------------------
------------------------------------------
Total: 0
U-APSD list:
-------------------------------------------------------
AC-VI          AC-VO          AC-BE          AC-BK
-------------------------------------------------------
not-support    not-support    not-support    not-support
-------------------------------------------------------

Step2 Configuring WPA PSK Authentication

Configure the authentication type for SSID voiceX as WPA1-PSK. The Huawei AC supports the following WPA configuration options:

WPA Type                      Encryption Method   Authentication Method
WPA/WPA2/WPA1-2 Personal      CCMP or TKIP        PSK (password of 8-64 characters)
WPA/WPA2/WPA1-2 Enterprise    CCMP or TKIP        Dot1x

Configure the security profile voice1 with encryption mode TKIP and the PSK password voicevoice.

[AC1-wlan-view]security-profile name voice1
[AC1-wlan-sec-prof-voice1]security wpa psk pass-phrase voicevoice tkip
Warning: The current password is too simple. For the sake of security, you are advised to set a password containing at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters. Continue? [Y/N]:y
[AC1-wlan-sec-prof-voice1]quit

Bind the VAP profile voiceX to the security profile voiceX.

[AC1-wlan-view]vap-profile name voice1
[AC1-wlan-vap-prof-voice1]security-profile voice1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-voice1]quit

The WPA-PSK configuration is now finished and the connection can be tested.
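Before testing, the key material entered in Step1 (the WEP-40 key) and Step2 (the WPA PSK) can be checked against the rules the guide states. This is an added example, not code from the guide or from Huawei; the only assumption beyond the guide's table is that the number in a WEP key type is the key length in bits, from which the hex and ASCII lengths in the table follow.

```python
"""Added example, not from the Huawei guide: check WEP keys and WPA pre-shared
keys against the rules stated in Step1 and Step2 before they are typed into a
security profile on the AC.

Rules from the guide: WEP-40 = 10 hex or 5 ASCII characters, WEP-104 = 26 hex
or 13 ASCII, WEP-128 = 32 hex or 16 ASCII; a WPA/WPA2 PSK is 8-64 characters;
the AC warns "The current password is too simple" unless the key contains at
least two of: lowercase letters, uppercase letters, digits, special characters.
Assumption (consistent with the table): the number in the WEP key type is the
key length in bits, so hex length = bits / 4 and ASCII length = bits / 8.
"""
import string

WEP_KEY_BITS = {"wep-40": 40, "wep-104": 104, "wep-128": 128}


def wep_lengths(key_type):
    """(hex chars, ASCII chars) accepted for a WEP key type, derived from its bit size."""
    bits = WEP_KEY_BITS[key_type]
    return bits // 4, bits // 8


def classify_wep_key(key_type, key):
    """Return ("hex" | "ascii" | None, reason) for a candidate WEP key."""
    if key_type not in WEP_KEY_BITS:
        return None, "unknown WEP key type %r" % key_type
    hex_len, ascii_len = wep_lengths(key_type)
    if len(key) == hex_len:
        if all(c in string.hexdigits for c in key):
            return "hex", "%d hexadecimal characters" % hex_len
        return None, "%d characters but not all hexadecimal" % hex_len
    if len(key) == ascii_len:
        # Printable and without whitespace: what can be typed as a pass-phrase on the CLI.
        if all(c in string.printable and c not in string.whitespace for c in key):
            return "ascii", "%d ASCII characters" % ascii_len
        return None, "%d characters but contains whitespace or non-printable characters" % ascii_len
    return None, "length %d; %s needs %d hex or %d ASCII characters" % (
        len(key), key_type, hex_len, ascii_len)


def check_psk(psk):
    """Return (ok, reason) for a WPA/WPA2 pre-shared key (8-64 characters per the guide)."""
    if 8 <= len(psk) <= 64:
        return True, "%d characters" % len(psk)
    return False, "length %d outside 8-64" % len(psk)


def password_too_simple(key):
    """Mirror the AC's warning: fewer than two character classes are present."""
    classes = [
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(c.isdigit() for c in key),
        any(not c.isalnum() for c in key),
    ]
    return sum(classes) < 2


def review_profile(name, policy, key_type, key):
    """Summarise one security profile the way a pre-change review would."""
    notes = []
    if policy == "wep":
        form, reason = classify_wep_key(key_type, key)
        notes.append("WEP key %s: %s" % ("valid (%s)" % form if form else "INVALID", reason))
        notes.append("WEP provides no real confidentiality; keep it to an isolated lab SSID")
    elif policy in ("wpa", "wpa2", "wpa-wpa2"):
        ok, reason = check_psk(key)
        notes.append("PSK %s: %s" % ("valid" if ok else "INVALID", reason))
    if password_too_simple(key):
        notes.append("AC will warn: password too simple (fewer than two character classes)")
    return {"profile": name, "policy": policy, "notes": notes}


if __name__ == "__main__":
    # The two profiles configured in Step1 and Step2 of the guide.
    for r in (review_profile("guest1", "wep", "wep-40", "guest"),
              review_profile("voice1", "wpa", None, "voicevoice")):
        print(r["profile"], r["policy"])
        for note in r["notes"]:
            print("  -", note)
```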
C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

Check the security profile configuration for WPA PSK.

[AC1-wlan-view]display security-profile name voice1
------------------------------------------------------------
Security policy                 : WPA PSK
Encryption                      : TKIP
------------------------------------------------------------
WEP's configuration
Key 0                           : *****
Key 1                           : *****
Key 2                           : *****
Key 3                           : *****
Default key ID                  : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update                      : disable
PTK update interval(s)          : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename         : -
ASU certificate filename        : -
AC certificate filename         : -
AC private key filename         : -
WAPI source interface           : -
Authentication server IP        : -
WAI timeout(s)                  : 60
BK update interval(s)           : 43200
BK lifetime threshold(%)        : 70
USK update method               : Time-based
USK update interval(s)          : 86400
MSK update method               : Time-based
MSK update interval(s)          : 86400
Cert auth retrans count         : 3
USK negotiate retrans count     : 3
MSK negotiate retrans count     : 3
------------------------------------------------------------

Run the display access-user ssid voice1 command on the AC. The command output shows that the STAs are connected to the SSID.

[AC1-wlan-view]display access-user ssid voice1
-----------------------------------------------------------------------
UserID  Username        IP address      MAC              Status
-----------------------------------------------------------------------
55      10417f6701b1    10.1.12.254     1041-7f67-01b1   Open
-----------------------------------------------------------------------
Total: 1, printed: 1

Run the display station sta-mac XX command on the AC to display the status of an STA, including the SSID of the WLAN to which the STA connects, the online duration, the authentication type and the VLAN.

[AC1-wlan-view]display station sta-mac 1041-7f67-01b1
-------------------------------------------------------------------------
Station MAC-address                          : 1041-7f67-01b1
Station IP-address                           : 10.1.12.254
Station gateway                              : 10.1.12.1
Associated SSID                              : voice1
Station online time(ddd:hh:mm:ss)            : 000:00:09:21
The upstream SNR(dB)                         : 32.0
The upstream aggregate receive power(dBm)    : -63.0
Station connect rate(Mbps)                   : 54
Station connect channel                      : 165
Station inactivity time(ddd:hh:mm:ss)        : 000:00:00:00
Station current state
Authorized for data transfer                 : YES
QoS enabled                                  : YES
ERP enabled                                  : No
HT rates enabled                             : No
Power save mode enabled                      : YES
Auth reference held                          : No
UAPSD enabled                                : No
UAPSD triggerable                            : No
UAPSD SP in progress                         : No
This is an ATH node                          : No
WDS workaround req                           : No
WDS link                                     : No
PMF negotiation                              : No
Station's HT capability                      : Q
Station ERP element                          : 0
Station capabilities                         : EP
Station PMF capabilities                     : PMFC=0,PMFR=0
Station VHT capabilities
256QAM capabilities                          : No
VHT explicit beamforming capabilities        : No
MU-MIMO capabilities                         : No
Station's RSSI(dBm)                          : -63
Station's radio mode                         : 11a
Station's AP Name                            : ap2
Station's Radio ID                           : 1
Station's Authentication Method              : WPA-PSK
Station's Cipher Type                        : TKIP
Station's User Name                          : 10417f6701b1
Station's Vlan ID                            : 12
Station's Channel Band-width                 : 20MHz
Station's asso BSSID                         : 4cfa-cabf-d0d1
Station's state                              : Asso with auth
Station's QoS Mode                           : WMM
Station's HT Mode                            : -
Station's MCS value                          : 0
Station's Short GI                           : nonsupport
Station's roam state                         : Yes
Station supported band                       : 2.4G/5G
Station support 802.11k                      : Yes
Station support 802.11r                      : No
Station support 802.11v                      : No
Available to trigger roam                    : Yes
Is sticky client now                         : No
Trigger aimless roam while sticky            : Yes
Neighbor list:
------------------------------------------
AP name        RfID    SNR    RCPI
------------------------------------------
------------------------------------------
Total: 0
U-APSD list:
-------------------------------------------------------
AC-VI          AC-VO          AC-BE          AC-BK
-------------------------------------------------------
not-support    not-support    not-support    not-support
-------------------------------------------------------

Step3 Configuring WPA EAP Authentication

The EAP authentication architecture consists of three parts: the client, the authenticator and the authentication server.
The authentication server used in this experiment has the IP address 10.254.1.100 and the RADIUS shared key huawei. The server is ready and has the test account huawei with the password Huawei@123.

Configure the RADIUS server gateway on the S5700.

[S5700]vlan batch 200
[S5700]interface GigabitEthernet0/0/24
[S5700-GigabitEthernet0/0/24]port link-type access
[S5700-GigabitEthernet0/0/24]port default vlan 200
[S5700-GigabitEthernet0/0/24]quit
[S5700]interface Vlanif200
[S5700-Vlanif200]ip address 10.254.1.1 24
[S5700-Vlanif200]quit

Configure the RADIUS server template and the accounting scheme on the AC.

[AC1]radius-server template huawei
[AC1-radius-huawei]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC1-radius-huawei]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC1-radius-huawei]radius-server shared-key cipher huawei
[AC1-radius-huawei]undo radius-server user-name domain-included
[AC1-radius-huawei]quit

Configure and test AAA.

[AC1]aaa
[AC1-aaa]authentication-scheme radius
[AC1-aaa-authen-radius]authentication-mode radius
[AC1-aaa-authen-radius]quit
[AC1-aaa]accounting-scheme radius
[AC1-aaa-accounting-radius]accounting-mode radius
[AC1-aaa-accounting-radius]accounting realtime 15
[AC1-aaa-accounting-radius]quit
[AC1-aaa]domain default
[AC1-aaa-domain-default]authentication-scheme radius
[AC1-aaa-domain-default]radius-server huawei
[AC1-aaa-domain-default]quit
[AC1-aaa]quit
[AC1]test-aaa huawei Huawei@123 radius-template huawei
Info: Account test succeed.

If the account test fails, ignore it for now and continue with the configuration.

Configure the 802.1X access profile employeeX.

[AC1]dot1x-access-profile name employee1
[AC1-dot1x-access-profile-employee1]quit

Configure the authentication profile employeeX and bind the access profile, the authentication scheme, the accounting scheme and the RADIUS server template to it.

[AC1]authentication-profile name employee1
[AC1-authentication-profile-employee1]dot1x-access-profile employee1
[AC1-authentication-profile-employee1]authentication-scheme radius
[AC1-authentication-profile-employee1]accounting-scheme radius
[AC1-authentication-profile-employee1]radius-server huawei
[AC1-authentication-profile-employee1]quit

Configure the security profile employeeX with encryption mode CCMP (AES) and authentication mode 802.1X EAP.

[AC1]wlan
[AC1-wlan-view]security-profile name employee1
[AC1-wlan-sec-prof-employee1]security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-sec-prof-employee1]quit

Configure the VAP profile employeeX to bind the security profile and the authentication profile.

[AC1]wlan
[AC1-wlan-view]vap-profile name employee1
[AC1-wlan-vap-prof-employee1]security-profile employee1
[AC1-wlan-vap-prof-employee1]authentication-profile employee1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-employee1]quit

3.3 Verification

3.3.1 Connect an STA to the WLAN

Connect an iPhone to the WLAN with the SSID employeeX.

3.3.2 Checking the User Status

Check the security profile configuration.
<AC1>display security-profile name employee1
------------------------------------------------------------
Security policy                 : WPA2 802.1x
Encryption                      : AES
PMF                             : disable
------------------------------------------------------------
WEP's configuration
Key 0                           : *****
Key 1                           : *****
Key 2                           : *****
Key 3                           : *****
Default key ID                  : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update                      : disable
PTK update interval(s)          : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename         : -
ASU certificate filename        : -
AC certificate filename         : -
AC private key filename         : -
WAPI source interface           : -
Authentication server IP        : -
WAI timeout(s)                  : 60
BK update interval(s)           : 43200
BK lifetime threshold(%)        : 70
USK update method               : Time-based
USK update interval(s)          : 86400
MSK update method               : Time-based
MSK update interval(s)          : 86400
Cert auth retrans count         : 3
USK negotiate retrans count     : 3
MSK negotiate retrans count     : 3
------------------------------------------------------------

Run the display access-user ssid XX command on the AC. The command output shows that the STAs are connected to the SSID.

<AC1>display access-user ssid employee1
-----------------------------------------------------------------------
UserID  Username        IP address      MAC              Status
-----------------------------------------------------------------------
31      huawei1         10.1.11.254     1041-7f67-01b1   Success
-----------------------------------------------------------------------
Total: 1, printed: 1

Run the display station sta-mac XX command on the AC to display the status of an STA, including the SSID of the WLAN to which the STA connects, the online duration, the authentication type and the VLAN.

<AC1>display station sta-mac 1041-7f67-01b1
-------------------------------------------------------------------------
Station MAC-address                          : 1041-7f67-01b1
Station IP-address                           : 10.1.12.254
Station gateway                              : 10.1.12.1
Associated SSID                              : voice1
Station online time(ddd:hh:mm:ss)            : 000:00:00:01
The upstream SNR(dB)                         : 27.0
The upstream aggregate receive power(dBm)    : -68.0
Station connect rate(Mbps)                   : 54
Station connect channel                      : 149
Station inactivity time(ddd:hh:mm:ss)        : 000:00:00:00
Station current state
Authorized for data transfer                 : YES
QoS enabled                                  : YES
ERP enabled                                  : No
HT rates enabled                             : No
Power save mode enabled                      : No
Auth reference held                          : No
UAPSD enabled                                : No
UAPSD triggerable                            : No
UAPSD SP in progress                         : No
This is an ATH node                          : No
WDS workaround req                           : No
WDS link                                     : No
PMF negotiation                              : No
Station's HT capability                      : Q
Station ERP element                          : 0
Station capabilities                         : EP
Station PMF capabilities                     : PMFC=0,PMFR=0
Station VHT capabilities
256QAM capabilities                          : No
VHT explicit beamforming capabilities        : No
MU-MIMO capabilities                         : No
Station's RSSI(dBm)                          : -68
Station's radio mode                         : 11a
Station's AP Name                            : ap1
Station's Radio ID                           : 1
Station's Authentication Method              : WPA-PSK
Station's Cipher Type                        : TKIP
Station's User Name                          : 10417f6701b1
Station's Vlan ID                            : 12
Station's Channel Band-width                 : 20MHz
Station's asso BSSID                         : 4cfa-cabe-eb71
Station's state                              : Asso with auth
Station's QoS Mode                           : WMM
Station's HT Mode                            : -
Station's MCS value                          : 0
Station's Short GI                           : nonsupport
Station's roam state                         : No
Station supported band                       : 2.4G/5G
Station support 802.11k                      : Yes
Station support 802.11r                      : No
Station support 802.11v                      : No
Available to trigger roam                    : Yes
Is sticky client now                         : No
Trigger aimless roam while sticky            : Yes
Neighbor list:
------------------------------------------
AP name        RfID    SNR    RCPI
------------------------------------------
------------------------------------------
Total: 0
U-APSD list:
-------------------------------------------------------
AC-VI          AC-VO          AC-BE          AC-BK
-------------------------------------------------------
not-support    not-support    not-support    not-support
-------------------------------------------------------

3.4 Reference Configuration

3.4.1 S5700 Configuration

#
sysname S5700
#
vlan batch 10 to 13 200
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
 ip address 10.254.1.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 200
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

3.4.2 AC Configuration

#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name employee1
 dot1x-access-profile employee1
 authentication-scheme radius
 accounting-scheme radius
 radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
 radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
 radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
#
ip pool voice
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme radius
  accounting-mode radius
  accounting realtime 15
 domain default
  authentication-scheme radius
  radius-server huawei
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$Rdtw.<{XxT$m[E}YnfM9<l9]\T7EhW67M~m$u/u6<PP~C$O&*bV$
 local-user huawei privilege level 3
 local-user huawei service-type telnet ssh
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#zx5kPs")cO.^IG;R6J^5nd^JU_|q",$FD,E.s%@9CaEk5yD*QDiGKR&$73e;T^(&JH\gl'IkR|DmZ=0C%^%#
snmp-agent community write %^%#bSWeA`C;H5A98pQDivZ4mR\LSzVDEHibs|Gln%zJW[vB~(`4KElv:@:;H:BMM=5^F$Ab1,k4LJ;xbEb=%^%#
snmp-agent sys-info version v2c
snmp-agent
#
ssh client first-time enable
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name test
 security-profile name guest1
  security wep share-key
  wep key 0 wep-40 pass-phrase %^%#)~{E64X##X|h6647iii5.y8.)yr"2@":|):T.B/%^%#
 security-profile name voice1
  security wpa psk pass-phrase %^%#'B_NS~.4,Fh#8YX{gfeV}Ekj=<[Gi){`xT>QmnG>%^%# tkip
 security-profile name default
 security-profile name employee1
  security wpa2 dot1x aes
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile guest1
  security-profile guest1
 vap-profile name voice1
  service-vlan vlan-id 12
  ssid-profile voice1
  security-profile voice1
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
  security-profile employee1
  authentication-profile employee1
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 1
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 2
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
 ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
  ap-name ap1
  ap-group ap-group1
 ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
  ap-name ap2
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
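The verification steps in 3.2 and 3.3 rely on reading the display station output by eye. The following added example (not code from the guide or from Huawei) parses that output and flags stations that are still on legacy security, which is the check a reviewer would run across all three lab SSIDs. The guest1 and voice1 samples use the guide's values; the employee1 sample and the exact strings the AC prints for 802.1X/AES and for open-system authentication are assumptions.

```python
"""Added example, not from the Huawei guide: parse `display station sta-mac`
output (sections 3.2 and 3.3) and flag stations on legacy security: WEP or
TKIP cipher, open or shared-key authentication, no PMF negotiated.

The samples are constructed from the fields the AC prints in the guide. The
guest1 and voice1 values are the guide's group-1 values; the employee1 sample
is assumed (the guide shows its security profile, not a station on it).
"""

# Field values the guide's outputs print that a review treats as legacy.
LEGACY_CIPHERS = {"WEP-40", "WEP-104", "WEP-128", "TKIP"}
LEGACY_AUTH = {"WEP+Share", "Open"}  # "Open" assumed for an open-system SSID


def parse_display_station(text):
    """Map the "Name : value" lines of one display output to a dict.

    The AC separates name and value with " : ", which keeps names such as
    "Station online time(ddd:hh:mm:ss)" intact. Rulers, headers without a
    value ("Station current state", "Neighbor list:") and table rows are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        if " : " in line:
            name, value = line.split(" : ", 1)
        elif line.endswith(" :"):  # e.g. "Station's HT Mode :" with an empty value
            name, value = line[:-2], ""
        else:
            continue
        fields[name.strip()] = value.strip()
    return fields


def audit_station(fields):
    """Return the findings for one station (empty list = nothing to flag)."""
    ssid = fields.get("Associated SSID", "?")
    cipher = fields.get("Station's Cipher Type", "")
    auth = fields.get("Station's Authentication Method", "")
    findings = []
    if cipher in LEGACY_CIPHERS:
        findings.append("legacy cipher %s on SSID %s" % (cipher, ssid))
    if auth in LEGACY_AUTH:
        findings.append("weak authentication %s on SSID %s" % (auth, ssid))
    if fields.get("PMF negotiation") == "No":
        findings.append("management frames unprotected (PMF negotiation: No)")
    return findings


def audit_report(outputs):
    """Key findings by "MAC@SSID": the guide's single STA joins each SSID in turn."""
    report = {}
    for text in outputs:
        f = parse_display_station(text)
        key = "%s@%s" % (f.get("Station MAC-address", "?"), f.get("Associated SSID", "?"))
        report[key] = audit_station(f)
    return report


# Constructed samples, abridged to the lines the audit needs plus lines it must skip.
GUEST1 = """\
Station MAC-address                  : 1041-7f67-01b1
Station IP-address                   : 10.1.13.254
Associated SSID                      : guest1
Station online time(ddd:hh:mm:ss)    : 000:00:18:26
Station current state
Authorized for data transfer         : YES
PMF negotiation                      : No
Station's Authentication Method      : WEP+Share
Station's Cipher Type                : WEP-40
Station's Vlan ID                    : 13
Station's HT Mode                    :
Neighbor list:
------------------------------------------
AP name        RfID    SNR    RCPI
"""
VOICE1 = """\
Station MAC-address                  : 1041-7f67-01b1
Station IP-address                   : 10.1.12.254
Associated SSID                      : voice1
PMF negotiation                      : No
Station's Authentication Method      : WPA-PSK
Station's Cipher Type                : TKIP
Station's Vlan ID                    : 12
"""
EMPLOYEE1 = """\
Station MAC-address                  : 1041-7f67-01b1
Station IP-address                   : 10.1.11.254
Associated SSID                      : employee1
PMF negotiation                      : No
Station's Authentication Method      : WPA2-802.1x
Station's Cipher Type                : AES
Station's Vlan ID                    : 11
"""  # authentication/cipher strings for employee1 are assumed, not from the guide

if __name__ == "__main__":
    for key, findings in audit_report([GUEST1, VOICE1, EMPLOYEE1]).items():
        print(key, "->", findings or ["ok"])
```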
4 Experiment 4: eSight WLAN Management

4.1 About This Course

4.1.1 Objectives

Configure SNMP on the AC
Understand how eSight discovers the AC
Configure the WLAN with the eSight wizard

4.1.2 Topology

4.1.3 Plan

You must configure devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate the rules for configuring the device name, VLAN and trunk. The following table describes the device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20

eSight Server IP: 172.21.11.20
eSight Server login: Name: admin, Password: Huawei@123
SNMP read-only community: publicRO
SNMP read and write community: privateRW

4.2 Experiment Task

4.2.1 Configuration Procedure

Step1 Configuring a Switch

Continue from the configuration of experiment 1; the switch configuration is already in place.

Step2 Configuring SNMP Parameters

Configure the AC SNMP communities and a static route.

[AC1]snmp-agent community read publicRO
[AC1]snmp-agent community write privateRW
[AC1]snmp-agent sys-info version v2c
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1

Step3 Configuring eSight to Discover the AC

After the PC has connected to the WLAN, enter the URL http://172.21.11.20:8080 to access the eSight server with the user name admin and the password Huawei@123. (The initial user name and password are admin/Changeme123; you must change the initial password when you first log in to eSight.) Use the Google Chrome or Firefox browser.

After logging in to eSight, open the pull-down menu "Resource", click "Add Device" and use the following parameters.

IP Address                    172.21.11.X+2
Name                          ACX
SNMP Version                  V2C
Read Only Community           publicRO
Write Community               privateRW
Telnet Authentication mode    Password
Password                      Admin@123

Click "OK" when finished; if "Success" is displayed, the configuration has succeeded.

Step4 Configuring Basic AC Parameters

Open the pull-down menu "Resource" and click "Network Device".

Click "WLAN Feature > AP", enter the Create Manually interface and add the APs.

Configure the interface group huaweiX. Open the pull-down menu "Resource > Resources Group > Group Management", click "Interface group > User Defined" and create the group; the name used in this experiment is "huawei1".
Configure the VLANIF interface and the DHCP server. Open the pull-down menu "Business > WLAN Management > Configuration and Deployment".

Add devices on the base configuration page.

Configure the channel. Click "Base configuration > Channel Configuration" and set the allowed VLANs and the PVID for the interface group.

Step 1 Configuring AP Online

Configure the AP authentication mode and the AC source address. Click "Global AC Configuration > AC" and select the resource "AC1".

Step 2 Configuring WLAN Service Parameters

Create the SSID profile employeeX: click "AP Configuration > Profile Management > VAP Profile > SSID Profile" and select "Create". Configure the security policy for employeeX as WPA2 with the password employee.
Create the VAP profile employeeX. Set the data forwarding mode for employeeX to tunnel forwarding. Configure the service VLAN and bind the profile to the security profile and the SSID profile.

Configure the AP group ap-groupX to use the VAP profile.

After the steps above, the APs are still not online. Enable the SSH client on the AC and test SFTP access to the eSight server (user name: admin, password: Changeme123).

[AC6005]ssh client first-time enable
[AC6005]sftp 172.21.0.11 31922
Please input the username:admin
Trying 172.21.0.11 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? (y/n)[n]:y
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 172.21.0.11. Please wait...
Enter password:
sftp-client>

Click "System > Network Management Settings > Polling Settings". Configure the polling interval so that the APs come online.

Check the AP status: the two APs are online.
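The procedure above enables SNMPv2c with a read and a write community, hands eSight a Telnet password for device discovery, and accepts the SFTP server's host key on first use. The reference configurations later in this guide (sections 4.4.2 and 5.4.2) show what those choices look like in the AC's running configuration, next to the WLAN security profiles (WPA/TKIP on voice1, WEP on guest1 in Experiment 5). As an added example, which is my own code and not part of this guide or any Huawei tool, the following Python script audits a configuration dump in the VRP format that display current-configuration prints and flags those settings. The rule set, the regular expressions and the two sample excerpts are mine; the excerpts reproduce lines from sections 4.4.2 and 5.4.2 with the cipher-text secrets replaced by the placeholder <secret>.

```python
"""Audit a Huawei VRP-style configuration dump (as printed by display
current-configuration) for weak management-plane and WLAN security settings.
Added example for this guide; it is not a Huawei tool."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the dump
    severity: str  # "high" or "medium"
    rule: str      # rule id from RULES
    section: str   # enclosing unindented config line, e.g. "user-interface vty 0 4"
    text: str      # the offending line, indentation removed


# (rule id, regex applied to the stripped line, severity, why it matters)
RULES = [
    ("snmp-v2c", r"^snmp-agent sys-info version\b.*\bv(1|2c)\b", "medium",
     "SNMP v1/v2c: community strings travel in cleartext; prefer SNMPv3 authPriv"),
    ("snmp-write", r"^snmp-agent community write\b", "high",
     "SNMP write community: whoever learns it can change the configuration"),
    ("telnet", r"^protocol inbound (telnet|all)\b", "high",
     "Telnet accepted on a VTY: login credentials are sent unencrypted"),
    ("ssh-tofu", r"^ssh client first-time enable\b", "medium",
     "SSH client trusts any server key on first contact (the SFTP test relies on it)"),
    ("ssh-cipher", r"^ssh (server|client) secure-algorithms cipher\b.*\b(3des|des|arcfour)\b",
     "high", "weak cipher in the SSH algorithm list"),
    ("ssh-mac", r"^ssh (server|client) secure-algorithms hmac\b.*\b(md5|md5_96|sha1_96)\b",
     "medium", "MD5-based or truncated MAC in the SSH algorithm list"),
    ("ftp", r"^ftp server enable\b", "high",
     "FTP server: backups and the FTP password cross the network unencrypted; use SFTP"),
    ("wep", r"^security wep\b", "high", "WEP: the key is recoverable from captured traffic"),
    ("tkip", r"^security wpa\b.*\btkip\b", "medium", "WPA/TKIP: deprecated, use WPA2 with AES"),
]
_COMPILED = [(rid, re.compile(rx), sev, why) for rid, rx, sev, why in RULES]
WHY = {rid: why for rid, _, _, why in RULES}


def audit(config_text):
    """Return a Finding for every line matching a rule, in file order."""
    findings, section = [], "<global>"
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line == "#":
            continue
        if not line[0].isspace():  # an unindented line opens a new config context
            section = line
        stripped = line.strip()
        for rid, rx, sev, _ in _COMPILED:
            if rx.search(stripped):
                findings.append(Finding(no, sev, rid, section, stripped))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return {sev: sum(f.severity == sev for f in findings) for sev in ("high", "medium")}


def fixed_rules(before_text, after_text):
    """Rule ids that fire on the first dump and no longer on the second."""
    return {f.rule for f in audit(before_text)} - {f.rule for f in audit(after_text)}


# Constructed excerpts: lines copied from the 4.4.2 and 5.4.2 reference
# configurations of this guide, cipher-text secrets replaced by <secret>.
EXP4_EXCERPT = """\
snmp-agent community write %^%#<secret>%^%#
snmp-agent sys-info version v2c
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
user-interface vty 0 4
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
wlan
 security-profile name voice1
  security wpa psk passphrase %^%#<secret>%^%# tkip
"""
EXP5_EXCERPT = """\
snmp-agent community write %^%#<secret>%^%#
snmp-agent sys-info version v2c
ssh client first-time enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
user-interface vty 0 4
 protocol inbound all
wlan
 security-profile name guest1
  security wep share-key
 security-profile name voice1
  security wpa psk passphrase %^%#<secret>%^%# tkip
"""

if __name__ == "__main__":
    for name, text in (("4.4.2", EXP4_EXCERPT), ("5.4.2", EXP5_EXCERPT)):
        print(f"== {name} {summarize(audit(text))}")
        for f in audit(text):
            print(f"  line {f.line_no:2d} {f.severity:6} {f.rule:10} in '{f.section}': {WHY[f.rule]}")
    print("fixed in 5.4.2:", sorted(fixed_rules(EXP4_EXCERPT, EXP5_EXCERPT)))
```

Run on the two excerpts, the script shows that only the SSH algorithm lists were tightened between the Experiment 4 and Experiment 5 reference configurations; the SNMPv2c write community, Telnet on the VTYs and the WEP/TKIP profiles remain, which is what a defender would change (SNMPv3, SSH-only VTYs, WPA2 with AES) before an AC configured this way leaves the lab. The section field matters for remediation: "protocol inbound all" is harmless on a VTY pool that no one can reach, but the script reports the exact user-interface so the operator can check.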
4.3 Verification

4.3.1 Connect an STA to the WLAN

Connect STAs to the WLANs with SSIDs employeeX.

C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

4.4 Reference Configuration

4.4.1 S5700 Configuration

#
sysname S5700
#
vlan batch 10 to 13 200
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
 ip address 10.254.1.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port default vlan 200
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

4.4.2 AC Configuration

#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.1.10.100
portal local-server https ssl-policy default_policy port 2000
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
 portal-access-profile guest1
authentication-profile name macportal_authen_profile
authentication-profile name guest1
 portal-access-profile guest1
authentication-profile name employee1
 dot1x-access-profile employee1
 authentication-scheme radius
 radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
 radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
 portal local-server enable
#
portal-access-profile name guest1
 portal local-server enable
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
 dns-list 114.114.114.114
#
ip pool voice1
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest1
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$VNcE$6oR"2$aASkVyCl~~qx^~!e+:.S|>BJto>%VV[WvDxK./G$
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$6@(!=HT_IP$A=lvP*~iu+0<..Y&4`Y6+j4$Xkcf=#aMU=5[4wEP$
 local-user huawei privilege level 1
 local-user huawei service-type telnet ssh http
 local-user guest01 password cipher %^%#h)q(D@"^~3lbX|<lHk1L#bj]RY3pAYq#XEVAp>~%^%#
 local-user guest01 privilege level 0
 local-user guest01 service-type web
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#En_g+AWfX>adWz&5.!G~E^)4&/r]vCScEB~w~u%Zje$@`GH0BN7e"$A8PF(_n~lC9qvT)O*{4!I+:yR%^%#
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2YV/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name guest1
 security-profile name voice1
  security wpa psk passphrase %^%#0)RfPJm>L58cY+4*K);#E~]V)7`\406bJM4syy*%%^%# tkip
 security-profile name default
 security-profile name employee1
  security wpa2 dot1x aes
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile guest1
  security-profile guest1
  authentication-profile portal_authen_profile
 vap-profile name voice1
  service-vlan vlan-id 12
  ssid-profile voice1
  security-profile voice1
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
  security-profile employee1
  authentication-profile employee1
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 1
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 2
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
 ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
  ap-group ap-group1
 ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return

5 Experiment 5: Layer 3 Networking Experiment

5.1 About This Course

5.1.1 Objectives

Understand the L3 networking structure
Configure the L3 networking devices
Configure tunnel forwarding
Verify the configuration

5.1.2 Topology

5.1.3 Plan

You must configure devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.

The following table describes device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.
Trainee                        Group X
Device                         ACX
Console Port Login Password    Admin@123
AC Configuration
  AP Management VLAN                     VLAN:X0      IP:10.1.X0.100
  Service VLAN (Employee)                VLAN:X1      IP:10.1.X1.100
  Service VLAN (Voice)                   VLAN:X2      IP:10.1.X2.100
  Service VLAN (Guest)                   VLAN:X3      IP:10.1.X3.100
  AC Source interface (L3 Networking)    VLANif 80X   IP:10.1.20X.100

Topology: Layer 2 and Layer 3 bypass topology

5.2 Experiment Task

5.2.1 Configuration Procedure

Step 1 Configuring a Switch

Configure the VLAN and Trunk on switch S5700, and set the VLANIF 80X IP address.

[S5700]vlan batch 801
[S5700]int GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1]port trunk allow-pass vlan 801
[S5700-GigabitEthernet0/0/1]quit
[S5700]int Vlanif 801
[S5700-Vlanif801]ip address 10.1.201.1 24
[S5700-Vlanif801]quit

Step 2 Configuring Basic AC Parameters

Update the VLAN and Trunk configuration, and set the VLANIF 80X IP address.

[AC1]vlan 801
[AC1]interface GigabitEthernet 0/0/8
[AC1-GigabitEthernet0/0/8]port trunk allow-pass vlan 801
[AC1-GigabitEthernet0/0/8]quit
[AC1]int Vlanif 801
[AC1-Vlanif801]ip address 10.1.201.100 24
[AC1-Vlanif801]quit

Modify the DHCP Option 43 address to 10.1.201.100.

[AC1]ip pool ap
[AC1-ip-pool-ap]display this
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.10.100
#
[AC1-ip-pool-ap]undo option 43
[AC1-ip-pool-ap]option 43 sub-option 3 ascii 10.1.20X.100

Modify the AC source interface.

[AC1]undo capwap source interface Vlanif 10
Warning: This operation will disconnect the device on the source interface. Continue? [Y/N]:y
[AC1]capwap source interface Vlanif 801

Modify the forwarding mode of the VAP profiles employeeX and voiceX to tunnel forwarding.
[AC1]wlan
[AC1-wlan-view]vap-profile name employee1
[AC1-wlan-vap-prof-employee1]forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-employee1]quit
[AC1-wlan-view]vap-profile name voice1
[AC1-wlan-vap-prof-voice1]forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-voice1]quit

5.3 Verification

5.3.1 Verify the L3 Network Status

Once the L3 network configuration is finished, all APs are online.

[AC1]display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [2]
------------------------------------------------------------------------------------
ID   MAC            Name   Group       IP            Type       State   STA   Uptime
------------------------------------------------------------------------------------
0    4cfa-cabe-eb60 ap1    ap-group1   10.1.10.253   AP4030DN   nor     0     6S
1    4cfa-cabf-d0c0 ap2    ap-group1   10.1.10.254   AP4030DN   nor     1     26S
------------------------------------------------------------------------------------
Total: 2

Check the station information.

[AC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address    SSID
--------------------------------------------------------------------------------------------
1041-7f67-01b1   0      ap1      0/2      2.4G  11g   35/46  -64   12    10.1.12.254   voice1
--------------------------------------------------------------------------------------------
Total: 1   2.4G: 1   5G: 0

5.4 Reference Configuration

5.4.1 S5700 Configuration

#
sysname S5700
#
vlan batch 10 to 13 200 801
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
 ip address 10.254.1.1 255.255.255.0
#
interface Vlanif801
 ip address 10.1.201.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13 801
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port default vlan 200
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return

5.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 801 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name employee1
 dot1x-access-profile employee1
 authentication-scheme radius
 accounting-scheme radius
 radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
 radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
 radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100 weight 80
 undo radius-server user-name domain-included
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.1.201.100
#
ip pool employee
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
#
ip pool voice
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
#
ip pool guest
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme radius
  accounting-mode radius
  accounting realtime 15
 domain default
  authentication-scheme radius
  radius-server huawei
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$Rdtw.<{XxT$m[E}YnfM9<l9]\T7EhW67M~m$u/u6<PP~C$O&*bV$
 local-user huawei privilege level 3
 local-user huawei service-type telnet ssh
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 4090
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 13 801
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#zx5kPs")cO.^IG;R6J^5nd^JU_|q",$FD,E.s%@9CaEk5yD*QDiGKR&$73e;T^(&JH\gl'IkR|DmZ=0C%^%#
snmp-agent community write %^%#bSWeA`C;H5A98pQDivZ4mR\LSzVDEHibs|Gln%zJW[vB~(`4KElv:@:;H:BMM=5^F$Ab1,k4LJ;xbEb=%^%#
snmp-agent sys-info version v2c
snmp-agent
#
ssh client first-time enable
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif801
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name test
 security-profile name guest1
  security wep share-key
  wep key 0 wep-40 pass-phrase %^%#)~{E64X##X|h6647iii5.y8.)yr"2@":|):T.B/%^%#
 security-profile name voice1
  security wpa psk passphrase %^%#'B_NS~.4,Fh#8YX{gfeV}Ekj=<[Gi){`xT>QmnG>%^%# tkip
 security-profile name default
 security-profile name employee1
  security wpa2 dot1x aes
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+qK%aTJ_0%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name voice1
  ssid voice1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile guest1
  security-profile guest1
 vap-profile name voice1
  forward-mode tunnel
  service-vlan vlan-id 12
  ssid-profile voice1
  security-profile voice1
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-id 11
  ssid-profile employee1
  security-profile employee1
  authentication-profile employee1
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 1
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
  radio 2
   vap-profile employee1 wlan 1
   vap-profile voice1 wlan 2
   vap-profile guest1 wlan 3
 ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066 ap-name ap1
  ap-group ap-group1
 ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901 ap-name ap2
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return

6 Experiment 6: Backup the Configuration and Reset the Device

6.1 About This Course

6.1.1 Objectives

Save the configuration of the AC
Configure the FTP service on the AC
Back up the configuration of the AC
Reset the configuration of the AC

6.1.2 Plan

You must configure devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.

The following table describes device connections.

Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

Item                              Parameter
Management IP                     172.21.11.X+2
Backup Configuration File name    acvrpcfg.zip
FTP account                       Name: ftp   Password: Huawei@123
FTP Directory                     Flash:/

6.2 Experiment Task

6.2.1 Configuration Procedure

Step 1 Save the Configuration

Use the save command to save the current configuration to the storage device.
<AC1>save acvrpcfg.zip
Are you sure to save the configuration to acvrpcfg.zip? (y/n)[n]:y
It will take several minutes to save configuration file, please wait........
Configuration file has been saved successfully
Note: The configuration file will take effect after being activated

Using the dir command, you can view information about the files and directories on the storage device.

<AC1>dir
Directory of sdcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,883  May 13 2016 16:19:42   002f_sftpsync_53.xml
    1  -rw-          3,266  Nov 11 2016 15:16:11   AC6005-1.cfg
    2  -rw-         61,456  Jun 20 2015 07:33:20   AC6005V200R005C10SPH301.pat
    3  -rw-     53,286,116  Oct 26 2015 19:55:55   AC6005V200R006C10SPC100.cc
    4  -rw-     67,503,156  Nov 11 2016 14:11:48   AC6005V200R007C10SPC100.cc
    5  -rw-          2,610  Nov 17 2016 10:14:27   acvrpcfg.zip
    6  -rw-          1,318  Nov 11 2016 14:37:26   ca.cer
    7  -rw-            149  Nov 11 2016 14:39:00   ca_config.ini
    8  -rw-          7,211  Nov 16 2016 20:28:47   config.cfg
    9  drw-              -  Jun 20 2015 07:29:43   corefile
   10  -rw-          1,055  Nov 12 2016 18:11:10   daemon.log
   11  -rw-          2,100  Oct 31 2016 15:34:40   daemon.log.bak
   12  drw-              -  Nov 12 2016 18:12:33   default-sdb
   13  -rw-            793  Jun 20 2015 08:05:59   default_local.cer
   14  -rw-          1,775  Nov 11 2016 14:39:00   default_local_privkey.pem
   15  drw-              -  Jul 30 2016 12:43:59   dhcp
   16  -rw-     12,606,028  Nov 11 2016 14:17:12   FitAP4X30XN_V200R007C10SPC100.bin
   17  -rw-     11,707,428  Oct 26 2015 19:58:48   FitAP6X10XN_V200R006C10SPC100.bin
   18  -rw-          1,575  Jun 20 2015 08:06:29   LICQPZQ6F614HF_210235681310F6000040.dat
   19  -rw-          1,253  Nov 11 2016 14:37:26   local.cer
   20  drw-              -  Nov 11 2016 19:36:33   localuser
   21  drw-              -  Oct 11 2016 18:22:34   logfile
   22  drw-              -  Jan 01 2013 09:49:36   lost+found
   23  -rw-         59,025  Nov 12 2016 18:13:15   mon_file.txt
   24  drw-              -  Nov 12 2016 18:13:14   pmdata
   25  -rw-            855  Aug 23 2016 15:24:27   private-data.txt
   26  -rw-          1,260  Nov 11 2016 19:38:25   rsa_host_key.efs
   27  -rw-            540  Nov 11 2016 19:38:25   rsa_server_key.efs
   28  -rw-      1,807,526  Oct 21 2015 22:54:16   sacrule.dat
   29  drw-              -  Jun 20 2015 07:32:17   security
   30  drw-              -  Nov 11 2016 14:36:45   update
   31  -rw-          1,395  Nov 11 2016 15:08:22   vrpcfg.zip

1,882,652 KB total (1,531,204 KB free)

Step 2 Configure the FTP Service on the AC

[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password irreversible-cipher Huawei@123 ftp-directory sdcard:/
[AC1-aaa]local-user ftp service-type ftp
[AC1-aaa]local-user ftp privilege level 15
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y

Step 3 Back Up the Configuration to the PC

D:\>ftp 192.168.100.200
connect 192.168.100.200.
220 FTP service ready.
User(192.168.100.200:(none)): ftp
331 Password required for ftp.
password:ftp001
230 User logged in.
ftp> get acvrpcfg.zip
200 Port command okay.
150 Opening ASCII mode data connection for acvrpcfg.zip.
226 Transfer complete.
ftp: 1373 bytes received in 0.00Seconds 1373000.00Kbytes/sec.
ftp>

The configuration file is now backed up on the PC. Find the file in D:\ and open it with Notepad or WordPad.

Step 4 Reset the Configuration

After you finish the practice, reset the device configuration so that it does not affect the next practice. Follow the procedure below to reset the configuration and reboot the device.

<AC1>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
#
<AC1>reboot
Info: The system is comparing the configuration, please wait......
Warning: All the configuration will be saved to the next startup configuration. Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y

6.3 Verification

6.3.1 Checking the Device Configuration

You are required to set a new password when you log in to the device after the reboot.

Please configure the login password:
Info: A plain text password is a string of 8 to 16 case-sensitive characters and must be a combination of at least two of the following: uppercase letters A to Z, lowercase letters a to z, digits, and special characters. A cipher text password contains 68 characters.
Enter password:
Confirm password:

Only the default configuration exists.

<AC6005>display current-configuration
#
 http secure-server ssl-policy default_policy
 http server enable
#
ssl renegotiation-rate 1
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1 tls1.2
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher %^%#M`4JPQpOV5o%dg<#chz:0uQcV}F#{FY6"TUeF>YO[l0C!OPI-!:hyJLvcXC%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#h'O5Y|4b&.=,loK4{<@Qo0h6R~Q>oT[2{<X+y^:,Sg*tSthkTO("UiYv~tN< %^%#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk passphrase %^%#qNfI(V#y8:b/W|/(mY81#Z\D8~!8Y*#IO1RwV);+%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#o[7"I"t]\4xde7_BV:3&kdR~nCGO!El4DSuB>~E%^%# aes
 ssid-profile name default
 vap-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 wds-profile name default
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name default
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
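Before issuing reset saved-configuration, the backup pulled in Step 3 is the only copy of the lab configuration, so it is worth confirming that the archive is intact, recording its digest, and noting which management settings in it deserve review. The Python script below is an added example written for this guide; it is not part of the guide and not a Huawei tool. It assumes the downloaded zip carries a text configuration member (assumed here to be named vrpcfg.cfg), uses a constructed configuration fragment modelled on the output shown in 6.2 and 6.3, and applies review rules that are this example's own rather than Huawei recommendations.

```python
"""Pre-reset check of an AC configuration backup (added example).

Assumptions: the backup zip holds a text config member named vrpcfg.cfg;
the review rules are this example's own, modelled on the guide's output.
"""
import hashlib
import re
import zipfile
from io import BytesIO

CONFIG_MEMBER = "vrpcfg.cfg"  # assumed member name inside the backup zip

# Constructed sample: a fragment modelled on sections 6.2 and 6.3 of the guide.
SAMPLE_CONFIG = """\
#
 http server enable
#
ssl policy default_policy type server
 version tls1.0 tls1.1 tls1.2
 ciphersuite rsa_aes_128_cbc_sha
#
aaa
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user ftp service-type ftp
 local-user ftp privilege level 15
#
 undo telnet server enable
 ssh server key-exchange dh_group14_sha1
#
user-interface vty 0 4
 protocol inbound ssh
user-interface vty 16 20
 protocol inbound all
#
ftp server enable
#
return
"""

# Single-line rules: (anchored regex on the stripped line, finding text).
LINE_RULES = [
    (r"^http server enable$", "plaintext HTTP management enabled"),
    (r"^version .*\btls1\.[01]\b", "SSL policy still accepts TLS 1.0/1.1"),
    (r"^ciphersuite .*_cbc_", "SSL policy uses a CBC suite without forward secrecy"),
    (r"^ftp server enable$", "FTP enabled: credentials and config cross the network in cleartext"),
    (r"^ssh server key-exchange .*_sha1$", "SSH key exchange relies on SHA-1"),
    (r"^telnet server enable$", "Telnet server enabled"),
    (r"^protocol inbound all$", "VTY line accepts every inbound protocol"),
]


def build_sample_backup() -> bytes:
    """Construct an in-memory zip standing in for the downloaded acvrpcfg.zip."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONFIG_MEMBER, SAMPLE_CONFIG)
    return buf.getvalue()


def verify_backup(data: bytes) -> dict:
    """Confirm the archive is intact; return its SHA-256, members and config text.

    Keep the digest next to the backup so the copy can be re-checked before
    it is relied on after the reset.
    """
    if not zipfile.is_zipfile(BytesIO(data)):
        raise ValueError("backup is not a zip archive")
    zf = zipfile.ZipFile(BytesIO(data))
    bad = zf.testzip()  # None when every member passes its CRC check
    if bad is not None:
        raise ValueError(f"corrupt member in backup: {bad}")
    members = zf.namelist()
    if CONFIG_MEMBER not in members:
        raise ValueError(f"{CONFIG_MEMBER} missing from backup: {members}")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "members": members,
        "config": zf.read(CONFIG_MEMBER).decode("utf-8"),
    }


def audit_config(text: str) -> list:
    """Return review findings, one string per hit, in line order."""
    findings = []
    users = {}  # local-user name -> {"services": set(), "privilege": int or None}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for pattern, msg in LINE_RULES:
            if re.search(pattern, line):
                findings.append(f"line {lineno}: {msg}")
        m = re.match(r"local-user (\S+) service-type (.+)$", line)
        if m:
            entry = users.setdefault(m.group(1), {"services": set(), "privilege": None})
            entry["services"].update(m.group(2).split())
        m = re.match(r"local-user (\S+) privilege level (\d+)$", line)
        if m:
            entry = users.setdefault(m.group(1), {"services": set(), "privilege": None})
            entry["privilege"] = int(m.group(2))
    # Least privilege: an account used only for file transfer holding level 15.
    for name, info in users.items():
        if info["services"] == {"ftp"} and info["privilege"] == 15:
            findings.append(f"user {name}: FTP-only account holds privilege level 15")
    return findings


if __name__ == "__main__":
    info = verify_backup(build_sample_backup())
    print("backup sha256:", info["sha256"])
    for finding in audit_config(info["config"]):
        print(" -", finding)
```

Run against a real download, read the file bytes instead of calling build_sample_backup() and keep the printed digest with the backup; the findings are a review list for the lab owner, not changes the script makes to the device.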
6.4 Reference Configuration

6.4.1 Key Configuration

[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password irreversible-cipher Huawei@123 ftp-directory sdcard:/
[AC1-aaa]local-user ftp service-type ftp
[AC1-aaa]local-user ftp privilege level 15
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y

7 Appendix

7.1 Configuration of Core Switch

#
 sysname S5700
#
vlan batch 10 to 13 20 to 23 30 to 33 40 to 43 50 to 53 60 to 63 200 801 to 806
#
undo http server enable
undo http secure-server enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.20.1 255.255.255.0
#
interface Vlanif21
 ip address 10.1.21.1 255.255.255.0
#
interface Vlanif22
 ip address 10.1.22.1 255.255.255.0
#
interface Vlanif23
 ip address 10.1.23.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.30.1 255.255.255.0
#
interface Vlanif31
 ip address 10.1.31.1 255.255.255.0
#
interface Vlanif32
 ip address 10.1.32.1 255.255.255.0
#
interface Vlanif33
 ip address 10.1.33.1 255.255.255.0
#
interface Vlanif40
 ip address 10.1.40.1 255.255.255.0
#
interface Vlanif41
 ip address 10.1.41.1 255.255.255.0
#
interface Vlanif42
 ip address 10.1.42.1 255.255.255.0
#
interface Vlanif43
 ip address 10.1.43.1 255.255.255.0
#
interface Vlanif50
 ip address 10.1.50.1 255.255.255.0
#
interface Vlanif51
 ip address 10.1.51.1 255.255.255.0
#
interface Vlanif52
 ip address 10.1.52.1 255.255.255.0
#
interface Vlanif53
 ip address 10.1.53.1 255.255.255.0
#
interface Vlanif60
 ip address 10.1.60.1 255.255.255.0
#
interface Vlanif61
 ip address 10.1.61.1 255.255.255.0
#
interface Vlanif62
 ip address 10.1.62.1 255.255.255.0
#
interface Vlanif63
 ip address 10.1.63.1 255.255.255.0
#
interface Vlanif200
 ip address 10.254.1.1 255.255.255.0
#
interface Vlanif801
 ip address 10.1.201.1 255.255.255.0
#
interface Vlanif802
 ip address 10.1.202.1 255.255.255.0
#
interface Vlanif803
 ip address 10.1.203.1 255.255.255.0
#
interface Vlanif804
 ip address 10.1.204.1 255.255.255.0
#
interface Vlanif805
 ip address 10.1.205.1 255.255.255.0
#
interface Vlanif806
 ip address 10.1.206.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13 801
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 to 23 802
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 30 to 33 803
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 40 to 43 804
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 50 to 53 805
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 60 to 63 806
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
 port link-type trunk
 port trunk pvid vlan 20
 port trunk allow-pass vlan 20 to 23
#
interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk pvid vlan 20
 port trunk allow-pass vlan 20 to 23
#
interface GigabitEthernet0/0/14
 port link-type trunk
 port trunk pvid vlan 30
 port trunk allow-pass vlan 30 to 33
#
interface GigabitEthernet0/0/15
 port link-type trunk
 port trunk pvid vlan 30
 port trunk allow-pass vlan 30 to 33
#
interface GigabitEthernet0/0/16
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 40 to 43
#
interface GigabitEthernet0/0/17
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 40 to 43
#
interface GigabitEthernet0/0/18
 port link-type trunk
 port trunk pvid vlan 50
 port trunk allow-pass vlan 50 to 53
#
interface GigabitEthernet0/0/19
 port link-type trunk
 port trunk pvid vlan 50
 port trunk allow-pass vlan 50 to 53
#
interface GigabitEthernet0/0/20
 port link-type trunk
 port trunk pvid vlan 60
 port trunk allow-pass vlan 60 to 63
#
interface GigabitEthernet0/0/21
 port link-type trunk
 port trunk pvid vlan 60
 port trunk allow-pass vlan 60 to 63
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 200
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
interface LoopBack2
 ip address 102.102.102.102 255.255.255.255
#
interface LoopBack3
 ip address 103.103.103.103 255.255.255.255
#
interface LoopBack4
 ip address 104.104.104.104 255.255.255.255
#
interface LoopBack5
 ip address 105.105.105.105 255.255.255.255
#
interface LoopBack6
 ip address 106.106.106.106 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;($MM!"!U<_DW.Z.H!4L,$49.>!z*#!\EX>M5e+/7j&#$4<,%@%@
user-interface vty 0 4
user-interface vty 16 20
#
return