• All
  • Test
  • Startup
  • Experience Case
  • FAQ
Product line
Search
Cancel
Documents type
Author
Time
Search

Access Controllers Comware 7 Remote 802.1X + LDAP Authentication Configuration Examples

2020-11-30 15:06:46 Published
  • 0Followed
  • 1Collected ,550Browsed
fans:0 follow:0

Network Topology

topology

Configuration Steps

Configuring the AC

 

1.     Configure interfaces on the AC:

 

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

 

<AC> system-view

 

[AC] vlan 100

 

[AC-vlan100] quit

 

[AC] interface vlan-interface 100

 

[AC-Vlan-interface100] ip address 10.1.1.46 24

 

[AC-Vlan-interface100] quit

 

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. VLAN 200 will be used for client access.

 

[AC] vlan 200

 

[AC-vlan200] quit

 

[AC] interface vlan-interface 200

 

[AC-Vlan-interface200] ip address 10.1.2.1 24

 

[AC-Vlan-interface200] quit

 

2.     Configure the LDAP scheme:

 

 # Create an LDAP server named ldap and enter its view.

 

[AC] ldap server ldap

 

# Specify the administrator DN.

 

[AC-ldap-server-ldap] login-dn cn=administrator,cn=users,dc=ldap,dc=com

 

# Specify the base DN for user search.

 

[AC-ldap-server-ldap] search-base-dn dc=ldap,dc=com

 

# Specify the IP address of the LDAP server.

 

[AC-ldap-server-ldap] ip  10.1.1.3

 

# Specify the administrator password.

 

[AC-ldap-server-ldap] login-password simple 123456

 

[AC-ldap-server-ldap] quit

 

# Create an LDAP scheme named ldap and enter its view.

 

[AC] ldap scheme ldap

 

# Specify ldap as the LDAP authentication server.

 

[AC-ldap-ldap] authentication-server ldap

 

[AC-ldap-ldap] quit

 

# Create an ISP domain named ldap and enter its view.

 

[AC] domain ldap

 

# Configure the authentication method as LDAP and the authentication and accounting methods as none for portal users in ISP domain ldap.

 

[AC-isp-ldap]authentication  lan-access ldap-scheme ldap

 

[AC-isp-ldap] authorization  lan-access none

 

[AC-isp-ldap] accounting  lan-access none

 

# Configure the idle cut feature for users in ISP domain ldap. Log out a user if the user's traffic is less than 1024 bytes in 15 minutes.

 

[AC-isp-ldap] authorization-attribute idle-cut 15 1024

 

[AC-isp-ldap] quit

 

3.     Configure the AC to use chap to authenticate 802.1X clients.

 

[AC]  dot1x authentication-method chap

 

4.     Configure a wireless service:

 

# Create a service template named service and enter its view.

 

[AC] wlan service-template service

 

# Configure the SSID of the service template as service.

 

[AC-wlan-st-service] ssid service

 

# Assign clients coming online through the service template to VLAN 200.

 

[AC-wlan-st-service] vlan 200

 

# Set the AKM mode to 802.1X.

 

[AC-wlan-st-service] akm mode dot1x

 

# Set the cipher suite to CCMP.

 

[AC-wlan-st-service] cipher-suite ccmp

 

# Enable the RSN IE in beacon and probe responses.

 

[AC-wlan-st-service] security-ie rsn

 

# Set the authentication mode to 802.1X.

 

[AC-wlan-st-service] client-security authentication-mode dot1x

 

# Specify ISP domain  ldap for authenticating 802.1X clients.

 

[AC-wlan-st-service] dot1x domain  ldap

 

# Enable the service template.

 

[AC-wlan-st-service] service-template enable

 

[AC-wlan-st-service] quit

 

5.     Configure a manual AP:

 

# Create a manual AP named office, and specify the AP model and serial ID

 

[AC] wlan ap office model WA560-WW

 

[AC-wlan-ap-office] serial-id 219801A1NM8182032235

 

# Enter the view of radio 1.

 

[AC-wlan-ap-office] radio 1

 

# Bind service template service to radio 1, and enable radio1.

 

[AC-wlan-ap-office-radio-1] service-template service

 

[AC-wlan-ap-office-radio-1] radio enable

 

[AC-wlan-ap-office-radio-1] quit

 

[AC-wlan-ap-office] quit


Configuring the switch

 

# Create VLAN 100. The switch will use this VLAN to forward the traffic on the CAPWAP tunnel between the AC and AP.

 

<Switch> system-view

 

[Switch] vlan 100

 

[Switch-vlan100] quit

 

# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.

 

[Switch] vlan 200

 

[Switch-vlan200] quit

 

# Configure GigabitEthernet 1/0/1 (port that connects the switch and the AC) as a trunk port, and assign the trunk port to VLANs 100 and 200.

 

[Switch] interface gigabitethernet 1/0/1

 

[Switch-GigabitEthernet1/0/1] port link-type trunk

 

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

 

[Switch-GigabitEthernet1/0/1] quit

 

# Configure GigabitEthernet 1/0/2 (port that connects the switch and the AP) as an access port, and assign the port to VLAN 100.

 

[Switch] interface gigabitethernet 1/0/2

 

[Switch-GigabitEthernet1/0/2] port link-type access

 

[Switch-GigabitEthernet1/0/2] port access vlan 100

 

# Enable PoE on GigabitEthernet 1/0/2.

 

[Switch-GigabitEthernet1/0/2] poe enable

 

[Switch-GigabitEthernet1/0/2] quit

 

# Create VLAN-interface 100, and assign an IP address to the VLAN interface.

 

[Switch] interface vlan-interface 100

 

[Switch-Vlan-interface100] ip address 10.1.1.47 24

 

[Switch-Vlan-interface100] quit

 

# Create VLAN-interface 200, and assign an IP address to the VLAN interface.

 

[Switch] interface vlan-interface 200

 

[Switch-Vlan-interface200] ip address 10.1.2.2 24

 

[Switch-Vlan-interface200] quit

 

# Configure DHCP pool 100 to assign an IP address to the AP.

 

[Switch] dhcp server ip-pool 100

 

[Switch-dhcp-pool-100] network 10.1.1.0 mask 255.255.255.0

 

[Switch-dhcp-pool-100] gateway-list 10.1.1.46

 

[Switch-dhcp-pool-100] quit

 

# Configure DHCP pool 200 to assign an IP address to the client.

 

[Switch] dhcp server ip-pool 200

 

[Switch-dhcp-pool-200] network 10.1.2.0 mask 255.255.255.0

 

[Switch-dhcp-pool-200] gateway-list 10.1.2.1

 

[Switch-dhcp-pool-200] quit

 

# Enable DHCP.

 

[Switch] dhcp enable

 

Configuring the LDAP server

 

This example uses Microsoft Windows 2003 Server Active Directory to illustrate the configuration on the LDAP server.

 

1.     Add a user named aaa.

 

a.     On the LDAP server, select Start > Control Panel > Administrative Tools.

 

b.     Double-click Active Directory Users and Computers.

 

The Active Directory Users and Computers window opens.

 

c.     From the navigation tree, click Users under the ldap.com node.

 

d.     Select Action > New > User from the menu to open the dialog box for adding a user.

 

e.     Enter logon name aaa and click Next.

 

Figure 2 Adding user aaa


 

f.     In the dialog box, enter password 123456, select options as needed, and click Next.

 

Figure 3 Setting the user's password


g.     Click OK.

 

2.     Add user aaa to user group Users:

 

a.     From the navigation tree, click Users under the ldap.com node.

 

b.     In the right pane, right-click user aaa and select Properties.

 

c.     In the dialog box, click the Member Of tab and click Add.

 

Figure 4 Modifying user properties


d.     In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.

 

User aaa is added to group Users.

 

Figure 5 Adding user aaa to group Users


3.     Configure the administrator password:

 

a.     In the right pane, right-click user Administrator and select Set Password.

 

b.     In the dialog box, enter the administrator password. (Details not shown.)

Verifying the configuration

 

1.     On the client, verify that the client can pass authentication, associate with the AP, and access the wireless network. (Details not shown.)

 

2.     On the AC, perform the following tasks to verify that the user has passed authentication and come online:

 

# Display detailed WLAN client information.

 

[AC] display wlan client verbose

 

Total number of clients: 1

 

 MAC address                       : 3829-5a40-9589

 

 IPv4 address                      : N/A

 

 IPv6 address                      : 2004::4

 

 Username                          : dot1x

 

 AID                               : 1

 

 AP ID                             : 2

 

 AP name                           : ap1

 

 Radio ID                          : 1

 

 SSID                              : service

 

 BSSID                             : ac74-090a-6421

 

 VLAN ID                           : 200

 

 Sleep count                       : 0

 

 Wireless mode                     : 802.11an

 

 Channel bandwidth                 : 40MHz

 

 20/40 BSS Coexistence Management  : Supported

 

 SM power save                     : Enabled

 

 SM power save mode                : Static

 

 Short GI for 20MHz                : Supported

 

 Short GI for 40MHz                : Supported

 

 STBC RX capability                : Supported

 

 STBC TX capability                : Not supported

 

 LDPC RX capability                : Not supported

 

 Block Ack                         : N/A

 

 Supported HT MCS set              : 0, 1, 2, 3, 4, 5, 6, 7

 

 Supported rates                   : 6, 9, 12, 18, 24, 36,

 

                                     48, 54 Mbps

 

 QoS mode                          : WMM

 

 Listen interval                   : 2

 

 RSSI                              : 0

 

 Rx/Tx rate                        : 0/0 Mbps

 

 Authentication method             : Open system

 

 Security mode                     : RSN

 

 AKM mode                          : 802.1X

 

 Cipher suite                      : CCMP

 

 User authentication mode          : 802.1X

 

 Authorization ACL ID              : N/A

 

 Authorization user profile        : N/A

 

 Roam status                       : N/A

 

 Key derivation                    : SHA1

 

 PMF status                        : N/A

 

 Forwarding policy name            : Not configured

 

 Online time                       : 0days 0hours 0minutes 1seconds

 

 FT status                         : Inactive

 

# Display online 802.1X client information.

 

[AC] display dot1x connection

 

Total connections: 1

 

User MAC address           : 3829-5a40-9589

 

AP name                    : ap1

 

Radio ID                   : 1

 

SSID                       : service

 

BSSID                      : ac74-090a-6421

 

Username                   : dot1x

 

Authentication domain      : dom1

 

IPv6 address               : 2004::4

 

Authentication method      : EAP

 

Initial VLAN               : 200

 

Authorization VLAN         : 200

 

Authorization ACL number   : N/A

 

Authorization user profile : N/A

 

Termination action         : Radius-Request

 

Session timeout period     : 86401 s

 

Online from                : 2018/07/18 10:36:00

 

Online duration            : 0h 0m 19s

Key Configuration

null

Please rate this case:   
0 comments

No comments

Add Comments:

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +

Login before you can operate!

login

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作