Access Controllers Comware 7 Remote 802.1X + LDAP Authentication Configuration Examples

Published 2020-11-30 15:06:46
Network Topology

(The topology figure is not reproduced on this page. As configured below, the AC connects to the switch on GigabitEthernet 1/0/1 (trunk port carrying VLANs 100 and 200) and the AP connects to GigabitEthernet 1/0/2 (access port in VLAN 100, PoE powered). The AC and AP establish their CAPWAP tunnel in VLAN 100, and wireless clients are placed in VLAN 200 with addresses from DHCP pools on the switch. The AC authenticates 802.1X users against an LDAP server (Active Directory).)

Configuration Steps

Configuring the AC


1.     Configure interfaces on the AC:


# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.


<AC> system-view


[AC] vlan 100


[AC-vlan100] quit


[AC] interface vlan-interface 100


[AC-Vlan-interface100] ip address 24


[AC-Vlan-interface100] quit


# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. VLAN 200 will be used for client access.


[AC] vlan 200


[AC-vlan200] quit


[AC] interface vlan-interface 200


[AC-Vlan-interface200] ip address 24


[AC-Vlan-interface200] quit


2.     Configure the LDAP scheme:


# Create an LDAP server named ldap and enter its view.


[AC] ldap server ldap


# Specify the administrator DN. This is the account the AC binds with to search the directory for users. The example uses the domain Administrator; in production, use a dedicated account that has only read access to the user subtree.


[AC-ldap-server-ldap] login-dn cn=administrator,cn=users,dc=ldap,dc=com


# Specify the base DN for user search.


[AC-ldap-server-ldap] search-base-dn dc=ldap,dc=com


# Specify the IP address of the LDAP server.


[AC-ldap-server-ldap] ip


# Specify the administrator password. It must match the password set for this account on the LDAP server (see "Configuring the LDAP server"). The AC authenticates to the server with an LDAP simple bind, which carries this password in cleartext on the wire unless the connection is otherwise protected, so keep the path between the AC and the LDAP server on a trusted network and do not reuse a weak password such as the one in this example.


[AC-ldap-server-ldap] login-password simple 123456


[AC-ldap-server-ldap] quit


# Create an LDAP scheme named ldap and enter its view.


[AC] ldap scheme ldap


# Specify ldap as the LDAP authentication server.


[AC-ldap-ldap] authentication-server ldap


[AC-ldap-ldap] quit


# Create an ISP domain named ldap and enter its view.


[AC] domain ldap


# Configure the authentication method as LDAP (scheme ldap), and the authorization and accounting methods as none, for LAN access (802.1X) users in ISP domain ldap.


[AC-isp-ldap] authentication lan-access ldap-scheme ldap


[AC-isp-ldap] authorization lan-access none


[AC-isp-ldap] accounting lan-access none


# Configure the idle cut feature for users in ISP domain ldap: log out a user whose traffic in 15 minutes is less than 1024 bytes.


[AC-isp-ldap] authorization-attribute idle-cut 15 1024


[AC-isp-ldap] quit


3.     Configure the AC to use CHAP to authenticate 802.1X clients.


[AC] dot1x authentication-method chap


4.     Configure a wireless service:


# Create a service template named service and enter its view.


[AC] wlan service-template service


# Configure the SSID of the service template as service.


[AC-wlan-st-service] ssid service


# Assign clients coming online through the service template to VLAN 200.


[AC-wlan-st-service] vlan 200


# Set the AKM mode to 802.1X.


[AC-wlan-st-service] akm mode dot1x


# Set the cipher suite to CCMP.


[AC-wlan-st-service] cipher-suite ccmp


# Enable the RSN IE in beacon and probe responses.


[AC-wlan-st-service] security-ie rsn


# Set the authentication mode to 802.1X.


[AC-wlan-st-service] client-security authentication-mode dot1x


# Specify ISP domain ldap for authenticating 802.1X clients.


[AC-wlan-st-service] dot1x domain ldap


# Enable the service template.


[AC-wlan-st-service] service-template enable


[AC-wlan-st-service] quit


5.     Configure a manual AP:


# Create a manual AP named office, and specify the AP model and serial ID.


[AC] wlan ap office model WA560-WW


[AC-wlan-ap-office] serial-id 219801A1NM8182032235


# Enter the view of radio 1.


[AC-wlan-ap-office] radio 1


# Bind service template service to radio 1, and enable radio 1.


[AC-wlan-ap-office-radio-1] service-template service


[AC-wlan-ap-office-radio-1] radio enable


[AC-wlan-ap-office-radio-1] quit


[AC-wlan-ap-office] quit

Configuring the switch


# Create VLAN 100. The switch will use this VLAN to forward the traffic on the CAPWAP tunnel between the AC and AP.


<Switch> system-view


[Switch] vlan 100


[Switch-vlan100] quit


# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.


[Switch] vlan 200


[Switch-vlan200] quit


# Configure GigabitEthernet 1/0/1 (port that connects the switch and the AC) as a trunk port, and assign the trunk port to VLANs 100 and 200.


[Switch] interface gigabitethernet 1/0/1


[Switch-GigabitEthernet1/0/1] port link-type trunk


[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200


[Switch-GigabitEthernet1/0/1] quit


# Configure GigabitEthernet 1/0/2 (port that connects the switch and the AP) as an access port, and assign the port to VLAN 100.


[Switch] interface gigabitethernet 1/0/2


[Switch-GigabitEthernet1/0/2] port link-type access


[Switch-GigabitEthernet1/0/2] port access vlan 100


# Enable PoE on GigabitEthernet 1/0/2.


[Switch-GigabitEthernet1/0/2] poe enable


[Switch-GigabitEthernet1/0/2] quit


# Create VLAN-interface 100, and assign an IP address to the VLAN interface.


[Switch] interface vlan-interface 100


[Switch-Vlan-interface100] ip address 24


[Switch-Vlan-interface100] quit


# Create VLAN-interface 200, and assign an IP address to the VLAN interface.


[Switch] interface vlan-interface 200


[Switch-Vlan-interface200] ip address 24


[Switch-Vlan-interface200] quit


# Configure DHCP pool 100 to assign an IP address to the AP.


[Switch] dhcp server ip-pool 100


[Switch-dhcp-pool-100] network mask


[Switch-dhcp-pool-100] gateway-list


[Switch-dhcp-pool-100] quit


# Configure DHCP pool 200 to assign an IP address to the client.


[Switch] dhcp server ip-pool 200


[Switch-dhcp-pool-200] network mask


[Switch-dhcp-pool-200] gateway-list


[Switch-dhcp-pool-200] quit


# Enable DHCP.


[Switch] dhcp enable


Configuring the LDAP server


This example uses Microsoft Windows 2003 Server Active Directory to illustrate the configuration on the LDAP server.


1.     Add a user named aaa.


a.     On the LDAP server, select Start > Control Panel > Administrative Tools.


b.     Double-click Active Directory Users and Computers.


The Active Directory Users and Computers window opens.


c.     From the navigation tree, click Users under the ldap.com node.


d.     Select Action > New > User from the menu to open the dialog box for adding a user.


e.     Enter logon name aaa and click Next.


Figure 2 Adding user aaa


f.     In the dialog box, enter password 123456, select options as needed, and click Next.


Figure 3 Setting the user's password

g.     Click OK.


2.     Add user aaa to user group Users:


a.     From the navigation tree, click Users under the ldap.com node.


b.     In the right pane, right-click user aaa and select Properties.


c.     In the dialog box, click the Member Of tab and click Add.


Figure 4 Modifying user properties

d.     In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.


User aaa is added to group Users.


Figure 5 Adding user aaa to group Users

3.     Set the password of the bind account (the account named by login-dn on the AC, Administrator in this example):


a.     In the right pane, right-click user Administrator and select Set Password.


b.     In the dialog box, enter the same password that is configured with login-password on the AC (123456 in this example). (Details not shown.)
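Before pointing the AC at the directory, it is worth confirming from any host that the login-dn and login-password from step 2 of "Configuring the AC" actually bind to the server set up above, and seeing what that bind looks like on the wire. The following Python script is an added example, not part of the H3C configuration example and not H3C code. It encodes the same LDAPv3 simple BindRequest (RFC 4511) with a small hand-written BER encoder, so it needs no third-party LDAP library; it can send the request to a server and interpret the BindResponse result code; and it shows that the DN and password are recoverable from the request bytes by anyone on the path, which is why the AC-to-server link must be trusted. The DN and password are the ones from this page; the server host name in the usage comment is a placeholder.

```python
"""LDAP simple-bind check for the AC's login-dn / login-password.

Added example (not H3C code). Implements just enough LDAPv3 (RFC 4511)
BER encoding to build a BindRequest and read a BindResponse, using only
the Python standard library.
"""
import socket
from typing import Dict, Tuple

# Values from the configuration example on this page.
LOGIN_DN = "cn=administrator,cn=users,dc=ldap,dc=com"
LOGIN_PASSWORD = "123456"

RESULT_CODES: Dict[int, str] = {0: "success", 32: "noSuchObject",
                                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One TLV: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return ber(0x02, body)


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    auth = ber(0x80, password.encode())     # AuthenticationChoice: simple, context tag [0]
    bind = ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + auth)
    return ber(0x30, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(request: bytes) -> Tuple[str, str]:
    """What a passive observer recovers from an unencrypted simple bind: (DN, password)."""
    _, msg, _ = read_tlv(request, 0)         # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)             # messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)            # version
    _, name, pos = read_tlv(bind, pos)       # name (LDAPDN)
    tag, secret, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL?)")
    return name.decode(), secret.decode()


def parse_bind_response(buf: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(buf, 0)
    _, _, pos = read_tlv(msg, 0)             # messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp, 0)         # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)          # matchedDN
    _, diag, _ = read_tlv(resp, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def bind_response(message_id: int, result_code: int, diag: str = "") -> bytes:
    """Encode a BindResponse; constructed here only to exercise the parser offline."""
    resp = ber(0x61, ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diag.encode()))
    return ber(0x30, ber_int(message_id) + resp)


def check_bind(host: str, dn: str, password: str, port: int = 389,
               timeout: float = 5.0) -> Tuple[int, str]:
    """Send the bind the AC would send and return (resultCode, human-readable result)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        reply = sock.recv(4096)
    code, diag = parse_bind_response(reply)
    text = RESULT_CODES.get(code, "resultCode %d" % code)
    return code, text + (": " + diag if diag else "")


if __name__ == "__main__":
    req = bind_request(1, LOGIN_DN, LOGIN_PASSWORD)
    print("BindRequest (%d bytes): %s" % (len(req), req.hex()))
    print("Recoverable from the wire:", extract_simple_bind(req))
    # Against a real server (placeholder host name, port 389 as the AC uses by default):
    # print(check_bind("ldap.example.test", LOGIN_DN, LOGIN_PASSWORD))
```

A result code of 0 means the credentials the AC will use are accepted; 49 (invalidCredentials) means the login-dn or the password set in step 3 above does not match. Because the request is plain BER with the password in an OCTET STRING, the same bytes captured on the AC-to-server segment yield the bind password directly, as extract_simple_bind shows.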

Verifying the configuration


1.     On the client, verify that the client can pass authentication, associate with the AP, and access the wireless network. (Details not shown.)


2.     On the AC, perform the following tasks to verify that the user has passed authentication and come online. In the output, check that Username is the LDAP account (aaa in this example), that Authentication domain is ldap, that AKM mode and User authentication mode are 802.1X, that Security mode is RSN with cipher suite CCMP, and that VLAN ID and Authorization VLAN are 200. (Authentication method: Open system in the WLAN client output is the 802.11 link-level authentication used with RSN, not the user authentication.) The sample output below is illustrative; the username, AP name and domain will show the values of your own configuration.


# Display detailed WLAN client information.


[AC] display wlan client verbose


Total number of clients: 1


 MAC address                       : 3829-5a40-9589


 IPv4 address                      : N/A


 IPv6 address                      : 2004::4


 Username                          : dot1x


 AID                               : 1


 AP ID                             : 2


 AP name                           : ap1


 Radio ID                          : 1


 SSID                              : service


 BSSID                             : ac74-090a-6421


 VLAN ID                           : 200


 Sleep count                       : 0


 Wireless mode                     : 802.11an


 Channel bandwidth                 : 40MHz


 20/40 BSS Coexistence Management  : Supported


 SM power save                     : Enabled


 SM power save mode                : Static


 Short GI for 20MHz                : Supported


 Short GI for 40MHz                : Supported


 STBC RX capability                : Supported


 STBC TX capability                : Not supported


 LDPC RX capability                : Not supported


 Block Ack                         : N/A


 Supported HT MCS set              : 0, 1, 2, 3, 4, 5, 6, 7


 Supported rates                   : 6, 9, 12, 18, 24, 36,


                                     48, 54 Mbps


 QoS mode                          : WMM


 Listen interval                   : 2


 RSSI                              : 0


 Rx/Tx rate                        : 0/0 Mbps


 Authentication method             : Open system


 Security mode                     : RSN


 AKM mode                          : 802.1X


 Cipher suite                      : CCMP


 User authentication mode          : 802.1X


 Authorization ACL ID              : N/A


 Authorization user profile        : N/A


 Roam status                       : N/A


 Key derivation                    : SHA1


 PMF status                        : N/A


 Forwarding policy name            : Not configured


 Online time                       : 0days 0hours 0minutes 1seconds


 FT status                         : Inactive


# Display online 802.1X client information.


[AC] display dot1x connection


Total connections: 1


User MAC address           : 3829-5a40-9589


AP name                    : ap1


Radio ID                   : 1


SSID                       : service


BSSID                      : ac74-090a-6421


Username                   : dot1x


Authentication domain      : dom1


IPv6 address               : 2004::4


Authentication method      : EAP


Initial VLAN               : 200


Authorization VLAN         : 200


Authorization ACL number   : N/A


Authorization user profile : N/A


Termination action         : Radius-Request


Session timeout period     : 86401 s


Online from                : 2018/07/18 10:36:00


Online duration            : 0h 0m 19s
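The following Python script is an added example rather than part of the H3C page. It parses the Key : Value layout of display wlan client verbose and display dot1x connection and checks one client session against the posture configured in steps 2 to 4 of "Configuring the AC" (RSN with CCMP, AKM and user authentication 802.1X, SSID service, VLAN 200, ISP domain ldap), which is the check step 2 above performs by eye. The two embedded outputs are constructed from the field names in the sample output, with the username, AP name and domain set to the values this example configures (aaa, office, ldap); the third is a constructed weakened session to show what a failed check reports. In practice, feed it output captured from the AC.

```python
"""Check a WLAN client session from Comware display output.

Added example, not H3C code. Parses 'display wlan client verbose' and
'display dot1x connection' and compares the session with the intended
802.1X + LDAP posture configured on this page.
"""
import re
from typing import Dict, List

# Constructed from the field names in the sample output; values match this
# page's configuration (user aaa in domain ldap, AP office, SSID service, VLAN 200).
WLAN_CLIENT_OK = """\
Total number of clients: 1

 MAC address                       : 3829-5a40-9589
 IPv4 address                      : N/A
 Username                          : aaa
 AP name                           : office
 Radio ID                          : 1
 SSID                              : service
 VLAN ID                           : 200
 Supported rates                   : 6, 9, 12, 18, 24, 36,
                                     48, 54 Mbps
 Authentication method             : Open system
 Security mode                     : RSN
 AKM mode                          : 802.1X
 Cipher suite                      : CCMP
 User authentication mode          : 802.1X
 PMF status                        : N/A
"""

DOT1X_OK = """\
Total connections: 1

User MAC address           : 3829-5a40-9589
Username                   : aaa
Authentication domain      : ldap
Authentication method      : EAP
Initial VLAN               : 200
Authorization VLAN         : 200
"""

# Constructed weakened session: PSK with TKIP, no user, wrong VLAN, no 802.1X record.
WLAN_CLIENT_WEAK = """\
 MAC address                       : 3829-5a40-9589
 Username                          : N/A
 SSID                              : service
 VLAN ID                           : 1
 Security mode                     : RSN
 AKM mode                          : PSK
 Cipher suite                      : TKIP
 User authentication mode          : None
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_fields(output: str) -> Dict[str, str]:
    """Map each 'Key : Value' line to a dict. A line without a colon continues
    the previous value (as 'Supported rates' wraps in the real output)."""
    fields: Dict[str, str] = {}
    last = None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last is not None:
            fields[last] = fields[last] + " " + line.strip()
    return fields


# What the service template on this page should produce for every client.
EXPECTED_WLAN = {"Security mode": "RSN", "AKM mode": "802.1X", "Cipher suite": "CCMP",
                 "User authentication mode": "802.1X", "SSID": "service", "VLAN ID": "200"}


def check_session(wlan: Dict[str, str], dot1x: Dict[str, str],
                  domain: str = "ldap", vlan: str = "200") -> List[str]:
    """Return the deviations found; an empty list means the session matches."""
    problems: List[str] = []
    for key, want in EXPECTED_WLAN.items():
        got = wlan.get(key, "<missing>")
        if got != want:
            problems.append("%s: expected %s, got %s" % (key, want, got))
    user = wlan.get("Username", "N/A")
    if user in ("N/A", ""):
        problems.append("no username recorded: client did not authenticate via 802.1X")
    if dot1x.get("Username") != user:
        problems.append("Username differs between WLAN client (%s) and 802.1X connection (%s)"
                        % (user, dot1x.get("Username", "<missing>")))
    if dot1x.get("User MAC address") != wlan.get("MAC address"):
        problems.append("MAC address differs between the two outputs")
    if dot1x.get("Authentication domain") != domain:
        problems.append("Authentication domain: expected %s, got %s"
                        % (domain, dot1x.get("Authentication domain", "<missing>")))
    if dot1x.get("Authorization VLAN") != vlan:
        problems.append("Authorization VLAN: expected %s, got %s"
                        % (vlan, dot1x.get("Authorization VLAN", "<missing>")))
    return problems


if __name__ == "__main__":
    for label, wlan, dot1x in (("configured", WLAN_CLIENT_OK, DOT1X_OK),
                               ("weak", WLAN_CLIENT_WEAK, "")):
        issues = check_session(parse_fields(wlan), parse_fields(dot1x))
        print(label + ":", "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Run against real output, the check distinguishes a client that merely associated (no Username, no dot1x connection entry) from one that passed LDAP authentication in domain ldap and landed in VLAN 200, and it catches a service template that was left on a PSK or TKIP setting.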

Key Configuration

