
Example for Deploying the Free Mobility Function for Users' Physical Location Change (V200R009 and later versions)

Free Mobility Overview

In an enterprise network, different network access policies can be deployed on access devices to meet users' different network access requirements. With mobile office and BYOD technologies, users' physical locations and IP addresses change frequently, so the traditional network control solution based on physical ports and IP addresses cannot ensure a consistent network access experience; for example, it cannot guarantee that a user's network access policy stays the same when the user's physical location changes.

The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes.

In the free mobility solution, the switches must be associated with the Agile Controller-Campus. An administrator only needs to deploy network access policies for users centrally on the Agile Controller-Campus, which delivers the policies to all associated switches. A user then obtains the same access policy no matter how the user's physical location and IP address change.

Networking Requirements

Employees in an enterprise connect to the network in wired and wireless modes and are authenticated using 802.1X or Portal authentication.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.

Figure 1 Networking

Requirement Analysis

As shown in Figure 1, the agile core switch coreswitch functions as the authentication point and the access switch is a common switch.

You can configure 802.1X authentication and Portal authentication on the core switch so that wired and wireless users can connect to the network after being authenticated by the core switch.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations. Free mobility is therefore deployed between the core switch and the Agile Controller-Campus, so that the policy delivered to a user follows the user rather than the access port or IP address.

Configuration Logic

Figure 2 Configuration logic of Huawei switch
Figure 3 Configuration logic of Huawei Agile Controller-Campus

Configuration Notes

  • Free mobility is supported only in NAC unified mode.
  • In this example, the Agile Controller-Campus runs V100R003C00.
  • When the controller delivers a UCL group name that the switch does not support (for example, a name containing Chinese characters or special characters), the switch cannot parse the group name. A UCL group name that the switch supports must be a valid group-name value in the ucl-group group-index [ name group-name ] command: it cannot be -, --, a, an, or any, and cannot contain any of the characters / \ : * ? " < > | @ ' %. Therefore, do not use Chinese characters or special characters when configuring a UCL group name on the controller.

  • If the switch has already been associated with an Agile Controller-Campus and has free mobility configured, perform the following steps to delete the historical data before reconfiguring the core switch.

    1. Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the Agile Controller-Campus.
    2. Run the undo acl all command to delete the access control policy.
    3. Run the undo ucl-group ip all command to delete IP addresses bound to security groups.
    4. Run the undo ucl-group all command to delete security groups.
    5. Return to the user view and run the save command. The system automatically deletes the configured version number.
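The UCL group name rules in the note above can be checked before security groups are created on the controller. The following Python check is an added example, not part of this page or of Huawei's software; matching reserved words case-insensitively and enforcing no length limit are assumptions of the example.

```python
from typing import List

# Names the switch rejects outright, per the configuration notes on this page.
RESERVED_NAMES = {"-", "--", "a", "an", "any"}
# Characters the switch cannot parse in a UCL group name: / \ : * ? " < > | @ ' %
FORBIDDEN_CHARS = set('/\\:*?"<>|@\'%')


def ucl_group_name_problems(name: str) -> List[str]:
    """Return the reasons the switch would reject this UCL group name.

    An empty list means the name passes every rule the page lists. Reserved
    words are matched case-insensitively and no length limit is enforced
    because the page states none; both are assumptions of this example.
    """
    if not name:
        return ["name is empty"]
    problems = []
    if name.lower() in RESERVED_NAMES:
        problems.append(f"'{name}' is a reserved keyword")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    if any(ord(ch) > 127 for ch in name):
        # Chinese characters (and any other non-ASCII text) cannot be parsed.
        problems.append("contains non-ASCII characters")
    return problems


def check_security_group_names(names: List[str]) -> dict:
    """Check a batch of planned security group names; maps each name to its problems."""
    return {n: ucl_group_name_problems(n) for n in names}


if __name__ == "__main__":
    # The first four names are this page's security groups; the last three are
    # constructed bad examples.
    planned = ["Employee_Group", "Guest_Group", "Email_Server", "Video_Server",
               "any", "staff@hq", "员工组"]
    for name, probs in check_security_group_names(planned).items():
        print(f"{name!r}: {'ok' if not probs else '; '.join(probs)}")
```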

Data Plan

Table 1 Network data plan

VLAN plan
  • ID: 11; VLANIF11 IP address: 192.168.11.254/24
    Description: The core switch uses this VLAN to communicate with the Agile Controller-Campus.
  • ID: 12; VLANIF12 IP address: 192.168.12.254/24
    Description: The core switch uses this VLAN to manage APs.
  • ID: 13; VLANIF13 IP address: 192.168.13.254/24
    Description: The core switch uses this VLAN to provide wireless access services.
  • ID: 14; VLANIF14 IP address: 192.168.14.254/24
    Description: The core switch uses this VLAN to provide wired access services.

Core switch (coreswitch)
  • Interface number: GE1/0/11; IDs of allowed VLANs: 11
    Description: IDs of allowed VLANs: 11, 12, 13, and 14
  • Interface number: GE1/0/12; IDs of allowed VLANs: 12, 14
    Description: This interface allows packets from the wired access service VLAN and the APs' management VLAN to pass through.

Access switch
  • Interface number: GE0/0/1; IDs of allowed VLANs: 12, 14
    Description: This interface connects to GE1/0/12 on the core switch (coreswitch).
  • Interface number: GE0/0/3; IDs of allowed VLANs: 14
    Description: This interface provides wired access and allows packets from the wired access service VLAN to pass through.
  • Interface number: GE0/0/5; IDs of allowed VLANs: 12
    Description: This interface provides wireless access and allows packets from the APs' management VLAN to pass through.

Server
  • Agile Controller-Campus: 192.168.11.1
    Description: The Service Manager (SM) and Service Controller (SC) are installed on the same server. The SC functions as both the RADIUS server and the Portal server.
  • Email server: 192.168.11.100
  • Video server: 192.168.11.110
  • DNS server: 192.168.11.200

Table 2 Service data plan

Core switch (coreswitch)
  • RADIUS authentication server:
    IP address: 192.168.11.1
    Port number: 1812
    RADIUS shared key: Admin@123
  • RADIUS accounting server:
    IP address: 192.168.11.1
    Port number: 1813
    RADIUS shared key: Admin@123
    Accounting interval: 15 minutes
  • Portal server:
    IP address: 192.168.11.1
    Port number: 50200
    Shared key: Admin@123
    Description: The SC of the Agile Controller-Campus integrates the RADIUS server and Portal server, so the IP addresses of the authentication server, accounting server, and Portal server are all the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information. The port numbers configured for the authentication server and accounting server must match the authentication and accounting port numbers of the RADIUS server: on the Agile Controller-Campus, the RADIUS authentication and accounting port numbers are fixed at 1812 and 1813 respectively, and the Portal server port number is fixed at 50200.
  • XMPP password: Admin@123
    Description: The configuration is the same as that on the Agile Controller-Campus.

Agile Controller-Campus
  • Core switch's IP address: 192.168.11.254
    Description: This IP address is the IP address of VLANIF 11.
  • RADIUS parameters:
    Device: Huawei S series
    RADIUS authentication key: Admin@123
    RADIUS accounting key: Admin@123
    RADIUS authorization key: Admin@123
    Real-time accounting interval: 15 minutes
    Description: The configuration is the same as that on the core switch.
  • Portal parameters:
    Port number: 2000
    Portal key: Admin@123
    IP addresses of access terminals: wireless terminals 192.168.13.0/24, wired terminals 192.168.14.0/24
  • XMPP password: Admin@123
    Description: The configuration is the same as that on the core switch.
  • Accounts:
    Employees: user name staff, password Huawei@123
    Guests: user name guest, password Guest@123
    Description: Use fast authorization to authorize the security group Employee_Group to the staff account and the security group Guest_Group to the guest account.
  • Security groups: Employee_Group, Guest_Group, Email server (192.168.11.100), Video server (192.168.11.110)
  • Pre-authentication domain: DNS server
    Description: Employees can send domain names to the DNS server for resolution before being authenticated.
  • Post-authentication domain: email server, video server
    Description: After passing authentication, employees can access the mail server and the video server; the bandwidth for employees to access the video server can be increased. After passing authentication, guests cannot access the mail server and can access only the video server; the bandwidth for guests to access the video server can be reduced.

Procedure

  1. Configure the access switch.

    In this example, an access switch exists between users and the core switch functioning as the authentication point, and transparently transmits packets. To ensure that users can pass 802.1X authentication, configure the access switch to transparently transmit 802.1X packets (EAP packets in this example because EAP mode is used).

    <HUAWEI> system-view
    [HUAWEI] sysname l2switch
    [l2switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    [l2switch] vlan batch 12 14
    [l2switch] interface gigabitEthernet 0/0/1
    [l2switch-GigabitEthernet0/0/1] port link-type trunk
    [l2switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 12 14
    [l2switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
    [l2switch-GigabitEthernet0/0/1] bpdu enable
    [l2switch-GigabitEthernet0/0/1] quit
    [l2switch] interface gigabitEthernet 0/0/3    //Wired access interface
    [l2switch-GigabitEthernet0/0/3] port link-type access
    [l2switch-GigabitEthernet0/0/3] port default vlan 14
    [l2switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
    [l2switch-GigabitEthernet0/0/3] bpdu enable
    [l2switch-GigabitEthernet0/0/3] quit
    [l2switch] interface gigabitEthernet 0/0/5    //Wireless access interface
    [l2switch-GigabitEthernet0/0/5] port link-type access
    [l2switch-GigabitEthernet0/0/5] port default vlan 12
    [l2switch-GigabitEthernet0/0/5] l2protocol-tunnel user-defined-protocol 802.1x enable
    [l2switch-GigabitEthernet0/0/5] bpdu enable
    [l2switch-GigabitEthernet0/0/5] quit

  2. Configure the core switch.
    1. Switch the NAC configuration mode to unified mode.

      You must switch the NAC configuration mode to unified mode on a device with the free mobility function configured. When the switchover occurs, the device will reboot automatically.

      <HUAWEI> system-view
      [HUAWEI] sysname coreswitch
      [coreswitch] authentication unified-mode

    2. Configure interfaces and VLANs, and enable the DHCP server function.

      [coreswitch] vlan batch 11 to 14
      [coreswitch] interface vlanif 11    //Configure the interface as the source interface for communication with the Agile Controller-Campus.
      [coreswitch-Vlanif11] ip address 192.168.11.254 255.255.255.0
      [coreswitch-Vlanif11] quit
      [coreswitch] dhcp enable    //Enable DHCP.
      [coreswitch] interface vlanif 12    //Configure the management VLAN for APs.
      [coreswitch-Vlanif12] ip address 192.168.12.254 255.255.255.0
      [coreswitch-Vlanif12] dhcp select interface     //Enable the DHCP server function to allow the switch to allocate IP addresses to APs.
      [coreswitch-Vlanif12] quit
      [coreswitch] interface vlanif 13    //Configure the wireless access service VLAN.
      [coreswitch-Vlanif13] ip address 192.168.13.254 255.255.255.0
      [coreswitch-Vlanif13] dhcp select interface    //Enable the DHCP server function to allow the switch to allocate IP addresses to mobile terminals.
      [coreswitch-Vlanif13] dhcp server dns-list 192.168.11.200
      [coreswitch-Vlanif13] quit
      [coreswitch] interface vlanif 14    //Configure the wired access service VLAN.
      [coreswitch-Vlanif14] ip address 192.168.14.254 255.255.255.0
      [coreswitch-Vlanif14] dhcp select interface    //Enable the DHCP server function to allow the switch to allocate IP addresses to fixed PCs.
      [coreswitch-Vlanif14] dhcp server dns-list 192.168.11.200
      [coreswitch-Vlanif14] quit
      [coreswitch] interface gigabitEthernet 1/0/11
      [coreswitch-GigabitEthernet1/0/11] port link-type trunk
      [coreswitch-GigabitEthernet1/0/11] port trunk allow-pass vlan 11
      [coreswitch-GigabitEthernet1/0/11] quit
      [coreswitch] interface gigabitEthernet 1/0/12
      [coreswitch-GigabitEthernet1/0/12] port link-type trunk
      [coreswitch-GigabitEthernet1/0/12] port trunk allow-pass vlan 12 14
      [coreswitch-GigabitEthernet1/0/12] quit

    3. Configure parameters for interoperation with the RADIUS server.

      [coreswitch] radius-server template policy    //Create the RADIUS server template policy.
      [coreswitch-radius-policy] radius-server authentication 192.168.11.1 1812    //Configure an IP address for the RADIUS authentication server and set the authentication port number to 1812.
      [coreswitch-radius-policy] radius-server accounting 192.168.11.1 1813        //Configure an IP address for the accounting server and set the accounting port number to 1813.
      [coreswitch-radius-policy] radius-server shared-key cipher Admin@123                   //Configure a RADIUS shared key.
      [coreswitch-radius-policy] quit
      [coreswitch] radius-server authorization 192.168.11.1 shared-key cipher Admin@123    //Configure the IP address and shared key for the RADIUS authorization server.
      [coreswitch] aaa
      [coreswitch-aaa] authentication-scheme auth    //Create the authentication scheme auth.
      [coreswitch-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
      [coreswitch-aaa-authen-auth] quit
      [coreswitch-aaa] accounting-scheme acco    //Create the accounting scheme acco.
      [coreswitch-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
      [coreswitch-aaa-accounting-acco] accounting realtime 15    //Set the accounting interval to 15 minutes.
      [coreswitch-aaa-accounting-acco] quit
      [coreswitch-aaa] domain default    //Enter the domain default and bind the RADIUS server template, authentication scheme, and accounting scheme to the domain.
      [coreswitch-aaa-domain-default] radius-server policy
      [coreswitch-aaa-domain-default] authentication-scheme auth
      [coreswitch-aaa-domain-default] accounting-scheme acco
      [coreswitch-aaa-domain-default] quit
      [coreswitch-aaa] quit

    4. Configure parameters for interoperation with the Portal server.

      [coreswitch] url-template name huawei    //Create a URL template.
      [coreswitch-url-template-huawei] url http://192.168.11.1:8080/portal    //Specify the URL of the Portal authentication page pushed to users.
      [coreswitch-url-template-huawei] quit
      [coreswitch] web-auth-server policy    //Create the Portal server template policy.
      [coreswitch-web-auth-server-policy] server-ip 192.168.11.1    //Specify the IP address of the Portal server.
      [coreswitch-web-auth-server-policy] port 50200    //Specify the port number of the Portal server. When the Agile Controller-Campus functions as the Portal server, the port number is fixed to 50200.
      [coreswitch-web-auth-server-policy] shared-key cipher Admin@123    //Configure a Portal shared key.
      [coreswitch-web-auth-server-policy] url-template huawei    //Bind the URL template.
      [coreswitch-web-auth-server-policy] quit

    5. Configure NAC.

      1. Configure the 802.1X access profile d1.

        By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

        [coreswitch] dot1x-access-profile name d1
        [coreswitch-dot1x-access-profile-d1] quit
      2. Configure the Portal access profile web1.

        [coreswitch] portal-access-profile name web1
        [coreswitch-portal-acces-profile-web1] web-auth-server policy direct   //Configure Layer 2 Portal authentication.
        [coreswitch-portal-acces-profile-web1] quit
      3. Configure the authentication-free rule profile default_free_rule.

        [coreswitch] free-rule-template name default_free_rule
        [coreswitch-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.200 mask 24 source ip any    //Ensure that terminals can access the DNS server before being authenticated.
        [coreswitch-free-rule-default_free_rule] free-rule 2 source vlan 12    //Ensure that APs can go online.
        [coreswitch-free-rule-default_free_rule] quit
      4. Configure the authentication profile p1 for 802.1X + Portal combined authentication.

        [coreswitch] authentication-profile name p1
        [coreswitch-authen-profile-p1] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
        [coreswitch-authen-profile-p1] portal-access-profile web1    //Bind the Portal access profile web1.
        [coreswitch-authen-profile-p1] access-domain default force    //Configure the domain default as the forcible authentication domain for users who go online through this interface.
        [coreswitch-authen-profile-p1] quit
      5. Configure the authentication profile p_dot1x for 802.1X authentication.

        [coreswitch] authentication-profile name p_dot1x
        [coreswitch-authen-profile-p_dot1x] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
        [coreswitch-authen-profile-p_dot1x] free-rule-template default_free_rule    //Bind the authentication-free rule profile default_free_rule.
        [coreswitch-authen-profile-p_dot1x] access-domain default force    //Configure the domain default as the forcible authentication domain for users who go online through this interface.
        [coreswitch-authen-profile-p_dot1x] quit
      6. Configure the authentication profile p_portal for Portal authentication.

        [coreswitch] authentication-profile name p_portal
        [coreswitch-authen-profile-p_portal] portal-access-profile web1    //Bind the Portal access profile web1.
        [coreswitch-authen-profile-p_portal] free-rule-template default_free_rule    //Bind the authentication-free rule profile default_free_rule.
        [coreswitch-authen-profile-p_portal] access-domain default force    //Configure the domain default as the forcible authentication domain for users who go online through this interface.
        [coreswitch-authen-profile-p_portal] quit

    6. Configure GE1/0/12 as the access authentication point for fixed PCs and enable 802.1X + Portal combined authentication.

      [coreswitch] interface gigabitEthernet 1/0/12
      [coreswitch-GigabitEthernet1/0/12] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X + Portal combined authentication.
      [coreswitch-GigabitEthernet1/0/12] quit

    7. Configure the AP to go online.

      1. Configure the AC's source interface.

        [coreswitch] capwap source interface vlanif 12
      2. Create the AP group ap-group1.

        [coreswitch] wlan
        [coreswitch-wlan-view] ap-group name ap-group1
        [coreswitch-wlan-ap-group-ap-group1] quit
      3. Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

        [coreswitch-wlan-view] regulatory-domain-profile name domain1
        [coreswitch-wlan-regulate-domain-domain1] country-code cn
        [coreswitch-wlan-regulate-domain-domain1] quit
        [coreswitch-wlan-view] ap-group name ap-group1
        [coreswitch-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
        Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
        [coreswitch-wlan-ap-group-ap-group1] quit
        [coreswitch-wlan-view] quit
      4. Import an AP offline on the AC. In this example, the AP's MAC address is 60de-4476-e360 and name is area_1.

        [coreswitch] wlan
        [coreswitch-wlan-view] ap auth-mode mac-auth
        [coreswitch-wlan-view] ap-id 0 ap-mac 60de-4476-e360
        [coreswitch-wlan-ap-0] ap-name area_1
        [coreswitch-wlan-ap-0] ap-group ap-group1
        Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
        [coreswitch-wlan-ap-0] quit
      5. After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

        [coreswitch-wlan-view] display ap all
        Total AP information:
        nor  : normal          [1]
        Extrainfo : Extra information
        P  : insufficient power supply
        --------------------------------------------------------------------------------------------------
        ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
        --------------------------------------------------------------------------------------------------
        0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
        --------------------------------------------------------------------------------------------------
        Total: 1

    8. Configure WLAN service parameters.

      1. Create security profiles wlan-security1 and wlan-security2, and configure security policies. By default, the security policy is open system authentication in open mode.

        [coreswitch-wlan-view] security-profile name wlan-security1
        [coreswitch-wlan-sec-prof-wlan-security1] quit
        [coreswitch-wlan-view] security-profile name wlan-security2
        [coreswitch-wlan-sec-prof-wlan-security2] security wpa2 dot1x aes
        [coreswitch-wlan-sec-prof-wlan-security2] quit
      2. Create SSID profiles dot1x_test and portal_test, and set the SSID names to dot1x_test and portal_test, respectively.

        [coreswitch-wlan-view] ssid-profile name dot1x_test
        [coreswitch-wlan-ssid-prof-dot1x_test] ssid dot1x_test
        Warning: This action may cause service interruption. Continue?[Y/N]y
        [coreswitch-wlan-ssid-prof-dot1x_test] quit
        [coreswitch-wlan-view] ssid-profile name portal_test
        [coreswitch-wlan-ssid-prof-portal_test] ssid portal_test
        Warning: This action may cause service interruption. Continue?[Y/N]y
        [coreswitch-wlan-ssid-prof-portal_test] quit
      3. Create VAP profiles dot1x_test and portal_test, configure the data forwarding mode and service VLANs, and apply the security profiles and SSID profiles to the VAP profiles.

        [coreswitch-wlan-view] vap-profile name dot1x_test
        [coreswitch-wlan-vap-prof-dot1x_test] forward-mode tunnel
        [coreswitch-wlan-vap-prof-dot1x_test] service-vlan vlan-id 13
        [coreswitch-wlan-vap-prof-dot1x_test] security-profile wlan-security2    //Bind the security policy profile wlan-security2.
        [coreswitch-wlan-vap-prof-dot1x_test] ssid-profile dot1x_test
        [coreswitch-wlan-vap-prof-dot1x_test] authentication-profile p_dot1x   //Bind the authentication profile p_dot1x.
        [coreswitch-wlan-vap-prof-dot1x_test] quit
        [coreswitch-wlan-view] vap-profile name portal_test
        [coreswitch-wlan-vap-prof-portal_test] forward-mode tunnel
        [coreswitch-wlan-vap-prof-portal_test] service-vlan vlan-id 13
        [coreswitch-wlan-vap-prof-portal_test] security-profile wlan-security1   //Bind the security policy profile wlan-security1.
        [coreswitch-wlan-vap-prof-portal_test] ssid-profile portal_test
        [coreswitch-wlan-vap-prof-portal_test] authentication-profile p_portal   //Bind the authentication profile p_portal.
        [coreswitch-wlan-vap-prof-portal_test] quit
      4. Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and radio 1 of the APs.

        [coreswitch-wlan-view] ap-group name ap-group1
        [coreswitch-wlan-ap-group-ap-group1] vap-profile dot1x_test wlan 1 radio all
        [coreswitch-wlan-ap-group-ap-group1] vap-profile portal_test wlan 2 radio all
        [coreswitch-wlan-ap-group-ap-group1] quit

    9. Commit the configuration.

      [coreswitch-wlan-view] commit all   //From V200R011C10, WLAN configurations are automatically delivered, without the need of running the commit all command.
      Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
      [coreswitch-wlan-view] quit

    10. Configure XMPP parameters for interoperation with the Agile Controller-Campus and enable free mobility.

      [coreswitch] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254    //The value of src-ip is the IP address of VLANIF 11.

  3. Configure the Agile Controller-Campus.
    1. Add the core switch.

      1. Choose Resource > Device > Device Management and click Add.

      2. Click XMPP.

      3. Click OK. The switch's Status is and Synchronization Status is Success.
      4. On the core switch, check the switch's communication status with the Agile Controller-Campus.
        <coreswitch> display group-policy status
        Controller IP address: 192.168.11.1
        Controller port: 5222
        Backup controller IP address: -
        Backup controller port: -
        Source IP address: 192.168.11.254
        State: working
        Connected controller: master
        Device protocol version: 1
        Controller protocol version: 1  

    2. Create the staff and guest accounts.

      1. Choose Resource > User Management.
      2. Click Add to create the staff account.

      3. Click Add to create the guest account.

    3. Configure the dynamic security groups Employee_Group and Guest_Group, and the static security groups Email_Server and Video_Server for the mail server and video server.

      1. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management.
      2. Click Add and create Employee_Group.

      3. Click Add and create Guest_Group.

      4. Choose Static Security Group Management, click Add and create Email_Server.

      5. Click Add and create Video_Server.

      6. Click Global Deployment to deploy the security groups on the entire network.

    4. Authorize the employee group to employees and guest group to guests. After passing authentication, employees are added to the employee group and guests are added to the guest group.

      1. Choose Policy > Permission Control > Quick Authorization.
      2. Map the staff account to Employee_Group, set the bandwidth, and click OK.

      3. Map the guest account to Guest_Group, set the bandwidth, and click OK.

    5. Configure an access control policy to allow the employee group to access the mail and video servers and allow the guest group to access only the video server.

      The default policy configuration mode is customized group. If there is no customized group, add a customized group on the device management page first (choose Resource > Device > Device Manager > Free Mobility). You can also change the policy configuration mode to all devices (choose System > Terminal Configuration > Global Parameters > Business accompanying configuration mode).

      1. Choose Policy > Free Mobility > Permission Control.
      2. Click Add.

      3. Click OK and Global Deployment.

        After the access control policy is successfully deployed, you can run the following commands on the core switch to view deployment information.

        • display ucl-group all: displays security groups.
        • display acl all: displays the access control policy.

  4. Save the configuration of Core_SW.

    Choose Resource > Device > Device Management. Click corresponding to Core_SW to save the configuration.

    Saving the configuration is similar to running the save command on the device, which saves all the device configurations (including security groups, access right control policies, and QoS policies deployed on the controller) to the configuration file.

    If security groups, access right control policies, and QoS policies are saved to the device's configuration file, these configurations can be directly restored from the configuration file after the device restarts, and do not need to be requested from the controller. Otherwise, user authentication fails after the device restarts because security groups, access right control policies, and QoS policies are not deployed on the device.

  5. Verify the configuration.

    After passing 802.1X or Portal authentication anywhere, the employees can access the mail and video servers, and the videos can be smoothly played.

    After passing 802.1X or Portal authentication anywhere, the guests cannot access the mail server but can only access the video server, and the videos may freeze.

Configuration Files

  • Core switch configuration file

    #
    sysname coreswitch
    #
    vlan batch 11 to 14
    #
    authentication-profile name p1
     dot1x-access-profile d1
     portal-access-profile web1
     access-domain default force
    authentication-profile name p_dot1x
     dot1x-access-profile d1
     free-rule-template default_free_rule
     access-domain default force
    authentication-profile name p_portal
     portal-access-profile web1
     free-rule-template default_free_rule
     access-domain default force
    #
    group-policy controller 192.168.11.1 password %^%#(K2]5P#C6'97.pR(gFv$K$KbGYN}R1Y76~K^;AP&%^%# src-ip 192.168.11.254
    #
    dhcp enable
    #
    radius-server template policy
     radius-server shared-key cipher %^%#teXm2B&.1O0:cj$OWPq7@!Y\!%}dC3Br>p,}l\L.%^%#
     radius-server authentication 192.168.11.1 1812 weight 80
     radius-server accounting 192.168.11.1 1813 weight 80
    #
    radius-server authorization 192.168.11.1 shared-key cipher %^%#FKIlCKv=f(AgM-G~W"}G.C\%;b'3A/zz-EJV;vi*%^%#
    #
    free-rule-template name default_free_rule
     free-rule 1 destination ip 192.168.11.200 mask 255.255.255.0 source ip any
     free-rule 2 source vlan 12
    #
    url-template name huawei
     url http://192.168.11.1:8080/portal
    #
    web-auth-server policy
     server-ip 192.168.11.1
     port 50200
     shared-key cipher %^%#SQn,Cr"c;M&{#(R^:;P3F_H$3f3sr$C9%*G7R|u3%^%#
     url-template huawei
    #
    portal-access-profile name web1
     web-auth-server policy direct
    #
    aaa
     authentication-scheme auth
      authentication-mode radius
     accounting-scheme acco
      accounting-mode radius
      accounting realtime 15
     domain default
      authentication-scheme auth
      accounting-scheme acco
      radius-server policy
    #
    interface Vlanif11
     ip address 192.168.11.254 255.255.255.0
    #
    interface Vlanif12
     ip address 192.168.12.254 255.255.255.0
     dhcp select interface
    #
    interface Vlanif13
     ip address 192.168.13.254 255.255.255.0
     dhcp select interface
     dhcp server dns-list 192.168.11.200
    #
    interface Vlanif14
     ip address 192.168.14.254 255.255.255.0
     dhcp select interface
     dhcp server dns-list 192.168.11.200
    #
    interface GigabitEthernet1/0/11
     port link-type trunk
     port trunk allow-pass vlan 11
    #
    interface GigabitEthernet1/0/12
     port link-type trunk
     port trunk allow-pass vlan 12 14
     authentication-profile p1
    #
    capwap source interface vlanif12
    #
    wlan
     security-profile name wlan-security1
     security-profile name wlan-security2
      security wpa2 dot1x aes
     ssid-profile name dot1x_test
      ssid dot1x_test
     ssid-profile name portal_test
      ssid portal_test
     vap-profile name dot1x_test
      forward-mode tunnel
      service-vlan vlan-id 13
      ssid-profile dot1x_test
      security-profile wlan-security2
      authentication-profile p_dot1x
     vap-profile name portal_test
      forward-mode tunnel
      service-vlan vlan-id 13
      ssid-profile portal_test
      security-profile wlan-security1
      authentication-profile p_portal
     regulatory-domain-profile name domain1
     ap-group name ap-group1
      regulatory-domain-profile domain1
      radio 0                                                                       
       vap-profile dot1x_test wlan 1                                                
       vap-profile portal_test wlan 2                                               
      radio 1                                                                       
       vap-profile dot1x_test wlan 1                                                
       vap-profile portal_test wlan 2                                               
      radio 2                                                                       
       vap-profile dot1x_test wlan 1                                                
       vap-profile portal_test wlan 2
     ap-id 0 ap-mac 60de-4476-e360
      ap-name area_1
      ap-group ap-group1
     wlan work-group default
    #
    dot1x-access-profile name d1
    #
    return
  • Configuration file of the access switch

    #
    sysname l2switch
    #
    vlan batch 12 14
    #
    l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 12 14
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    interface GigabitEthernet0/0/3
     port link-type access
     port default vlan 14
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    interface GigabitEthernet0/0/5
     port link-type access
     port default vlan 12
     l2protocol-tunnel user-defined-protocol 802.1x enable
    #
    return
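The configuration files above can be audited offline for the cross-references the data plan depends on: every profile bound on an interface, VAP or authentication profile must be defined, the RADIUS ports must be 1812/1813 and the Portal port 50200 (fixed on the Agile Controller-Campus), and the group-policy src-ip must be a VLANIF address of the switch. The following Python audit is an added example, not part of this page or of Huawei's tooling; it runs on an abridged copy of the core switch configuration above with cipher blobs replaced by a <cipher> placeholder.

```python
from typing import List, Tuple
# Abridged copy of this page's core switch configuration file, embedded as
# constructed sample input; cipher blobs are replaced by the placeholder <cipher>.
CORE_SWITCH_CONFIG = """\
authentication-profile name p1
 dot1x-access-profile d1
 portal-access-profile web1
authentication-profile name p_dot1x
 dot1x-access-profile d1
 free-rule-template default_free_rule
authentication-profile name p_portal
 portal-access-profile web1
 free-rule-template default_free_rule
#
group-policy controller 192.168.11.1 password <cipher> src-ip 192.168.11.254
#
radius-server template policy
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.200 mask 255.255.255.0 source ip any
#
web-auth-server policy
 server-ip 192.168.11.1
 port 50200
#
portal-access-profile name web1
 web-auth-server policy direct
#
interface Vlanif11
 ip address 192.168.11.254 255.255.255.0
#
interface GigabitEthernet1/0/12
 authentication-profile p1
#
wlan
 vap-profile name dot1x_test
  authentication-profile p_dot1x
 vap-profile name portal_test
  authentication-profile p_portal
#
dot1x-access-profile name d1
#
return
"""

# Port numbers the page states are fixed on the Agile Controller-Campus.
FIXED_PORTS = {"authentication": "1812", "accounting": "1813", "portal": "50200"}
# Profile kinds that one section binds and another section must define.
REF_KINDS = ("dot1x-access-profile", "portal-access-profile",
             "free-rule-template", "authentication-profile")


def parse_vrp(text: str) -> List[Tuple[str, List[str]]]:
    """Split a VRP config into (header, children): an unindented line opens a
    section and the indented lines after it are its children; '#'/'return' skipped."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("#", "return"):
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit_core_switch(text: str) -> List[str]:
    """Check the profile bindings, fixed port numbers and XMPP source address
    this page's data plan depends on; an empty list means every check passed."""
    defined = {k: set() for k in REF_KINDS}
    refs, addrs, src_ip, findings = [], set(), None, []
    for header, kids in parse_vrp(text):
        h = header.split()
        if h[0] in defined and h[1:2] == ["name"]:
            defined[h[0]].add(h[2])  # this section defines a profile
        if h[0] == "group-policy" and "src-ip" in h:
            src_ip = h[h.index("src-ip") + 1]  # must be a local VLANIF address
        where = header
        for k in kids:
            kt = k.split()
            if kt[:2] == ["vap-profile", "name"]:
                where = "vap-profile " + kt[2]  # later wlan lines belong to this VAP
            elif kt[0] in REF_KINDS:
                refs.append((where, kt[0], kt[1]))  # binding resolved below
            elif kt[:2] == ["ip", "address"]:
                addrs.add(kt[2])
            elif kt[0] == "radius-server" and kt[1] in FIXED_PORTS and len(kt) > 3:
                if kt[3] != FIXED_PORTS[kt[1]]:
                    findings.append(f"{header}: {kt[1]} port {kt[3]} should be {FIXED_PORTS[kt[1]]}")
            elif h[0] == "web-auth-server" and kt[0] == "port" and kt[1] != FIXED_PORTS["portal"]:
                findings.append(f"{header}: Portal port {kt[1]} should be {FIXED_PORTS['portal']}")
    for where, kind, name in refs:
        if name not in defined[kind]:
            findings.append(f"{where}: references undefined {kind} {name}")
    if src_ip not in addrs:
        findings.append(f"group-policy src-ip {src_ip or '(not configured)'} is not a VLANIF address on this switch")
    return findings
```

Running audit_core_switch on the saved configuration file of a real device (for example after `display current-configuration`) gives the same kind of findings; only the constructed sample is embedded here.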

Card or Switch Where the Authentication Control Point Can Be Deployed

Switch version: V200R009C00, V200R010C00, V200R011C00, and V200R011C10
  • S5720-HI
  • S7700 and S9700 that use X series cards
  Only the S5720-HI supports V200R011C00.

Switch version: V200R012C00 and later versions
  • S5720-HI, S5730-HI, and S6720-HI
  • S7700 and S9700 that use X series cards
Copyright © Huawei Technologies Co., Ltd.