Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)

WLAN Service Overview

You can configure WLAN services to allow wireless users to easily access a wireless network and move around within its coverage area.

Configuration Notes

In this example, Portal authentication is used. To ensure network security, configure an appropriate security policy according to service requirements.
In direct forwarding mode, configure port isolation on the interface directly connected to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
Configure the management VLAN and service VLAN:
- In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel and forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Service packets and management packets can be forwarded normally only if the network between the AC and APs is added to the management VLAN and the network between the AC and upper-layer network is added to the service VLAN.
- In direct forwarding mode, service packets are not encapsulated into a CAPWAP tunnel, but are directly forwarded to the upper-layer network or APs. Service packets and management packets can be forwarded normally only if the network between the AC and APs is added to the management VLAN and the network between APs and upper-layer network is added to the service VLAN.
How to configure the source interface:
- In V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view.
- In V200R007 and V200R008, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.
No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.

The following table lists applicable products and versions.

**Table 1** Applicable products and versions
Software Version	Product Model	AP Model and Version
V200R005C00	S7700, S9700	V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00	S5720-HI, S7700, S9700	V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00	S5720-HI, S7700, S9700	V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN V200R005C20: AP7030DE, AP9330DN
V200R008C00	S5720-HI, S7700, S9700	V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN V200R005C20: AP7030DE, AP9330DN V200R005C30: AP2030DN, AP4030DN, AP4130DN

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended.

For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

Networking Requirements

A city needs to deploy the wireless smart city project and requires that Portal authentication be used for wireless users. Due to the large number of wireless users, high wireless service performance and Portal authentication performance are required.

As shown in Figure 1, the S9700 core switch functions as the gateway for STAs and APs and as a DHCP server to assign IP addresses to STAs and APs. The S9700 connects to APs through PoE access switches S5700-1 and S5700-2. The AC and APs are located on a Layer 3 network. The AC is the X series card on the S9700 and connected to the S9700 through Eth-Trunk in bypass mode.

To facilitate network planning and management, the access switches are only used to transparently transmit data at Layer 2.

Figure 1 Networking diagram for configuring WLAN services for a wireless city project

Data Planning

**Table 2** Network data planning
Item	Interface	VLAN	Description
AC	Eth-Trunk1	100	Configured to improve network bandwidth and reliability Add GE2/0/1 and GE2/0/2 to Eth-Trunk 1 and connect the two interfaces to the S9700.
S5700-1	GE0/0/1	10, 101	Connected to the AC
	GE0/0/2	10, 101	Connected to AP101
	GE0/0/3	10, 101	Connected to AP102
S5700-2	GE0/0/1	20, 102	Connected to the AC
	GE0/0/2	20, 102	Connected to AP201
	GE0/0/3	20, 102	Connected to AP202
S9700	GE1/0/1	10, 101	Connected to the S5700-1
	GE1/0/2	20, 102	Connected to the S5700-2
	GE1/0/3	300	Connected to the Controller
	GE1/0/4	101, 102	Connected to the upper-layer network
	Eth-Trunk1	100	Configured to improve network bandwidth and reliability Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1 and connect the two interfaces to the AC.

**Table 3** Service data planning
Item	Data	Description
IP address of the AC's source interface	10.23.100.1/24	-
Country code	CN	-
WMM profile	Name: wmm	-
Radio profile	Name: radio	-
Security profile	Name: security Security and authentication policy: OPEN	-
Traffic profile	Name: traffic	-
Service set	Name: area_1 SSID: city-wlan WLAN virtual interface: WLAN-ESS1 Service data forwarding mode: direct forwarding	Provides WLAN network coverage for Area1.
Service set	Name: area_2 SSID: city-wlan WLAN virtual interface: WLAN-ESS2 Service data forwarding mode: direct forwarding	Provides WLAN network coverage for Area2.
DHCP server	The S9700 functions as the DHCP server to assign IP addresses to APs and STAs.	-
AP gateway and IP address pool range	VLANIF 10: 10.23.10.1/24 10.23.10.2-10.23.10.254/24	Gateway and IP address pool for AP101 and AP102
AP gateway and IP address pool range	VLANIF 20: 10.23.20.1/24 10.23.20.2-10.23.20.254/24	Gateway and IP address pool for AP201 and AP202
STA gateway and IP address pool range	VLANIF 101: 10.23.101.1/24 10.23.101.2-10.23.101.254/24	-
STA gateway and IP address pool range	VLANIF 102: 10.23.102.1/24 10.23.102.2-10.23.102.254/24	-
Server parameters	Authentication server: Active IP address: 10.23.30.1 Active IP address: 10.23.30.2 Standby IP address: 10.23.30.3 Port number: 1812 RADIUS shared key: Admin@123	Three Service Controllers (SCs) are deployed on the network. Controller1 and Controller2 are used for load balancing, and Controller3 serves as a backup. The Service Controller (SC) provides RADIUS server and Portal server functions; therefore, the IP address of the SC is used for the authentication server, accounting server, authorization server, and Portal server. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server.
	Accounting server: Active IP address: 10.23.30.1 Active IP address: 10.23.30.2 Standby IP address: 10.23.30.3 Port number: 1813 RADIUS shared key: Admin@123
	Authorization server: Active IP address: 10.23.30.1 Active IP address: 10.23.30.2 Standby IP address: 10.23.30.3 RADIUS shared key: Admin@123
	Portal server: Active IP address: 10.23.30.1 Active IP address: 10.23.30.2 Standby IP address: 10.23.30.3 Port number that the AC uses to listen on Portal protocol packets: 2000 Destination port number in the packets that the AC sends to the Portal server: 50100 Portal shared key: Admin@123 Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123

**Table 4** Radio channel data planning
Item	Data	Description
AP101	Radio 0: channel 1 and power level 10 Radio 1: channel 153 and power level 10	Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.
AP102	Radio 0: channel 6 and power level 10 Radio 1: channel 161 and power level 10
AP201	Radio 0: channel 1 and power level 10 Radio 1: channel 153 and power level 10
AP202	Radio 0: channel 6 and power level 10 Radio 1: channel 161 and power level 10

Configuration Roadmap

The configuration roadmap is as follows:

Configure all network devices to enable the APs, S5700-1, S5700-2, S9700, and AC to communicate with upper-layer devices.
Configure the AC as a DHCP server to assign IP addresses to the STAs and APs.
Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.
Configure basic WLAN services, including AC system parameters, AP management, and WLAN service parameters.
Configure VAPs and deliver VAP parameters to APs.
Verify the configuration to ensure that both wired and wireless users can access the Internet.

Procedure

Configure network devices to communicate with each other.

# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management VLAN) and VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected to APs. You are advised to configure port isolation on these interfaces to reduce unnecessary broadcast traffic.

[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10  //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable  //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit

# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-2 to VLAN 20 (management VLAN) and VLAN 102 (service VLAN). Set PVIDs for interfaces directly connected to APs. You are advised to configure port isolation on these interfaces to reduce unnecessary broadcast traffic.

[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20  //Set a PVID for the interface directly connected to the AP.
[S5700-2-GigabitEthernet0/0/2] port-isolate enable  //Configure port isolation to reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit

# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN 101, GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3 connected to the Controller to VLAN 300, GE1/0/4 connected to the upper-layer network to VLAN 101 and VLAN 102, and GE1/0/5 and GE1/0/6 connected to the AC to Eth-Trunk 1. Add Eth-Trunk 1 to VLAN 100.

[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
[S9700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6  //Add GE1/0/5 and GE1/0/6 to Eth-Trunk1.
[S9700-Eth-Trunk1] quit

# On the S9700, configure VLANIF 100 for communication with the AC and VLANIF 300 for communication with the Controller.

[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24  //Configure an IP address for communication between the S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24  //Configure an IP address for communication between the S9700 and Controller.
[S9700-Vlanif300] quit

# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1 and add Eth-Trunk 1 to VLAN 100.

[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2  //Add GE2/0/1 and GE2/0/2 to Eth-Trunk1.
[AC-Eth-Trunk1] quit

# Configure VLANIF 100 on the AC for communication with the S9700.

[AC] interface vlanif100
[AC-Vlanif100] ip address 10.23.100.1 24  //Configure an IP address for communication between the S9700 and AC.
[AC-Vlanif100] quit

Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.

# Configure the S9700 to assign IP addresses to the STAs and APs from the global address pool.

[S9700] dhcp enable
[S9700] interface vlanif 10  //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 2 ip-address 10.23.100.1  //Since a Layer 3 network is deployed between the AC and APs, configure Option43 to advertise the AC's IP address to APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20  //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 2 ip-address 10.23.100.1  //Since a Layer 3 network is deployed between the AC and APs, configure Option43 to advertise the AC¡¯s IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
[S9700] interface vlanif 101  //Configure a global IP address pool to assign IP addresses to STAs connected to AP101 and AP102.
[S9700-Vlanif101] description manage_area1_sta
[S9700-Vlanif101] ip address 10.23.101.1 24
[S9700-Vlanif101] dhcp select global
[S9700-Vlanif101] quit
[S9700] ip pool manage_area1_sta
[S9700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S9700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S9700-ip-pool-manage_area1_sta] quit
[S9700] interface vlanif 102  //Configure a global IP address pool to assign IP addresses to STAs connected to AP201 and AP202.
[S9700-Vlanif102] description manage_area2_sta
[S9700-Vlanif102] ip address 10.23.102.1 24
[S9700-Vlanif102] dhcp select global
[S9700-Vlanif102] quit
[S9700] ip pool manage_area2_sta
[S9700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1
[S9700-ip-pool-manage_area2_sta] network 10.23.102.0 mask 255.255.255.0
[S9700-ip-pool-manage_area2_sta] quit

# Configure a default route to the S9700 on the AC.

[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.100.10

Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting, and authorization in the template.

[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS authentication server 1 and authentication port 1812. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS authentication server 2 and authentication port 1812. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20 //Configure the standby RADIUS authentication server, with the weight value lower than the active authentication server. Set the authentication port number to 1812. The AC uses the IP address 10.23.100.1 to communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS accounting server 1 to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80 //Configure the active RADIUS accounting server 2 to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the active RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20 //Configure the standby RADIUS accounting server, with the weight value lower than the active accounting server. Set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS automatic detection interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius 1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login and logout information, and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] accounting realtime 15 //Enable real-time accounting and set the accounting interval to 15 minutes. By default, real-time accounting is disabled.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure a Portal server template for each of the three Controllers.

[AC] web-auth-server portal1  //Create the Portal server template portal1 for Controller1.
[AC-web-auth-server-portal1] server-ip 10.23.30.1  //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100  //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123  //Configure the shared key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.30.1:8080/portal  //Configure the URL to the Portal server.
[AC-web-auth-server-portal1] server-detect interval 30 action log  //Set the RADIUS automatic detection interval to 30s. The default value is 60s.
[AC-web-auth-server-portal1] quit
[AC] web-auth-server portal2  //Create the Portal server template portal2 for Controller2.
[AC-web-auth-server-portal2] server-ip 10.23.30.2
[AC-web-auth-server-portal2] port 50100 
[AC-web-auth-server-portal2] shared-key cipher Admin@123 
[AC-web-auth-server-portal2] url http://10.23.30.2:8080/portal 
[AC-web-auth-server-portal2] server-detect interval 30 action log
[AC-web-auth-server-portal2] quit
[AC] web-auth-server portal3  //Create the Portal server template portal3 for Controller3.
[AC-web-auth-server-portal3] server-ip 10.23.30.3 
[AC-web-auth-server-portal3] port 50100
[AC-web-auth-server-portal3] shared-key cipher Admin@123
[AC-web-auth-server-portal3] url http://10.23.30.3:8080/portal
[AC-web-auth-server-portal3] server-detect interval 30 action log
[AC-web-auth-server-portal3] quit

# Bind the Portal server templates to service VLANIF interfaces to enable Portal authentication.

[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] domain name portal1 force  //Configure the forcible user domain portal1.
[AC-Vlanif101] domain name portal1  //Configure the default user domain portal1.
[AC-Vlanif101] authentication portal  //Configure Portal authentication.
[AC-Vlanif101] web-auth-server portal1 portal3 layer3  //Bind the Portal server templates portal1 and portal3.
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] domain name portal1 force 
[AC-Vlanif102] domain name portal1
[AC-Vlanif102] authentication portal
[AC-Vlanif102] web-auth-server portal2 portal3 layer3
[AC-Vlanif102] quit

Configure AC system parameters.

# Configure the AC's country code.

[AC] wlan ac-global country-code cn  //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
Warning: Modifying the country code will clear channel configurations of the AP radio using the country code and reset the AP. If th
e new country code does not support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.

[AC] wlan ac-global ac id 1 carrier id other  //The default AC ID is 0. Set the AC ID to 1.

# Configure the AC's source interface.

[AC] capwap source interface vlanif 100
[AC] wlan

Manage the APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.

[AC-wlan-view] display ap-type all
  All AP types information:
  ------------------------------------------------------------------------------
  ID     Type
  ------------------------------------------------------------------------------
  17     AP6010SN-GN
  19     AP6010DN-AGN
  21     AP6310SN-GN
  23     AP6510DN-AGN
  25     AP6610DN-AGN
  27     AP7110SN-GN
  28     AP7110DN-AGN
  29     AP5010SN-GN
  30     AP5010DN-AGN
  31     AP3010DN-AGN
  33     AP6510DN-AGN-US
  34     AP6610DN-AGN-US
  35     AP5030DN
  36     AP5130DN
  37     AP7030DE
  38     AP2010DN
  39     AP8130DN
  40     AP8030DN
  42     AP9330DN
  43     AP4030DN
  44     AP4130DN
  45     AP3030DN
  46     AP2030DN
  ------------------------------------------------------------------------------
  Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the APs offline according to the obtained AP type IDs.

[AC-wlan-view] ap id 101 type-id 19 mac 60de-4476-e320  //Add the AP6010DN-AGN offline with the MAC address 60de-4476-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 19 mac 60de-4476-e340  //Add the AP6010DN-AGN offline with the MAC address 60de-4476-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201 type-id 19 mac 60de-4476-e360  //Add the AP6010DN-AGN offline with the MAC address 60de-4476-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 19 mac 60de-4476-e380  //Add the AP6010DN-AGN offline with the MAC address 60de-4476-e380 and AP ID 202.
[AC-wlan-ap-202] quit

# Configure AP regions and add the APs to the AP regions.

[AC-wlan-view] ap-region id 1  //Create AP region1 and add APs in area1 to AP region 1.
[AC-wlan-ap-region-1] ap-region-name area1  //Name the AP region1 area1.
[AC-wlan-ap-region-1] quit
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] region-id 1  //Add AP 101 to AP region1.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] region-id 1
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-region id 2  //Create AP region2 and add APs in area2 to AP region 2.
[AC-wlan-ap-region-2] ap-region-name area2
[AC-wlan-ap-region-2] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] region-id 2
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] region-id 2
[AC-wlan-ap-202] quit

# Power on the APs and run the display ap all command to check the AP state. If the AP State field displays as normal, the APs have gone online.

[AC-wlan-view] display ap all
  All AP(s) information:
  Normal[4],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
  Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
  ------------------------------------------------------------------------------
  AP    AP               AP              Profile   AP              AP
                                         /Region
  ID    Type             MAC             ID        State           Sysname
  ------------------------------------------------------------------------------
  101   AP6010DN-AGN     60de-4476-e320    0/1     normal          ap-101
  102   AP6010DN-AGN     60de-4476-e340    0/1     normal          ap-102
  201   AP6010DN-AGN     60de-4476-e360    0/2     normal          ap-201
  202   AP6010DN-AGN     60de-4476-e380    0/2     normal          ap-202
  ------------------------------------------------------------------------------
  Total number: 4,printed: 4

Configure WLAN service parameters.

# Create the WMM profile wmm.

[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create the radio profile radio and bind the WMM profile wmm to the radio profile.

[AC-wlan-view] radio-profile name radio id 1 
[AC-wlan-radio-prof-radio] wmm-profile name wmm 
[AC-wlan-radio-prof-radio] power-mode fixed  //Set the power mode of the radio to fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed  //Set the channel mode of the radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1 and WLAN-ESS interface 2.

[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102  //Configure the wlan-ess interface to allow packets from wireless service VLANs to pass through, which is one of the prerequisites for intra-AC roaming.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess2] quit

# Create the security profile security.

[AC] wlan
[AC-wlan-view] security-profile name security id 1  //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-security] quit

# Create the traffic profile traffic.

[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create service sets area1 and area2, and bind the service VLANs, WLAN-ESS interfaces, security profile, and traffic profile to the service sets. Set the forwarding mode to direct forwarding.

[AC-wlan-view] service-set name area1 id 1  //Create the service set area1.
[AC-wlan-service-set-area1] ssid city-wlan  //Set the SSID to city-wlan.
[AC-wlan-service-set-area1] wlan-ess 1  //Bind the WLAN-ESS interface.
[AC-wlan-service-set-area1] security-profile name security  //Bind the security profile security.
[AC-wlan-service-set-area1] traffic-profile name traffic  //Bind the traffic profile traffic.
[AC-wlan-service-set-area1] service-vlan 101  //Bind the service VLAN 101.
[AC-wlan-service-set-area1] forward-mode direct-forward  //Set the forwarding mode to direct forwarding (default setting).
[AC-wlan-service-set-area1] user-isolate  //Configure Layer 2 isolation for users connected to the same VAP.
[AC-wlan-service-set-area1] quit
[AC-wlan-view] service-set name area2 id 2
[AC-wlan-service-set-area2] ssid city-wlan  //Set the SSID to city-wlan. All service sets must be configured with the same SSID, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] wlan-ess 2
[AC-wlan-service-set-area2] security-profile name security  //Bind the security profile security. All service sets must have the same security profile bound, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] traffic-profile name traffic
[AC-wlan-service-set-area2] service-vlan 102
[AC-wlan-service-set-area2] forward-mode direct-forward
[AC-wlan-service-set-area2] user-isolate
[AC-wlan-service-set-area2] quit

Configure VAPs and deliver VAP parameters to the APs.

# Configure VAPs.

[AC-wlan-view] ap 101 radio 0  //Configure radio0 of the AP6010DN-AGN.
[AC-wlan-radio-101/0] radio-profile name radio  //Bind the radio profile to the radio.
[AC-wlan-radio-101/0] service-set name area1  //Bind the service set to the radio. A VAP is generated after the binding.
[AC-wlan-radio-101/0] channel 20mhz 1  //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] power-level 10  //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-view] ap 101 radio 1  //Configure radio1 of the AP6010DN-AGN.
[AC-wlan-radio-101/1] radio-profile name radio 
[AC-wlan-radio-101/1] service-set name area1
[AC-wlan-radio-101/1] channel 20mhz 153
[AC-wlan-radio-101/1] power-level 10
[AC-wlan-radio-101/1] quit
[AC-wlan-view] ap 102 radio 0
[AC-wlan-radio-102/0] radio-profile name radio
[AC-wlan-radio-102/0] service-set name area1
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] power-level 10
[AC-wlan-radio-102/0] quit
[AC-wlan-view] ap 102 radio 1
[AC-wlan-radio-102/1] radio-profile name radio
[AC-wlan-radio-102/1] service-set name area1
[AC-wlan-radio-102/1] channel 20mhz 161
[AC-wlan-radio-102/1] power-level 10
[AC-wlan-radio-102/1] quit
[AC-wlan-view] ap 201 radio 0
[AC-wlan-radio-201/0] radio-profile name radio
[AC-wlan-radio-201/0] service-set name area2
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] power-level 10
[AC-wlan-radio-201/0] quit
[AC-wlan-view] ap 201 radio 1
[AC-wlan-radio-201/1] radio-profile name radio 
[AC-wlan-radio-201/1] service-set name area2
[AC-wlan-radio-201/1] channel 20mhz 153
[AC-wlan-radio-201/1] power-level 10
[AC-wlan-radio-201/1] quit
[AC-wlan-view] ap 202 radio 0
[AC-wlan-radio-202/0] radio-profile name radio
[AC-wlan-radio-202/0] service-set name area2
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] power-level 10
[AC-wlan-radio-202/0] quit
[AC-wlan-view] ap 202 radio 1 
[AC-wlan-radio-202/1] radio-profile name radio
[AC-wlan-radio-202/1] service-set name area2
[AC-wlan-radio-202/1] channel 20mhz 161
[AC-wlan-radio-202/1] power-level 10
[AC-wlan-radio-202/1] quit

# Deliver the configuration to the APs.

[AC-wlan-view] commit all  //After the WLAN service configuration is complete on the AC, the configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

Verify the configuration.

# After the configuration is complete, run the display vap all command. The command output shows that VAPs have been created.

[AC-wlan-view] display vap all
  All VAP Information(Total-8):
  SS: Service-set     BP: Bridge-profile     MP: Mesh-profile
  ----------------------------------------------------------------------
  AP ID  Radio ID  SS ID  BP ID  MP ID  WLAN ID  BSSID           Type
  ----------------------------------------------------------------------
  101    0         1      -      -      1        60de-4476-e320  service
  101    1         1      -      -      1        60de-4476-e330  service
  102    0         1      -      -      1        60de-4476-e340  service
  102    1         1      -      -      1        60de-4476-e350  service
  201    0         2      -      -      1        60de-4476-e360  service
  201    1         2      -      -      1        60de-4476-e370  service
  202    0         2      -      -      1        60de-4476-e380  service
  202    1         2      -      -      1        60de-4476-e390  service
  ----------------------------------------------------------------------
  Total: 8

# STAs discover the WLAN with the SSID city-wlan and associate with the WLAN. The STAs are allocated IP addresses. After you enter the key, the STAs can access the wireless network. Run the display station assoc-info command on the AC. The command output shows that the STAs are connected to the WLAN city-wlan.

[AC-wlan-view] display station assoc-info all
  AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
  Rx/Tx: link receive rate/link transmit rate(Mbps)
  ------------------------------------------------------------------------------
  STA MAC         AP/Rf/WLAN Rx/Tx     Mode  RSSI   IP address
  SSID
  ------------------------------------------------------------------------------
  e019-1dc7-1e08  101/0/1    6/11      11n   -89    10.23.101.254
  city-wlan
  ------------------------------------------------------------------------------
  Total stations: 1

# STAs obtain IP addresses and connect to the network.

Configuration Files

S5700-1 configuration file

#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1         
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
return

S5700-2 configuration file

#
sysname S5700-2
#
vlan batch 20 102
#
interface GigabitEthernet0/0/1         
 port link-type trunk
 port trunk allow-pass vlan 20 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 20
 port trunk allow-pass vlan 20 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 20
 port trunk allow-pass vlan 20 102
 port-isolate enable group 1
#
return

S9700 configuration file

#
sysname S9700
#
vlan batch 10 20 100 to 102 300
#
dhcp enable
#
ip pool manage_ap1
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.100.1
#
ip pool manage_ap2
 gateway-list 10.23.20.1
 network 10.23.20.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.100.1
#
ip pool manage_area1_sta
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
 gateway-list 10.23.102.1
 network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif10
 description manage_ap1
 ip address 10.23.10.1 255.255.255.0
 dhcp select global
#
interface Vlanif20
 description manage_ap2
 ip address 10.23.20.1 255.255.255.0
 dhcp select global
#
interface Vlanif100
 ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
 description manage_area1_sta
 ip address 10.23.101.1 255.255.255.0
 dhcp select global
#
interface Vlanif102
 description manage_area2_sta
 ip address 10.23.102.1 255.255.255.0
 dhcp select global
#
interface Vlanif300
 ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
 eth-trunk 1
#
interface GigabitEthernet1/0/6
 eth-trunk 1
#
return

AC configuration file

#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius1
 radius-server shared-key cipher %#%#8M.(7SIkd!~zHjCXjHv%}13$Y#:t3:m]N$G^9yn3%#%#
 radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80
 radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80
 radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20
 radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80
 radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80
 radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20
 radius-server detect-server interval 30
#
web-auth-server portal1
 server-ip 10.23.30.1
 port 50100
 shared-key cipher %#%#a^9$8KWl#+C4xc2}#BEQ4!ZIOciEV7$%dT'S/3JX%#%#
 url http://10.23.30.1:8080/portal
 server-detect interval 30 action log
#
web-auth-server portal2
 server-ip 10.23.30.2
 port 50100
 shared-key cipher %#%#3'uk~,dhv>_!~;W!v6A3YiqL2UU|*4Q>{UH%Tw'A%#%#
 url http://10.23.30.2:8080/portal
 server-detect interval 30 action log
#
web-auth-server portal3
 server-ip 10.23.30.3
 port 50100
 shared-key cipher %#%#un.DDNfj[X\.u3&zIya<P,3wBg'cEQFedz,DoIO"%#%#
 url http://10.23.30.3:8080/portal
 server-detect interval 30 action log
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
 web-auth-server portal1 portal3 layer3
 domain name portal1 force
 domain name portal1
 authentication portal
#
interface Vlanif102
 web-auth-server portal2 portal3 layer3
 domain name portal1 force
 domain name portal1
 authentication portal
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
 eth-trunk 1
#
interface GigabitEthernet2/0/2
 eth-trunk 1
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess2
 port trunk allow-pass vlan 101 to 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
 ap-region id 1
  ap-region-name area1
 ap-region id 2
  ap-region-name area2
 ap id 101 type-id 19 mac 60de-4476-e320
  region-id 1
 ap id 102 type-id 19 mac 60de-4476-e340
  region-id 1
 ap id 201 type-id 19 mac 60de-4476-e360
  region-id 2
 ap id 202 type-id 19 mac 60de-4476-e380
  region-id 2
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
 service-set name area1 id 1
  wlan-ess 1
  ssid city-wlan
  user-isolate
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 service-set name area2 id 2
  wlan-ess 2
  ssid city-wlan
  user-isolate
  traffic-profile id 1
  security-profile id 1
  service-vlan 102
 radio-profile name radio id 1
  channel-mode fixed
  power-mode fixed
  wmm-profile id 1
 ap 101 radio 0
  radio-profile id 1
  power-level 10
  service-set id 1 wlan 1
 ap 101 radio 1
  radio-profile id 1
  channel 20MHz 153
  power-level 10
  service-set id 1 wlan 1
 ap 102 radio 0
  radio-profile id 1
  channel 20MHz 6
  power-level 10
  service-set id 1 wlan 1
 ap 102 radio 1
  radio-profile id 1
  channel 20MHz 161
  power-level 10
  service-set id 1 wlan 1
 ap 201 radio 0
  radio-profile id 1
  power-level 10
  service-set id 2 wlan 1
 ap 201 radio 1
  radio-profile id 1
  channel 20MHz 153
  power-level 10
  service-set id 2 wlan 1
 ap 202 radio 0
  radio-profile id 1
  channel 20MHz 6
  power-level 10
  service-set id 2 wlan 1
 ap 202 radio 1
  radio-profile id 1
  channel 20MHz 161
  power-level 10
  service-set id 2 wlan 1
#
return