Example for Configuring Unified Access for Wired and Wireless Users

Overview of Unified Access for Wired and Wireless Users

In practice, both wired and wireless users need to access one network. For example, the PCs and printers of a company connect to the network in wired mode, and laptops and mobile phones connect wirelessly. After unified access for wired and wireless users is configured on a network, users of both types can access the network and be managed in a unified manner.

Networking Requirements

A hospital needs to deploy both a wired and a wireless network. To simplify management and maintenance, the administrator requires that wired and wireless users be centrally managed on the AC, non-authentication and Portal authentication be configured for the wired and wireless users respectively, and wireless users roam under the same AC.

As shown in Figure 1, the AC connects to the egress gateway Router in the uplink direction. In the downlink direction, the AC connects to and manages APs through S5720-1 and S5720-2 access switches. The S5720-1 and S5720-2 are deployed on the first and second floors, respectively. An AP2010DN is deployed in each room to provide both wired and wireless access. The AP5030DN is deployed in the corridor to provide wireless network coverage. The S5720-1 and S5720-2 are PoE switches directly providing power to connected APs.

To facilitate network planning and management, the access switches are only used to transparently transmit data at Layer 2, and all gateways are configured on the AC.

The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.

Figure 1 Networking for unified wired and wireless access

Data Planning

Table 1 Network data planning

| Item | Interface | VLAN | Description |
|---|---|---|---|
| AC | GE1/0/1 | 100, 201 | Connected to the S5720-1 |
| AC | GE1/0/2 | 100, 202 | Connected to the S5720-2 |
| AC | GE1/0/3 | 200 | Connected to the Agile Controller |
| AC | GE1/0/4 | 300 | Connected to the egress gateway |
| S5720-1 | GE0/0/1 | 100, 201 | Connected to the AC |
| S5720-1 | GE0/0/2 | 100, 201 | Connected to AP101 |
| S5720-1 | GE0/0/3 | 100, 201 | Connected to AP102 |
| S5720-1 | GE0/0/4 | 100, 201 | Connected to AP103 |
| S5720-2 | GE0/0/1 | 100, 202 | Connected to the AC |
| S5720-2 | GE0/0/2 | 100, 202 | Connected to AP201 |
| S5720-2 | GE0/0/3 | 100, 202 | Connected to AP202 |
| S5720-2 | GE0/0/4 | 100, 202 | Connected to AP203 |
| AP101 and AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201 | GE0/0/0 connects to the S5720-1. Eth0/0/0 and Eth0/0/1 connect to wired users. AP101 and AP102 are AP2010DNs and are deployed in rooms on the first floor to provide wired and wireless access. |
| AP103 | GE0/0/0 | 201 | GE0/0/0 connects to the S5720-1. AP103 is an AP5030DN and is deployed in the corridor on the first floor to provide wireless access. |
| AP201 and AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202 | GE0/0/0 connects to the S5720-2. Eth0/0/0 and Eth0/0/1 connect to wired users. AP201 and AP202 are AP2010DNs and are deployed in rooms on the second floor to provide wired and wireless access. |
| AP203 | GE0/0/0 | 202 | GE0/0/0 connects to the S5720-2. AP203 is an AP5030DN and is deployed in the corridor on the second floor to provide wireless access. |

Table 2 Service data planning

| Item | Data | Description |
|---|---|---|
| AC's source interface address | 10.23.100.1/24 | - |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-vap1, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | - |
| AP group | Name: ap-group2; Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | |
| Portal access profile | Name: portal1; Referenced template: Portal server template portal1 | - |
| Authentication profile | Name: portal1; Referenced profile: Portal access profile portal1 | - |
| Regulatory domain profile | Name: domain1; Country code: CN | - |
| AP wired port profile | Name: wired1, wired2, wired3, or wired4 | - |
| RRM profile | Name: rrm1 | - |
| Radio profile | Name: radio-2g and radio-5g; Referenced profile: RRM profile rrm1 | - |
| Security profile | Name: wlan-security; Security and authentication policy: OPEN | - |
| SSID profile | Name: wlan-ssid; SSID: hospital-wlan | - |
| Traffic profile | Name: traffic1 | - |
| VAP profile | Name: wlan-vap1; SSID: hospital-wlan; Data forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for the first floor of the building. |
| VAP profile | Name: wlan-vap2; SSID: hospital-wlan; Data forwarding mode: tunnel forwarding; Service VLAN: VLAN 102; Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for the second floor of the building. |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs. | - |
| AP gateway and IP address pool range | VLANIF 100: 10.23.100.1/24; 10.23.100.2-10.23.100.254/24 | - |
| Gateway and IP address pool range of the wireless users | VLANIF 101: 10.23.101.1/24; 10.23.101.2-10.23.101.254/24 | - |
| Gateway and IP address pool range of the wireless users | VLANIF 102: 10.23.102.1/24; 10.23.102.2-10.23.102.254/24 | - |
| Gateway and IP address pool range of the wired users | VLANIF 201: 10.23.201.1/24; 10.23.201.2-10.23.201.254/24 | - |
| Gateway and IP address pool range of the wired users | VLANIF 202: 10.23.202.1/24; 10.23.202.2-10.23.202.254/24 | - |
| Server parameters | Authentication server: IP address: 10.23.200.1; Port number: 1812; RADIUS shared key: Admin@123 | The Service Controller (SC) of the Agile Controller provides RADIUS server and Portal server functions; therefore, the IP address of the SC is used for the authentication server, accounting server, authorization server, and Portal server. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server. |
| Server parameters | Accounting server: IP address: 10.23.200.1; Port number: 1813; RADIUS shared key: Admin@123 | |
| Server parameters | Authorization server: IP address: 10.23.200.1; RADIUS shared key: Admin@123 | |
| Server parameters | Portal server: IP address: 10.23.200.1; Port number that the AC uses to listen on Portal protocol packets: 2000; Destination port number in the packets that the AC sends to the Portal server: 50100; Portal shared key: Admin@123; Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 | |

Table 3 Radio channel data planning

| Item | Data | Description |
|---|---|---|
| AP101 | Radio 0: channel 1 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP. |
| AP102 | Radio 0: channel 6 and power level 10 | |
| AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10 | |
| AP201 | Radio 0: channel 1 and power level 10 | |
| AP202 | Radio 0: channel 6 and power level 10 | |
| AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10 | |
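
Added example (not part of the original Huawei guide): a Python check that lints the data plan in Table 1 and Table 2 before it is entered on the AC, covering trunk VLAN consistency, DHCP pool addressing, and key handling. The function and variable names, and the rule that the Portal keys should not reuse the RADIUS shared key, are assumptions of this example; the rule that the RADIUS roles share one key comes from Table 2.

```python
import ipaddress
from itertools import combinations

# Values transcribed from Table 1 and Table 2 of this page.
LINKS = [  # (end A, end B); each end is (device, port, tagged VLANs)
    (("AC", "GE1/0/1", {100, 201}), ("S5720-1", "GE0/0/1", {100, 201})),
    (("AC", "GE1/0/2", {100, 202}), ("S5720-2", "GE0/0/1", {100, 202})),
]
VLANIFS = {  # VLAN ID: (gateway/prefix, first pool address, last pool address)
    100: ("10.23.100.1/24", "10.23.100.2", "10.23.100.254"),
    101: ("10.23.101.1/24", "10.23.101.2", "10.23.101.254"),
    102: ("10.23.102.1/24", "10.23.102.2", "10.23.102.254"),
    201: ("10.23.201.1/24", "10.23.201.2", "10.23.201.254"),
    202: ("10.23.202.1/24", "10.23.202.2", "10.23.202.254"),
}
SERVER_IP = "10.23.200.1"  # RADIUS and Portal server (the SC)
SECRETS = {  # role names are labels chosen for this example
    "radius-authentication": "Admin@123",
    "radius-accounting": "Admin@123",
    "radius-authorization": "Admin@123",
    "portal-shared-key": "Admin@123",
    "portal-url-encryption": "Admin@123",
}
PUBLISHED_SAMPLES = {"Admin@123"}  # key values printed in this guide

def check_links(links):
    """Both ends of a trunk link must tag the same VLANs."""
    out = []
    for (dev_a, port_a, vl_a), (dev_b, port_b, vl_b) in links:
        if vl_a != vl_b:
            diff = sorted(vl_a ^ vl_b)
            out.append(f"link {dev_a} {port_a} <-> {dev_b} {port_b}: VLAN mismatch {diff}")
    return out

def check_addressing(vlanifs, server_ip):
    """Pools must sit inside their subnet, exclude static addresses, and not overlap."""
    out, nets = [], {}
    server = ipaddress.ip_address(server_ip)
    for vlan, (gw, first, last) in sorted(vlanifs.items()):
        iface = ipaddress.ip_interface(gw)
        nets[vlan] = iface.network
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in iface.network or hi not in iface.network or lo > hi:
            out.append(f"VLANIF {vlan}: pool {first}-{last} is not inside {iface.network}")
        if lo <= iface.ip <= hi:
            out.append(f"VLANIF {vlan}: gateway {iface.ip} is inside its own pool")
        if lo <= server <= hi:
            out.append(f"VLANIF {vlan}: pool can hand out the server address {server_ip}")
    for (va, na), (vb, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            out.append(f"VLANIF {va} and VLANIF {vb}: subnets overlap")
    return out

def check_secrets(secrets, published):
    """RADIUS roles share one key (Table 2); other keys should be distinct (assumed rule)."""
    out = []
    radius = {v for k, v in secrets.items() if k.startswith("radius-")}
    if len(radius) > 1:
        out.append("RADIUS authentication, accounting and authorization keys differ")
    for role, value in sorted(secrets.items()):
        if not role.startswith("radius-") and value in radius:
            out.append(f"{role}: reuses the RADIUS shared key")
    if any(v in published for v in secrets.values()):
        out.append("a key equals a value printed in the guide; replace before deployment")
    return out

def lint_plan(links, vlanifs, server_ip, secrets, published):
    return (check_links(links) + check_addressing(vlanifs, server_ip)
            + check_secrets(secrets, published))

if __name__ == "__main__":
    for finding in lint_plan(LINKS, VLANIFS, SERVER_IP, SECRETS, PUBLISHED_SAMPLES):
        print(finding)
```

Run against the plan on this page, the trunk and addressing checks pass and only the three key-handling findings are reported.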

Configuration Roadmap

  1. Configure network interworking of the AC, APs, S5720-1, S5720-2, and other network devices.
  2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and wireless users.
  3. Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.
  4. Configure basic WLAN services, including AC system parameters, AP management, and WLAN service parameters.
  5. Configure VAPs and deliver VAP parameters to APs.
  6. Verify the configuration to ensure that both wired and wireless users can access the Internet.

Procedure

  1. Configure the VLANs to which interfaces of S5720-1 and S5720-2 belong.

    The S5720-1 is used as an example here. The configuration on the S5720-2 is similar.

    1. Choose Configuration > Fast WLAN Config > AC to access the Ethernet interface configuration page.
    2. Click interface data under Interface Name. In the Modify Ethernet Interface dialog box, set Default VLAN and Link type, enter VLAN IDs in the Added VLAN ID text box, and click to add interfaces in tagged mode, as shown in Figure 2, Figure 3, Figure 4, and Figure 5. Click OK.

      Figure 2 Configuring GE0/0/1

      Figure 3 Configuring GE0/0/2

      Figure 4 Configuring GE0/0/3

      Figure 5 Configuring GE0/0/4

  2. Configure the VLANs to which interfaces of an AC belong.
    1. Choose Configuration > Fast WLAN Config > AC to access the Ethernet interface configuration page.
    2. Click interface data under Interface Name. In the Modify Ethernet Interface dialog box, set Link type, enter VLAN IDs in the Added VLAN ID text box, and click to add interfaces in tagged mode, as shown in Figure 6, Figure 7, Figure 8, and Figure 9. Click OK.

      Figure 6 Configuring GE1/0/1

      Figure 7 Configuring GE1/0/2

      Figure 8 Configuring GE1/0/3

      Figure 9 Configuring GE1/0/4

  3. Configure VLANIF 200 on the AC for communicating with the Agile Controller.
    1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
    2. Click 200 under VLAN ID. In the Modify VLAN dialog box, select Create VLANIF, and set IPv4 address and Mask, as shown in Figure 10. Click OK.

      Figure 10 Configuring VLANIF 200

  4. Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.

    • Configure an IP address pool for the AC to assign IP addresses to APs.
      1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
      2. Click 100 under VLAN ID. In the Modify VLAN dialog box, select Create VLANIF, and set IPv4 address and Mask, as shown in Figure 11. Click OK.
        Figure 11 Configuring VLANIF 100

      3. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. Set DHCP status to ON to enable the DHCP function.
      4. Click Create. On the Create DHCP Address Pool page, set Address pool type to Interface address pool, select Vlanif100 for Select Interface, and click OK, as shown in Figure 12.
        Figure 12 Configuring an IP address pool

    • Configure an IP address pool for the AC to assign IP addresses to STAs.
      1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
      2. Click Create. In the Create VLAN dialog box, enter VLAN IDs in the VLAN ID text box, select Create VLANIF, and set IPv4 address and Mask, as shown in Figure 13 and Figure 14. Click OK.
        Figure 13 Configuring VLANIF 101

        Figure 14 Configuring VLANIF 102

      3. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. Set DHCP status to ON to enable the DHCP function.
      4. Click Create. On the Create DHCP Address Pool page, set Address pool type to Interface address pool, select Vlanif101 for Select Interface, and click OK, as shown in Figure 15. Repeat the preceding operations for Vlanif102, as shown in Figure 16.
        Figure 15 Configuring an IP address pool on VLANIF 101

        Figure 16 Configuring an IP address pool on VLANIF 102

    • Configure an IP address pool for the AC to assign IP addresses to PCs.
      1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
      2. Click 201 under VLAN ID. In the Modify VLAN dialog box, select Create VLANIF, and set IPv4 address and Mask, as shown in Figure 17 and Figure 18. Click OK.
        Figure 17 Configuring VLANIF 201

        Figure 18 Configuring VLANIF 202

      3. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. Set DHCP status to ON to enable the DHCP function.
      4. Click Create. On the Create DHCP Address Pool page, set Address pool type to Interface address pool, select Vlanif201 for Select Interface, and click OK, as shown in Figure 19. Repeat the preceding operations for Vlanif202, as shown in Figure 20.
        Figure 19 Configuring an IP address pool on VLANIF 201

        Figure 20 Configuring an IP address pool on VLANIF 202

  5. Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication on the AC.

    • Configure a RADIUS server template, and configure authentication, accounting, and authorization in the template on the AC.
      1. Choose Configuration > Security Services > AAA, click the RADIUS tab, and click Create. Create and configure RADIUS server template radius1, as shown in Figure 21. Click OK.
        Figure 21 Configuring a RADIUS server

      2. Choose Configuration > Security Services > AAA, click the RADIUS tab, and click Create to create and configure the authentication server, as shown in Figure 22. Click OK.
        Figure 22 Configuring an authorization server

      3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > Domain Profile to access the Domain Profile List page. Click Create to access the Create Domain Profile page. Set Profile name to portal1, click OK, create the authentication domain portal1, and bind the RADIUS server template radius1 to the domain, as shown in Figure 23. Click Apply.
        Figure 23 Configuring an authentication domain

    • Configure a Portal server.
      Choose Configuration > Security Services > AAA, click the External Portal Server tab, and click Create to create and configure the Portal authentication server, as shown in Figure 24. Click OK.
      Figure 24 Configuring a Portal server

    • Enable Portal authentication for STAs. Non-authentication is adopted for wired users.
      1. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > Portal Profile to access the Portal Profile List page. Click Create to access the Create Portal Profile page. Set Profile name to portal1 and click OK. On the Portal profile portal1 configuration page that is displayed, bind the Portal server portal1 to the Portal profile, and click Apply, as shown in Figure 25.
        Figure 25 Configuring a Portal profile

      2. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile to access the Authentication Profile List page. Click Create to access the Create Authentication Profile page. Set Profile name to portal1 and click OK, as shown in Figure 26.
        Figure 26 Creating an authentication profile

      3. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > portal1 > Portal Profile and select portal1 from the Portal Profile drop-down list box. Click Apply and bind the Portal profile portal1, as shown in Figure 27.
        Figure 27 Binding a Portal profile

      4. Choose Configuration > Security Services > AAA Profile Mgmt > Authentication Profile > portal1 > Domain Profile and select portal1 from the Domain Profile drop-down list box. Click Apply and bind the domain profile portal1, as shown in Figure 28.
        Figure 28 Binding a domain profile

  6. Configure APs to go online.

    • Create a regulatory domain profile, configure the AC's country code in the profile, and apply the profile to the AP group.
      1. Choose Configuration > Wireless Services > AP Group > AP Group, click Create, and enter names in the AP group name text box, as shown in Figure 29. Click OK.
        Figure 29 Creating an AP group

      2. Choose Configuration > Wireless Services > AP Group > AP Group, and click ap-group1 to access the AP group configuration page. Choose Radio Management > Regulatory Domain Profile, click Create, set Profile name to domain1 to create a regulatory domain profile, and bind the profile to the AP group ap-group1, as shown in Figure 30. Click Apply. Use the same method to bind the profile to ap-group2.
        Figure 30 Binding a domain profile

    • Configure the source interface and authentication method.

      Choose Configuration > Wireless Services > AC Config to access the AC Configuration page. Set AC source address to Vlanif100 and AP authentication mode to MAC address authentication, as shown in Figure 31. Click Apply.

      Figure 31 Configuring the source interface and authentication method

    • Import APs offline.
      1. Choose Configuration > Fast WLAN Config > AP, and click ap-group1 in the AP group list. Click the AP Manage tab on the right, and click Add to access the page for adding APs.
      2. Set Mode to Manually add, enter values in the AP MAC, AP ID, AP type text boxes, and click OK, as shown in Figure 32. Use the same method to add APs to ap-group2, as shown in Figure 33.
        Figure 32 Adding an AP to ap-group1

        Figure 33 Adding an AP to ap-group2

    • Configure the uplink interface GE0/0/0, and downlink interfaces Eth0/0/0 and Eth0/0/1 on the AP2010DN to allow wired packets to pass.
      1. Choose Configuration > Wireless Services > Profile > AP > AP Wired Port Profile to access the AP Wired Port Profile List page. Click Create to access the Create AP Wired Port Profile page. Set Profile name to wired1 and click OK. Click the created AP wired interface profile, set parameters, and click Apply, as shown in Figure 34. Use the same method to configure wired2, wired3, and wired4, as shown in Figure 35, Figure 36, and Figure 37.
        Figure 34 Configuring wired1

        Figure 35 Configuring wired2

        Figure 36 Configuring wired3

        Figure 37 Configuring wired4

      2. Choose Configuration > Wireless Services > AP Config > AP Info, and click an AP ID to access the AP Customized Settings page. Choose AP > AP Wired Port Settings, click an interface in AP Wired Port Configuration List to access the page for binding an AP wired port profile. Select the wired port profile to bind and click OK. Figure 38, Figure 39, Figure 40, and Figure 41 show the configuration results.
        Figure 38 Binding an AP wired port profile to ap-id 101

        Figure 39 Binding an AP wired port profile to ap-id 102

        Figure 40 Binding an AP wired port profile to ap-id 201

        Figure 41 Binding an AP wired port profile to ap-id 202

  7. Configure WLAN service parameters.

    • Create an RRM profile rrm1.
      Choose Configuration > Wireless Services > Profile > Radio Management > RRM Profile to access the RRM Profile List page. Click Create to access the Create RRM Profile page. Set Profile name to rrm1 and click OK. On the RRM profile rrm1 configuration page that is displayed, click Apply, as shown in Figure 42.
      Figure 42 Creating an RRM profile rrm1

    • Create a radio profile and bind it to the RRM profile rrm1.
      1. Choose Configuration > Wireless Services > Profile > Radio Management > 2G Radio Profile to access the 2G Radio Profile List page. Click Create to access the Create 2G Radio Profile page. Set Profile name to radio-2g and click OK, as shown in Figure 43.
        Figure 43 Creating radio profile radio-2g

      2. Choose Configuration > Wireless Services > Profile > Radio Management > 5G Radio Profile to access the 5G Radio Profile List page. Click Create to access the Create 5G Radio Profile page. Set Profile name to radio-5g and click OK, as shown in Figure 44.
        Figure 44 Creating radio profile radio-5g

      3. Choose Configuration > Wireless Services > Profile > Radio Management > 2G Radio Profile > radio-2g > RRM Profile, and set RRM Profile to rrm1, as shown in Figure 45. Click Apply. Use the same method to bind the RRM profile rrm1 to the 5G radio profile radio-5g, as shown in Figure 46.
        Figure 45 Binding the RRM profile rrm1 to the 2G radio profile radio-2g

        Figure 46 Binding the RRM profile rrm1 to the 5G radio profile radio-5g

    • Create a security profile.
      Choose Configuration > Wireless Services > Profile > Wireless Service > Security Profile, click Create, set Profile name to wlan-security, and configure this security profile, as shown in Figure 47. Click Apply.
      Figure 47 Creating security profile wlan-security

    • Create an SSID profile.
      Choose Configuration > Wireless Services > Profile > Wireless Service > SSID Profile, click Create, set Profile name to wlan-ssid, and configure this SSID profile, as shown in Figure 48. Click Apply.
      Figure 48 Creating SSID profile wlan-ssid

    • Create a traffic profile.
      Choose Configuration > Wireless Services > Profile > Wireless Service > Traffic Profile, click Create, set Profile name to traffic1, and configure this traffic profile, as shown in Figure 49. Click Apply.
      Figure 49 Creating traffic profile traffic1

    • Create a VAP profile.
      1. Choose Configuration > Wireless Services > Profile > Wireless Service > VAP Profile, click Create, set Profile name to wlan-vap1, and configure this VAP profile, as shown in Figure 50. Click Apply. Use the same method to create a VAP profile wlan-vap2, as shown in Figure 51.
        Figure 50 Creating VAP profile wlan-vap1

        Figure 51 Creating VAP profile wlan-vap2

      2. Choose Configuration > Wireless Services > Profile > Wireless Service > VAP Profile > wlan-vap1 > SSID Profile, set SSID Profile to wlan-ssid, and click Apply, as shown in Figure 52. The SSID profile is bound successfully.
        Figure 52 Binding an SSID profile

      3. Use the same method to bind the security profile, traffic profile, and authentication profile to VAP profiles, as shown in Figure 53.
        Figure 53 Configuration of VAP profiles

    • Bind VAP profiles and a radio profile to AP groups.
      1. Choose Configuration > Wireless Services > AP Group > AP Group, and click ap-group1 to access the AP Customized Settings page. Click VAP Configuration, click Add on the right, set parameters, and click Apply, as shown in Figure 54. Use the same method to bind VAP profiles to ap-group2, as shown in Figure 55.
        Figure 54 Binding a VAP profile to ap-group1

        Figure 55 Binding a VAP profile to ap-group2

      2. Choose Configuration > Wireless Services > AP Group > AP Group, and click ap-group1 to access the AP Customized Settings page. Choose Radio Management > Radio 0 > 2G Radio Profile, and select profiles in the 2G Radio Profile text box, as shown in Figure 56. Click Apply to complete the configuration of the 2G radio profile.
        Figure 56 Binding a 2G radio profile to ap-group1

      3. Choose Configuration > Wireless Services > AP Group > AP Group, and click ap-group1 to access the AP Customized Settings page. Choose Radio Management > Radio 1 > 5G Radio Profile, and select profiles in the 5G Radio Profile text box, as shown in Figure 57. Click Apply to complete the configuration of the 5G radio profile.
        Figure 57 Binding a 5G radio profile to ap-group1

      4. Use the same method to bind 2G and 5G radio profiles to ap-group2, as shown in Figure 58.
        Figure 58 Binding radio profiles to ap-group2

  8. Configure a VAP.

    1. Choose Configuration > Wireless Services > AP Config > AP Info, and click 101 to access the AP Customized Settings page. Choose Radio Management > Radio 0, set parameters, and click Apply, as shown in Figure 59. The VAP configuration is complete.
      Figure 59 Configuring a VAP

    2. Use the same method to configure VAPs for APs 102, 103, 201, 202, and 203, as shown in Figure 60.
      Figure 60 Configuring VAPs

Operation Result

  1. Choose Monitoring > Wireless Service > SSID > VAP, and view VAP information, as shown in Figure 61.
    Figure 61 VAP list

  2. When a STA detects and associates with the wireless network hospital-wlan successfully, the STA is assigned an IP address. Enter the password to access the wireless network. Choose Monitoring > User > Wireless User Statistics, and view STA information, as shown in Figure 62.
    Figure 62 STA list

  3. STAs and PCs obtain IP addresses and connect to the network properly.
Copyright © Huawei Technologies Co., Ltd.