Huawei WLAN Security Configuration

Ops & Dev Net (运维开发网) https://www.qedev.com 2021-02-08 10:17 Source: 51CTO Author: Tony7483

1. Basic switch configuration

Configure the VLANs

[SW]vlan batch 10 to 13
[SW-GigabitEthernet0/0/10]port link-type trunk
[SW-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port link-type trunk
[SW-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SW-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[SW-GigabitEthernet0/0/1]port link-type trunk
[SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[SW-LoopBack1]ip address 101.101.101.101 32

Configure the gateway address of each VLAN

[SW-Vlanif10]ip address 10.1.10.1 24
[SW-Vlanif11]ip address 10.1.11.1 24
[SW-Vlanif12]ip address 10.1.12.1 24
[SW-Vlanif13]ip address 10.1.13.1 24

2. Basic AC configuration

[AC]vlan batch 10 to 13
[AC-GigabitEthernet0/0/8]port link-type trunk
[AC-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13

Check the VLAN configuration.

Configure IP addresses on the Layer 3 (VLANIF) interfaces

[AC-Vlanif10]ip address 10.1.10.100 24
[AC-Vlanif11]ip address 10.1.11.100 24
[AC-Vlanif12]ip address 10.1.12.100 24
[AC-Vlanif13]ip address 10.1.13.100 24

Check the Layer 3 interface configuration.

[AC]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 //configure a default route pointing to the switch

Verify that the Layer 3 interfaces of the AC and the switch can reach each other.

3. Configure remote login to the AC

[AC]aaa
[AC-aaa]local-user a1 password irreversible-cipher abc@123456
[AC-aaa]local-user a1 service-type telnet
[AC-aaa]local-user a1 privilege level 3
[AC]user-interface vty 0 4
[AC-ui-vty0-4]authentication-mode aaa

<AC>save //save the AC configuration

<SW>telnet 10.1.10.100 //verify the login from the switch

4. Create an AP group

[AC]wlan
[AC-wlan-view]ap-group name ap-group

5. Bring the APs online

Enable DHCP to assign IP addresses to the STAs and APs

[AC]dhcp enable
[AC]ip pool ap
[AC-ip-pool-ap]network 10.1.10.0 mask 24
[AC-ip-pool-ap]gateway-list 10.1.10.1
[AC-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100
[AC]ip pool yw1
[AC-ip-pool-yw1]gateway-list 10.1.11.1
[AC-ip-pool-yw1]network 10.1.11.0 mask 24
[AC]ip pool yw2
[AC-ip-pool-yw2]network 10.1.12.0 mask 24
[AC-ip-pool-yw2]gateway-list 10.1.12.1
[AC]ip pool yw3
[AC-ip-pool-yw3]gateway-list 10.1.13.1
[AC-ip-pool-yw3]network 10.1.13.0 mask 24

Enable DHCP on each VLANIF interface

[AC-Vlanif10]dhcp select global
[AC-Vlanif11]dhcp select global
[AC-Vlanif12]dhcp select global
[AC-Vlanif13]dhcp select global
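An added example in Python, not from the original post: it builds the Option 43 value that `option 43 sub-option 3 ascii 10.1.10.100` hands to the APs and parses it back, so the AC address an AP is being steered to can be checked in a captured DHCP offer. It assumes Huawei's documented sub-option 3 layout: a type byte 0x03, a length byte, then the AC address(es) as ASCII text separated by commas. An AP joins whatever AC this option names, so the DHCP scope serving the AP VLAN deserves the same change control as the AC itself.

```python
# Added example (not from the original post): build and parse the Option 43 value
# that "option 43 sub-option 3 ascii 10.1.10.100" sends to the APs. Sub-option 3
# is a TLV: type byte 0x03, length byte, then the AC address list as ASCII text,
# several addresses separated by commas.
import ipaddress

SUB_OPTION_ASCII_AC = 3


def build_option43(ac_addresses):
    """Return the raw Option 43 value for the given AC IPv4 addresses."""
    for addr in ac_addresses:
        ipaddress.IPv4Address(addr)  # reject anything that is not an IPv4 address
    payload = ",".join(ac_addresses).encode("ascii")
    if len(payload) > 255:
        raise ValueError("sub-option value must fit in one length byte")
    return bytes([SUB_OPTION_ASCII_AC, len(payload)]) + payload


def parse_option43(raw):
    """Walk the TLVs in an Option 43 value and return {sub_option_type: value}."""
    result = {}
    pos = 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        sub_type, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, only %d present"
                             % (sub_type, length, len(value)))
        result[sub_type] = value
        pos += 2 + length
    return result


def ac_addresses_from_option43(raw):
    """Return the AC addresses carried in sub-option 3, or [] when it is absent."""
    value = parse_option43(raw).get(SUB_OPTION_ASCII_AC)
    if value is None:
        return []
    return [str(ipaddress.IPv4Address(a)) for a in value.decode("ascii").split(",")]


if __name__ == "__main__":
    raw = build_option43(["10.1.10.100"])
    print(raw.hex())                        # 030b31302e312e31302e313030
    print(ac_addresses_from_option43(raw))  # ['10.1.10.100']
```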

Configure the regulatory domain profile and the AC's country code

[AC]wlan
[AC-wlan-view]regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain]country-code CN
[AC]capwap source interface Vlanif 10 //configure the AC's CAPWAP source interface
[AC-wlan-view]ap auth-mode mac-auth //configure the AP authentication mode

Check the MAC addresses of the APs.

Import the APs offline on the AC

[AC-wlan-view]ap-mac 00e0-fcb5-30f0 ap-id 0
[AC-wlan-ap-0]ap-group ap-group
[AC-wlan-ap-0]ap-name ap1
[AC-wlan-view]ap-mac 00e0-fc68-7480 ap-id 1
[AC-wlan-ap-1]ap-group ap-group
[AC-wlan-ap-1]ap-name ap2

Check the AP status.

6. Configure the WLAN service

Configure the SSID profiles

[AC-wlan-view]ssid-profile name yw1
[AC-wlan-ssid-prof-yw1]ssid yw1
[AC-wlan-view]ssid-profile name yw2
[AC-wlan-ssid-prof-yw2]ssid yw2
[AC-wlan-view]ssid-profile name yw3
[AC-wlan-ssid-prof-yw3]ssid yw3

Configure the VAP profiles: data forwarding mode, service VLAN, and the referenced SSID profile

[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]forward-mode direct-forward
[AC-wlan-vap-prof-yw1]service-vlan vlan-id 11
[AC-wlan-vap-prof-yw1]ssid-profile yw1
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]forward-mode direct-forward
[AC-wlan-vap-prof-yw2]service-vlan vlan-id 12
[AC-wlan-vap-prof-yw2]ssid-profile yw2
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]forward-mode tunnel
[AC-wlan-vap-prof-yw3]service-vlan vlan-id 13
[AC-wlan-vap-prof-yw3]ssid-profile yw3

Bind the regulatory domain profile and the VAP profiles to the AP group; radios 0 and 1 on the APs both use the VAP profile configuration

[AC-wlan-view]ap-group name ap-group
[AC-wlan-ap-group-ap-group]regulatory-domain-profile domain //bind the regulatory domain profile (added; the original transcript omits this step)
[AC-wlan-ap-group-ap-group]vap-profile yw1 wlan 1 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw2 wlan 2 radio all
[AC-wlan-ap-group-ap-group]vap-profile yw3 wlan 3 radio all

Check the VAP status.

After a wireless terminal connects, check the associated user information, then ping Loopback1 from the wireless terminal to verify connectivity.

7. Configure WEP authentication

The AC supports six security policies; each VAP profile can reference one of them.

Configure authentication and encryption for yw3: WEP shared-key authentication with 40-bit WEP encryption

[AC-wlan-view]security-profile name yw3
[AC-wlan-sec-prof-yw3]security wep
[AC-wlan-sec-prof-yw3]security wep share-key
[AC-wlan-sec-prof-yw3]wep key 0 wep-40 pass-phrase abc123
[AC-wlan-view]vap-profile name yw3
[AC-wlan-vap-prof-yw3]security-profile yw3

Check the security profile configuration, the summary of users associated with the specified SSID, and the terminal association details.

8. Configure WPA PSK authentication

WPA options supported by the Huawei AC (shown in a screenshot in the original post).

Configure authentication and encryption for yw2: WPA1-PSK authentication with TKIP encryption

[AC-wlan-view]security-profile name yw2
[AC-wlan-sec-prof-yw2]security wpa psk pass-phrase abc2abc2 tkip
[AC-wlan-view]vap-profile name yw2
[AC-wlan-vap-prof-yw2]security-profile yw2

Check the security profile configuration, the associated-user summary and the terminal association information, then test connectivity.

9. Configure WPA EAP authentication

The WLAN EAP authentication architecture requires a client (supplicant), an authenticator and an authentication server; the configuration of the authentication server is omitted here.

Configure the gateway address for the RADIUS server on the switch

[SW]vlan 200
[SW-GigabitEthernet0/0/24]port link-type access
[SW-GigabitEthernet0/0/24]port default vlan 200
[SW]interface Vlanif 200
[SW-Vlanif200]ip address 10.254.1.1 24

Configure the RADIUS authentication server and the authentication and accounting schemes

[AC]radius-server template rs
[AC-radius-rs]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC-radius-rs]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC-radius-rs]radius-server shared-key cipher rs001@123
[AC-radius-rs]undo radius-server user-name domain-included

Configure the AAA schemes

[AC]aaa
[AC-aaa]authentication-scheme radius
[AC-aaa-authen-radius]authentication-mode radius
[AC-aaa]accounting-scheme radius
[AC-aaa-accounting-radius]accounting-mode radius
[AC-aaa-accounting-radius]accounting realtime 15
[AC-aaa]domain default
[AC-aaa-domain-default]authentication-scheme radius
[AC-aaa-domain-default]radius-server rs

Test the AAA configuration

[AC]test-aaa rs rs001@123 radius-template rs

Configure the access profile

[AC]dot1x-access-profile name yw1

Configure the authentication profile and bind to it the access profile, the RADIUS authentication scheme, the accounting scheme and the server template, so that RADIUS authentication is used

[AC]authentication-profile name yw1
[AC-authentication-profile-yw1]dot1x-access-profile yw1
[AC-authentication-profile-yw1]authentication-scheme radius
[AC-authentication-profile-yw1]radius-server rs

Configure the security profile: CCMP (AES) encryption with 802.1X EAP authentication

[AC]wlan
[AC-wlan-view]security-profile name yw1
[AC-wlan-sec-prof-yw1]security wpa2 dot1x aes

Reference the security profile and the authentication profile in the VAP profile

[AC-wlan-view]vap-profile name yw1
[AC-wlan-vap-prof-yw1]security-profile yw1
[AC-wlan-vap-prof-yw1]authentication-profile yw1

Verify the configuration result.

[AC]display access-user ssid yw1 //summary of the users under the SSID
[AC]display station sta-mac 5489-98AF-2070 //detailed association information for the terminal
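An added example in Python, not from the original post: it reads a configuration dump and rates every security profile it finds, flagging the WEP shared-key profile of section 7 and the WPA1-PSK/TKIP profile of section 8 (both rely on ciphers that are broken or deprecated) while accepting the WPA2 802.1X/AES profile of section 9. The sample configuration text is constructed here in the shape of the page's commands, not captured from a real AC.

```python
# Added example (not from the original post): rate every security profile in an AC
# configuration dump. SAMPLE_CONFIG is constructed in the shape of the page's
# commands; real "display current-configuration" output may differ in layout.
import re

SAMPLE_CONFIG = """\
wlan
 security-profile name yw3
  security wep share-key
 security-profile name yw2
  security wpa psk pass-phrase cipher %^%#constructed#%^% tkip
 security-profile name yw1
  security wpa2 dot1x aes
 security-profile name guest
  security open
"""

# Ordered worst to best; the first rule whose pattern matches the line wins.
RULES = [
    (r"security open", "CRITICAL", "open network: no authentication or encryption"),
    (r"security wep", "CRITICAL", "WEP: broken cipher, key recoverable from traffic"),
    (r"security wpa2? .*\btkip\b", "HIGH", "TKIP: deprecated RC4-based cipher"),
    (r"security wpa ", "HIGH", "WPA1: deprecated, move to WPA2/WPA3"),
    (r"security wpa2 psk", "MEDIUM", "WPA2-PSK: shared secret, no per-user identity"),
    (r"security wpa2 dot1x aes", "OK", "WPA2-Enterprise (802.1X) with CCMP/AES"),
]


def audit_security_profiles(config_text):
    """Return {profile_name: (severity, reason)} for each security profile found."""
    findings, current = {}, None
    for line in (ln.strip() for ln in config_text.splitlines()):
        m = re.match(r"security-profile name (\S+)$", line)
        if m:
            current = m.group(1)
            findings[current] = ("UNKNOWN", "no security command seen")
        elif current is not None and line.startswith("security "):
            for pattern, severity, reason in RULES:
                if re.match(pattern, line):
                    findings[current] = (severity, reason)
                    break
            else:
                findings[current] = ("REVIEW", "unrecognised policy: " + line)
    return findings


if __name__ == "__main__":
    for name, (severity, reason) in audit_security_profiles(SAMPLE_CONFIG).items():
        print("%-6s %-9s %s" % (name, severity, reason))
```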
