Huawei wireless device configuration wpa2-802.1x-aes security policy

To configure LSW and AC, send AP And AC Can transmit between CAPWAP message
[LSW1]vlan batch 100
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/2]port trunk pvid vlan 100
[AC1]vlan batch 100
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

To configure AC Interworking with the upper network equipment
[AC1]vlan batch 101 102 103
[AC1-Vlanif101]ip add 10.1.101.1 24
[AC1-Vlanif102]ip add 10.1.102.1 24
[AC1-Vlanif103]ip add 10.1.103.1 24
[AC1-GigabitEthernet0/0/2]port link-type access
[AC1-GigabitEthernet0/0/2]port default vlan 102
[AC1-GigabitEthernet0/0/3]port link-type trunk
[AC1-GigabitEthernet0/0/3]port trunk allow-pass vlan 103
[AC1-GigabitEthernet0/0/3]port trunk pvid vlan 103
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.102.2

To configure AC to AP Distribute IP Address ,AR to STA Distribute IP Address
[AC1]dhcp enable
[AC1-Vlanif100]ip add 10.1.100.1 24
[AC1-Vlanif100]dhcp select interface
[AC1-Vlanif101]dhcp select relay
[AC1-Vlanif101]dhcp relay server-ip 10.1.102.2
[AR1]dhcp enable
[AR1-ip-pool-sta]gateway-list 10.1.101.1
[AR1-ip-pool-sta]dns-list 8.8.8.8
[AR1-ip-pool-sta]network 10.1.101.0 mask 24
[AR1-GigabitEthernet0/0/0]ip add 10.1.102.2 24
[AR1-GigabitEthernet0/0/0]dhcp select global
[AR1]ip route-static 10.1.101.0 24 10.23.102.1

To configure RADIUS Certification parameters
establish RADIUS Server template
[AC1]radius-server template radius1
[AC1-radius-radius1]radius-server authentication 10.1.103.2 1812
[AC1-radius-radius1]radius-server shared-key cipher [email protected]
establish RADIUS Way of authentication
[AC1]aaa
[AC1-aaa]authentication-scheme radius1
[AC1-aaa-authen-radius1]authentication-mode radius
establish AAA Domain and configure the RADIUS Server template and authentication scheme
[AC1-aaa]domain 123.com
[AC1-aaa-domain-123.com]radius-server radius1
[AC1-aaa-domain-123.com]authentication-scheme radius1

To configure 802.1X Access template , management 802.1X Access control parameters
establish 802.1X Access template
[AC1]dot1x-access-profile name wlan-dot1x
The configuration authentication method is EAP Relay mode
[AC1-dot1x-access-profile-wlan-dot1x]dot1x authentication-method eap

Create an authentication template , binding 802.1X Access template , And configure the user mandatory domain
[AC1]authentication-profile name wlan-authentication
[AC1-authentication-profile-wlan-authentication]dot1x-access-profile wlan-dot1x
[AC1-authentication-profile-wlan-authentication]access-domain 123.com dot1x force

To configure AP go online
establish AP Group
[AC1]wlan
[AC1-wlan-view]ap-group name ap-group1
Create domain management template , Configure... Under the domain management template AC Country code and in AP Reference domain management template under group
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code cn
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
[AC1]capwap source interface Vlanif 100
stay AC Import online and offline AP, And will AP Join in AP Group
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc19-7cf0
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-ap-0]ap-group ap-group1

To configure WLAN Business parameters
Create a security template , And configure the security policy
[AC1]wlan
[AC1-wlan-view]security-profile name wlan-security
[AC1-wlan-sec-prof-wlan-security]security wpa2 dot1x aes
establish SSID Templates , And configuration SSID name
[AC1-wlan-view]ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid]ssid wlan-net
establish VAP Templates , Configure business data forwarding mode 、 Business VLAN, And reference the security template 、 Certification templates and SSID Templates
[AC1-wlan-view]vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap]forward-mode tunnel
[AC1-wlan-vap-prof-wlan-vap]service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap]security-profile wlan-security
[AC1-wlan-vap-prof-wlan-vap]authentication-profile wlan-authentication
[AC1-wlan-vap-prof-wlan-vap]ssid-profile wlan-ssid
To configure AP Group reference VAP Templates ,AP RF on 0 And RF 1 All use VAP Template configuration
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio 1

To configure AP RF channel and power
Turn off the RF channel and power auto tuning function
[AC1-wlan-view]rrm-profile name default
[AC1-wlan-rrm-prof-default]calibrate auto-channel-select disable
[AC1-wlan-rrm-prof-default]calibrate auto-txpower-select disable
To configure AP RF channel and power
[AC1-wlan-view]ap-id 0
[AC1-wlan-ap-0]radio 0
[AC1-wlan-radio-0/0]channel 20mhz 6
[AC1-wlan-radio-0/0]eirp 127
[AC1-wlan-ap-0]radio 1
[AC1-wlan-radio-0/1]channel 20mhz 149
[AC1-wlan-radio-0/1]eirp 127