对于安全认证来说,也是无线比较重要的一块,在SOHO级别以及小型环境中,比较倾向于预共享的方式进行认证,也就是配置一个大家知道的密码,输入后就能连接到无线网络,常用的有WEP、WPA、WPA2,WEP已经渐渐的淘汰了,非常容易被破解,推荐的是WPA2的AES,对应小型环境或者SOHO级别的来说还是比较容易部署的。当然认证还有很多,比如基于MAC地址认证、dot1x方式 或者portal网页认证等,这些方式会在后续陆续演示。
掌握目标1、AC的基本业务配置2、认证方式的配置
拓扑写了对应的IP网段,以及各自的VLAN信息,可以对应配置看
路由的配置interface GigabitEthernet0/0/0ip address 10.1.200.1 255.255.255.0#interface LoopBack100ip address 100.100.100.100 255.255.255.255#ospf 1 router-id 1.1.1.1default-route-advertise alwaysarea 0.0.0.0network 10.1.200.1 0.0.0.0
AC的配置#interface Vlanif100ip address 10.1.100.1 255.255.255.0dhcp select interface#interface Vlanif101ip address 10.1.101.1 255.255.255.0dhcp select interfacedhcp server dns-list 8.8.8.8#interface Vlanif102ip address 10.1.102.1 255.255.255.0dhcp select interfacedhcp server dns-list 8.8.8.8#interface Vlanif103ip address 192.168.103.1 255.255.255.0dhcp select interfacedhcp server dns-list 8.8.8.8#interface Vlanif200ip address 10.1.200.2 255.255.255.0
说明:该VLAN接口地址一个是用于与AR路由器相连,其余的是作为无线客户端的网关
interface GigabitEthernet0/0/1port link-type trunkport trunk pvid vlan 100port trunk allow-pass vlan 100 to 102#interface GigabitEthernet0/0/2port link-type trunkport trunk pvid vlan 100port trunk allow-pass vlan 100 to 102#interface GigabitEthernet0/0/3port link-type accessport default vlan 200
说明:这里由于AP是双频的,也可以每个AP发送多个SSID,所以要允许对应的VLAN流量。
interface Wlan-Ess0port hybrid untagged vlan 101#interface Wlan-Ess1port hybrid untagged vlan 102#interface Wlan-Ess2port hybrid untagged vlan 103
ospf 1 router-id 2.2.2.2area 0.0.0.0network 10.1.200.2 0.0.0.0area 0.0.0.1network 10.1.100.1 0.0.0.0network 10.1.101.1 0.0.0.0network 10.1.102.1 0.0.0.0network 192.168.103.1 0.0.0.0
wlanwlan ac source interface vlanif100ap id 0 type-id 19 mac 00e0-fc03-7820 sn 210235448310F3277942ap id 1 type-id 19 mac 00e0-fc03-9730 sn 2102354483100A13F850wmm-profile name wmm1 id 0traffic-profile name tra1 id 0security-profile name open id 0
security-profile name wep40 id 1wep authentication-method share-keywep key wep-40 pass-phrase 0 simple 12345
security-profile name wpapsk id 2security-policy wpawpa authentication-method psk pass-phrase simple huaweipsk encryption-method ccmp
定义了3种不同的认证方式,分别为open、WEP与WPA
service-set name vlan101 id 0wlan-ess 0ssid vlan101traffic-profile id 0security-profile id 1service-vlan 101service-set name vlan102 id 1wlan-ess 1ssid vlan102traffic-profile id 0security-profile id 2service-vlan 102service-set name guest103 id 2wlan-ess 2ssid guest103user-isolatetraffic-profile id 0security-profile id 0service-vlan 103radio-profile name 2g id 0wmm-profile id 0ap 0 radio 0radio-profile id 0service-set id 0 wlan 1service-set id 1 wlan 2service-set id 2 wlan 3ap 1 radio 0radio-profile id 0channel 20MHz 6service-set id 0 wlan 1service-set id 1 wlan 2service-set id 2 wlan 3 #
最后记得comm下发业务给AP即可。
上一篇回顾
下一篇学习
由浅入深玩转华为WLAN-9 基于无线的MAC地址认证