
AR500, AR510, and AR530 V200R007


Example for Configuring WEP Authentication

Networking Requirements
As shown in Figure 9-14, the AC connects to the upper-layer network, and the APs connect
to the AC through an access switch.
WLANs are open by nature: if no security policy is configured on a WLAN, service data is
exposed to threats. In this example, user data is protected using WEP authentication.
Figure 9-14  Networking diagram of WEP authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switch and AC to enable APs to communicate with the AC.
2. Configure basic attributes for the AC, including the AC ID, carrier ID, and source
interface that the AC uses to communicate with APs. Configure the AC as a DHCP
server.
3. Set the AP authentication mode and add the AP to an AP region.
4. Configure VAPs and deliver VAP parameters so that STAs can access the WLAN.
Pay attention to the following items when configuring VAPs:
a. Configure a WLAN-ESS interface and bind it to a service set so that radio
packets can be sent to the WLAN service module after reaching an AC.
b. Configure a radio profile on the AP and bind it to a radio to enable STAs to
communicate with the AP.
c. Configure a security profile on the AP and configure the security policy as
Share-key.
d. Configure a service set and bind a traffic profile to it to ensure security and
QoS for STAs.
e. Configure a VAP and deliver VAP parameters so that STAs can access the
WLAN.

Procedure
1. Configure the access switch.
# Configure the access switch to tag AP management packets with the management
VLAN ID.

NOTE:
Isolate the interfaces of all the Layer 2 switches that connect to the downstream
interfaces within the management and service VLANs of the APs. Otherwise,
unnecessary packets are broadcast in the VLAN or WLAN users of different APs
cannot communicate with each other at Layer 2.
When the port isolation function is not enabled, configure
undo port trunk allow-pass vlan 1 on all interfaces on devices including the
switches, AC, and all devices between the switches and AC to prevent packet
conflicts and interface resource occupation.
On the access switch, configure the upstream interfaces to transparently transmit
packets of the service VLANs so that the switch can communicate with upstream
devices, according to the actual networking.
<Huawei> system-view
[Huawei] vlan batch 101 800
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type trunk
[Huawei-Ethernet0/0/1] port trunk pvid vlan 800
[Huawei-Ethernet0/0/1] port trunk allow-pass vlan 101 800
[Huawei-Ethernet0/0/1] port-isolate enable
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 101 800
[Huawei-Ethernet0/0/2] quit
2. Configure the AC.
a. Configure the AC interface that connects to the access switch, and enable
DHCP on the AC.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 101 800
[AC] dhcp enable
[AC] interface Vlanif 800
[AC-Vlanif800] ip address 172.16.1.1 24
[AC-Vlanif800] dhcp select interface
[AC-Vlanif800] quit
[AC] interface Vlanif 101
[AC-Vlanif101] ip address 10.1.1.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk allow-pass vlan 101 800
[AC-Ethernet2/0/0] quit
b. Configure global parameters on the AC.
# Configure the AC ID, carrier ID, country code, and source interface.
[AC] wlan ac-global ac id 1 carrier id other
[AC] wlan ac-global country-code cn
[AC] capwap source interface Vlanif 800
[AC] wlan ac
c. Configure APs and enable them to go online.
# Configure AP authentication mode as MAC address authentication.
[AC-wlan-view] ap-auth-mode mac-auth
# Query the AP device type.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
17     AP6010SN-GN
19     AP6010DN-AGN
21     AP6310SN-GN
23     AP6510DN-AGN
25     AP6610DN-AGN
27     AP7110SN-GN
28     AP7110DN-AGN
29     AP5010SN-GN
30     AP5010DN-AGN
31     AP3010DN-AGN
33     AP6510DN-AGN-US
34     AP6610DN-AGN-US
35     AP5030DN
36     AP5130DN
37     AP7030DE
38     AP2010DN
39     AP8130DN
40     AP8030DN
43     AP4030DN
44     AP4130DN
45     AP3030DN
46     AP2030DN
------------------------------------------------------------------------------
Total number: 22
# Add the AP offline based on the AP type ID. Assume that the AP type is
AP6010DN-AGN, and the MAC address of the AP is 60de-4476-e360.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-1] quit
# Check whether APs have gone online.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP              AP               Profile    AP        AP
                                       /Region
ID    Type            MAC              ID         State     Sysname
------------------------------------------------------------------------------
1     AP6010DN-AGN    60de-4476-e360   0/6        normal    ap-1
------------------------------------------------------------------------------
Total number: 1,printed: 1
# Add APs to AP regions.
[AC-wlan-view] ap-region id 5
[AC-wlan-ap-region-5] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 5
[AC-wlan-ap-1] quit
[AC-wlan-view] quit
d. Configure WLAN-ESS interfaces.
[AC] interface Wlan-Ess 0
[AC-Wlan-Ess0] port link-type hybrid
[AC-Wlan-Ess0] port hybrid tagged vlan 101
[AC-Wlan-Ess0] quit
e. Configure AP parameters.
# Configure radios for APs.
[AC] wlan ac
[AC-wlan-view] wmm-profile name huawei-ap
[AC-wlan-wmm-prof-huawei-ap] quit
[AC-wlan-view] radio-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] wmm-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name huawei-ap
[AC-wlan-radio-1/0] quit
# Configure a security profile.
[AC-wlan-view] security-profile name huawei-ap
[AC-wlan-sec-prof-huawei-ap] security-policy wep
[AC-wlan-sec-prof-huawei-ap] wep authentication-method share-key
[AC-wlan-sec-prof-huawei-ap] wep key wep-104 pass-phrase 0 cipher 0123456789abc
[AC-wlan-sec-prof-huawei-ap] quit
# Configure a traffic profile.
[AC-wlan-view] traffic-profile name huawei-ap
[AC-wlan-traffic-prof-huawei-ap] quit
# Configure a service set for the AP.
[AC-wlan-view] service-set name huawei
[AC-wlan-service-set-huawei] ssid huawei
[AC-wlan-service-set-huawei] wlan-ess 0
[AC-wlan-service-set-huawei] service-vlan 101
[AC-wlan-service-set-huawei] security-profile name huawei-ap
[AC-wlan-service-set-huawei] traffic-profile name huawei-ap
[AC-wlan-service-set-huawei] quit
f. Configure VAPs and deliver configuration to the APs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name huawei
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]: y
[AC-wlan-view] quit
3. Test the WLAN service configuration.
The WLAN with SSID huawei is available for wireless access users.
If a STA is configured with an incorrect shared key, the STA cannot access the
WLAN.
After the PC scans the SSID, if you double-click the SSID and enter the key,
association may fail. The SSID and key need to be configured manually on the PC.
Configuration on the Windows XP operating system:
a. On the Association tab page of the Wireless network properties dialog box,
add SSID huawei, set the network authentication mode to shared-key mode and
the encryption mode to WEP, and configure the network key and the
corresponding key index.
Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID huawei, set the encryption and
authentication modes, and click Next.
b. Scan for WLANs. Double-click SSID huawei, click the Security tab, and set
the key index on the Security tab page.

Configuration Files
Configuration file of the access switch
#
vlan batch 101 800
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk pvid vlan 800
 port trunk allow-pass vlan 101 800
 port-isolate enable group 1
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 800
#
return

AC configuration file
#
sysname AC
#
vlan batch 101 800
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif101
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
#
interface Vlanif800
 ip address 172.16.1.1 255.255.255.0
 dhcp select interface
#
interface Wlan-Ess0
 port hybrid tagged vlan 101
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 800
#
capwap source interface vlanif800
#
wlan ac
 ap-region id 5
 ap id 1 type-id 19 mac 60de-4476-e360 sn AB34002078
  region-id 5
 wmm-profile name huawei-ap id 0
 traffic-profile name huawei-ap id 0
 security-profile name huawei-ap id 0
  wep authentication-method share-key
  wep key wep-104 pass-phrase 0 cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%#
 service-set name huawei id 0
  wlan-ess 0
  ssid huawei
  traffic-profile id 0
  security-profile id 0
  service-vlan 101
 radio-profile name huawei-ap id 0
  wmm-profile id 0
 ap 1 radio 0
  radio-profile id 0
  service-set id 0 wlan 1
#
return
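
The following Python check is an added example, not code from the Huawei guide. It audits configuration files like the two above in two ways: it lists trunk ports that have neither port isolation nor undo port trunk allow-pass vlan 1 (the NOTE in step 1, read per interface, which is an assumption made here), and it resolves which SSIDs are bound to a security profile with WEP settings, which is worth tracking because WEP is deprecated in IEEE 802.11. The function names and the trimmed, re-indented sample inputs are constructed for illustration.

```python
import re

# Constructed input: trimmed, re-indented copies of this page's configuration files.
SWITCH_CFG = """\
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101 800
 port-isolate enable group 1
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 800
"""
AC_CFG = """\
 security-profile name huawei-ap id 0
  wep authentication-method share-key
  wep key wep-104 pass-phrase 0 cipher CIPHERTEXT-PLACEHOLDER
 service-set name huawei id 0
  ssid huawei
  traffic-profile id 0
  security-profile id 0
"""

def trunks_allowing_vlan1(cfg):
    """Trunks with neither port isolation nor VLAN 1 removed (step 1 NOTE, read per interface)."""
    flagged = []
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", cfg, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        safe = "undo port trunk allow-pass vlan 1" in cmds or any(
            c.startswith("port-isolate enable") for c in cmds)
        if "port link-type trunk" in cmds and not safe:
            flagged.append(name)
    return flagged

def ssids_using_wep(cfg):
    """SSIDs whose service set references a security profile that has WEP settings."""
    wep_ids, svc, block = set(), {}, ("", "")
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"(\S+) name \S+ id (\d+)$", line):
            block = m.groups()  # a profile or service-set definition starts here
        elif block[0] == "security-profile" and re.match(r"wep |security-policy wep$", line):
            wep_ids.add(block[1])
        elif block[0] == "service-set" and (
                m := re.match(r"(ssid|security-profile id) (\S+)$", line)):
            svc.setdefault(block[1], {})[m.group(1)] = m.group(2)
    return sorted(s["ssid"] for s in svc.values()
                  if "ssid" in s and s.get("security-profile id") in wep_ids)

if __name__ == "__main__":
    print(trunks_allowing_vlan1(SWITCH_CFG), ssids_using_wep(AC_CFG))
```

On the sample input, the uplink Ethernet0/0/2 is reported because it is a trunk without port isolation and without VLAN 1 removed, and SSID huawei is reported because its service set references security profile 0.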

Updated: 2019-06-12
