9.2.4.9. Huawei
9.2.4.9.1. AC6605 Controller
OpenNAC Enterprise supports this controller with the following technologies:
Wireless 802.1X
Wireless MAC Authentication
Controller configuration
Setup NTP server:
<AC>system-view
[AC] ntp-service unicast-server 208.69.56.110
Setup the RADIUS server (@IP of OpenNAC) authentication + accounting:
Note
In this configuration we will use the IP address of the VIP of OpenNAC: 192.168.1.2; Registration VLAN : 145, Isolation VLAN : 146
<AC>system-view
[AC] radius-server template radius_opennac
[AC-radius-radius_opennac] radius-server authentication 192.168.1.2 1812 weight 80
[AC-radius-radius_opennac] radius-server accounting 192.168.1.2 1813 weight 80
[AC-radius-radius_opennac] radius-server shared-key cipher Testing123
[AC-radius-radius_opennac] undo radius-server user-name domain-included
[AC-radius-radius_opennac] quit
[AC] radius-server authorization 192.168.1.2 shared-key cipher Testing123 server-group radius_opennac
[AC] aaa
[AC-aaa] authentication-scheme radius_opennac
[AC-aaa-authen-radius_opennac] authentication-mode radius
[AC-aaa-authen-radius_opennac] quit
[AC-aaa] accounting-scheme radius_opennac
[AC-aaa-accounting-radius_opennac] accounting-mode radius
[AC-aaa-accounting-radius_opennac] quit
[AC-aaa] domain your.domain.com
[AC-aaa-domain-your.domain.com] authentication-scheme radius_opennac
[AC-aaa-domain-your.domain.com] accounting-scheme radius_opennac
[AC-aaa-domain-your.domain.com] radius-server radius_opennac
[AC-aaa-domain-your.domain.com] quit
[AC-aaa] quit
Create an Secure dot1x ssid
Activate the dotx globally:
<AC>system-view
[AC] dot1x enable
Create your secure dot1x ssid:
Configure WLAN-ESS 0 interfaces:
[AC] interface Wlan-Ess 0
[AC-Wlan-Ess0] port hybrid untagged vlan 145 to 146
[AC-Wlan-Ess0] dot1x enable
[AC-Wlan-Ess0] dot1x authentication-method eap
[AC-Wlan-Ess0] permit-domain name your.domain.com
[AC-Wlan-Ess0] force-domain name your.domain.com
[AC-Wlan-Ess0] default-domain your.domain.com
[AC-Wlan-Ess0] quit
Configure AP parameters:
Configure radios for APs:
[AC] wlan
[AC-wlan-view] wmm-profile name huawei-ap
[AC-wlan-wmm-prof-huawei-ap] quit
[AC-wlan-view] radio-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] radio-type 80211gn
[AC-wlan-radio-prof-huawei-ap] wmm-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name huawei-ap
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]: y
[AC-wlan-radio-1/0] quit
Configure a security profile named huawei-ap. Set the security policy to WPA authentication, authentication method to 802.1X+PEAP, and encryption mode to CCMP:
[AC-wlan-view] security-profile name huawei-ap-wpa2
[AC-wlan-sec-prof-huawei-ap-wpa2] security-policy wpa2
[AC-wlan-sec-prof-huawei-ap-wpa2] wpa-wpa2 authentication-method dot1x encryption-method ccmp
[AC-wlan-sec-prof-huawei-ap-wpa2] quit
Configure a traffic profile:
[AC-wlan-view] traffic-profile name huawei-ap
[AC-wlan-wmm-traffic-huawei-ap] quit
Configure service sets for APs, and set the data forwarding mode to direct forwarding:
The direct forwarding mode is used by default.
[AC-wlan-view] service-set name OpenNAC-dot1x
[AC-wlan-service-set-OpenNAC-dot1x] ssid OpenNAC-Secure
[AC-wlan-service-set-OpenNAC-dot1x] wlan-ess 0
[AC-wlan-service-set-OpenNAC-dot1x] service-vlan 1
[AC-wlan-service-set-OpenNAC-dot1x] security-profile name huawei-ap-wpa2
[AC-wlan-service-set-OpenNAC-dot1x] traffic-profile name huawei-ap
[AC-wlan-service-set-OpenNAC-dot1x] forward-mode tunnel
[AC-wlan-service-set-OpenNAC-dot1x] quit
Configure VAPs and deliver configurations to the APs:
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name OpenNAC-dot1x
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1
Create your Open ssid
Activate the mac-auth globally:
<AC>system-view
[AC] mac-authen
[AC] mac-authen username macaddress format with-hyphen
[AC] mac-authen domain your.domain.com
Create your Open ssid:
Configure WLAN-ESS 1 interfaces:
[AC] interface Wlan-Ess 1
[AC-Wlan-Ess1] port hybrid untagged vlan 145 to 146
[AC-Wlan-Ess1] mac-authen
[AC-Wlan-Ess1] mac-authen username macaddress format without-hyphen
[AC-Wlan-Ess1] permit-domain name your.domain.com
[AC-Wlan-Ess1] force-domain name your.domain.com
[AC-Wlan-Ess1] default-domain your.domain.com
[AC-Wlan-Ess1] quit
Configure AP parameters:
Configure a security profile named huawei-ap-wep. Set the security policy to WEP authentication.
[AC]wlan
[AC-wlan-view] security-profile name huawei-ap-wep
[AC-wlan-sec-prof-huawei-ap-wep] security-policy wep
[AC-wlan-sec-prof-huawei-ap-wep] quit
Configure service sets for APs, and set the data forwarding mode to direct forwarding:
The direct forwarding mode is used by default.
[AC-wlan-view] service-set name OpenNAC-WEP
[AC-wlan-service-set-OpenNAC-WEP] ssid OpenNAC-Open
[AC-wlan-service-set-OpenNAC-WEP] wlan-ess 1
[AC-wlan-service-set-OpenNAC-WEP] service-vlan 1
[AC-wlan-service-set-OpenNAC-WEP] security-profile name huawei-ap-wep
[AC-wlan-service-set-OpenNAC-WEP] traffic-profile name huawei-ap (already created before)
[AC-wlan-service-set-OpenNAC-WEP] forward-mode tunnel
[AC-wlan-service-set-OpenNAC-WEP] quit
Configure VAPs and deliver configurations to the APs:
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name OpenNAC-WEP
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1