1. Configure the external (WAN-side) IP addresses
[FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
2. Configure the internal IP addresses and VLANs
(1) Agile Controller address configuration
(2) LSW1 configuration
[LSW1]vlan batch 12 23 26
[LSW1-Vlanif12]ip add 10.1.1.2 24
[LSW1-Vlanif23]ip add 10.1.23.2 24
[LSW1-Vlanif26]ip add 10.1.26.2 24
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 23
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 12
[LSW1-GigabitEthernet0/0/3]port link-type access
[LSW1-GigabitEthernet0/0/3]port default vlan 26
(4) LSW2 configuration
[LSW2]vlan batch 23 34 45
[LSW2-Vlanif23]ip add 10.1.23.3 24
[LSW2-Vlanif34]ip add 10.1.34.3 24
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 23
[LSW2-GigabitEthernet0/0/2]port link-type trunk
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 34 45
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk pvid vlan 34
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 34
(5) Configure internal connectivity (OSPF area 0 plus a default route on LSW1 toward FW1)
[LSW1]ospf 1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.26.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.23.0 0.0.0.255
[LSW2]ospf 1
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.1.23.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.34.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255 //LSW2 has no Vlanif45, so this statement matches no interface; VLAN 45 only transits LSW2's trunk to AC1
[LSW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 //default route toward FW1; LSW2 and AC1 only learn a default route if LSW1 also injects it into OSPF (default-route-advertise, not shown on this page)
3. Configure connectivity between the internal and external networks
(1) Configure the firewall security policy
[FW1-zone-trust]add int g1/0/1
[FW1-zone-untrust]add interface g1/0/2
[FW1]security-policy
[FW1-policy-security]rule name out_server1
[FW1-policy-security-rule-out_server1]source-zone trust
[FW1-policy-security-rule-out_server1]destination-zone untrust
[FW1-policy-security-rule-out_server1]action permit //permits every trust-to-untrust flow, any source and any service; acceptable in this lab, but production rules should restrict source-address and service
(2) Configure NAT
[FW1]nat-policy
[FW1-policy-nat]rule name out_nat
[FW1-policy-nat-rule-out_nat]source-zone trust
[FW1-policy-nat-rule-out_nat]destination-zone untrust
[FW1-policy-nat-rule-out_nat]action source-nat easy-ip //easy-ip translates internal sources to the address of the outbound interface (20.1.1.1 on g1/0/2)
Note: FW1 only knows its directly connected networks (10.1.1.0/24 and 20.1.1.0/24). For return traffic to reach 10.1.23.0/24, 10.1.26.0/24, 10.1.34.0/24 and 10.1.45.0/24 it also needs routes to those subnets via 10.1.1.2 (LSW1); that step is not shown on this page.
4. AC basic configuration
(1) Configure VLANs, IP addresses and routing
[AC1]vlan batch 34 45
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 34 45
[AC1-Vlanif34]ip add 10.1.34.254 24
[AC1-Vlanif45]ip add 10.1.45.254 24
[AC1]ospf 1
[AC1-ospf-1]area 0
[AC1-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
[AC1-ospf-1-area-0.0.0.0]network 10.1.34.0 0.0.0.255
(2) Configure DHCP to assign addresses to access users (VLAN 34 for AP management, VLAN 45 for the guest service VLAN)
[AC1]dhcp enable
[AC1-Vlanif34]dhcp select interface
[AC1-Vlanif45]dhcp select interface
[AC1-Vlanif45]dhcp server dns-list 114.114.114.114 10.1.45.254
(3) Verify the configuration
(4) Check that the route to the Agile Controller (10.1.26.6) is reachable
5. Configure AP onboarding
(1) Configure the regulatory domain profile
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code CN
(2) Create the AP group
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
(3) Configure the AC's CAPWAP source interface
[AC1]capwap source interface Vlanif 34
6. Configure AP authentication
(1) Import the AP offline on the AC
[AC1-wlan-view]ap auth-mode mac-auth //MAC authentication is the default AP authentication mode
[AC1-wlan-view]ap-mac 00e0-fc53-0760 ap-id 0
[AC1-wlan-ap-0]ap-group ap-group1
[AC1-wlan-ap-0]ap-name ap0
(2) Verify the configuration (display ap all); the AP state should end up as normal
7. Configure the WLAN service
(1) Configure the security profile
[AC1-wlan-view]security-profile name portal_authen //no security policy is set here, so the SSID is an open network; access control relies entirely on Portal authentication
(2) Configure the SSID profile
[AC1-wlan-view]ssid-profile name guest
[AC1-wlan-ssid-prof-guest]ssid guest
(3) Configure the VAP profile
[AC1-wlan-view]vap-profile name guest
[AC1-wlan-vap-prof-guest]forward-mode tunnel //user traffic is tunnelled through the AC (CAPWAP), so only VLAN 34 is needed on the AP-facing trunk
[AC1-wlan-vap-prof-guest]service-vlan vlan-id 45 //service VLAN for guest clients
[AC1-wlan-vap-prof-guest]security-profile portal_authen //reference the security profile
[AC1-wlan-vap-prof-guest]ssid-profile guest //reference the SSID profile
(4) Bind the VAP profile to the AP group
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile guest wlan 1 radio all //WLAN ID 1; both radios (0 and 1) use this VAP profile
8. Configure Portal access control
(1) Create the RADIUS server template
[AC1]radius-server template radius
[AC1-radius-radius]radius-server authentication 10.1.26.6 1812 source ip-address 10.1.34.254
[AC1-radius-radius]radius-server accounting 10.1.26.6 1813 source ip-address 10.1.34.254
[AC1-radius-radius]radius-server shared-key cipher ABCabc@123
[AC1-radius-radius]radius-server user-name original
[AC1]radius-server authorization 10.1.26.6 shared-key cipher ABCabc@123
(2) Create the AAA authentication and accounting schemes
[AC1]aaa
[AC1-aaa]authentication-scheme radius
[AC1-aaa-authen-radius]authentication-mode radius
[AC1-aaa]accounting-scheme radius
[AC1-aaa-accounting-radius]accounting-mode radius
(3) Create the URL template (the Portal page clients are redirected to)
[AC1]url-template name url_0
[AC1-url-template-url_0]url http://10.1.26.6:8080/portal
(4) Create the Portal (web authentication) server template
[AC1]web-auth-server portal_auth
[AC1-web-auth-server-portal_auth]server-ip 10.1.26.6
[AC1-web-auth-server-portal_auth]port 50200 //default Portal protocol port
[AC1-web-auth-server-portal_auth]shared-key cipher ABCabc@123
[AC1-web-auth-server-portal_auth]url-template url_0
(5) Allow access to the Agile Controller before authentication
[AC1]free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule]free-rule 1 destination ip 10.1.26.6 mask 24 //mask 24 exempts the whole 10.1.26.0/24 subnet from authentication; mask 32 would limit the exemption to the controller host
(6) Create the Portal access profile
[AC1]portal-access-profile name portal_access_profile
[AC1-portal-access-profile-portal_access_profile]web-auth-server portal_auth direct
(7) Create the authentication profile and bind the Portal access profile, free-rule template, authentication and accounting schemes and RADIUS server template (despite the profile name, no MAC access profile is configured on this page)
[AC1]authentication-profile name macportal_authen_profile
[AC1-authentication-profile-macportal_authen_profile]portal-access-profile portal_access_profile
[AC1-authentication-profile-macportal_authen_profile]free-rule-template default_free_rule
[AC1-authentication-profile-macportal_authen_profile]authentication-scheme radius
[AC1-authentication-profile-macportal_authen_profile]accounting-scheme radius
[AC1-authentication-profile-macportal_authen_profile]radius-server radius
(8) Apply the authentication profile to the VAP
[AC1-wlan-view]vap-profile name guest
[AC1-wlan-vap-prof-guest]authentication-profile macportal_authen_profile
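Steps (1) through (8) above hand the user's credentials from the AC to the RADIUS server on the Agile Controller, and every one of those messages is protected only by the shared key configured on both sides (shared-key cipher ABCabc@123). The following added example, which is not part of the original page and not Huawei or Agile Controller code, models that exchange as specified in RFC 2865: the AC (NAS) builds an Access-Request with a hidden User-Password and its NAS-IP-Address 10.1.34.254, the server decrypts the password and replies, and the NAS accepts the reply only if the Response Authenticator was computed with the same key. The key, NAS IP and server address are taken from the page; the user account guest1 / Guest@123 is constructed test data.

```python
# Added example (not from the original page): a minimal RADIUS Access-Request /
# Access-Accept exchange showing what "shared-key cipher ABCabc@123" on the AC and on
# the Agile Controller is used for. guest1 / Guest@123 is constructed test data.
import hashlib
import hmac
import socket
import struct

SHARED_KEY = b"ABCabc@123"   # radius-server shared-key cipher ABCabc@123 (from the page)
NAS_IP = "10.1.34.254"       # source ip-address the AC uses toward 10.1.26.6:1812 (page)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> dict:
    """Decode a TLV attribute list into {type: value}; stops on a malformed length."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            break
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first "previous block" is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; the server does this with its own copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """NAS side (the AC). request_auth must be 16 random bytes in real use;
    it is a parameter here so the exchange can be reproduced deterministically."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    so a server holding a different key produces a reply the NAS will discard."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its length is sane, its identifier matches the
    outstanding request and its Response Authenticator was computed with our key."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy controller-side decision: decrypt the password with the server's key and
    compare it with the stored one; reply Access-Accept or Access-Reject."""
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = decrypt_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    return build_response(code, request, b"", secret)


if __name__ == "__main__":
    import os
    users = {b"guest1": b"Guest@123"}   # constructed test account
    req = build_access_request(1, b"guest1", b"Guest@123", SHARED_KEY, os.urandom(16))
    reply = server_handle(req, SHARED_KEY, users)
    print("accept" if reply[0] == ACCESS_ACCEPT else "reject",
          "/ authenticator ok" if verify_response(reply, req, SHARED_KEY) else "/ authenticator BAD")
    # Same request handled by a server whose key was mistyped: password decrypts to garbage
    # (Access-Reject) and the AC discards the reply because the authenticator does not match.
    bad = server_handle(req, b"ABCabc@124", users)
    print("key mismatch -> reply accepted by NAS:", verify_response(bad, req, SHARED_KEY))
```

This is why a key mismatch between step (1) here and the server side of section 9 shows up as silently dropped replies and authentication timeouts rather than an explicit error: the AC cannot validate the Response Authenticator, and the server cannot recover the password. The protection is MD5 keyed with a static secret on UDP, which is the reason the shared key should be long and the RADIUS traffic confined to the management path between 10.1.34.254 and 10.1.26.6.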
9. Agile Controller configuration (omitted)