华为设备访客管理

1.配置外网IP地址

[FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
2.配置内网IP地址及划分vlan
（1）Agile controller地址配置

（2）LSW1的配置
[LSW1]vlan batch 12 23 26
[LSW1-Vlanif12]ip add 10.1.1.2 24
[LSW1-Vlanif23]ip add 10.1.23.2 24
[LSW1-Vlanif26]ip add 10.1.26.2 24
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 23
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 12
[LSW1-GigabitEthernet0/0/3]port link-type access
[LSW1-GigabitEthernet0/0/3]port default vlan 26
（4）LSW2的配置
[LSW2]vlan batch 23 34 45
[LSW2-Vlanif23]ip add 10.1.23.3 24
[LSW2-Vlanif34]ip add 10.1.34.3 24
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 23
[LSW2-GigabitEthernet0/0/2]port link-type trunk
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 34 45
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk pvid vlan 34
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 34
（5）配置内网连通性
[LSW1]ospf 1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.26.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.23.0 0.0.0.255
[LSW2]ospf 1
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.1.23.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.34.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
[LSW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
3.配置内外网间互通性
（1）配置防火墙间安全策略
[FW1-zone-trust]add int g1/0/1
[FW1-zone-untrust]add interface g1/0/2
[FW1]security-policy
[FW1-policy-security]rule name out_server1
[FW1-policy-security-rule-out_server1]source-zone trust
[FW1-policy-security-rule-out_server1]destination-zone untrust
[FW1-policy-security-rule-out_server1]action permit
（2）配置NAT
[FW1]nat-policy
[FW1-policy-nat]rule name out_nat
[FW1-policy-nat-rule-out_nat]source-zone trust
[FW1-policy-nat-rule-out_nat]destination-zone untrust
[FW1-policy-nat-rule-out_nat]action source-nat easy-ip
4. AC基本配置
（1）配置vlan、IP地址和路由互通
[AC1]vlan batch 34 45
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 34 45
[AC1-Vlanif34]ip add 10.1.34.254 24
[AC1-Vlanif45]ip add 10.1.45.254 24
[AC1-ospf-1-area-0.0.0.0]network 10.1.45.0 0.0.0.255
[AC1-ospf-1-area-0.0.0.0]network 10.1.34.0 0.0.0.255
（2）配置DHCP功能，为接入用户分配地址
[AC1]dhcp enable
[AC1-Vlanif34]dhcp select interface
[AC1-Vlanif45]dhcp select interface
[AC1-Vlanif45]dhcp server dns-list 114.114.114.114 10.1.45.254
（2）检查配置

（3）检查与Agile controler路由是否可达

5.配置AP上线
（1）配置域管理模板
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code CN
（2）创建AP组
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
（3）配置AC源接口
[AC1]capwap source interface Vlanif 34
6.配置AP认证
（1）在AC上离线导入AP
[AC1-wlan-view]ap auth-mode mac-auth //默认是MAC认证
[AC1-wlan-view]ap-mac 00e0-fc53-0760 ap-id 0
[AC1-wlan-ap-0]ap-group ap-group1
[AC1-wlan-ap-0]ap-name ap0
（2）检查配合，状态最终为normal

7.配置WLAN业务
（1）配置安全模板
[AC1-wlan-view]security-profile name portal_authen
（2）配置SSID模板
[AC1-wlan-view]ssid-profile name guest
[AC1-wlan-ssid-prof-guest]ssid guest
（3）配置vap模板
[AC1-wlan-view]vap-profile name guest
[AC1-wlan-vap-prof-guest]forward-mode tunnel //业务数据采用隧道转发
[AC1-wlan-vap-prof-guest]service-vlan vlan-id 45 //配置业务vlan
[AC1-wlan-vap-prof-guest]security-profile portal_authen //引用安全模板
[AC1-wlan-vap-prof-guest]ssid-profile guest //引用ssid模板
（4）配置AP组并引用vap模板
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile guest wlan 1 radio all //设置vap id为1，vap上射频0和1都使用vap模板

8.配置Portal准入控制
（1）创建radius服务器模板
[AC1]radius-server template radius
[AC1-radius-radius]radius-server authentication 10.1.26.6 1812 source ip-address 10.1.34.254
[AC1-radius-radius]radius-server accounting 10.1.26.6 1813 source ip-address 10.1.34.254
[AC1-radius-radius]radius-server shared-key cipher ABCabc@123
[AC1-radius-radius]radius-server user-name original
[AC1]radius-server authorization 10.1.26.6 shared-key cipher ABCabc@123
（2）创建aaa认证模板
[AC1]aaa
[AC1-aaa]authentication-scheme radius
[AC1-aaa-authen-radius]authentication-mode radius
[AC1-aaa]accounting-scheme radius
[AC1-aaa-accounting-radius]accounting-mode radius
（3）创建url模板
[AC1]url-template name url_0
[AC1-url-template-url_0]url http://10.1.26.6:8080/portal
（4）创建web-server模板
[AC1]web-auth-server portal_auth
[AC1-web-auth-server-portal_auth]server-ip 10.1.26.6
[AC1-web-auth-server-portal_auth]port 50200 //默认端口
[AC1-web-auth-server-portal_auth]shared-key cipher ABCabc@123
[AC1-web-auth-server-portal_auth]url-template url_0
（5）允许认证前访问Agile controller
[AC1]free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule]free-rule 1 destination ip 10.1.26.6 mask 24
（6）创建portal接入模板
[AC1]portal-access-profile name portal_access_profile
[AC1-portal-access-profile-portal_access_profile]web-auth-server portal_auth direct
（7）创建认证模板，并应用MAC和portal接入模板、认证模板、计费方案及radius服务器
[AC1]authentication-profile name macportal_authen_profile
[AC1-authentication-profile-macportal_authen_profile]portal-access-profile portal_access_profile
[AC1-authentication-profile-macportal_authen_profile]free-rule-template default_free_rule
[AC1-authentication-profile-macportal_authen_profile]authentication-scheme radius
[AC1-authentication-profile-macportal_authen_profile]accounting-scheme radius
[AC1-authentication-profile-macportal_authen_profile]radius-server radius
（8）应用认证模板
[AC1-wlan-view]vap-profile name guest
[AC1-wlan-vap-prof-guest]authentication-profile macportal_authen_profile
9.Agile controller配置略