
Huawei AR100-S&AR110-S&AR120-S&AR150-S&AR160-S&AR200-S&AR1200-S&AR2200-S&AR3200-S Series Enterprise Routers
CLI-based Typical Configuration Examples

10 Deploying WLAN AP

About This Chapter

10.1 Example for Configuring Wireless User Access to a WLAN


10.2 Example for Configuring WEP Open System Authentication and WEP Encryption
10.3 Example for Configuring Shared Key Authentication and WEP Encryption
10.4 Example for Configuring 802.1x+PEAP+TKIP(V200R003 and V200R005)
10.5 Example for Configuring 802.1x+TKIP (V200R006 and V200R007)
10.6 Example for Configuring 802.1x+PEAP+CCMP(V200R003 and V200R005)
10.7 Example for Configuring 802.1x+CCMP (V200R006 and V200R007)
10.8 Example for Configuring PSK Authentication and TKIP Encryption
10.9 Example for Configuring PSK Authentication and CCMP Encryption
10.10 Example for Configuring WAPI Authentication
10.11 Example for Configuring a WLAN QoS Policy

10.1 Example for Configuring Wireless User Access to a WLAN

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-1, an enterprise provides the WLAN service for users. The device
functions as a Fat AP, serves as a DHCP server to allocate IP addresses to users, and provides
wireless network access service using NAT.

Issue V2.6 (2018-07-06) Huawei Proprietary and Confidential 572


Copyright © Huawei Technologies Co., Ltd.

NAT is configured on GigabitEthernet1/0/0. The public address of AR GigabitEthernet1/0/0 is
202.169.10.1/24 and the interface address of the AR connected to the carrier device is
100.10.20.2/24.

Figure 10-1 Networking diagram of WLAN service configurations

[Diagram labels: STA1, STA2, VLAN 100, Router (FAT AP), GE 1/0/0, Network]

Procedure
Step 1 Configure the Router.
#
dhcp enable
#
vlan batch 100
#
dot1x enable  //Enable 802.1X.
#
interface Vlanif100
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface  //Enable DHCP on VLANIF 100.
#
interface Wlan-Bss1  //Configure the WLAN-BSS interface.
 port hybrid tagged vlan 100
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile.
 traffic-profile name traffic id 1  //Create a traffic profile and retain the default parameter settings.
 security-profile name security id 1  //Create a security profile.
  security-policy wpa2  //Configure the WPA2 security policy.
  wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp  //Set the data encryption mode to CCMP.
 service-set name huawei id 0  //Create a service set.
  Wlan-Bss 1  //Bind the service set to WLAN-BSS 1.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio interface to the radio profile.
 service-set id 0 wlan 1  //Bind the radio interface to the service set.
#
acl number 2000  //Configure ACL 2000.
 rule 1 permit source 192.168.0.0 0.0.0.255  //Configure rule 1 to permit packets with the source IP address of 192.168.0.0.
#
nat address-group 1 202.169.10.100 202.169.10.200  //Configure a public address pool.
#
interface GigabitEthernet1/0/0
 ip address 202.169.10.1 255.255.255.0  //Configure a public IP address.
 nat outbound 2000 address-group 1  //Bind the ACL to the address pool.
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2  //Configure a static route.
#

Step 2 Verify the configuration.

The WLAN with the SSID huawei is available for STAs connected to the AP, and these STAs
can connect to the WLAN.

Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
- The default country code of a Router is CN. You can change it based on actual
  networking.
- After a WMM profile is created, parameters in the profile use default values.
- After a traffic profile is created, parameters in the profile use default values.
- After a security profile is created, you can select the security policy based on actual
  networking. The security policy mode can be WEP, WPA, WPA2, or WAPI.

10.2 Example for Configuring WEP Open System Authentication and WEP Encryption

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-2, the device functions as the Fat AP to provide WLAN services and
uses WEP open system authentication and WEP encryption. The WLAN with the SSID
huawei is available for STAs connected to the AR.

Figure 10-2 Networking of WEP open system authentication and WEP encryption

[Diagram labels: STA1, STA2, VLAN 10, Router (FAT AP), Network]


Procedure
Step 1 Configure the router.
#
vlan 10
#
dhcp enable  //Enable DHCP.
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on VLANIF 10.
#
interface Wlan-Bss0  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 10
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and use WEP open system authentication and WEP-40 encryption.
  security-policy wep  //Configure the WEP security policy.
  wep authentication-method open-system data-encrypt
  wep key wep-40 pass-phrase 0 cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%#  //Configure WEP-40 encryption. Only later versions of ARV200R002C01 support cipher.
  wep default-key 0  //Set the default key ID for WEP encryption.
 service-set name service-set id 0  //Create a service set.
  Wlan-Bss 0  //Bind the service set to the WLAN-BSS 0 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. Users can
use WLAN services with WEP share key.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
- The default country code of the AR router is CN. You can change it based on actual
  networking.


10.3 Example for Configuring Shared Key Authentication and WEP Encryption

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-3, the device functions as the Fat AP to provide WLAN services and
uses open system authentication and WEP encryption. The WLAN with the SSID huawei is
available for STAs connected to the AR.

Figure 10-3 Networking diagram of security policy configurations

[Diagram labels: STA1, STA2, VLAN 10, Router (FAT AP), Network]

Procedure
Step 1 Configure the Router.
#
vlan 10
#
dhcp enable  //Enable DHCP.
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on VLANIF 10.
#
interface Wlan-Bss0  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 10
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and set the authentication mode to WEP shared key authentication and the encryption mode to WEP-40.
  security-policy wep  //Configure the WEP security policy.
  wep authentication-method share-key
  wep key wep-40 pass-phrase 1 cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%#  //Configure WEP-40 encryption. Only later versions of ARV200R002C01 support cipher.
  wep default-key 1  //Set the default key ID for WEP encryption.
 service-set name service-set id 0  //Create a service set.
  Wlan-Bss 0  //Bind the service set to the WLAN-BSS 0 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. The STAs
can associate with the AR.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the Router to view information about all STAs associated with a radio or service
set on a radio.

NOTE

In shared key authentication and WEP encryption mode, after the PC scans the SSID, if you
double-click the SSID and enter the key, association may fail.

----End

Configuration Notes
- The default country code of the router is CN. You can change it based on actual
  networking.

10.4 Example for Configuring 802.1x+PEAP+TKIP(V200R003 and V200R005)

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-4, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+PEAP+TKIP. The WLAN with the SSID huawei is available for STAs
connected to the device.


Figure 10-4 Networking of 802.1x+PEAP+TKIP

[Diagram labels: STA1, STA2, VLAN101, Router (FAT AP), Network, Internet, RADIUS Server 10.137.146.163]

Procedure
Step 1 Configure the Router.
#
dot1x enable  //Enable 802.1x authentication globally.
#
vlan batch 101
#
dhcp enable  //Enable DHCP.
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 101
 dot1x-authentication enable  //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
 dot1x authentication-method eap  //Set the authentication mode to EAP.
#
radius-server template peap.radius.com  //Create a RADIUS server template.
 radius-server authentication 10.137.146.163 1812  //Configure the IP address and port number for the RADIUS authentication server.
 radius-server accounting 10.137.146.163 1813  //Configure the IP address and port number for the RADIUS accounting server.
#
aaa
 authentication-scheme radius  //Create an authentication scheme named RADIUS.
  authentication-mode radius  //Set the authentication mode to RADIUS.
 accounting-scheme radius  //Create an accounting scheme named RADIUS.
  accounting-mode radius  //Set the accounting mode to RADIUS.
 domain peap.radius.com  //Create a domain peap.radius.com.
  authentication-scheme radius  //Apply the authentication scheme named RADIUS to the domain.
  accounting-scheme radius  //Apply the accounting scheme named RADIUS to the domain.
  radius-server peap.radius.com  //Apply the RADIUS server template to the domain.
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and use 802.1x+PEAP+TKIP.
  security-policy wpa
 service-set name ss-1 id 0  //Create a service set.
  Wlan-Bss 1  //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
- The default country code of the AR router is CN. You can change it based on actual
  networking.
- There are reachable routes from the router to the RADIUS server.
- The RADIUS server needs to be configured.
- For security-3, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
- When the security policy is set to WPA2, the default authentication mode is
  802.1x+PEAP+CCMP. This default configuration is not provided in the configuration file.

10.5 Example for Configuring 802.1x+TKIP (V200R006 and V200R007)

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-5, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+TKIP. The WLAN with the SSID huawei is available for STAs connected to the
device.

NOTE

In V200R006 and later versions, the router does not support PEAP authentication.


Figure 10-5 Networking of 802.1x+TKIP

[Diagram labels: STA1, STA2, VLAN101, Router (FAT AP), Network, Internet, RADIUS Server 10.137.146.163]

Procedure
Step 1 Configure the Router.
#
dot1x enable  //Enable 802.1x authentication globally.
#
vlan batch 101
#
dhcp enable  //Enable DHCP.
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 101
 dot1x-authentication enable  //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
 dot1x authentication-method eap  //Set the authentication mode to EAP.
#
radius-server template peap.radius.com  //Create a RADIUS server template.
 radius-server authentication 10.137.146.163 1812  //Configure the IP address and port number for the RADIUS authentication server.
 radius-server accounting 10.137.146.163 1813  //Configure the IP address and port number for the RADIUS accounting server.
#
aaa
 authentication-scheme radius  //Create an authentication scheme named RADIUS.
  authentication-mode radius  //Set the authentication mode to RADIUS.
 accounting-scheme radius  //Create an accounting scheme named RADIUS.
  accounting-mode radius  //Set the accounting mode to RADIUS.
 domain peap.radius.com  //Create a domain peap.radius.com.
  authentication-scheme radius  //Apply the authentication scheme named RADIUS to the domain.
  accounting-scheme radius  //Apply the accounting scheme named RADIUS to the domain.
  radius-server peap.radius.com  //Apply the RADIUS server template to the domain.
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and use 802.1x+TKIP.
  security-policy wpa
 service-set name ss-1 id 0  //Create a service set.
  Wlan-Bss 1  //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
- The default country code of the AR router is CN. You can change it based on actual
  networking.
- There are reachable routes from the router to the RADIUS server.
- The RADIUS server needs to be configured.
- For security-3, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
- When the security policy is set to WPA2, the default authentication mode is
  802.1x+CCMP. This default configuration is not provided in the configuration file.

10.6 Example for Configuring 802.1x+PEAP+CCMP(V200R003 and V200R005)

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-6, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+PEAP+CCMP. The WLAN with the SSID huawei is available for STAs
connected to the device.


Figure 10-6 Networking of 802.1x+PEAP+CCMP

[Diagram labels: STA1, STA2, VLAN102, Router (FAT AP), Network, Internet, RADIUS Server 10.137.146.163]

Procedure
Step 1 Configure the Router.
#
dot1x enable  //Enable 802.1x authentication globally.
#
vlan batch 102
#
dhcp enable  //Enable DHCP.
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 102
 dot1x-authentication enable  //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
 dot1x authentication-method eap  //Set the authentication mode to EAP.
#
radius-server template peap.radius.com  //Create a RADIUS server template.
 radius-server authentication 10.137.146.163 1812  //Configure the IP address and port number for the RADIUS authentication server.
 radius-server accounting 10.137.146.163 1813  //Configure the IP address and port number for the RADIUS accounting server.
 radius-server shared-key simple huawei  //Configure the shared key. The AR and RADIUS server must use the same shared key.
#
aaa
 authentication-scheme radius  //Create an authentication scheme named RADIUS.
  authentication-mode radius  //Set the authentication mode to RADIUS.
 accounting-scheme radius  //Create an accounting scheme named RADIUS.
  accounting-mode radius  //Set the accounting mode to RADIUS.
 domain peap.radius.com  //Create a domain peap.radius.com.
  authentication-scheme radius  //Apply the authentication scheme named RADIUS to the domain.
  accounting-scheme radius  //Apply the accounting scheme named RADIUS to the domain.
  radius-server peap.radius.com  //Apply the RADIUS server template to the domain.
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and use 802.1x+PEAP+CCMP.
  security-policy wpa2
 service-set name ss-1 id 0  //Create a service set.
  Wlan-Bss 1  //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
- The default country code of the AR router is CN. You can change it based on actual
  networking.
- There are reachable routes from the router to the RADIUS server.
- The RADIUS server needs to be configured.
- For security, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
- When the security policy is set to WPA2, the default authentication mode is
  802.1x+PEAP+CCMP. This default configuration is not provided in the configuration file.

10.7 Example for Configuring 802.1x+CCMP (V200R006 and V200R007)

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.


Networking Requirements
As shown in Figure 10-7, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+CCMP. The WLAN with the SSID huawei is available for STAs connected to
the device.

NOTE

In V200R006 and later versions, the router does not support PEAP authentication.

Figure 10-7 Networking of 802.1x+CCMP

[Diagram labels: STA1, STA2, VLAN102, Router (FAT AP), Network, Internet, RADIUS Server 10.137.146.163]

Procedure
Step 1 Configure the Router.
#
dot1x enable  //Enable 802.1x authentication globally.
#
vlan batch 102
#
dhcp enable  //Enable DHCP.
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 102
 dot1x-authentication enable  //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
 dot1x authentication-method eap  //Set the authentication mode to EAP.
#
radius-server template peap.radius.com  //Create a RADIUS server template.
 radius-server authentication 10.137.146.163 1812  //Configure the IP address and port number for the RADIUS authentication server.
 radius-server accounting 10.137.146.163 1813  //Configure the IP address and port number for the RADIUS accounting server.
 radius-server shared-key simple huawei  //Configure the shared key. The AR and RADIUS server must use the same shared key.
#
aaa
 authentication-scheme radius  //Create an authentication scheme named RADIUS.
  authentication-mode radius  //Set the authentication mode to RADIUS.
 accounting-scheme radius  //Create an accounting scheme named RADIUS.
  accounting-mode radius  //Set the accounting mode to RADIUS.
 domain peap.radius.com  //Create a domain peap.radius.com.
  authentication-scheme radius  //Apply the authentication scheme named RADIUS to the domain.
  accounting-scheme radius  //Apply the accounting scheme named RADIUS to the domain.
  radius-server peap.radius.com  //Apply the RADIUS server template to the domain.
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and use 802.1x+CCMP.
  security-policy wpa2
 service-set name ss-1 id 0  //Create a service set.
  Wlan-Bss 1  //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
- The default country code of the AR router is CN. You can change it based on actual
  networking.
- There are reachable routes from the router to the RADIUS server.
- The RADIUS server needs to be configured.
- For security, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
- When the security policy is set to WPA2, the default authentication mode is
  802.1x+CCMP. This default configuration is not provided in the configuration file.
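
Because default authentication and encryption modes are not written to the configuration file, a saved configuration does not show directly which protection each SSID ends up with. The following Python code is an added example, not part of the Huawei guide: it parses configuration text in this chapter's format, resolves each service set to its security profile, applies the WPA and WPA2 defaults described in sections 10.4 to 10.7, and flags WEP, TKIP and RADIUS shared keys stored with `simple`. The sample configuration, its SSIDs and key, the `dot1x` label and the verdict strings are constructed for illustration.

```python
import re

# Defaults stated in this chapter (sections 10.4 to 10.7) for a security profile
# with no explicit authentication line: WPA -> 802.1x+TKIP, WPA2 -> 802.1x+CCMP.
DEFAULTS = {"wpa": ("dot1x", "tkip"), "wpa2": ("dot1x", "ccmp")}

PROFILE_DEF = re.compile(r"security-profile name (\S+) id (\d+)$")
PROFILE_REF = re.compile(r"security-profile id (\d+)$")
SERVICE_SET = re.compile(r"service-set name (\S+) id (\d+)$")
OTHER_VIEW = re.compile(r"(wmm|traffic|radio)-profile name |interface |aaa$")

# Constructed sample in the style of the chapter's examples (not a device dump).
SAMPLE = """\
radius-server template peap.radius.com
 radius-server shared-key simple EXAMPLE-KEY   //plaintext key in the config file
#
wlan
 security-profile name sec-wep id 1
  security-policy wep
  wep authentication-method share-key
 security-profile name sec-wpa id 2   //no explicit method: chapter default applies
  security-policy wpa
 security-profile name sec-wpa2 id 3
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher <ciphertext> encryption-method ccmp
 service-set name ss-legacy id 0
  ssid lab-legacy
  security-profile id 1
 service-set name ss-dot1x id 1
  ssid lab-dot1x
  security-profile id 2
 service-set name ss-psk id 2
  ssid lab-psk
  security-profile id 3
"""


def parse(config):
    """Return (profiles by id, service sets, count of plaintext RADIUS keys)."""
    profiles, service_sets, plaintext_keys = {}, [], 0
    ctx = None  # profile or service set whose sub-commands are being read
    for raw in config.splitlines():
        # Drop the guide's // annotations; require whitespace before // so a
        # ciphertext string that happens to contain "//" is not cut.
        line = re.sub(r"\s+//.*$", "", raw).strip()
        if not line:
            continue
        if line == "#" or OTHER_VIEW.match(line):
            ctx = None
        elif m := PROFILE_DEF.match(line):
            ctx = {"kind": "profile", "name": m.group(1),
                   "policy": None, "auth": None, "cipher": None}
            profiles[m.group(2)] = ctx
        elif m := SERVICE_SET.match(line):
            ctx = {"kind": "set", "name": m.group(1), "ssid": None, "profile": None}
            service_sets.append(ctx)
        elif line.startswith("radius-server shared-key simple "):
            plaintext_keys += 1  # count only; never echo the key itself
        elif ctx and ctx["kind"] == "profile":
            if m := re.match(r"security-policy (\S+)$", line):
                ctx["policy"] = m.group(1)
            elif m := re.match(r"(wep|wpa2?) authentication-method (\S+)", line):
                ctx["auth"] = m.group(2)
                if m.group(1) == "wep":
                    ctx["cipher"] = "wep"
            # Searched separately so that a pass-phrase wrapped onto the next
            # line (as in extracted PDF text) still yields the cipher.
            if m := re.search(r"encryption-method (\S+)", line):
                ctx["cipher"] = m.group(1)
        elif ctx and ctx["kind"] == "set":
            if m := re.match(r"ssid (\S+)$", line):
                ctx["ssid"] = m.group(1)
            elif m := PROFILE_REF.match(line):
                ctx["profile"] = m.group(1)
    return profiles, service_sets, plaintext_keys


def audit(config):
    """Return ([(ssid, policy, auth, cipher, verdict), ...], plaintext key count)."""
    profiles, service_sets, plaintext_keys = parse(config)
    rows = []
    for ss in service_sets:
        prof = profiles.get(ss["profile"])
        if prof is None:
            rows.append((ss["ssid"], None, None, None, "review: no profile resolved"))
            continue
        policy = prof["policy"]
        d_auth, d_cipher = DEFAULTS.get(policy, (None, None))
        auth, cipher = prof["auth"] or d_auth, prof["cipher"] or d_cipher
        if policy == "wep" or cipher == "wep":
            verdict = "weak: WEP"
        elif cipher and "tkip" in cipher:
            verdict = "weak: TKIP"
        elif cipher == "ccmp":
            verdict = "ok"
        else:
            verdict = "review"
        rows.append((ss["ssid"], policy, auth, cipher, verdict))
    return rows, plaintext_keys


if __name__ == "__main__":
    rows, keys = audit(SAMPLE)
    for row in rows:
        print(*row, sep="\t")
    print("RADIUS shared keys stored with 'simple':", keys)
```
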


10.8 Example for Configuring PSK Authentication and TKIP Encryption

Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-8, the device functions as the Fat AP to provide WLAN services and
uses PSK+TKIP. The WLAN with the SSID huawei is available for STAs connected to the
device.

Figure 10-8 Networking of PSK authentication and TKIP encryption

[Diagram labels: STA1, STA2, VLAN 102, Router (FAT AP), Network]

Procedure
Step 1 Configure the Router.
#
vlan 102
#
dhcp enable  //Enable DHCP.
#
dot1x enable  //Enable 802.1x. PSK key negotiation is carried in EAPoL packets; therefore, 802.1x must be enabled.
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface  //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1  //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 102
#
wlan
 wmm-profile name wmm id 1  //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1  //Create a traffic profile and use default settings.
 security-profile name security id 1  //Create a security profile named security, and use WPA+PSK+TKIP.
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method tkip
 service-set name ss-1 id 0  //Create a service set.
  Wlan-Bss 1  //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei  //Specify the SSID.
  traffic-profile id 1  //Bind the service set to the traffic profile.
  security-profile id 1  //Bind the service set to the security profile.
 radio-profile name radio-1 id 1  //Create a radio profile.
  wmm-profile id 1  //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1  //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1  //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. Users must
enter the preshared key 0123456789 to use WLAN services.
# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.

10.9 Example for Configuring PSK Authentication and CCMP Encryption
Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-9, the device functions as the Fat AP to provide WLAN services and
uses PSK+CCMP. The WLAN with the SSID huawei is available for STAs connected to the
device.

Figure 10-9 Networking of PSK authentication and CCMP encryption
[Diagram: STA1 and STA2 in VLAN 101, Router (FAT AP), Network]

Procedure
Step 1 Configure the Router.

#
vlan 101
#
dhcp enable //Enable DHCP.
#
dot1x enable //Enable 802.1x. The PSK must be transmitted in EAPoL packets; therefore, 802.1x must be enabled.
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 101
#
wlan
 wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
 security-profile name security id 1 //Create a security profile named security, and use WPA2+PSK+CCMP.
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp
 service-set name ss-1 id 0 //Create a service set.
  Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei //Specify the SSID.
  traffic-profile id 1 //Bind the service set to the traffic profile.
  security-profile id 1 //Bind the service set to the security profile.
 radio-profile name radio-1 id 1 //Create a radio profile.
  wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1 //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. Users must
enter the preshared key to use WLAN services.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.
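
A small audit for the security profiles configured in 10.8 and 10.9, added here as an example and not part of the Huawei document: it parses a saved configuration and reports profiles that still use WPA or TKIP (TKIP is deprecated in IEEE 802.11; the WPA2+CCMP profile in 10.9 is its replacement) and service sets bound to a security-profile id that is never defined. The function name audit, the sample configuration, and the <ciphertext> placeholder are assumptions of this example.

```python
import re

# Constructed sample in the flattened layout this page uses.
# <ciphertext> is a placeholder for the stored pass-phrase cipher text.
SAMPLE = """\
wlan
security-profile name security id 1 //WPA+PSK+TKIP, as in 10.8
security-policy wpa
wpa authentication-method psk pass-phrase cipher <ciphertext> encryption-method tkip
security-profile name security-ccmp id 2 //WPA2+PSK+CCMP, as in 10.9
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher <ciphertext> encryption-method ccmp
service-set name ss-1 id 0
ssid huawei
security-profile id 1
service-set name ss-2 id 1
ssid huawei-2
security-profile id 3
"""

def audit(config):
    """Return findings for security profiles and service-set bindings."""
    profiles, bindings, cur, ssid = {}, [], None, None
    for raw in config.splitlines():
        line = re.split(r"\s//", raw, maxsplit=1)[0].strip()  # drop //comments
        if m := re.match(r"security-profile name (\S+) id (\d+)$", line):
            cur = profiles[int(m[2])] = {"name": m[1], "policy": None, "cipher": None}
        elif (m := re.match(r"security-policy (\S+)", line)) and cur is not None:
            cur["policy"] = m[1]
        elif (m := re.search(r"\bencryption-method (\S+)", line)) and cur is not None:
            cur["cipher"] = m[1]
        elif re.match(r"service-set name \S+ id \d+$", line):
            cur, ssid = None, None      # leave the security-profile view
        elif m := re.match(r"ssid (\S+)", line):
            ssid = m[1]
        elif m := re.match(r"security-profile id (\d+)$", line):
            bindings.append((ssid, int(m[1])))  # binding inside a service set
    findings = []
    for pid, p in sorted(profiles.items()):
        if p["policy"] == "wpa" or p["cipher"] == "tkip":
            findings.append(f"profile {pid} ({p['name']}): {p['policy']}/{p['cipher']}"
                            " is legacy; use wpa2 with ccmp")
    for ssid, pid in bindings:
        if pid not in profiles:
            findings.append(f"SSID {ssid}: security-profile id {pid} is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The parser does not depend on indentation, so it works on the flattened text shown on this page as well as on configuration saved from a device.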

10.10 Example for Configuring WAPI Authentication


Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-10, the device functions as the Fat AP to provide WLAN services and
uses WAPI. The WLAN with the SSID huawei is available for STAs connected to the device.

Figure 10-10 Networking of WAPI authentication
[Diagram: STA1 and STA2 in VLAN 101, Router (FAT AP), Network, Internet, ASU Server 10.10.10.1]

Procedure
Step 1 Configure the Router.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
 port hybrid tagged vlan 101
#
wlan
 wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
 traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
 security-profile name security id 1 //Create a security profile named security.
  security-policy wapi //Configure WAPI authentication.
  wapi asu ip 10.10.10.1 //Set the ASU server IP address to 10.10.10.1.
  wapi import certificate ap file-name flash:/huawei-ap.cer //Specify the AP certificate file path and file name.
  wapi import certificate asu file-name flash:/huawei-asu.cer //Specify the ASU certificate file path and file name.
  wapi import certificate issuer file-name flash:/huawei-issuer.cer //Specify the issuer certificate file path and file name.
  wapi import private-key file-name flash:/huawei-ap.cer //Specify the private key file path and file name.
 service-set name ss-1 id 0 //Create a service set.
  Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
  ssid huawei //Specify the SSID.
  traffic-profile id 1 //Bind the service set to the traffic profile.
  security-profile id 1 //Bind the service set to the security profile.
 radio-profile name radio-1 id 1 //Create a radio profile.
  wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
 radio-profile id 1 //Bind the radio profile to the radio interface.
 service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.
• A reachable route must exist from the router to the ASU server.
• The ASU server needs to be configured.
• Before you configure the security policy, the AP certificate huawei-ap.cer, ASU
  server certificate huawei-asu.cer, issuer certificate huawei-issuer.cer, and AP private
  key certificate huawei-ap.cer must already be stored on the device.

10.11 Example for Configuring a WLAN QoS Policy


Specifications
This example applies only to the AR121W-S, AR101W-S, AR101GW-Lc-S, AR151W-P-S,
AR161W-S, and AR1220W-S.

Networking Requirements
As shown in Figure 10-11, STA1 and STA2 are connected to the network through the Router.
The Router functions as a Fat AP, and STA2 is a VIP customer. The requirements are as
follows:
• Video service requirements of STA1 and STA2 are met first.
• Communication requirements of STA2 are met first when the network bandwidth is
  insufficient.

Figure 10-11 Networking diagram of WLAN QoS policy configurations
[Diagram: STA1 in VLAN 101, STA2 (VIP) in VLAN 102, Router (FAT AP), Network]

Procedure
Step 1 Configure the Router.
#
dhcp enable //Enable DHCP.
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface //Enable DHCP on the VLANIF interface.
#
interface Vlanif102
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
#
interface Wlan-Bss1 //Configure the WLAN-BSS interface.
 port hybrid tagged vlan 101
#
interface Wlan-Bss2
 port hybrid tagged vlan 102
#
wlan
 wmm-profile name wmmf id 0
 wmm-profile name huawei-vi id 1 //Create a WMM profile huawei-vi.
  wmm edca ap ac-vi aifsn 1 ecw ecwmin 1 ecwmax 1 txoplimit 36 //Modify EDCA parameters for video queues on an AP to increase the priority of video services.
  wmm edca client ac-vi aifsn 1 ecw ecwmin 1 ecwmax 3 txoplimit 36 //Modify EDCA parameters for video queues on a STA to increase the priority of video services.
 traffic-profile name traf id 0
 traffic-profile name huawei id 1 //Create a traffic profile huawei.
  rate-limit client up 512 //Limit the STA upstream rate to 512 kbit/s.
  rate-limit vap up 1024 //Limit the VAP upstream rate to 1024 kbit/s.
 traffic-profile name huawei-vip id 2 //Create a traffic profile huawei-vip.
  rate-limit client up 1024 //Limit the STA upstream rate to 1024 kbit/s.
  rate-limit vap up 2048 //Limit the VAP upstream rate to 2048 kbit/s.
 security-profile name secf id 0
 security-profile name huawei id 1 //Create a security profile huawei and use default parameters.
 service-set name huawei-1 id 0 //Create a service set huawei-1.
  Wlan-Bss 1
  ssid huawei-1 //Configure an SSID huawei-1.
  traffic-profile id 1 //Bind the traffic profile huawei to the service set.
  security-profile id 1
 service-set name huawei-2 id 1 //Create a service set huawei-2.
  Wlan-Bss 2
  ssid huawei-2 //Configure an SSID huawei-2.
  traffic-profile id 2 //Bind the traffic profile huawei-vip to the service set.
  security-profile id 1
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name huawei-vi id 1
  wmm-profile id 1
#
interface Wlan-Radio0/0/0
 radio-profile id 1 //Bind the radio profile huawei-vi to the radio interface.
 service-set id 0 wlan 1 //Bind the service set huawei-1 to the radio interface.
 service-set id 1 wlan 2 //Bind the service set huawei-2 to the radio interface.

Step 2 Verify the configuration.

# Two WLANs with SSIDs huawei-1 and huawei-2 are available for STAs connected to the
Router. STA1 and STA2 select the WLANs with SSIDs huawei-1 and huawei-2, respectively.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the Router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of a Router is CN. You can change it based on actual
  networking.
• You can improve the priority of video services by modifying the following parameters
  for the AC_VI queue in the WMM profile: arbitration inter frame spacing number
  (AIFSN), exponent form of minimum contention window (ECWmin), exponent form of
  maximum contention window (ECWmax), and transmission opportunity limit
  (TXOPlimit).
