(1)胖AP配置
# Fat AP, layer-3 addressing and DHCP for the wireless client subnet.
# Address used to interconnect with the layer-3 switch. The same address is
# used further down this page as the RADIUS nas-ip and as the device address
# registered on iMC.
interface Vlan-interface1
ip address 192.168.0.50 255.255.255.0
# Default route; the next hop is the layer-3 switch
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
#
vlan 10
# Service gateway for the wireless clients
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
# DHCP address pool for the wireless clients: hands out the 192.168.10.0/24
# range together with the gateway address and the DNS server
dhcp server ip-pool vlan10
network 192.168.10.0 mask 255.255.255.0
gateway-list 192.168.10.1
dns-list 114.114.114.114
# Keep DHCP from handing out the gateway address
dhcp server forbidden-ip 192.168.10.1
# Enable DHCP
dhcp enable
# Fat AP, 802.1X / RADIUS side: port security, the RADIUS scheme, and the ISP domain that uses it.
# Enable port security
port-security enable
# 802.1X authentication method is EAP. The EAP-PEAP access policy configured
# on iMC later in this page presumably depends on EAP being relayed to the server.
dot1x authentication-method eap
# RADIUS scheme: authentication (authorization) server, accounting server and shared keys
radius scheme yanghaiyan
server-type extended
primary authentication 10.88.142.172
primary accounting 10.88.142.172
# NOTE(review): the shared keys below are entered in plaintext form ("simple")
# and 123456 is a trivially guessable value. The shared key is what
# authenticates the RADIUS exchange between this AP and the server at
# 10.88.142.172, so outside a lab use a long random secret (the same value has
# to be set for this device on iMC) and keep it out of published configs.
key authentication simple 123456
key accounting simple 123456
# User names are sent to the server without the domain part
user-name-format without-domain
# Source address of RADIUS packets; matches the Vlan-interface1 address of the AP
nas-ip 192.168.0.50
# ISP domain that references the RADIUS scheme for authentication, authorization and accounting
domain yanghaiyan
authentication lan-access radius-scheme yanghaiyan
authorization lan-access radius-scheme yanghaiyan
accounting lan-access radius-scheme yanghaiyan
# Wireless BSS interface: hybrid port, PVID set to service VLAN 10, VLAN 10
# sent untagged, port-security mode userlogin-secure-ext, mandatory
# authentication domain, 802.1X handshake and multicast trigger turned off.
interface WLAN-BSS10
port link-type hybrid
# Take VLAN 1 (the VLAN of the AP's interconnect address) off the wireless port
undo port hybrid vlan 1
port hybrid vlan 10 untagged
port hybrid pvid vlan 10
port-security port-mode userlogin-secure-ext
# presumably enables 802.11 key negotiation on the port; confirm against the command reference
port-security tx-key-type 11key
# Every 802.1X user on this port is authenticated in domain yanghaiyan
dot1x mandatory-domain yanghaiyan
undo dot1x handshake
undo dot1x multicast-trigger
# Crypto-type wireless service template: SSID, cipher suite and security IE.
# The client output at the end of this page reports the result as WPA2(RSN)
# with AES-CCMP.
wlan service-template 10 crypto
ssid yhy_fat-ap_imc-1x
cipher-suite ccmp
security-ie rsn
service-template enable
# Bind the service template to the BSS interface under the radio
interface WLAN-Radio1/0/2
service-template 10 interface wlan-bss 10
(2)三層交換機配置
# Layer-3 switch: routes between the AP segment (VLAN 50) and the iMC server segment.
# Address used to interconnect with the iMC server
interface Vlan-interface1
ip address 10.88.142.102 255.255.255.0
# Interface connected to the iMC server. No VLAN command is shown for it, so
# it presumably stays in the default VLAN; confirm on the device.
interface GigabitEthernet1/0/1
#
vlan 50
# Address used to interconnect with the AP
interface Vlan-interface50
ip address 192.168.0.1 255.255.255.0
# Interface connected to the AP
interface GigabitEthernet1/0/5
port access vlan 50
poe enable
# Return route for the wireless client subnet; the next hop is the AP.
# NOTE(review): no packet filter is shown on this page, and the test section
# reports that authenticated clients can reach the iMC server. Confirm whether
# the client subnet should have routed access to the server segment at all.
ip route-static 192.168.10.0 24 192.168.0.50
(3)iMC伺服器配置
#導入根證書
#導入伺服器證書,注意要輸入私鑰密碼
#增加接入裝置,注意業務類型為“LAN接入業務”,密碼(即共享密鑰,須與AP上radius方案中配置的key一致)要正確,以AP的管理位址(192.168.0.50)增加到裝置清單
#增加接入策略,首選EAP類型選擇“EAP-PEAP”,子類型為“EAP-MSCHAPv2”
#增加接入服務,調用接入策略
#增加接入使用者,配置賬號密碼,調用接入服務
(4)測試
#打開iNode用戶端,安全類型選WPA2,加密類型選AES,EAP類型選PEAP,子類型選MS-CHAPv2;用戶端應啟用伺服器證書驗證,只信任簽發iMC伺服器證書的CA,避免把賬號密碼交給未經驗證的認證伺服器
#輸入賬号密碼,認證成功
#認證通過後,無線終端和iMC伺服器連通性正常
#iMC伺服器上檢視使用者已經線上
#檢視終端線上表項
display wlan client
Total Number of Clients : 1
Client Information
SSID: yhy_fat-ap_imc-1x
---------------------------------------------------------------------
MAC Address User Name APID/RID IP Address VLAN
---------------------------------------------------------------------
6480-99e9-3478 bTNZG... 1 /2 192.168.10.3 10
---------------------------------------------------------------------
#檢視終端詳細資訊
dis wlan client verbose
Total Number of Clients : 1
Client Information
---------------------------------------------------------------------
MAC Address : 6480-99e9-3478
User Name : b2cJHRgDMXQtSx1jJ1F+fQJPZcM= yhy
AID : 1
Radio Interface : WLAN-Radio1/0/2
SSID : yhy_fat-ap_imc-1x
BSSID : 70f9-6daf-ee10
Port : WLAN-BSS10
VLAN : 10
……
RSSI : 36
Rx/Tx Rate : 65/144.4
Client Type : WPA2(RSN)
Authentication Method : Open System
Authentication Mode : Central
AKM Method : Dot1X
4-Way Handshake State : PTKINITDONE
Group Key State : IDLE
Encryption Cipher : AES-CCMP
……
---------------------------------------------------------------------