H3C WX wireless AC interworking with Portal authentication - 管理猿, 12 July 2019

H3C software version: version 7.1.064, Release 5226
Portal version: portalv3
Deployment: public Internet, distributed (AC in bypass mode, "AC旁挂")
H3C AC address: 222.222.222.222
Portal server address: 223.222.222.223
Part 1: Enable debugging on the H3C AC; this is the key to pinpointing the problem. "t d" and "t m" are the abbreviated "terminal debugging" and "terminal monitor", which send debug output to the current terminal session.

<h3c>t d
<h3c>t m
<h3c>debugging portal all
<h3c>debugging radius all
<h3c>system-view
[h3c]info-center enable

Part 2: H3C AC configuration

sysname h3cac
telnet server enable
dhcp enable
dhcp server forbidden-ip 222.222.222.222 222.222.222.50
dhcp server forbidden-ip 222.222.222.254
dns server 114.114.114.114
password-recovery enable
vlan 1
vlan 47
vlan 51
dhcp server ip-pool ap
gateway-list 222.222.222.222
network 222.222.222.0 mask 255.255.255.0             
wlan service-template 3
 ssid @MAV     
 vlan 47       
 portal enable method direct
 portal domain zhuomai
 portal bas-ip 222.222.222.223
 portal apply web-server zhuomai
 portal apply mac-trigger-server zhuomai
 portal fail-permit web-server
 service-template enable              
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan all            
interface NULL0
interface Vlan-interface51
 ip address 222.222.222.222 255.255.255.0
interface GigabitEthernet1/0/7
 port link-mode route
scheduler logfile size 16
line class console
 user-role network-admin
line class vty 
 user-role network-operator
line con 0     
 user-role network-admin
line vty 0 31  
 authentication-mode scheme
 user-role network-operator
ip route-static 0.0.0.0 0 222.222.222.254
undo info-center enable
 undo info-center logfile enable
radius scheme zhuomai
 primary authentication 222.222.222.223
 primary accounting 222.222.222.223
 accounting-on enable
 accounting-on extended
 key authentication simple 123456
 key accounting simple 123456
 timer realtime-accounting 5
 user-name-format without-domain
 nas-ip 222.222.222.222
radius dynamic-author server 
 client ip 222.222.222.223 key simple 123456
domain system  
domain zhuomai 
 authorization-attribute idle-cut 15 10240
 authentication portal radius-scheme zhuomai
 authorization portal radius-scheme zhuomai
 accounting portal radius-scheme zhuomai
domain default enable system
role name level-0
 description Predefined level-0 role
role name level-1
 description Predefined level-1 role
role name level-2
 description Predefined level-2 role
role name level-3
 description Predefined level-3 role
role name level-4
 description Predefined level-4 role
role name level-5
 description Predefined level-5 role
role name level-6
 description Predefined level-6 role
role name level-7
 description Predefined level-7 role
role name level-8
 description Predefined level-8 role
role name level-9
 description Predefined level-9 role
role name level-10
 description Predefined level-10 role
role name level-11
 description Predefined level-11 role
role name level-12
 description Predefined level-12 role
role name level-13
 description Predefined level-13 role
role name level-14
 description Predefined level-14 role
user-group system
local-user admin class manage
 password hash $h$6$koUvnatJatyDj9zM$R0tQ+8ygUsSa8cT003Y8r+/0h36A82IDFod4LLyP6eJgN0zQW0E2XPJAfpTOFqMBccSg37fdTOC58IewXKYtKQ==
 service-type telnet http https
 authorization-attribute user-role network-admin
local-user dja123 class manage
 password hash $h$6$Qudg/FGI+MKCYppQ$8Oi3CSRRjziME2CIXzu4yrj2qvdNYfeLxVpc82liqqHTZ2+IhWa5ntjO193r1wgAUjstrp5zjBoiwjOhm0hWnQ==
 service-type ssh telnet terminal http https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator              
 portal host-check enable
 portal packet log enable
 portal free-rule 0 source ip any destination ip 114.114.114.114 255.255.255.255
 portal free-rule 1 source ip any destination ip 222.222.222.223 255.255.255.255
 portal free-rule 2 source ip any destination ip 202.103.24.68 255.255.255.255
 portal free-rule 3 source ip any destination ip 202.103.44.150 255.255.255.255
 portal free-rule 5 source ip 114.114.114.114 255.255.255.255 destination ip any
 portal free-rule 6 source ip 222.222.222.223 255.255.255.255 destination ip any
 portal free-rule 8 source ip 202.103.44.150 255.255.255.255 destination ip any
 portal free-rule 9 source ip 202.103.24.68 255.255.255.255 destination ip any
 portal free-rule 10 source ip any destination ip 10.98.1.1 255.255.255.255
#              
portal web-server zhuomai
 url https://222.222.222.223:4432
 server-detect interval 500 retry 5 log trap
 server-type cmcc
 url-parameter ssid ssid
 url-parameter usermac source-mac
 url-parameter vlan vlan
 url-parameter wlanacip value 222.222.222.222
 url-parameter wlanacname value h3cac
 url-parameter wlanapmac ap-mac
 url-parameter wlanuserfisturl original-url
 url-parameter wlanuserip source-address
#              
portal server zhuomai
 ip 222.222.222.223 key simple 123456
 server-type cmcc
#              
 ip http enable
 ip https enable
#              
portal mac-trigger-server zhuomai
 ip 222.222.222.223 key simple 123456
 server-type cmcc
 binding-retry 1
 aaa-fail nobinding enable
#              
 wlan auto-ap enable
 wlan auto-persistent enable
#              
wlan global-configuration
#              
wlan ap-group default-group
 vlan 1        
 ap-model WA5530
  radio 1      
   radio enable
   channel band-width 20 
   service-template 1
   service-template 3
  radio 2      
   radio enable
   channel band-width 20 
   service-template 1
   service-template 3
  radio 3      
   radio enable
   service-template 1
   service-template 3
  module 1     
  gigabitethernet 1
  gigabitethernet 2         
  cloud-management server domain oasis.h3c.com
#              
return 
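As an added example (not from the original post or from H3C), the Python script below parses a Comware-style configuration like the one above into sections and checks the points that matter for a Portal/RADIUS deployment over the public Internet: shared keys stored with "simple" (plaintext in the saved config) or too short, keys that differ between the RADIUS scheme, the dynamic-author client and the portal servers, telnet left enabled, and whether portal free-rules let an unauthenticated client reach the DNS and portal server addresses. SAMPLE_CONFIG is a constructed, trimmed excerpt of the configuration above; run audit() on a saved "display current-configuration" dump.

```python
import re
# Constructed, trimmed excerpt of the AC configuration shown on this page.
SAMPLE_CONFIG = """telnet server enable
dns server 114.114.114.114
radius scheme zhuomai
 key authentication simple 123456
radius dynamic-author server
 client ip 222.222.222.223 key simple 123456
portal free-rule 0 source ip any destination ip 114.114.114.114 255.255.255.255
portal free-rule 1 source ip any destination ip 222.222.222.223 255.255.255.255
portal server zhuomai
 ip 222.222.222.223 key simple 123456
portal mac-trigger-server zhuomai
 ip 222.222.222.223 key simple 123456
"""
KEY_RE = re.compile(r"\bkey(?: authentication| accounting)? (simple|cipher) (\S+)")
DEST_RE = re.compile(r"destination ip (\S+)")

def parse_sections(text):  # -> [(top-level command, [indented sub-commands])]
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):  # '#' separates Comware sections
            continue
        if raw.startswith(" ") and sections:  # sub-commands are indented by one space
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(text):  # -> sorted list of findings for the Portal/RADIUS parts of the config
    findings, secrets = set(), {}
    sections = parse_sections(text)
    for head, body in sections:
        for line in [head] + body:
            m = KEY_RE.search(line)
            if m:
                secrets[head] = m.group(2)
                if m.group(1) == "simple":  # 'simple' stores the key in plaintext
                    findings.add(f"plaintext shared key in '{head}'")
                if len(m.group(2)) < 16 or m.group(2).isdigit():
                    findings.add(f"weak shared key in '{head}'")
    if len(set(secrets.values())) > 1:  # every AC-side section must carry the same secret
        findings.add("shared keys differ between RADIUS/portal sections")
    if any(h == "telnet server enable" for h, _ in sections):
        findings.add("telnet server enabled; use ssh only")
    # Before authenticating, a client must still be able to reach DNS and the portal server.
    needed = {h.split()[2] for h, _ in sections if h.startswith("dns server")}
    needed |= {l.split()[1] for h, b in sections if h.startswith("portal server") for l in b if l.startswith("ip ")}
    allowed = {m.group(1) for h, _ in sections if h.startswith("portal free-rule") for m in [DEST_RE.search(h)] if m}
    for ip in sorted(needed - allowed):
        findings.add(f"no portal free-rule lets unauthenticated clients reach {ip}")
    return sorted(findings)
```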

Part 3: Portal server configuration
[Screenshot: QQ截图20190712161907.png]
On the Portal server, the RADIUS device type is set to H3C.
Part 4: FAQ
Both servers are reached through port mapping: the Portal server maps 50100, 1812 and 1813, and the AC server maps 2000 and 3799. All of these are UDP ports.
If the public network has more than one egress link, be sure to make the internal device use the mapped IP as its default egress (a lesson learned the hard way).

Tags: none



Comments: 3 people have already commented

  1. Fix for when the challenge request is rejected
    Configure the portal client validity check for WLAN: portal host-check wlan

    Enable arp-snooping and dhcp-snooping on the device so that the wlan client table is learned from multiple paths, which ensures authentication succeeds promptly.

    Generally, when the configured gateway is not on the AC, you need to add the command portal host-check wlan and enable dhcp-snooping and dhcp-snooping; when enabling dhcp-snooping, make sure to set the port connected to the DHCP server as trusted.

    1. dhcp-snooping enable

  2. In version 7.1.064, Release 5226, the port that receives the RADIUS parameters after successful authentication is a fixed port; not sure whether this is an isolated case.
    That port is floating by default: 58240