Huawei: Example for Configuring a Hotspot 2.0 Wireless Network

Networking Diagram

Figure 1 Networking diagram for configuring a Hotspot 2.0 wireless network

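Networking Requirements

A network service provider is adding WLAN access on top of its existing mobile network services to give users a better network experience. With traditional WLAN services, however, users must manually select an SSID, connect to the network, and enter authentication information, which makes for a poor experience. To improve this, the provider deploys Hotspot 2.0 and uses the SIM as the user's identity credential, so that users are connected to the correct network automatically and transparently.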

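Configuration Roadmap

Configure the Hotspot 2.0 service as follows:

  1. Configure network connectivity and basic WLAN services. For basic WLAN service configuration, see the example for configuring a FAT AP Layer 2 network.
  2. Configure WPA2-802.1X authentication based on the service provider's AAA server information.
  3. Configure the AP to block downlink broadcast/multicast packets.
  4. Configure the Hotspot 2.0 service based on the service provider's network information.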
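
Table 1 Data plan (configuration item: data)

  • DHCP server: The AP functions as the DHCP server and assigns IP addresses to STAs.
  • AP IP address: 10.23.101.1/24
  • STA IP address pool: 10.23.101.3 to 10.23.101.254/24
  • SSID profile
      * Name: wlan-ssid
      * SSID name: wlan-net
  • Security profile
      * Name: wlan-security
      * Security policy: WPA2+802.1X+AES
  • Authentication profile
      * Name: wlan-dot1x
      * Referenced profile: 802.1X access profile wlan-dot1x
      * Authentication scheme: wlan-authen
  • Traffic profile
      * Name: wlan-traffic
      * Functions: ARP proxy and ND proxy; downlink broadcast/multicast packets denied
  • Hotspot 2.0 profile
      * Name: wlan-hs2
      * Network type: free public network
      * P2P cross connection: not disabled
      * Venue type: coffee shop (group code 1, type code 13)
      * HESSID: 60de-4476-e360
      * IP address availability: IPv4 and IPv6 available
      * Network authentication type: acceptance of terms and conditions required
      * Cellular network information: 46000
      * Connection capability: SSH allowed
      * Operator friendly name: mobileA
      * Operating class indication: 81
      * Operator domain name: www.mobileA.com
      * NAI realm: www.mobileA.com
      * Venue name: Coffee
      * Roaming consortium OI: 50-6f-9a
  • VAP profile
      * Name: wlan-vap
      * Service VLAN: 101
      * Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, traffic profile wlan-traffic, Hotspot 2.0 profile wlan-hs2, authentication profile wlan-dot1x
  • AAA server
      * AAA type: RADIUS
      * Authentication server IP address: 10.24.100.1
      * Authentication server port: 1812
      * RADIUS server shared key: Huawei@123
      * Retransmission count: 2
      * RADIUS authentication mode: RADIUS authentication first, then local authentication
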
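Configuration Notes

Because the protocol provides no ACK mechanism for pure multicast packets on the air interface, and air-interface links are unstable, multicast packets are usually sent at low rates so that they can be delivered reliably. If a large volume of abnormal multicast traffic floods in from the network side, the air interface becomes congested. To reduce the impact of large numbers of low-rate multicast packets on the wireless network, configure multicast packet suppression on the switch interface directly connected to the AP. Before configuring it, confirm whether multicast services are in use; if they are, set the rate limit with care.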

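Procedure
  1. Configure network connectivity and basic WLAN services. For basic WLAN service configuration, see the example for configuring a FAT AP Layer 2 network. The peer address of the AP's uplink is 10.23.101.2/24.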

  2. Configure WPA2-802.1X authentication.

    # Configure a RADIUS server template.
    <AP> system-view
    [AP] radius-server template wlan-radius
    [AP-radius-wlan-radius] radius-server authentication 10.24.100.1 1812
    [AP-radius-wlan-radius] radius-server shared-key cipher Huawei@123
    [AP-radius-wlan-radius] radius-server retransmit 2
    [AP-radius-wlan-radius] undo radius-server user-name domain-included
    [AP-radius-wlan-radius] quit
    # Configure an AAA authentication scheme that tries RADIUS authentication first.
    [AP] aaa
    [AP-aaa] authentication-scheme wlan-authen
    [AP-aaa-authen-wlan-authen] authentication-mode radius local
    [AP-aaa-authen-wlan-authen] quit
    [AP-aaa] quit
    # Configure an 802.1X access profile that uses EAP relay mode.
    [AP] dot1x-access-profile name wlan-dot1x
    [AP-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
    [AP-dot1x-access-profile-wlan-dot1x] quit
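    # Configure an authentication profile that references the AAA authentication scheme, RADIUS server template, and 802.1X access profile configured above.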
    [AP] authentication-profile name wlan-dot1x
    [AP-authentication-profile-wlan-dot1x] dot1x-access-profile wlan-dot1x
    [AP-authentication-profile-wlan-dot1x] authentication-scheme wlan-authen
    [AP-authentication-profile-wlan-dot1x] radius-server wlan-radius
    [AP-authentication-profile-wlan-dot1x] quit
    # Configure the WPA2-802.1X-AES security policy.
    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
    [AP-wlan-sec-prof-wlan-security] quit
    [AP-wlan-view] quit
    # Configure a static route to the RADIUS server.
    [AP] ip route-static 10.24.100.1 32 10.23.101.2
  3. Configure a traffic profile that prevents the AP from forwarding downlink broadcast/multicast packets.

    [AP] wlan
    [AP-wlan-view] traffic-profile name wlan-traffic
    [AP-wlan-traffic-prof-wlan-traffic] traffic-optimize arp-proxy enable
    [AP-wlan-traffic-prof-wlan-traffic] traffic-optimize bcmc deny all
    [AP-wlan-traffic-prof-wlan-traffic] quit
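  4. Configure the Hotspot 2.0 service.

    # Configure the profiles according to the network parameters supplied by the service provider and create a Hotspot 2.0 profile named "wlan-hs2". Before referencing it, make sure the VAP profile already references the WPA2-802.1X security profile.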
    
    [AP-wlan-view] cellular-network-profile name wlan-hs2
    [AP-wlan-cellular-network-prof-wlan-hs2] plmn-id 46000
    [AP-wlan-cellular-network-prof-wlan-hs2] quit
    [AP-wlan-view] connection-capability-profile name wlan-hs2
    [AP-wlan-co-cap-prof-wlan-hs2] connection-capability tcp-ssh on
    [AP-wlan-co-cap-prof-wlan-hs2] quit
    [AP-wlan-view] operator-name-profile name wlan-hs2
    [AP-wlan-wlan-op-name-prof-wlan-hs2] operator-friendly-name language-code eng name mobileA
    [AP-wlan-wlan-op-name-prof-wlan-hs2] quit
    [AP-wlan-view] operating-class-profile name wlan-hs2
    [AP-wlan-op-class-prof-wlan-hs2] operating-class-indication 81
    [AP-wlan-op-class-prof-wlan-hs2] quit
    [AP-wlan-view] operator-domain-profile name wlan-hs2
    [AP-wlan-op-domain-prof-wlan-hs2] domain-name www.mobileA.com
    [AP-wlan-op-domain-prof-wlan-hs2] quit
    [AP-wlan-view] nai-realm-profile name wlan-hs2
    [AP-wlan-nai-realm-prof-wlan-hs2]  nai-realm realm-name www.mobileA.com
    [AP-wlan-nai-realm-prof-wlan-hs2] quit
    [AP-wlan-view] venue-name-profile name wlan-hs2
    [AP-wlan-ve-na-prof-wlan-hs2] venue-name language-code eng name Coffee
    [AP-wlan-ve-na-prof-wlan-hs2] quit
    [AP-wlan-view] roaming-consortium-profile name wlan-hs2
    [AP-wlan-ro-co-prof-wlan-hs2] roaming-consortium-oi 50-6f-9a in-beacon
    [AP-wlan-ro-co-prof-wlan-hs2] quit
    [AP-wlan-view] hotspot2-profile name wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] network-type public-free internet-access
    [AP-wlan-hotspot2-prof-wlan-hs2] undo p2p-cross-connect disable
    [AP-wlan-hotspot2-prof-wlan-hs2] venue-type group-code 1 type-code 13
    [AP-wlan-hotspot2-prof-wlan-hs2] hessid 60de-4476-e360
    [AP-wlan-hotspot2-prof-wlan-hs2] ipv4-address-avail available
    [AP-wlan-hotspot2-prof-wlan-hs2] network-authen-type acceptance
    [AP-wlan-hotspot2-prof-wlan-hs2] cellular-network-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] connection-capability-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] operator-name-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] operating-class-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] operator-domain-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] nai-realm-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] venue-name-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] roaming-consortium-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] quit
  5. Apply the authentication profile, traffic profile, and Hotspot 2.0 profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] authentication-profile wlan-dot1x
     Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-vap-prof-wlan-vap] traffic-profile wlan-traffic
     Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-vap-prof-wlan-vap] hotspot2-profile wlan-hs2
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
  6. Verify the configuration.

    After the configuration is complete, run the display vap ssid wlan-net command. If the "Status" field shows "ON", the VAP has been created on the corresponding AP radio.
    
    [AP] display vap ssid wlan-net
    WID : WLAN ID
    --------------------------------------------------------------------------------
    AP MAC         RfID WID  SSID     BSSID          Status  Auth type   STA
    --------------------------------------------------------------------------------
    00bc-da3f-e900 0    1    wlan-net 00BC-DA3F-E900 ON  WPA2-802.1X 0
    -------------------------------------------------------------------------------
    Total: 1
    After a STA enters the AP's coverage area, it connects to the WLAN automatically; the SSID it associates with is "wlan-net".
    
    [AP] display station all
    Rf/WLAN: Radio ID/WLAN ID
    Rx/Tx: link receive rate/link transmit rate(Mbps)
    ------------------------------------------------------------------------------
    STA MAC          Ap name        Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address    SSID
    ------------------------------------------------------------------------------
    14cf-9202-13dc   00bc-da3f-e900 0/2      2.4G  11n   19/13      -63   101   10.23.101.254 wlan-net
    ------------------------------------------------------------------------------
    Total: 1 2.4G: 1 5G: 0
Configuration Files

AP configuration file

#
 sysname AP
#
vlan batch 101
#
authentication-profile name wlan-dot1x
 dot1x-access-profile wlan-dot1x
 authentication-scheme wlan-authen
 radius-server wlan-radius
#
dot1x-access-profile name wlan-dot1x
#
dhcp enable
#
radius-server template wlan-radius
 radius-server shared-key cipher %^%#3|_'15Yp[3cBVN4*3lB3o&@0%pll(XJ:9@Yw'`(!%^%#
 radius-server authentication 10.24.100.1 1812 weight 80
 radius-server retransmit 2
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme wlan-authen
  authentication-mode radius local
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
wlan
 traffic-profile name wlan-traffic
  traffic-optimize bcmc deny all
  traffic-optimize arp-proxy enable
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 operating-class-profile name wlan-hs2
  operating-class-indication 81
 roaming-consortium-profile name wlan-hs2
  roaming-consortium-oi 50-6f-9a in-beacon
 cellular-network-profile name wlan-hs2
  plmn-id 46000
 connection-capability-profile name wlan-hs2
  connection-capability tcp-ssh on
 operator-domain-profile name wlan-hs2
  domain-name www.mobileA.com
 operator-name-profile name wlan-hs2
  operator-friendly-name language-code eng name mobileA
 venue-name-profile name wlan-hs2
  venue-name language-code eng name Coffee
 nai-realm-profile name wlan-hs2
  nai-realm realm-name www.mobileA.com
 hotspot2-profile name wlan-hs2
  hessid 60de-4476-e360
  network-type public-free internet-access
  venue-type group-code 1 type-code 13 
  ipv4-address-avail available
  network-authen-type acceptance
  cellular-network-profile wlan-hs2
  connection-capability-profile wlan-hs2
  operator-name-profile wlan-hs2
  operator-domain-profile wlan-hs2
  venue-name-profile wlan-hs2
  nai-realm-profile wlan-hs2
  operating-class-profile wlan-hs2
  roaming-consortium-profile wlan-hs2
 vap-profile name wlan-vap
  authentication-profile wlan-dot1x
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile wlan-traffic
  hotspot2-profile wlan-hs2
#
interface Wlan-Radio0/0/0
 vap-profile wlan-vap wlan 2
 channel 20mhz 6
#
ip route-static 10.24.100.1 255.255.255.255 10.23.101.2
#
return
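
The following is an added example, not part of the original article or of any Huawei tool: a Python audit that checks a saved AP configuration for the conditions this page sets out (a Hotspot 2.0 VAP must reference the WPA2-802.1X-AES security profile and a traffic profile that denies downlink broadcast/multicast; the RADIUS key is stored in cipher form; local authentication is the fallback). The sample text is a constructed, trimmed copy of the configuration file above, and the function names are assumptions.

```python
import re
# Constructed sample: a trimmed copy of the AP configuration file shown above.
SAMPLE = """\
radius-server template wlan-radius
 radius-server shared-key cipher %^%#CONSTRUCTED%^%#
aaa
 authentication-scheme wlan-authen
  authentication-mode radius local
wlan
 traffic-profile name wlan-traffic
  traffic-optimize bcmc deny all
 security-profile name wlan-security
  security wpa2 dot1x aes
 vap-profile name wlan-vap
  security-profile wlan-security
  traffic-profile wlan-traffic
  hotspot2-profile wlan-hs2
"""

def parse_profiles(config):
    """Map (profile type, name) -> setting lines for each '<type>-profile name <n>' block."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*([\w-]+-profile) name (\S+)\s*$", line)
        if m:
            current = profiles.setdefault((m.group(1), m.group(2)), [])
        elif current is not None and line.startswith("  "):
            current.append(line.strip())      # setting inside the open profile
        else:
            current = None                    # left the profile block

    return profiles

def audit(config):
    """Return findings for Hotspot 2.0 VAPs and the AAA/RADIUS settings."""
    profiles, findings = parse_profiles(config), []
    for (kind, name), settings in profiles.items():
        refs = dict(s.split(None, 1) for s in settings if " " in s)
        if kind == "vap-profile" and "hotspot2-profile" in refs:
            sec = profiles.get(("security-profile", refs.get("security-profile")), [])
            if "security wpa2 dot1x aes" not in sec:
                findings.append(f"{name}: Hotspot 2.0 VAP lacks a WPA2-802.1X-AES security profile")
            trf = profiles.get(("traffic-profile", refs.get("traffic-profile")), [])
            if "traffic-optimize bcmc deny all" not in trf:
                findings.append(f"{name}: downlink broadcast/multicast is not denied")
    if re.search(r"^\s*radius-server shared-key (?!cipher )", config, re.M):
        findings.append("RADIUS shared key is not stored in cipher form")
    if re.search(r"^\s*authentication-mode radius local\s*$", config, re.M):
        findings.append("note: local authentication is the fallback when RADIUS does not respond")
    return findings
```

On the configuration from this page the only output is the note about the local fallback, which matches the "RADIUS first, then local" mode in the data plan.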