华为配置Hotspot2.0无线网络示例

配置Hotspot2.0无线网络示例

组网图形

图1 配置Hotspot2.0无线网络组网图

组网需求
配置思路
配置注意事项
操作步骤
配置文件

组网需求

某网络服务商在原有移动网络业务的基础上，新增部署WLAN网络接入业务，为用户提供更好的网络体验。但传统的WLAN网络业务需要用户手动选择SSID，手动接入网络并设置认证信息，用户体验较差。为了提升用户体验，部署Hotspot2.0业务，使用SIM作为用户的身份凭证，让用户无感知的自动接入正确的网络。

配置思路

采用如下的思路配置Hotspot2.0业务：

配置网络互通和WLAN基本业务，WLAN基本业务的配置可以参考配置FAT AP二层组网示例。
根据服务商的AAA服务器信息，配置WPA2-802.1X认证。
配置禁止AP下行的广播/组播报文。
根据服务商的网络信息，配置Hotspot2.0业务。

表1 数据规划表
配置项	数据
DHCP服务器	AP作为DHCP服务器为STA分配IP地址
AP的IP地址	10.23.101.1/24
STA的IP地址池	10.23.101.3～10.23.101.254/24
SSID模板	名称：wlan-ssid SSID名称：wlan-net
安全模板	名称：wlan-security 安全策略：WPA2+802.1X+AES
认证模板	名称：wlan-dot1x 引用模板：802.1X接入模板wlan-dot1x 认证方案：wlan-authen
流量模板	名称：wlan-traffic 功能：ARP代理和ND代理，禁止下行广播/组播报文
Hotspot2.0模板	名称：wlan-hs2 网络类型：公共免费网络 P2P交叉连接功能：不禁止场所类型：咖啡馆（对应的组类型和子类型编码为1和13） HESSID：60de-4476-e360 IP地址支持状态：IPv4和IPv6可用网络认证类型：需要接收使用条款及条件。蜂窝网络信息：46000 网络连接能力：允许SSH 热点运营商友好名称：mobileA 频段指示编号：81 热点运营商域名：www.mobileA.com NAI域：www.mobileA.com 场所名称：Coffee 漫游联盟标识：50-6f-9a
VAP模板	名称：wlan-vap 业务VLAN：101 引用模板：SSID模板wlan-ssid、安全模板wlan-security、流量模板wlan-traffic、Hotspot2.0模板wlan-hs2、认证模板wlan-dot1x
AAA服务器	AAA类型：RADIUS 认证服务器IP地址：10.24.100.1 认证服务器端口号：1812 RADIUS服务器共享密钥：Huawei@123 重传次数：2 RADIUS认证模式为：先进行Radius认证，后进行本地认证

配置注意事项

纯组播报文由于协议要求在无线空口没有ACK机制保障，且无线空口链路不稳定，为了纯组播报文能够稳定发送，通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入，则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击，建议在直连AP的交换机接口上配置组播报文抑制功能。配置前请确认是否有组播业务，如果有，请谨慎配置限速值。

操作步骤

配置网络互通和WLAN基本业务，WLAN基本业务的配置可以参见配置FAT AP二层组网示例，AP上行的对端地址为10.23.101.2/24。

配置WPA2-802.1X认证

# 配置RADIUS服务器模板。
<AP> system-view
[AP] radius-server template wlan-radius
[AP-radius-wlan-radius] radius-server authentication 10.24.100.1 1812
[AP-radius-wlan-radius] radius-server shared-key cipher Huawei@123
[AP-radius-wlan-radius] radius-server retransmit 2
[AP-radius-wlan-radius] undo radius-server user-name domain-included
[AP-radius-wlan-radius] quit
# 配置AAA认证方案，优先进行RADIUS认证。
[AP] aaa
[AP-aaa] authentication-scheme wlan-authen
[AP-aaa-authen-wlan-authen] authentication-mode radius local
[AP-aaa-authen-wlan-authen] quit
[AP-aaa] quit
# 配置802.1X接入模板，使用eap中继方式。
[AP] dot1x-access-profile name wlan-dot1x
[AP-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AP-dot1x-access-profile-wlan-dot1x] quit
# 配置认证模板，引用已配置的AAA认证方案、RADIUS服务器模板和802.1X接入模板。
[AP] authentication-profile name wlan-dot1x
[AP-authentication-profile-wlan-dot1x] dot1x-access-profile wlan-dot1x
[AP-authentication-profile-wlan-dot1x] authentication-scheme wlan-authen
[AP-authentication-profile-wlan-dot1x] radius-server wlan-radius
[AP-authentication-profile-wlan-dot1x] quit
# 配置WPA2-802.1X-AES安全策略。
[AP] wlan
[AP-wlan-view] security-profile name wlan-security
[AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AP-wlan-sec-prof-wlan-security] quit
# 配置到RADIUS服务器的静态路由。
[AP] ip route-static 10.24.100.1 32 10.23.101.2

配置流量模板，禁止AP转发下行的广播/组播报文


[AP-wlan-view] traffic-profile name wlan-traffic
[AP-wlan-traffic-prof-wlan-traffic] traffic-optimize arp-proxy enable
[AP-wlan-traffic-prof-wlan-traffic] traffic-optimize bcmc deny all
[AP-wlan-traffic-prof-wlan-traffic] quit

配置Hotspot2.0业务

# 根据服务商提供的网络信息参数配置模板，创建名为“wlan-hs2”的Hotspot2.0模板，引用前请确保VAP模板已引用了WPA2-802.1X的安全模板。[AP-wlan-view] cellular-network-profile name wlan-hs2
[AP-wlan-cellular-network-prof-wlan-hs2] plmn-id 46000
[AP-wlan-cellular-network-prof-wlan-hs2] quit
[AP-wlan-view] connection-capability-profile name wlan-hs2
[AP-wlan-co-cap-prof-wlan-hs2] connection-capability tcp-ssh on
[AP-wlan-co-cap-prof-wlan-hs2] quit
[AP-wlan-view] operator-name-profile name wlan-hs2
[AP-wlan-wlan-op-name-prof-wlan-hs2] operator-friendly-name language-code eng name mobileA
[AP-wlan-wlan-op-name-prof-wlan-hs2] quit
[AP-wlan-view] operating-class-profile name wlan-hs2
[AP-wlan-op-class-prof-wlan-hs2] operating-class-indication 81
[AP-wlan-op-class-prof-wlan-hs2] quit
[AP-wlan-view] operator-domain-profile name wlan-hs2
[AP-wlan-op-domain-prof-wlan-hs2] domain-name www.mobileA.com
[AP-wlan-op-domain-prof-wlan-hs2] quit
[AP-wlan-view] nai-realm-profile name wlan-hs2
[AP-wlan-nai-realm-prof-wlan-hs2]  nai-realm realm-name www.mobileA.com
[AP-wlan-nai-realm-prof-wlan-hs2] quit
[AP-wlan-view] venue-name-profile name wlan-hs2
[AP-wlan-ve-na-prof-wlan-hs2] venue-name language-code eng name Coffee
[AP-wlan-ve-na-prof-wlan-hs2] quit
[AP-wlan-view] roaming-consortium-profile name wlan-hs2
[AP-wlan-ro-co-prof-wlan-hs2] roaming-consortium-oi 50-6f-9a in-beacon
[AP-wlan-ro-co-prof-wlan-hs2] quit
[AP-wlan-view] hotspot2-profile name wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] network-type public-free internet-access
[AP-wlan-hotspot2-prof-wlan-hs2] undo p2p-cross-connect disable
[AP-wlan-hotspot2-prof-wlan-hs2] venue-type group-code 1 type-code 13
[AP-wlan-hotspot2-prof-wlan-hs2] hessid 60de-4476-e360
[AP-wlan-hotspot2-prof-wlan-hs2] ipv4-address-avail available
[AP-wlan-hotspot2-prof-wlan-hs2] network-authen-type acceptance
[AP-wlan-hotspot2-prof-wlan-hs2] cellular-network-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] connection-capability-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] operator-name-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] operating-class-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] operator-domain-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] nai-realm-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] venue-name-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] roaming-consortium-profile wlan-hs2
[AP-wlan-hotspot2-prof-wlan-hs2] quit

将认证模板、流量模板和Hotspot2.0模板应用到VAP模板。

[AP-wlan-view] vap-profile name wlan-vap
[AP-wlan-vap-prof-wlan-vap] authentication-profile wlan-dot1xWarning: This action may cause service interruption. Continue?[Y/N]y
[AP-wlan-vap-prof-wlan-vap] traffic-profile wlan-trafficWarning: This action may cause service interruption. Continue?[Y/N]y
[AP-wlan-vap-prof-wlan-vap] hotspot2-profile wlan-hs2
[AP-wlan-vap-prof-wlan-vap] quit
[AP-wlan-view] quit

验证配置结果

配置完成后，通过执行命令display vap ssid wlan-net查看如下信息，当“Status”项显示为“ON”时，表示AP对应的射频上的VAP已创建成功。[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC         RfID WID  SSID     BSSID          Status  Auth type   STA
--------------------------------------------------------------------------------
00bc-da3f-e900 0    1    wlan-net 00BC-DA3F-E900 ON  WPA2-802.1X 0
-------------------------------------------------------------------------------
Total: 1
STA进入AP的覆盖范围后，自动接入WLAN网络，其接入的SSID为“wlan-net”。[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC          Ap name        Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address    SSID
------------------------------------------------------------------------------
14cf-9202-13dc   00bc-da3f-e900 0/2      2.4G  11n   19/13      -63   101   10.23.101.254 wlan-net
------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

配置文件

AP的配置文件#sysname AP
#
vlan batch 101
#
authentication-profile name wlan-dot1xdot1x-access-profile wlan-dot1xauthentication-scheme wlan-authenradius-server wlan-radius
#
dot1x-access-profile name wlan-dot1x
#
dhcp enable
#
radius-server template wlan-radiusradius-server shared-key cipher %^%#3|_'15Yp[3cBVN4*3lB3o&@0%pll(XJ:9@Yw'`(!%^%#radius-server authentication 10.24.100.1 1812 weight 80radius-server retransmit 2undo radius-server user-name domain-included
#
aaaauthentication-scheme wlan-authenauthentication-mode radius local
#
interface Vlanif101ip address 10.23.101.1 255.255.255.0dhcp select interfacedhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1port link-type trunkport trunk allow-pass vlan 101
#
wlantraffic-profile name wlan-traffictraffic-optimize bcmc deny alltraffic-optimize arp-proxy enablesecurity-profile name wlan-securitysecurity wpa2 dot1x aesssid-profile name wlan-ssidssid wlan-netoperating-class-profile name wlan-hs2operating-class-indication 81roaming-consortium-profile name wlan-hs2roaming-consortium-oi 50-6f-9a in-beaconcellular-network-profile name wlan-hs2plmn-id 46000connection-capability-profile name wlan-hs2connection-capability tcp-ssh onoperator-domain-profile name wlan-hs2domain-name www.mobileA.comoperator-name-profile name wlan-hs2operator-friendly-name language-code eng name mobileAvenue-name-profile name wlan-hs2venue-name language-code eng name Coffeenai-realm-profile name wlan-hs2nai-realm realm-name www.mobileA.comhotspot2-profile name wlan-hs2hessid 60de-4476-e360network-type public-free internet-accessvenue-type group-code 1 type-code 13 ipv4-address-avail availablenetwork-authen-type acceptancecellular-network-profile wlan-hs2connection-capability-profile wlan-hs2operator-name-profile wlan-hs2operator-domain-profile wlan-hs2venue-name-profile wlan-hs2nai-realm-profile wlan-hs2operating-class-profile wlan-hs2roaming-consortium-profile wlan-hs2vap-profile name wlan-vapauthentication-profile wlan-dot1xservice-vlan vlan-id 101ssid-profile wlan-ssidsecurity-profile wlan-securitytraffic-profile wlan-traffichotspot2-profile wlan-hs2
#
interface Wlan-Radio0/0/0vap-profile wlan-vap wlan 2channel 20mhz 6
#
ip route-static 10.24.100.1 255.255.255.0 10.23.101.2
#
return