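Requirements
1. APs: there are only a few APs, so to keep costs down they run in FAT mode.
2. Switch: the downlinks connect the wired access network and the APs.
3. Firewall: gateway, DHCP, NAT
Configuration details
1. APs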
====Change the AP working mode====
****Check the AP working mode****
[CN-SZBW-1F-OFFICE-AP11]display wlan device role
Current running mode: FIT AP.
****Change the AP working mode from FIT to FAT****
reboot
ctrl+b
ctrl+y
3
====Global configuration====
sys
sysn CN-SZBW-1F-OFFICE-AP21
vlan 100 to 106
****Configure the country code****
wlan global-configuration
region-code CN
****Configure the management address****
int vlan 106
ip add 10.127.6.21 24
ip route-static 0.0.0.0 0 10.127.6.1
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
****Configure out-of-band management****
lldp global enable
undo telnet server enable
ssh server enable
public-key local create rsa 2048
public-key local create dsa 2048
line vty 0 4
authentication-mode scheme
protocol inbound ssh
local-user cdg-admin class manage
password simple Qh123.com!
service-type ftp
service-type ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
****Remote authentication configuration****
dot1x authentication-method eap
radius scheme sangfor
primary authentication 10.1.32.250
primary accounting 10.1.32.250
key authentication cipher $c$3$Kd+IJwv8R4g6L773E2hH+/dP34hPRakK0ZaTCBzE
key accounting cipher $c$3$9XBg/uQOMYOctQnfyv8xvichgGnpZpfWZSyhbPwM
user-name-format without-domain
nas-ip 10.127.6.21
domain sangfor
authentication lan-access radius-scheme sangfor
authorization lan-access radius-scheme sangfor
accounting lan-access radius-scheme sangfor
****Configure the 802.1X-authenticated wireless service template****
wlan service-template cdg
ssid CDG
vlan 100
client cache aging-time 0
akm mode dot1x
cipher-suite ccmp
# Configure CCMP as the cipher suite, and RSN and WPA as the security information elements.
security-ie rsn
security-ie wpa
client-security authentication-mode dot1x
dot1x domain sangfor
service-template enable
wlan service-template cdg
ssid CDG
vlan 100
client cache aging-time 0
akm mode dot1x
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
dot1x domain sangfor
service-template enable
****Configure the PSK-authenticated wireless service template****
wlan service-template cdg-guest
undo service-template enable
ssid CDGSZ-Guest
vlan 101
akm mode psk
preshared-key pass-phrase simple Qhsz0519!
cipher-suite ccmp
security-ie rsn
service-template enable
****Bind the wireless service templates to interfaces WLAN-Radio1/0/1 and WLAN-Radio1/0/2****
interface range WLAN-Radio1/0/1 to WLAN-Radio1/0/2
undo service-template 1
undo service-template 16
service-template cdg
service-template cdg-guest
****Configure the roaming group****
# Create the roaming group office.
wlan mobility group qhszbw
tunnel-type ipv4 # Set the IP address type of the roaming group's IADTP tunnel to IPv4.
source ip 10.100.2.121 # Set the source IP address used to establish the IADTP tunnel when the FAT AP joins the roaming group to the device's own IP address.
member auto-discovery # Add the AP members of the roaming group through automatic member discovery.
group enable # Enable the roaming group.
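display wlan mobility roam-in # View roaming group information.
display wlan mobility roam-track mac-address # View client roaming information.
display wlan mobility roam-out # View roaming group information.
display wlan mobility group # View roaming group information.
# Enable service-template-based client rate limiting and set the maximum data rate in both the client-to-AP and AP-to-client directions: a fixed rate of 4000 Kbps from client to AP, and a shared rate of 16000 Kbps from AP to client.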
[AP-wlan-st-service] client-rate-limit enable
[AP-wlan-st-service] client-rate-limit inbound mode static cir 4000
[AP-wlan-st-service] client-rate-limit outbound mode dynamic cir 16000
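
A review check for scripts like the one above, as an added example that is not part of the original page: it lists secrets typed with the `simple` keyword (readable by anyone who can read the script), confirms that Telnet is disabled and VTY access is SSH-only, and inspects each `wlan service-template` stanza. The sample config, its names and its secrets are constructed; treating `service-template enable` as the end of a stanza is an assumption that matches the templates above.

```python
import re

# Constructed sample in the style of the script above; names and secrets are placeholders.
SAMPLE = """\
undo telnet server enable
protocol inbound ssh
local-user example-admin class manage
password simple EXAMPLE-ONLY-1
wlan service-template corp
akm mode dot1x
cipher-suite ccmp
security-ie rsn
security-ie wpa
service-template enable
wlan service-template guest
akm mode psk
preshared-key pass-phrase simple EXAMPLE-ONLY-2
security-ie rsn
service-template enable
"""

def templates(lines):
    """Map template name -> its commands; a stanza ends at 'service-template enable'."""
    out, cur = {}, None
    for line in lines:
        m = re.fullmatch(r"wlan service-template (\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif cur is not None:
            cur.append(line)
            if line == "service-template enable":
                cur = None
    return out

def audit(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    if "undo telnet server enable" not in lines:
        findings.append(("global", "telnet server not explicitly disabled"))
    if "protocol inbound ssh" not in lines:
        findings.append(("vty", "inbound protocol not restricted to ssh"))
    for n, line in enumerate(lines, 1):
        if re.search(r"\b(password|pass-phrase|raw-key) simple \S", line):
            findings.append((f"line {n}", "secret typed in plaintext form"))
    for name, cmds in templates(lines).items():
        if "cipher-suite ccmp" not in cmds:
            findings.append((name, "cipher-suite ccmp missing"))
        if "security-ie wpa" in cmds:
            findings.append((name, "WPA IE enabled in addition to RSN"))
    return findings
```

Call `audit()` on the text of a script before it is shared or committed; the line numbers in the findings count non-blank lines.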