
HCIP-WLAN Lab Guide: Huawei WLAN Certification Training


Huawei WLAN Certification Training

HCIP-WLAN

Lab Guide
ISSUE: 2.0

HUAWEI TECHNOLOGIES CO., LTD

Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of
their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made
between Huawei and the customer. All or part of the products, services and features
described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and
recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China
Website: https://e.huawei.com

Huawei Proprietary and Confidential


Copyright © Huawei Technologies Co.,Ltd
HCIP-WLAN V2.0 Lab Guide Page 1

Huawei Certification System


Huawei Certification is an integral part of the company's "Platform + Ecosystem"
strategy, and it supports the ICT infrastructure featuring "Cloud-Pipe-Device". It evolves
to reflect the latest trends of ICT development. Huawei Certification consists of two
categories: ICT Infrastructure Certification, and Cloud Service & Platform Certification,
making it the most extensive technical certification program in the industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Huawei Certification covers all ICT fields and adapts to the industry trend of ICT
convergence. With its leading talent development system and certification standards, it
is committed to fostering new ICT talent in the digital era, and building a sound ICT
talent ecosystem.
HCIP-WLAN (Huawei Certified ICT Professional-Wireless Local Area Network,
Huawei Certified Senior Network Communications Engineer WLAN direction) is
intended for frontline engineers of Huawei local offices and representative offices, and
other technical personnel who want to learn about Huawei WLAN products. The HCIP-
WLAN certification covers Huawei WLAN networking architecture, WLAN roaming,
radio resource management, access authentication, WLAN network planning, WLAN
network optimization, and troubleshooting.
Huawei certification helps you open the window of the industry, open the door to
change, and stand on the top of the tide in the WLAN network world.

About This Document

Overview
This document is applicable to the candidates who are preparing for the HCIA-WLAN
exam and the readers who want to understand the WLAN networking architecture,
WLAN roaming, RRM, access authentication, WLAN planning and optimization, and
WLAN fault troubleshooting.

Description
This lab guide consists of 12 labs, covering basic configurations as well as the
configuration and implementation of WLAN networking, reliability, cloud management,
access authentication, roaming, network planning, O&M, and troubleshooting.
⚫ Lab 1: WAC + Fit AP networking. Through basic operations and configurations, this
lab helps readers further understand the WAC + Fit AP networking and understand
basic AP onboarding configurations.
⚫ Lab 2: Leader AP networking. Through basic networking configurations, this lab helps
readers further understand the WAC + Fit AP networking and understand basic AP
onboarding configurations.
⚫ Lab 3: VRRP HSB. This lab focuses on the VRRP HSB networking in the WAC
reliability networking, helping you understand the WLAN reliability networking
architecture and construction method.
⚫ Lab 4: Cloud management networking. This lab helps you get familiar with the
architecture of Huawei cloud management solution and master the methods of
managing WACs and APs on the cloud management platform.
⚫ Lab 5: 802.1X authentication. This lab describes 802.1X authentication security
features and instructs you to deploy 802.1X authentication.
⚫ Lab 6: Portal authentication. This lab describes Portal authentication security features
and instructs you to deploy Portal authentication.
⚫ Lab 7: WLAN roaming. This lab focuses on inter-WAC Layer 3 roaming and its
deployment, helping you get familiar with the WLAN roaming solutions.
⚫ Lab 8: Radio resource management. This lab focuses on WLAN radio calibration, band
steering, load balancing, and user CAC, helping you get familiar with network
optimization methods and how to implement them.
⚫ Lab 9: Indoor WLAN planning. This lab provides instructions on designing an indoor
WLAN so that you can understand how to use the network planning tool and learn
network planning details.
⚫ Lab 10: Outdoor WLAN planning. This lab provides instructions on designing an
outdoor WLAN so that you can understand how to use the network planning tool
and learn network planning details.
⚫ Lab 11: CampusInsight intelligent O&M. This lab uses CampusInsight to perform
O&M management, helping you get familiar with CampusInsight functions.
⚫ Lab 12: Comprehensive troubleshooting. This lab focuses on troubleshooting faults in
Portal authentication scenarios, helping you rectify faults on a WLAN.

Background Knowledge Required


This course is part of the Huawei Certification HCIP training. To fully understand this
course, you need to:
⚫ Have a good grasp of advanced WLAN knowledge and basic datacom knowledge.
⚫ Be familiar with Huawei software and hardware configurations, including switches,
WACs, APs, iMaster NCE-Campus, and iMaster NCE-CampusInsight.
⚫ Be familiar with the WLAN project planning process and understand the basic usage
of the network planning tool WLAN Planner.

Common Icons

Lab Environment Description


Networking Description
This lab environment is prepared for WLAN engineers who are preparing for the HCIP-
WLAN exam. Each lab environment consists of three WACs, five APs, one core switch, one
access switch, one iMaster NCE-Campus server, and one iMaster NCE-CampusInsight
server. Each lab environment serves one trainee at a time.

Device Introduction
To meet the HCIP-WLAN lab requirements, it is recommended that each lab environment
adopt the following configurations.
The following table lists the devices, models, and versions.

Device Name     Device Model                  Software Version
Core switch     CloudEngine S5732-H24UM2CC    V200R021C00SPC100
Access switch   CloudEngine S5732-H24UM2CC    V200R021C00SPC100
WAC             AirEngine 9700-M1             V200R021C00SPC100
AP              AirEngine 5761-11             V200R021C00SPC200
AP              AirEngine 6761-21T            V200R021C00SPC200
Server          iMaster NCE-Campus            V300R021C00SPC110
Server          iMaster NCE-CampusInsight     V100R021C10SPC100

Lab Environment Preparation


Checking Devices
Before carrying out labs, make sure that all required devices are ready and allow for
proper logins. The following table lists the devices.

Device Name                  Quantity               Remarks
iMaster NCE-Campus           1                      Shared by all groups
iMaster NCE-CampusInsight    1                      Shared by all groups
Core switch                  One for each group
Access switch                One for each group     PoE power supply
AirEngine 9700-M1            Three for each group
AirEngine 5761-11            Four for each group
AirEngine 6761-21T           One for each group     This AP serves as the leader AP.
Laptop                       Two for each group     Used to test the WLAN.

Lab Topology

The lab topology is described as follows:


AP1 through AP5 are connected to the access switch SW-Access. SW-Access provides PoE
power for APs.
The access switch SW-Access is connected to the core switch SW-Core through the
MultiGE0/0/9 interface.
WAC1 through WAC3 are connected to the core switch SW-Core in off-path mode.
The core switch SW-Core is connected to the iMaster NCE-Campus and iMaster NCE-
CampusInsight servers. The interconnection network segment is 172.21.0.0/17 (which can
be adjusted based on the site requirements).

Contents

1 WAC + Fit AP Networking Lab
1.1 Introduction
1.1.1 About This Lab
1.1.2 Objectives
1.1.3 Networking Topology
1.1.4 Lab Planning
1.2 Lab Configuration
1.2.1 Configuration Roadmap
1.2.2 Configuration Procedure
1.3 Verification
1.3.1 Checking the AP Onboarding Status and SSID Information
1.3.2 Associating a STA with the WLAN and Testing Network Connectivity
1.4 Reference Configuration
1.4.1 WAC1 Configuration
1.4.2 SW-Core Configuration
1.4.3 SW-Access Configuration
1.5 Quiz
2 Leader AP Networking Lab
2.1 Introduction
2.1.1 About This Lab
2.1.2 Objectives
2.1.3 Networking Topology
2.1.4 Lab Planning
2.2 Lab Configuration
2.2.1 Configuration Roadmap
2.2.2 Configuration Procedure
2.3 Verification
2.3.1 Checking the AP Onboarding Status and SSID Information
2.3.2 Checking the Radio Status
2.3.3 Checking VLAN Information
2.3.4 Associating a STA with the WLAN and Testing Network Connectivity
2.4 Reference Configuration
2.4.1 SW-Core Configuration
2.4.2 SW-Access Configuration
2.4.3 Leader AP Configuration
2.5 Quiz
3 VRRP HSB Lab
3.1 Introduction
3.1.1 About This Lab
3.1.2 Objectives
3.1.3 Networking Topology
3.1.4 Lab Planning
3.2 Lab Configuration
3.2.1 Configuration Roadmap
3.2.2 Configuration Procedure
3.3 Verification
3.3.1 Checking the AP Onboarding Status
3.3.2 Checking VAP Information
3.3.3 Checking the VRRP Status
3.3.4 Checking the HSB Service Status
3.3.5 Checking the HSB Group Status
3.3.6 Checking the Wireless Configuration Synchronization Status
3.3.7 Associating a STA with the WLAN and Testing Network Connectivity
3.4 Reference Configuration
3.4.1 WAC1 Configuration
3.4.2 WAC2 Configuration
3.4.3 SW-Core Configuration
3.4.4 SW-Access Configuration
3.5 Quiz
4 Cloud Management Networking Lab
4.1 Introduction
4.1.1 About This Lab
4.1.2 Objectives
4.1.3 Networking Topology
4.1.4 Lab Planning
4.2 Lab Configuration
4.2.1 Configuration Roadmap
4.2.2 Configuration Procedure
4.3 Verification
4.3.1 Checking Cloud Management Information on WAC3
4.3.2 Associating a STA with the WLAN and Testing Network Connectivity
4.3.3 Checking the Device Running Status on NCE
4.3.4 Checking the STA Access Status on NCE
4.4 Reference Configuration
4.4.1 WAC3 Configuration
4.4.2 AP5 Configuration
4.4.3 SW-Core Configuration
4.4.4 SW-Access Configuration
4.5 Quiz
5 802.1X Authentication Lab
5.1 Introduction
5.1.1 About This Lab
5.1.2 Objectives
5.1.3 Networking Topology
5.1.4 Lab Planning
5.2 Lab Configuration
5.2.1 Configuration Roadmap
5.2.2 Configuration Procedure
5.3 Verification
5.3.1 Checking the AP Onboarding Status
5.3.2 Checking VAP Information
5.3.3 Associating a STA with the WLAN and Verifying Authentication
5.3.4 Checking Terminal Authentication Logs on NCE
5.3.5 Checking Terminal Authentication on WAC1
5.4 Reference Configuration
5.4.1 WAC1 Configuration
5.4.2 SW-Core Configuration
5.4.3 SW-Access Configuration
5.5 Quiz
6 Portal Authentication Lab
6.1 Introduction
6.1.1 About This Lab
6.1.2 Objectives
6.1.3 Networking Topology
6.1.4 Lab Planning
6.2 Lab Configuration
6.2.1 Configuration Roadmap
6.2.2 Configuration Procedure
6.3 Verification
6.3.1 Checking the AP Onboarding Status
6.3.2 Checking VAP Information
6.3.3 Verifying STA Access to a WLAN in Portal Authentication Mode
6.3.4 Checking Terminal Authentication Logs on NCE
6.3.5 Checking Terminal Authentication on WAC1
6.4 Reference Configuration
6.4.1 WAC1 Configuration
6.4.2 SW-Core Configuration
6.4.3 SW-Access Configuration
6.5 Quiz
7 WLAN Roaming Lab
7.1 Introduction
7.1.1 About This Lab
7.1.2 Objectives
7.1.3 Networking Topology
7.1.4 Lab Planning
7.2 Lab Configuration
7.2.1 Configuration Roadmap
7.2.2 Configuration Procedure
7.3 Verification
7.3.1 Checking the AP Onboarding Status
7.3.2 Checking the VAP Status
7.3.3 Checking the Mobility Group Status
7.3.4 Observing the STA Roaming Status
7.4 Reference Configuration
7.4.1 WAC1 Configuration
7.4.2 WAC2 Configuration
7.4.3 SW-Core Configuration
7.4.4 SW-Access Configuration
7.5 Quiz
8 RRM Lab
8.1 Introduction
8.1.1 About This Lab
8.1.2 Objectives
8.1.3 Networking Topology ..................................................................................................................................................... 163
8.1.4 Lab Planning ...................................................................................................................................................................... 164
8.2 Lab Configuration ............................................................................................................................................................... 165
8.2.1 Configuration Roadmap ................................................................................................................................................ 165
8.2.2 Configuration Procedure ............................................................................................................................................... 165
8.3 Verification ............................................................................................................................................................................. 167
8.3.1 Checking RRM Profile Information ............................................................................................................................ 167
8.3.2 Checking the 2.4 GHz Radio Profile Configuration ............................................................................................. 169
8.3.3 Checking the 5 GHz Radio Profile Configuration
8.3.4 Checking the Radio Status
8.4 Reference Configuration
8.4.1 WAC1 Configuration
8.4.2 SW-Core Configuration
8.4.3 SW-Access Configuration
8.5 Quiz
9 Indoor WLAN Planning Lab
9.1 Introduction
9.1.1 About This Lab
9.1.2 Objectives
9.1.3 Lab Scenarios
9.1.4 Preparations
9.2 Lab Configuration
9.2.1 Configuration Roadmap
9.2.2 Configuration Procedure
9.3 Quiz
10 Outdoor WLAN Planning Lab
10.1 Introduction
10.1.1 About This Lab
10.1.2 Objectives
10.1.3 Lab Scenarios
10.1.4 Preparations
10.2 Lab Configuration
10.2.1 Configuration Roadmap
10.2.2 Configuration Procedure
10.3 Quiz
11 CampusInsight O&M Lab
11.1 Introduction
11.1.1 About This Lab
11.1.2 Objectives
11.1.3 Networking Topology
11.1.4 Lab Planning
11.2 Lab Configuration
11.2.1 Configuration Roadmap
11.2.2 Configuration Procedure
11.3 Verification
11.3.1 Checking the SNMP Configuration on WAC1
11.3.2 Checking VAP information on WAC1
11.4 Reference Configuration
11.4.1 WAC1 Configuration
11.4.2 SW-Core Configuration
11.4.3 SW-Access Configuration
11.5 Quiz
12 WLAN Troubleshooting Lab
12.1 Introduction
12.1.1 About This Lab
12.1.2 Objectives
12.1.3 Networking Topology
12.1.4 Lab Planning
12.2 Lab Configuration
12.2.1 Configuration Roadmap
12.2.2 Configuration Procedure
12.3 Verification
12.3.1 Checking VAP Information
12.3.2 Associating a STA with the WLAN and Verifying Authentication
12.4 Reference Configuration
12.4.1 WAC1 Configuration
12.4.2 SW-Core Configuration
12.4.3 SW-Access Configuration
12.5 Quiz

1 WAC + Fit AP Networking Lab

1.1 Introduction
1.1.1 About This Lab
This lab instructs you to configure WAC + Fit AP networking to enable APs and STAs to
go online on the WLAN.

1.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Configure APs and STAs to go online.
⚫ Describe the WAC + Fit AP networking architecture.

1.1.3 Networking Topology

Figure 1-1 WAC + Fit AP networking topology



1.1.4 Lab Planning


Table 1-1 VLAN planning

Device     Port          Port Type  VLAN Settings
---------  ------------  ---------  ---------------------------------------
SW-Core    MultiGE0/0/1  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk      PVID: 1; Allow-pass: VLANs 100 and 101

Table 1-2 IP address planning

Device   Port        IP Address
-------  ----------  ----------------
SW-Core  VLANIF 100  10.23.100.254/24
SW-Core  VLANIF 101  10.23.101.254/24
WAC1     VLANIF 100  10.23.100.1/24

Table 1-3 WLAN service parameter planning

WLAN Service      Parameter
----------------  -----------------
Forwarding mode   Direct forwarding
Management VLAN   100
Service VLAN      101
AP group          ap-group1
VAP profile       wlan-net
Security profile  wlan-net
Security policy   WPA/WPA2+PSK+AES
Password          a12345678
SSID profile      wlan-net
SSID              wlan-net

1.2 Lab Configuration


1.2.1 Configuration Roadmap
1. Configure VLAN information for SW-Core, SW-Access, and WAC1.
2. Configure IP addresses for network devices to ensure network connectivity.
3. Configure the DHCP server on SW-Core to ensure that APs can obtain management
IP addresses.
4. On WAC1, configure the CAPWAP source interface or source address and the AP
authentication mode.
5. Configure WLAN service parameters to implement STA access.

1.2.2 Configuration Procedure


Step 1 Configure VLAN information.

# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through, and set
the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101
to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.

<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101

# Configure the type of the downlink interface on SW-Access and the VLAN to which the
interface belongs.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit

# Configure the core switch SW-Core. Create VLANs 100 and 101. Configure the downlink
interface and MultiGE0/0/1 connected to WAC1 to allow packets from VLANs 100 and
101 to pass through.
# Create VLANs 100 and 101 on SW-Core.

<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101

# Configure the type of the downlink interface on SW-Core and the allowed VLANs for
the interface.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC1 and the allowed
VLANs for the interface.

[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit

# Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.

[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit

Step 2 Configure IP addresses for devices.

# Configure IP addresses for SW-Core.

[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit

# Configure an IP address for WAC1.

[WAC1] interface vlanif 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit

Step 3 Configure a DHCP server.

# Enable the DHCP service and configure VLANIF 100 on SW-Core to assign IP addresses
to APs.

[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.

[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 4 Configure AP onboarding.

# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode
(V200R021C00 and later versions). As the warning displayed by the device states, disable
this function after the APs go online for the first time.

[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC1. Ensure that the following
parameters have been configured in advance:
⚫ DTLS PSK: a1234567
⚫ Inter-WAC DTLS PSK: a1234567
⚫ Fit AP management parameters (user name/password): admin/Huawei@123
⚫ Global login password of the offline management VAP: a1234567

[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] capwap source interface vlanif 100
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters,
underscores, and digits, and must start with a letter):admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-
188 characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):Huawei@123
Confirm password:Huawei@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text
characters that must be a combination of at least two of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):a1234567
Confirm PSK:a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

# Create an AP group.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# On WAC1, set the AP authentication mode to MAC address authentication.

[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit

# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)

[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 9cb2-e82d-5110
[WAC1-wlan-ap-2] ap-group ap-group1
[WAC1-wlan-ap-2] ap-name AP3
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit

# Run the display ap all command to verify that the three APs are online and in normal
state.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
-------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.177 AirEngine5761-11 nor 0 9M:47S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.36 AirEngine5761-11 nor 0 7M:14S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.211 AirEngine5761-11 nor 0 7M:18S -
-------------------------------------------------------------------------------------------------------
Total: 3

Step 5 Configure WLAN services.

# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)

[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name domain1
[WAC1-wlan-regulate-domain-domain1] country-code CN
[WAC1-wlan-regulate-domain-domain1] quit

# Bind the regulatory domain profile to the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and
may restart APs. Continue?[Y/N]: y
[WAC1-wlan-ap-group-ap-group1] quit

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply configurations in the VAP profile wlan-
net to radios 0 and 1 on APs in the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# Check the VAP status.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 6

1.3 Verification
1.3.1 Checking the AP Onboarding Status and SSID Information
# Run the display ap all command on WAC1 to check the AP onboarding result.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
-------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.177 AirEngine5761-11 nor 0 9M:47S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.36 AirEngine5761-11 nor 0 7M:14S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.211 AirEngine5761-11 nor 0 7M:18S -
-------------------------------------------------------------------------------------------------------
Total: 3

# The preceding command output shows AP information, including the MAC address, AP
group, dynamically obtained IP address, model, and onboarding status of each AP on
WAC1.
# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 6

# The preceding command output shows VAP information, including the AP name, BSSID
name, SSID name, and authentication mode of a VAP.
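
The check described above can be automated. The following Python script is an added example, not part of the original lab guide: it parses the display vap all output and compares it with the plan in Table 1-3, reporting any VAP that is not ON, that advertises a different authentication type, or that is missing for a planned AP radio. The names PLAN, parse_vap_rows and check_vaps are hypothetical, and the script assumes that the Auth type column contains no spaces.

```python
import re

# Planned values from Table 1-3 and the AP names configured in Step 4.
PLAN = {"ssid": "wlan-net", "auth": "WPA/WPA2-PSK",
        "aps": ("AP1", "AP2", "AP3"), "radios": (0, 1)}

# The "display vap all" output shown in this section, embedded so the script runs offline.
SAMPLE_OUTPUT = """\
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 6
"""

# One data row: AP ID, AP name, radio ID, WLAN ID, BSSID, status, auth type, STA count, SSID.
ROW = re.compile(
    r"^(?P<ap_id>\d+)\s+(?P<ap_name>\S+)\s+(?P<radio>\d+)\s+(?P<wid>\d+)\s+"
    r"(?P<bssid>(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\s+(?P<status>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<sta>\d+)\s+(?P<ssid>.+)$"
)


def parse_vap_rows(output):
    """Return one dict per VAP row; header, separator and Total lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def check_vaps(output, plan=PLAN):
    """Return a list of deviations from the plan (empty list means compliant)."""
    rows = parse_vap_rows(output)
    problems = []

    # A missing or mismatching Total line indicates truncated or damaged output.
    total = re.search(r"^Total:[ \t]*(\d+)[ \t]*$", output, re.M)
    if total is None or int(total.group(1)) != len(rows):
        problems.append("row count does not match the Total line")

    seen = set()
    for row in rows:
        if row["ssid"] != plan["ssid"]:
            continue  # VAPs of other SSIDs are outside this plan
        where = f'{row["ap_name"]} radio {row["radio"]}'
        seen.add((row["ap_name"], int(row["radio"])))
        if row["status"] != "ON":
            problems.append(f'{where}: VAP status is {row["status"]}')
        if row["auth"] != plan["auth"]:
            problems.append(f'{where}: auth type {row["auth"]} differs from plan')

    for ap in plan["aps"]:
        for radio in plan["radios"]:
            if (ap, radio) not in seen:
                problems.append(f'{ap} radio {radio}: no VAP for SSID {plan["ssid"]}')
    return problems


if __name__ == "__main__":
    for problem in check_vaps(SAMPLE_OUTPUT) or ["all planned VAPs match Table 1-3"]:
        print(problem)
```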

1.3.2 Associating a STA with the WLAN and Testing Network Connectivity
# Enable a STA to scan and connect to the WLAN wlan-net.

# Test the network connectivity between the STA and the service gateway.

1.4 Reference Configuration


1.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
sysname WAC1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 100 to 101
#
stp enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name portal_authen_profile
#
ssl policy default_policy type server
 pki-realm default
 version tls1.2
 ciphersuite ecdhe_rsa_aes128_gcm_sha256 ecdhe_rsa_aes256_gcm_sha384
#
aaa
 authentication-scheme default
  authentication-mode local
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
  authorization-mode local
 accounting-scheme default
  accounting-mode none
 local-aaa-user password policy administrator
 domain default
  authentication-scheme default
  accounting-scheme default
  radius-server default
 domain default_admin
  authentication-scheme default
  accounting-scheme default
 local-user admin password irreversible-cipher $1a$Z#*{";)Ik6$LUMXJS;VWR$p7mWZtx|EN3q#M`}27Bg+[8<)ELp.$
 local-user admin privilege level 15
 local-user admin service-type telnet ssh http
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface MEth0/0/1
 ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
 ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
capwap dtls psk %^%#yo9h*3&U`Ry!ihRA+uoI~E6I,`g2w1U~T9Z3-A^+%^%#
capwap dtls inter-controller psk %^%#Vro-.X&7';8.D+~k{]a0*6,H7.{2[McU1_Q1qxPY%^%#
capwap dtls no-auth enable
#
wlan
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#51sYLQj@,Ph}m2@A1j:Of3n/)t5j=+!I"K+9yB{.%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
ap-name AP3
ap-group ap-group1
provision-ap
#
return

1.4.2 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

1.4.3 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

1.5 Quiz
During the WLAN service configuration on a WAC, engineers usually group APs and
configure services based on AP groups. Why is it not recommended that WLAN services
be configured based on a single AP?
Answer:
To configure WLAN services on a single AP, the administrator needs to configure WLAN
service parameters on each AP. When there are a large number of APs, the configuration
workload increases. Additionally, when the configuration changes, the administrator
needs to modify the configuration of each AP one by one, which is inconvenient for O&M
and management. This problem can be easily resolved by performing configurations
based on AP groups.

2 Leader AP Networking Lab

2.1 Introduction
2.1.1 About This Lab
This lab instructs you to configure and verify the leader AP networking to enable APs and
STAs to go online.

2.1.2 Objectives
⚫ Describe the leader AP networking architecture.
⚫ Understand the WLAN service configuration method in the leader AP networking.
⚫ Understand the service check method of the leader AP.

2.1.3 Networking Topology

Figure 2-1 Leader AP networking topology


In the leader AP networking topology, AP1, AP2, and AP3 are Fit APs, and AP4 is the
leader AP. The leader AP manages the WLAN in a unified manner.
SW-Core is a core switch and also functions as a DHCP server to assign IP addresses to
APs and STAs. SW-Access is an access switch that provides PoE power supply for APs.

2.1.4 Lab Planning


Table 2-1 VLAN planning

Device      Port           Port Type   VLAN Settings
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/4   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101

Table 2-2 IP address planning

Device      Port         IP Address
SW-Core     VLANIF 100   10.23.100.254/24
SW-Core     VLANIF 101   10.23.101.254/24
Leader AP   VLANIF 100   Dynamically obtained through DHCP

Table 2-3 WLAN service parameter planning

WLAN Service       Parameter
Forwarding mode    Direct forwarding
Management VLAN    100
Service VLAN       101
AP group           default
VAP profile        Automatically generated
Security profile   Automatically generated
Security policy    WPA/WPA2+PSK+AES
Password           a12345678
SSID profile       Automatically generated
SSID               wlan-net
AP Zone            default

2.2 Lab Configuration


2.2.1 Configuration Roadmap
1. Configure VLAN information and interface modes for SW-Core and SW-Access.
2. Configure SW-Core as a DHCP server to ensure that APs can obtain IP addresses.
3. Set the working mode of AP4 to Fat.
4. Configure the name and system time of AP4 and check the AP onboarding status.
5. Configure WLAN service parameters to implement STA access.

2.2.2 Configuration Procedure


Step 1 Configure VLAN information.
# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through, and set
the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101
to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.

<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101

# Configure the type of the downlink interface on SW-Access and the VLAN to which the
interface belongs.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit
[SW-Access] interface MultiGE 0/0/4
[SW-Access-MultiGE0/0/4] port link-type trunk
[SW-Access-MultiGE0/0/4] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/4] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/4] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit

# Configure the core switch SW-Core. Create VLANs 100 and 101, and configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on SW-Core.

<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101

# Configure the type of the downlink interface on SW-Core and the VLAN to which the
interface belongs.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit

Step 2 Configure a DHCP server.

# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.


# Enable the DHCP service and configure VLANIF 100 on SW-Core to assign IP addresses
to APs.

[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.

[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

# On SW-Core, check the IP addresses obtained by AP1, AP2, AP3, and AP4.

[SW-Core] display ip pool interface Vlanif100 used
Pool-name : Vlanif100
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 10.23.100.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :4
Idle :250 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
10.23.100.1 10.23.100.254 254 4 250(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
116 10.23.100.117 9cb2-e82d-5110 DHCP 86299 Used
170 10.23.100.171 eca1-d1f7-7dd0 DHCP 86299 Used
213 10.23.100.214 9cb2-e82d-5410 DHCP 86329 Used
224 10.23.100.225 9cb2-e82d-54f0 DHCP 86304 Used
-------------------------------------------------------------------------------------

# The command output shows that AP1 through AP4 have obtained IP addresses.

Step 3 Switch the working mode of AP4.

# By default, an AP works in Fit AP mode. You need to switch AP4 to the Fat AP mode
first.
# This lab assumes that the MAC address of AP4 is eca1-d1f7-7dd0 and that the default
IP address of the leader AP is 169.254.2.1/24.
# Enable the management PC to search for the WLAN with the SSID hw_manage_7dd0
and connect the PC to the WLAN. The wireless network adapter of the management PC
automatically obtains an IP address on the 169.254.2.0/24 network segment. If the IP
address cannot be automatically obtained, manually set the IP address of the
management PC, for example, to 169.254.2.100/24.

# Visit https://169.254.2.1 on a browser to manage AP4. Upon your first login to AP4, you
need to configure the user name and password. In this lab, the user name is admin and
the password is Huawei@123.

# Log in to AP4 again.



# Change the working mode of AP4 to Fat. Then AP4 automatically restarts.

# After AP4 restarts, enable the PC to search for the SSID HUAWEI-LeaderAP-7DD0 and
connect the PC to this SSID. If the AP version is V200R021C00 or earlier, visit
https://192.168.1.1; if the AP version is V200R021C01 or later, visit https://169.254.2.1.

# Upon your first login to the leader AP, you need to configure basic information such as
the user name, password, and console port authentication type. In this lab, set the
password to Huawei@123.

# On the page that is displayed, configure the Fit AP account and offline VAP, and set
their passwords both to Huawei@123.

Step 4 Configure the AP name and system time.

# After you log in to AP4, the system prompts you to configure the AP name and system
time.
# Set the AP name to Leader AP. Set the country and time zone based on the site
requirements. In this lab, set the country to China, time zone to UTC +08:00:00, system
time to Manual, click PC Time, and click Apply.

Step 5 Check the AP onboarding status.

# The default AP authentication mode of the leader AP is non-authentication. Therefore,
AP1, AP2, and AP3 automatically go online on the leader AP after obtaining IP addresses.
# Choose Configuration > AP Configuration. On the AP Configuration tab page, you can
find that all APs are online. The AP with the ID of 0 is the leader AP itself. By default, all
APs are in the default AP zone.
# On the AP Configuration page, click the modify icon in the Operation column to
change the AP name. The following figure shows AP names after the modification.

Step 6 Configure WLAN service parameters.

# Configure WLAN services using the configuration wizard. Choose Wizard > Config
Wizard and click Multi-AP Configuration, as shown in the following figure.
HCIP-WLAN V2.0 Lab Guide Page 35

# Set Internet access mode to Bridging. In this lab, SW-Core serves as both the AP
gateway and service gateway, the management VLAN of the AP is VLAN 100, and the
service VLAN is VLAN 101.

# Configure Wi-Fi signals. Set Wireless network name to wlan-net, Service VLAN ID to
101, Encryption mode to Password authentication, and Key to a12345678. Select all valid
radios and click Apply.
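
Step 5 notes that the leader AP admits Fit APs without authentication by default, so it is worth reconciling the Step 2 lease table against the planned AP inventory before and after onboarding. The following is an added example, not part of the original guide: the row with index 42 and its MAC address are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the lease rows of the "display ip pool interface
# Vlanif100 used" output from Step 2, plus one constructed row (index 42)
# standing in for a device that is not in the AP inventory.
SAMPLE_OUTPUT = """\
 Network section
 Start            End              Total  Used  Idle(Expired)  Conflict  Disabled
 10.23.100.1      10.23.100.254    254    5     249(0)         0         0
 Index  IP               Client-ID        Type   Left    Status
 42     10.23.100.43     02aa-bbcc-ddee   DHCP   86100   Used
 116    10.23.100.117    9cb2-e82d-5110   DHCP   86299   Used
 170    10.23.100.171    eca1-d1f7-7dd0   DHCP   86299   Used
 213    10.23.100.214    9cb2-e82d-5410   DHCP   86329   Used
 224    10.23.100.225    9cb2-e82d-54f0   DHCP   86304   Used
"""

# AP inventory used in this lab (MAC -> name); AP4 is the leader AP.
EXPECTED_APS = {
    "9cb2-e82d-54f0": "AP1",
    "9cb2-e82d-5410": "AP2",
    "9cb2-e82d-5110": "AP3",
    "eca1-d1f7-7dd0": "AP4",
}

# Index, IP, Client-ID (MAC), Type, Left (seconds), Status.
LEASE_ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(\S+)\s+(\d+)\s+(\S+)\s*$"
)


def normalize_mac(mac):
    """Return a MAC in the xxxx-xxxx-xxxx form used in the output above."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_leases(output):
    """Extract lease rows; headers, separators and the pool summary are skipped."""
    leases = []
    for line in output.splitlines():
        row = LEASE_ROW.match(line)
        if row:
            _index, ip, client_id, kind, left, status = row.groups()
            leases.append({"ip": ip, "mac": normalize_mac(client_id),
                           "type": kind, "left": int(left), "status": status})
    return leases


def reconcile(leases, expected):
    """Return (unknown, missing): leases not in the inventory, APs with no lease."""
    inventory = {normalize_mac(mac): name for mac, name in expected.items()}
    active = [l for l in leases if l["status"] == "Used"]
    seen = {l["mac"] for l in active}
    unknown = sorted((l["ip"], l["mac"]) for l in active if l["mac"] not in inventory)
    missing = sorted(name for mac, name in inventory.items() if mac not in seen)
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(parse_leases(SAMPLE_OUTPUT), EXPECTED_APS)
    for ip, mac in unknown:
        print(f"not in inventory: {mac} holds {ip} in the management VLAN")
    for name in missing:
        print(f"no lease seen for {name}")
```

Any address reported as not in the inventory belongs to a device that sits in the management VLAN and could be admitted by a leader AP left in non-authentication mode.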

2.3 Verification
2.3.1 Checking the AP Onboarding Status and SSID Information
# On the web page, choose Monitoring > Summary. The onboarding status, SSID, and
device status of each AP on the leader AP are displayed.

2.3.2 Checking the Radio Status


# Choose Advanced > Radio Config > Radio Planning to check the radio status.

2.3.3 Checking VLAN Information


# During the leader AP configuration, the management VLAN and service VLAN are
automatically created and do not need to be configured separately.
# Choose Advanced > Interface > VLAN to view VLAN information.

2.3.4 Associating a STA with the WLAN and Testing Network Connectivity
# Enable a STA to scan and connect to the WLAN wlan-net.

# Test the network connectivity between the STA and the service gateway.

2.4 Reference Configuration


2.4.1 SW-Core Configuration
!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
return

2.4.2 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

2.4.3 Leader AP Configuration


Software Version V200R021C00SPC200
#
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif1
http server enable
#
vlan batch 100 to 101
#
dhcp enable
#
acl name nat 2000
rule 1 permit
#
interface Vlanif1
nat outbound 2000
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 169.254.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 169.254.2.1
#
interface Vlanif101
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port hybrid tagged vlan 2 to 4094
dhcp snooping trusted
#
interface MultiGE0/0/0
port hybrid tagged vlan 2 to 4094
dhcp snooping trusted
#
interface NULL0
#
interface LoopBack1023
ip address 192.168.254.254 255.255.255.255
#
capwap dtls control-link encrypt off
#
wlan
temporary-management psk %^%#G6e>(-F%#0224pAP=ww-{d9uW99'GH<=Ls829jd2%^%#
ap username admin password cipher %^%#2:|"2joHRTx#3S:3RhXG.C)-HN+d--t@^y<1i8E,%^%#
traffic-profile name default
traffic-profile name huawei-leaderap
traffic-profile name webf0BpYGRa8w7E
security-profile name default
security-profile name huawei-leaderap
security open
security-profile name webf0BpYGRa8w7E
security wpa-wpa2 psk pass-phrase %^%#.F}COC([W0!x-j"1FZJK),9M<:I]KL1%8NY)]I65%^%# aes
ssid-profile name default
ssid-profile name huawei-leaderap
ssid HUAWEI-LeaderAP-7DD0
ssid-profile name webf0BpYGRa8w7E
ssid wlan-net
vap-profile name huawei-leaderap
service-vlan vlan-id 100
ssid-profile huawei-leaderap
security-profile huawei-leaderap
traffic-profile huawei-leaderap
type leaderap-management
radio 0 1 2
vap-profile name webf0BpYGRa8w7E
service-vlan vlan-id 101
ssid-profile webf0BpYGRa8w7E
security-profile webf0BpYGRa8w7E
traffic-profile webf0BpYGRa8w7E
ap-zone default
radio 0 1 2
regulatory-domain-profile name default
dca-channel 5g bandwidth 20mhz
dca-channel 6g bandwidth 20mhz
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-id 0 type-id 151 ap-mac eca1-d1f7-7dd0
ap-name Leader-AP
ap-id 1 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-id 3 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
provision-ap
#
return
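
The WAC and leader AP reference configurations above keep several lab conveniences in place: `capwap dtls no-auth enable`, `capwap dtls control-link encrypt off`, Telnet as a login service type, and an open management SSID. The following auditor is an added example, not Huawei's or this guide's own tooling; the rule names are hypothetical, and the sample combines lines from those configurations with cipher strings replaced by a placeholder.

```python
import re

# Constructed sample: lines taken from the WAC and leader AP reference
# configurations in this guide (flattened as they appear on the page),
# with the cipher strings replaced by a placeholder.
SAMPLE_CONFIG = """\
local-user admin privilege level 15
local-user admin service-type telnet ssh http
#
capwap dtls no-auth enable
#
capwap dtls control-link encrypt off
#
wlan
security-profile name default
security-profile name huawei-leaderap
security open
security-profile name webf0BpYGRa8w7E
security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
ssid-profile name huawei-leaderap
ssid HUAWEI-LeaderAP-7DD0
ssid-profile name webf0BpYGRa8w7E
ssid wlan-net
vap-profile name huawei-leaderap
service-vlan vlan-id 100
ssid-profile huawei-leaderap
security-profile huawei-leaderap
vap-profile name webf0BpYGRa8w7E
service-vlan vlan-id 101
ssid-profile webf0BpYGRa8w7E
security-profile webf0BpYGRa8w7E
ap-group name default
#
return
"""

PROFILE_START = re.compile(r"^([a-z0-9-]+)-profile name (\S+)$")
VAP_BINDING = re.compile(r"^(security|ssid)-profile (\S+)$")
SERVICE_VLAN = re.compile(r"^service-vlan vlan-id (\d+)$")
LOCAL_USER_SVC = re.compile(r"^local-user (\S+) service-type (.+)$")


def audit(config_text):
    """Return a list of (rule_id, detail) findings for one configuration dump."""
    findings = []
    policy = {}          # security-profile name -> text after "security "
    ssid = {}            # ssid-profile name -> SSID string
    vaps = {}            # vap-profile name -> bound profiles and service VLAN
    kind = name = None   # profile view the parser is currently inside

    for raw in config_text.splitlines():
        line = raw.strip()   # works on indented and on flattened dumps
        if not line or line.startswith("!"):
            continue
        if line == "#" or line.startswith(("ap-group name ", "ap-id ")):
            kind = name = None
            continue
        start = PROFILE_START.match(line)
        if start:
            kind, name = start.groups()
            if kind == "vap":
                vaps.setdefault(name, {})
            continue

        if line == "capwap dtls no-auth enable":
            findings.append(("CAPWAP_NO_AUTH", "DTLS no-auth onboarding is still enabled"))
        elif line == "capwap dtls control-link encrypt off":
            findings.append(("CAPWAP_CTRL_PLAIN", "CAPWAP control-link encryption is off"))
        elif LOCAL_USER_SVC.match(line):
            user, services = LOCAL_USER_SVC.match(line).groups()
            if "telnet" in services.split():
                findings.append(("TELNET_LOGIN", f"local user {user} may log in over Telnet"))
        elif kind == "security" and line.startswith("security "):
            policy[name] = line[len("security "):]
        elif kind == "ssid" and line.startswith("ssid "):
            ssid[name] = line[len("ssid "):]
        elif kind == "vap":
            bind = VAP_BINDING.match(line)
            vlan = SERVICE_VLAN.match(line)
            if bind:
                vaps[name][bind.group(1)] = bind.group(2)
            elif vlan:
                vaps[name]["vlan"] = int(vlan.group(1))

    # Resolve each VAP to its SSID and policy so an open network is reported
    # with the VLAN it bridges into, not just as a bare profile name.
    for vap_name, vap in vaps.items():
        if policy.get(vap.get("security")) == "open":
            detail = (f"SSID {ssid.get(vap.get('ssid'), '?')} (VAP {vap_name}) "
                      f"is open and maps to VLAN {vap.get('vlan', '?')}")
            findings.append(("OPEN_SSID", detail))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

On the sample, the open-SSID finding resolves to HUAWEI-LeaderAP-7DD0 on VLAN 100, which is the management VLAN in this lab's planning.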

2.5 Quiz
What are the differences between the bridge mode and gateway mode in the leader AP
networking?
Answer:
A leader AP in bridge mode functions as a network bridge and works with an
independent gateway in the uplink direction. The leader AP and Fit APs communicate
with each other on a Layer 2 network. The independent gateway has the DHCP service
enabled to assign IP addresses to STAs and APs. The direct forwarding mode is used,
which reduces the load on the leader AP.

A leader AP in gateway mode functions as a gateway, and no independent gateway is
required. The leader AP and Fit APs communicate with each other on a Layer 2 network.
In the uplink direction, the leader AP has NAT enabled and connects to the Internet. In
the downlink direction, the leader AP connects to a switch and communicates with Fit
APs. The leader AP has the DHCP service enabled and allocates IP addresses to Fit APs
and STAs. The networking is more simplified than that in bridge mode. The tunnel
forwarding is used, and all service traffic is forwarded to the leader AP through a tunnel
for processing.

3 VRRP HSB Lab

3.1 Introduction
3.1.1 About This Lab
This lab provides instructions on configuring and commissioning WLAN reliability
networking so that you can understand how to deploy Huawei WLAN reliability
networking solutions.

3.1.2 Objectives
⚫ Describe WLAN reliability networking modes.
⚫ Understand how to configure VRRP HSB networking.

3.1.3 Networking Topology

Figure 3-1 VRRP HSB networking topology



3.1.4 Lab Planning


Table 3-1 VLAN planning

Device      Port           Port Type   VLAN Settings
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/2   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
WAC2        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101

Table 3-2 IP address planning

Device                 Port         IP Address         Remarks
WAC1                   VLANIF 100   10.23.100.1/24     Used for wireless configuration synchronization
WAC2                   VLANIF 100   10.23.100.2/24     Used for wireless configuration synchronization
SW-Core                VLANIF 100   10.23.100.254/24   Management VLAN, with DHCP enabled
SW-Core                VLANIF 101   10.23.101.254/24   Service VLAN, with DHCP enabled
VRRP virtual address   /            10.23.100.3        Used for establishing CAPWAP tunnels with APs

Table 3-3 WLAN service parameter planning

WLAN Service                                     Parameter
Forwarding mode                                  Direct forwarding
Management VLAN                                  100
Service VLAN                                     101
HSB channel VLAN                                 100
AP group                                         ap-group1
VAP profile                                      wlan-net
Security profile                                 wlan-net
Security policy                                  WPA/WPA2+PSK+AES
Password                                         a12345678
SSID profile                                     wlan-net
SSID                                             wlan-net
PSK for wireless configuration synchronization   Huawei@123

3.2 Lab Configuration


3.2.1 Configuration Roadmap
1. Configure network connectivity among WAC1, WAC2, APs, SW-Core, and SW-Access.
2. Configure a DHCP server.
3. Configure VRRP HSB.
4. Configure the wireless configuration synchronization function.
5. Configure WLAN services.

3.2.2 Configuration Procedure


Step 1 Configure network connectivity.

# Configure the core switch SW-Core. Create VLANs 100 and 101, configure the modes of
interfaces, and configure the interfaces to allow packets from VLANs 100 and 101 to pass
through.
# Create VLANs 100 and 101 on SW-Core.

<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101

# Configure the type of the downlink interface on SW-Core and the allowed VLANs for
the interface.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit

# Configure the types of the interfaces connecting SW-Core to WAC1 and WAC2, and the
allowed VLANs for the interface.

[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit
[SW-Core] interface MultiGE 0/0/2
[SW-Core-MultiGE0/0/2] port link-type trunk
[SW-Core-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/2] quit

# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink interface to allow packets from VLANs 100 and 101 to pass through, and set
the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101
to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.

<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101

# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-
Access.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit

# Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.

[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit

# Configure WAC2. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC2.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC2
[WAC2] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC2 and the allowed VLANs for the interface.

[WAC2] interface GigabitEthernet 0/0/1
[WAC2-GigabitEthernet0/0/1] port link-type trunk
[WAC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC2-GigabitEthernet0/0/1] quit

# Configure IP addresses for SW-Core, WAC1, and WAC2.
# Configure IP addresses for SW-Core.

[SW-Core] interface vlan 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlan 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit

# Configure an IP address for WAC1.

[WAC1] interface vlan 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit

# Configure an IP address for WAC2.

[WAC2] interface vlan 100
[WAC2-Vlanif100] ip address 10.23.100.2 24
[WAC2-Vlanif100] quit

Step 2 Configure a DHCP server.

# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs. Enable
the DHCP service on SW-Core and configure VLANIF 100 to assign IP addresses (excluding
some IP addresses reserved for VRRP) to APs.

[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.9
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.

[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 3 Configure VRRP HSB on WAC1.

# Set the recovery delay of the VRRP group to 60 seconds.

[WAC1] vrrp recover-delay 60

# Create a management VRRP group on WAC1. Set the priority of WAC1 in the
management VRRP group to 120 and the preemption delay to 1800 seconds.

[WAC1] interface vlanif 100
[WAC1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[WAC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[WAC1-Vlanif100] vrrp vrid 1 priority 120
[WAC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[WAC1-Vlanif100] admin-vrrp vrid 1
[WAC1-Vlanif100] quit

# Create an HSB service on WAC1 and configure the IP addresses and port numbers for
the active and standby channels. Set the retransmission time and interval of the HSB
service.

[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip 10.23.100.1 peer-ip 10.23.100.2 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit

# Create an HSB group on WAC1, and bind the HSB service and the management VRRP
group to the HSB group.

[WAC1] hsb-group 0
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[WAC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[WAC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[WAC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
[WAC1-hsb-group-0] quit

Step 4 Configure VRRP HSB on WAC2.

# Set the recovery delay of the VRRP group to 60 seconds.

[WAC2] vrrp recover-delay 60

# Create a management VRRP group on WAC2.

[WAC2] interface vlanif 100
[WAC2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[WAC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[WAC2-Vlanif100] admin-vrrp vrid 1
[WAC2-Vlanif100] quit

# Create an HSB service on WAC2 and configure the IP addresses and port numbers for
the active and standby channels. Set the retransmission time and interval of the HSB
service.

[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip 10.23.100.2 peer-ip 10.23.100.1 local-data-port 10241 peer-data-port 10241
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC2-hsb-service-0] quit

# Create an HSB group on WAC2, and bind the HSB service and the management VRRP
group to the HSB group.

[WAC2] hsb-group 0
[WAC2-hsb-group-0] bind-service 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[WAC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[WAC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[WAC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
[WAC2-hsb-group-0] quit

Step 5 Configure the wireless configuration synchronization function.

# Configure wireless configuration synchronization on WAC1.

[WAC1] wlan
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ip-address 10.23.100.2 local-ip ip-address 10.23.100.1 psk Huawei@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
[WAC1-master-controller] quit

# Configure wireless configuration synchronization on WAC2.

[WAC2] wlan
[WAC2-wlan-view] master controller
[WAC2-master-controller] master-redundancy peer-ip ip-address 10.23.100.1 local-ip ip-address 10.23.100.2 psk Huawei@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
[WAC2-master-controller] quit

Step 6 Configure the CAPWAP source address.

# Configure parameters on WAC1.


# Enable the function of establishing CAPWAP DTLS sessions in no-authentication
mode on WAC1. (V200R021C00 and later versions)

[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source address on WAC1. Ensure that the following parameters
have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567

[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] capwap source ip-address 10.23.100.3
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters,
underscores, and digits, and must start with a letter):admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-
188 characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):Huawei@123
Confirm password:Huawei@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text
characters that must be a combination of at least two of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):a1234567
Confirm PSK:a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

# Configure parameters on WAC2.


# Enable the function of establishing CAPWAP DTLS sessions in no-authentication
mode on WAC2. (V200R021C00 and later versions)

[WAC2] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source address on WAC2. Ensure that the following parameters
have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567

[WAC2] capwap dtls psk a1234567
[WAC2] capwap dtls inter-controller psk a1234567
[WAC2] capwap source ip-address 10.23.100.3
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters,
underscores, and digits, and must start with a letter):admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-
188 characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):Huawei@123
Confirm password:Huawei@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text
characters that must be a combination of at least two of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):a1234567
Confirm PSK:a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

Step 7 Configure AP onboarding on WAC1.

# Create an AP group.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# On WAC1, set the AP authentication mode to MAC address authentication.

[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit

# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)

[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 9cb2-e82d-5110
[WAC1-wlan-ap-2] ap-group ap-group1
[WAC1-wlan-ap-2] ap-name AP3
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit

Step 8 Configure WLAN services on WAC1.

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply configurations in the VAP profile wlan-
net to radios 0 and 1 on APs in the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 9 Trigger configuration synchronization.

[WAC1] synchronize-configuration

3.3 Verification
3.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to verify that the three APs are online and in
normal state.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
--------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 28M:38S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 28M:45S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.117 AirEngine5761-11 nor 0 28M:58S -
--------------------------------------------------------------------------------------------------------
Total: 3

# Run the display ap all command on WAC2. The three APs are in standby state.

[WAC2] display ap all
Total AP information:
stdby : standby [3]
ExtraInfo : Extra information
-------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 stdby 0 - -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 stdby 0 - -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.117 AirEngine5761-11 stdby 0 - -
-------------------------------------------------------------------------------------------------------
Total: 3

3.3.2 Checking VAP Information


# Check the VAP status on WAC1.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 6

# Check the VAP status on WAC2.

[WAC2] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 6

3.3.3 Checking the VRRP Status


# Run the display vrrp command on WAC1 and WAC2. The State field displayed on WAC1
is Master and that on WAC2 is Backup.
# The command output on WAC1 is as follows:

[WAC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP

# The command output on WAC2 is as follows:

[WAC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP

3.3.4 Checking the HSB Service Status


# Run the display hsb-service 0 command on WAC1 and WAC2 to check the HSB service
status. The following command output shows that the Service State field displays
Connected, indicating that the HSB channel has been established.

# The command output on WAC1 is as follows:

[WAC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.100.1
Peer IP Address : 10.23.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------

# The command output on WAC2 is as follows:

[WAC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.100.2
Peer IP Address : 10.23.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------

3.3.5 Checking the HSB Group Status


# Run the display hsb-group 0 command on WAC1 and WAC2 to check the running
status of the HSB group. The following command output shows that the Group Vrrp
Status field displays Master and the Group Status field displays Active on WAC1, and
these fields display Backup and Inactive, respectively, on WAC2.
# The command output on WAC1 is as follows:

[WAC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Backup Start Time : -
Peer Group Device Name : AirEngine9700-M1
Peer Group Software Version : V200R021C00SPC100B171
Group Backup Modules : Access-user
                       AP
                       DHCP
----------------------------------------------------------

# The command output on WAC2 is as follows:

[WAC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Backup Start Time : XXX, XX XXX XXXX 16:25:41
Peer Group Device Name : AirEngine9700-M1
Peer Group Software Version : V200R021C00SPC100B171
Group Backup Modules : Access-user
                       AP
                       DHCP
----------------------------------------------------------

3.3.6 Checking the Wireless Configuration Synchronization Status


# Check the wireless configuration synchronization status on WAC1. The Status field
displays up, indicating that the configurations have been synchronized.

[WAC1] display sync-configuration status
Info: This operation may take a few seconds. Please wait for a moment.done.
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
10.23.100.2 Backup AirEngine9700-M1 V200R021C00SPC100B171 up XXXX-XX-XX/17:21:06
----------------------------------------------------------------------------------------------------
Total: 1

# Check the master-redundancy settings used for wireless configuration synchronization on WAC1.

[WAC1] display sync-configuration master-redundancy
Master redundancy configuration:
---------------------------------------------------------------------------------------
Peer IP Version : IPV4
Peer IP : 10.23.100.2
VRRP Interface : Vlanif100
VRRP Vrid : 1
VRRP Status : Master
VRRP Type : VRRPv4
---------------------------------------------------------------------------------------

# Check the wireless configuration synchronization status on WAC2. The Status field
displays up, indicating that the configurations have been synchronized.

[WAC2] display sync-configuration status
Info: This operation may take a few seconds. Please wait for a moment.done.
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
10.23.100.1 Master AirEngine9700-M1 V200R021C00SPC100B171 up XXXX-XX-XX/17:21:16
----------------------------------------------------------------------------------------------------
Total: 1

# Check the master-redundancy settings used for wireless configuration synchronization on WAC2.

[WAC2] display sync-configuration master-redundancy
Master redundancy configuration:
---------------------------------------------------------------------------------------
Peer IP Version : IPV4
Peer IP : 10.23.100.1
VRRP Interface : Vlanif100
VRRP Vrid : 1
VRRP Status : Backup
VRRP Type : VRRPv4
---------------------------------------------------------------------------------------

3.3.7 Associating a STA with the WLAN and Testing Network Connectivity
# Enable a STA to scan and connect to the WLAN wlan-net.

# Test the network connectivity between the STA and the service gateway.

3.4 Reference Configuration


3.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif100
http server enable
#
vrrp recover-delay 60
#
vlan batch 100 to 101
#
stp enable
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source ip-address 10.23.100.3
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
hsb-service 0
service-ip-port local-ip 10.23.100.1 peer-ip 10.23.100.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#51sYLQj@,Ph}m2@A1j:Of3n/)t5j=+!I"K+9yB{.%^%# aes
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
ap-group name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
ap-name AP3
ap-group ap-group1
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.100.2 local-ip ip-address 10.23.100.1
psk %^%#W;HBAZCAY'c:L6*55/MVqK/#T~/{"O(fuW,7OFI'%^%#
#
return

3.4.2 WAC2 Configuration


Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC2
#
vrrp recover-delay 60
#
vlan batch 100 to 101
#
stp enable
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source ip-address 10.23.100.3
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#fn"&!O[*},H,}sO8]j:.7FT*XoFd\E%z`f<D]FcL%^%#
capwap dtls no-auth enable
#
hsb-service 0
service-ip-port local-ip 10.23.100.2 peer-ip 10.23.100.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#51sYLQj@,Ph}m2@A1j:Of3n/)t5j=+!I"K+9yB{.%^%# aes
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
ap-group name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
ap-name AP3
ap-group ap-group1
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.100.1 local-ip ip-address 10.23.100.2
psk %^%#h$UW(fq2a2o7Gl/GL#JE}gjg1:Fn0*Z&]gVje!B>%^%#
#
return
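
The CLI warning printed when capwap dtls no-auth enable is entered says to disable the function after the device first goes online, yet both WAC reference configurations above still contain that line; the same dialog also warns that the management VLAN and service VLAN must differ. The following Python audit of a saved WAC configuration for both conditions is an added example, not part of the lab guide. Its function names, finding labels and trimmed sample are constructed here, and treating the VLANIF that owns the CAPWAP source address as the management VLAN is an assumption that matches this lab's planning.

```python
import re

# Constructed sample, trimmed from the WAC1 reference configuration in this lab.
# The secret is a placeholder; the parser does not depend on indentation.
SAMPLE_CONFIG = """\
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
#
capwap source ip-address 10.23.100.3
capwap dtls psk %^%#PLACEHOLDER%^%#
capwap dtls no-auth enable
#
wlan
 security-profile name wlan-net
 vap-profile name default
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
 ap-group name ap-group1
#
return
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_wac_config(text):
    """Collect the few facts the checks need from a saved WAC configuration."""
    facts = {
        "no_auth": False,     # 'capwap dtls no-auth enable' is present
        "source_ip": None,    # from 'capwap source ip-address X'
        "source_vlan": None,  # from 'capwap source interface vlanif N'
        "vlanif_ips": {},     # VLAN ID -> interface and VRRP virtual IPs
        "service_vlans": {},  # VAP profile name -> service VLAN ID
    }
    vlanif = None  # VLANIF block currently being read
    vap = None     # VAP profile block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":  # '#' closes the current top-level block
            vlanif = vap = None
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            v = re.fullmatch(r"Vlanif(\d+)", m.group(1), re.I)
            vlanif = int(v.group(1)) if v else None
            if vlanif is not None:
                facts["vlanif_ips"].setdefault(vlanif, set())
            continue
        if vlanif is not None:  # inside a VLANIF block: only addresses matter
            m = (re.match(r"ip address " + IPV4 + r"\s", line)
                 or re.match(r"vrrp vrid \d+ virtual-ip " + IPV4, line))
            if m:
                facts["vlanif_ips"][vlanif].add(m.group(1))
            continue
        if line == "capwap dtls no-auth enable":
            facts["no_auth"] = True
        m = re.fullmatch(r"capwap source ip-address " + IPV4, line)
        if m:
            facts["source_ip"] = m.group(1)
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I)
        if m:
            facts["source_vlan"] = int(m.group(1))
        m = re.fullmatch(r"([\w-]+) name (\S+)", line)
        if m:  # any '<kind> name X' line opens a new block in the WLAN view
            vap = m.group(2) if m.group(1) == "vap-profile" else None
            continue
        m = re.fullmatch(r"service-vlan vlan-id (\d+)", line)
        if m and vap is not None:
            facts["service_vlans"][vap] = int(m.group(1))
    return facts


def management_vlan(facts):
    """Assumption: the VLANIF owning the CAPWAP source is the management VLAN."""
    if facts["source_vlan"] is not None:
        return facts["source_vlan"]
    for vlan, ips in facts["vlanif_ips"].items():
        if facts["source_ip"] in ips:  # matches interface IP or VRRP virtual IP
            return vlan
    return None


def audit(text):
    """Return finding labels (constructed names) for a saved WAC configuration."""
    facts = parse_wac_config(text)
    findings = []
    if facts["no_auth"]:
        findings.append("DTLS_NO_AUTH_LEFT_ENABLED")
    mgmt = management_vlan(facts)
    if mgmt is None:
        findings.append("MGMT_VLAN_UNRESOLVED")
    for profile, vlan in sorted(facts["service_vlans"].items()):
        if vlan == mgmt:
            findings.append("SERVICE_VLAN_EQUALS_MGMT_VLAN:" + profile)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
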

3.4.3 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.1 10.23.100.9
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

3.4.4 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

3.5 Quiz
In this lab, the hsb-service-type dhcp hsb-group 0 command is used to bind the DHCP
service to an HSB group, and wireless configuration synchronization is configured. What
information is synchronized in the preceding configuration?
Answer:
Two WACs function as DHCP servers in active/standby mode. If the active DHCP server
fails, information about user address assignment will be synchronized to the standby
DHCP server before traffic is switched to the standby DHCP server. This mechanism
ensures that the standby DHCP server can assign IP addresses to users without IP address
conflicts.

4 Cloud Management Networking Lab

4.1 Introduction
4.1.1 About This Lab
This lab instructs you to configure the cloud WAC + Fit AP and the cloud AP networking
modes.

4.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the cloud WAC + Fit AP networking architecture and cloud-based WAC
configuration.
⚫ Understand the cloud AP networking architecture and cloud-based AP configuration.

4.1.3 Networking Topology

Figure 4-1 Cloud management networking topology



4.1.4 Lab Planning


Table 4-1 VLAN planning
Device      Port            Port Type   VLAN Settings
SW-Core     MultiGE0/0/3    Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/4    Access      PVID: 99
SW-Core     MultiGE0/0/9    Trunk       PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access   MultiGE0/0/1    Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2    Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3    Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/5    Trunk       PVID: 1; Allow-pass: VLANs 200 and 201
SW-Access   MultiGE0/0/9    Trunk       PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
WAC1        GE 0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101

Table 4-2 IP address planning
Device                               Port         IP Address
SW-Core                              VLANIF 99    172.21.39.253/17
SW-Core                              VLANIF 100   10.23.100.254/24
SW-Core                              VLANIF 101   10.23.101.254/24
SW-Core                              VLANIF 200   10.23.200.254/24
SW-Core                              VLANIF 201   10.23.201.254/24
WAC3                                 VLANIF 100   10.23.100.3/24
AP5                                  /            Automatically obtained through DHCP
iMaster NCE-Campus (NCE for short)   /            172.21.39.88/17

Table 4-3 WAC3 service parameter planning
WLAN Service        Parameter
Forwarding mode     Direct forwarding
Management VLAN     100
Service VLAN        101
AP group            ap-group1
VAP profile         wlan-net
Security profile    wlan-net
Security policy     WPA/WPA2+PSK+AES
Password            a12345678
SSID profile        wlan-net
SSID                wlan-net

Table 4-4 AP5 service parameter planning
WLAN Service        Parameter
Forwarding mode     Direct forwarding
Management VLAN     200
Service VLAN        201
AP group            default
VAP profile         ap5
Security profile    ap5
Security policy     WPA/WPA2+PSK+AES
Password            a12345678
SSID profile        ap5
SSID                ap5

4.2 Lab Configuration


4.2.1 Configuration Roadmap
1. Configure network connectivity of SW-Core, SW-Access, and WAC3.
2. Configure network connectivity between WAC3 and NCE.
3. Configure WAC3 to be managed by NCE. Enable AP1, AP2, and AP3 to go online on
WAC3.
4. Configure WLAN services on WAC3.
5. Configure AP5 to go online on NCE.
6. Configure WLAN services on AP5.
7. Check WLAN service availability.

4.2.2 Configuration Procedure


Step 1 Configure network connectivity.

# Configure the access switch SW-Access.


# Create VLANs 100, 101, 200, and 201 on SW-Access.

<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101 200 201

# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-
Access.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit
[SW-Access] interface MultiGE 0/0/5
[SW-Access-MultiGE0/0/5] port link-type trunk
[SW-Access-MultiGE0/0/5] port trunk allow-pass vlan 200 201
[SW-Access-MultiGE0/0/5] port trunk pvid vlan 200
[SW-Access-MultiGE0/0/5] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Access-MultiGE0/0/9] quit

# Configure the core switch SW-Core.


# Create VLANs 100, 101, 200, and 201 on SW-Core.

<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101 200 201

# Configure the type of the downlink interface on SW-Core and the VLAN to which the
interface belongs.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC3 and the allowed
VLANs for the interface.

[SW-Core] interface MultiGE 0/0/3
[SW-Core-MultiGE0/0/3] port link-type trunk
[SW-Core-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/3] quit

# Configure WAC3. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC3.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC3
[WAC3] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC3 and the allowed VLANs for the interface.

[WAC3] interface GigabitEthernet 0/0/1
[WAC3-GigabitEthernet0/0/1] port link-type trunk
[WAC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC3-GigabitEthernet0/0/1] quit

# Configure IP addresses for SW-Core and WAC3.


# Configure IP addresses for SW-Core. VLAN 100 is the management VLAN of WAC3,
VLAN 101 is the service VLAN of WAC3, VLAN 200 is the management VLAN of AP5, and
VLAN 201 is the service VLAN of AP5.

[SW-Core] interface vlan 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlan 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit
[SW-Core] interface vlan 200
[SW-Core-Vlanif200] ip address 10.23.200.254 24
[SW-Core-Vlanif200] quit
[SW-Core] interface vlan 201
[SW-Core-Vlanif201] ip address 10.23.201.254 24
[SW-Core-Vlanif201] quit

# Configure an IP address for WAC3.

[WAC3] interface Vlanif 100
[WAC3-Vlanif100] ip address 10.23.100.3 24
[WAC3-Vlanif100] quit

Step 2 Configure network connectivity between NCE and WAC3.

# The IP address and gateway of NCE have been configured during software installation
and are not described in this lab.
# The IP address of NCE is 172.21.39.88/17, and the gateway address is 172.21.39.253 (on
SW-Core).
# Configure VLAN and IP address information for SW-Core.

[SW-Core] vlan 99
[SW-Core-vlan99] name Manage
[SW-Core-vlan99] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type access
[SW-Core-MultiGE0/0/4] port default vlan 99
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 99
[SW-Core-Vlanif99] ip address 172.21.39.253 17
[SW-Core-Vlanif99] quit

# Configure a default route for WAC3 and set the next hop address to SW-Core.

[WAC3] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

Step 3 Configure WAC3 to work in cloud mode.

# Configure WAC3 to work in cloud mode and specify the IP address and port number of
NCE.

[WAC3] ac-mode cloud
Warning: This operation will switch the AC mode to cloud, Continue? [Y/N] y
This operation will take several minutes, please wait...
Warning: The authentication mode is switched to SN authentication. Ensure that the APs added
offline have SN information. Otherwise, configurations of these APs may be lost..
[WAC3] cloud-mng controller ip-address 172.21.39.88 port 10020 source-interface Vlanif 100
[WAC3] pnp startup-vlan receive enable

# Test network connectivity between WAC3 and NCE.

[WAC3] ping -a 10.23.100.3 172.21.39.88
PING 172.21.39.88: 56 data bytes, press CTRL_C to break
Reply from 172.21.39.88: bytes=56 Sequence=1 ttl=62 time=1 ms
Reply from 172.21.39.88: bytes=56 Sequence=2 ttl=62 time=1 ms
Reply from 172.21.39.88: bytes=56 Sequence=3 ttl=62 time=1 ms
Reply from 172.21.39.88: bytes=56 Sequence=4 ttl=62 time=1 ms
Reply from 172.21.39.88: bytes=56 Sequence=5 ttl=62 time=1 ms

--- 172.21.39.88 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

Step 4 Configure NCE to manage WAC3.

# Log in to NCE and choose Design > Site Management from the main menu. Create a
site named HCIP-WAC, select LSW and WAC in Device type, and click OK in the lower
right corner.

# Query the device ESN on WAC3.

[WAC3] display esn
ESN of device: 102257532207

# Choose Design > Device Management from the main menu. Select the site HCIP-WAC
and choose Add Device > Add.

# On the Manual Add page that is displayed, set Protocol type to NETCONF, Site to
HCIP-WAC, and Mode to Device Model, and click Add.

# On the page that is displayed, set the following parameters and click OK.

# Change the device name to WAC3, enter the ESN, set the description to HCIP, and click
OK.

# On the Device Management page, the status of WAC3 is Normal, indicating that it has
been managed by NCE.

Step 5 Configure a DHCP server.

# SW-Core functions as a DHCP server to assign IP addresses to AP1, AP2, AP3, and STAs.
# On SW-Core, enable the DHCP service and configure VLANIF 100 on SW-Core to assign
IP addresses to APs.

[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.

[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 6 Configure WLAN services on WAC3.

# After WAC3 is managed by NCE, AP onboarding and WLAN services are still configured on
WAC3. The following uses CLI commands as an example.
# Configure AP1, AP2, and AP3 to go online on WAC3. Enable the establishment of
CAPWAP DTLS sessions in no-authentication mode. (V200R021C00 and later versions)

[WAC3] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC3. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567

[WAC3] capwap dtls psk a1234567
[WAC3] capwap dtls inter-controller psk a1234567
[WAC3] capwap source interface vlanif 100
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters,
underscores, and digits, and must start with a letter):admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-
188 characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):Huawei@123
Confirm password:Huawei@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text
characters that must be a combination of at least two of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):a1234567
Confirm PSK:a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

# Set the AP authentication mode to SN authentication on WAC3. (The WAC in cloud
mode supports only SN authentication.)

[WAC3] wlan
[WAC3-wlan-view] ap auth-mode sn-auth
[WAC3-wlan-view] quit

# Choose Design > Device Management from the main menu. Select the site HCIP-WAC
and click WAC3. The WAC3 management page is displayed.

# Three devices are not managed. Select them and then click Repair.

# In the dialog box that is displayed, select HCIP-WAC and click OK.

# In the Result dialog box that is displayed, the three devices have been repaired
successfully and are managed by NCE.

# On the WAC3 management page, the status of the three APs is Normal and the
running status is normal.

# Identify and change the AP name based on the AP SN. For example, to change the
name of AP1, click the modify icon in the Operation column corresponding to SN
2102353VUR10N5119370 on the device management page.

# After the names of AP1, AP2, and AP3 are changed, the following information is
displayed.

# Create the AP group ap-group1 on WAC3 and add AP1, AP2, and AP3 to the AP group.

[WAC3] wlan
[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] quit
[WAC3-wlan-view] ap-id 0
[WAC3-wlan-ap-0] ap-group ap-group1
[WAC3-wlan-ap-0] quit
[WAC3-wlan-view] ap-id 1
[WAC3-wlan-ap-1] ap-group ap-group1
[WAC3-wlan-ap-1] quit
[WAC3-wlan-view] ap-id 2
[WAC3-wlan-ap-2] ap-group ap-group1
[WAC3-wlan-ap-2] quit

# Run the display ap all command to verify that the three APs are online and in normal
state.

[WAC3] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
--------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------------
0 9cb2-e82d-5110 AP3 ap-group1 10.23.100.218 AirEngine5761-11 nor 0 11M:29S -
1 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.27 AirEngine5761-11 nor 0 11M:11S -
2 9cb2-e82d-5410 AP2 ap-group1 10.23.100.222 AirEngine5761-11 nor 0 11M:5S -
--------------------------------------------------------------------------------------------------------
Total: 3

# Configure WLAN services.


# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)

[WAC3] wlan
[WAC3-wlan-view] regulatory-domain-profile name domain1
[WAC3-wlan-regulate-domain-domain1] country-code CN
[WAC3-wlan-regulate-domain-domain1] quit

# Bind the regulatory domain profile to the AP group.

[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and
may restart APs. Continue?[Y/N]: y
[WAC3-wlan-ap-group-ap-group1] quit

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC3] wlan
[WAC3-wlan-view] security-profile name wlan-net
[WAC3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC3-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC3-wlan-view] ssid-profile name wlan-net
[WAC3-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC3-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC3-wlan-view] vap-profile name wlan-net
[WAC3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[WAC3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC3-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC3-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply configurations in the VAP profile
wlan-net to radios 0 and 1 on APs in the AP group.

[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC3-wlan-ap-group-ap-group1] quit
[WAC3-wlan-view] quit

# Check the VAP status.

[WAC3] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
0 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
1 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
1 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
2 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
2 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 1 wlan-net
------------------------------------------------------------------------------
Total: 6

Step 7 Configure a DHCP server.

# Configure SW-Core as a DHCP server to assign IP addresses to AP5 and STAs. Configure
VLANIF 200 on SW-Core to assign an IP address to AP5, switch AP5 to cloud mode through
the DHCP Option 148 field, and carry the NCE's IP address and port number in DHCP
messages. (AP5 has only its factory-default configuration; nothing has been configured on it.)

[SW-Core] interface Vlanif 200
[SW-Core-Vlanif200] dhcp select interface
[SW-Core-Vlanif200] dhcp server option 148 ascii "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=172.21.39.88;agilemanage-port=10020;ap-agilemode=agile-cloud;"
[SW-Core-Vlanif200] quit

# Configure VLANIF 201 on SW-Core to assign IP addresses to STAs associated with AP5.

[SW-Core] interface Vlanif 201
[SW-Core-Vlanif201] dhcp select interface
[SW-Core-Vlanif201] quit

# Check the IP address obtained by AP5 on SW-Core.

[SW-Core] display ip pool interface Vlanif200 used
Pool-name : Vlanif200
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
Option-code : 148
Option-subcode : --
Option-type : ascii
Option-value : "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=172.21.39.88;agilemanage-port=10020;ap-agilemode=agile-cloud;"
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 10.23.200.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
10.23.200.1 10.23.200.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
221 10.23.200.222 9cb2-e82d-5230 DHCP 86400 Used
-------------------------------------------------------------------------------------
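
The Option 148 value decides which controller address and port a cloud-mode AP is told to register with, so it is worth checking what the DHCP server actually hands out against the controller you expect. The following is an added example, not part of the lab guide: the function names, the allow-list and the three comparison values are constructed, and only the `ip` mode used in this lab is interpreted.

```python
import ipaddress

# The five keys that appear in the lab's Option 148 value.
EXPECTED_KEYS = ("agilemode", "agilemanage-mode", "agilemanage-domain",
                 "agilemanage-port", "ap-agilemode")


def parse_option148(raw):
    """Split an Option 148 ASCII value into ({key: value}, [problems])."""
    # Remove line wraps and spaces left by terminals or PDF export, then the quotes.
    text = "".join(raw.split()).strip('"')
    fields, problems = {}, []
    for item in text.split(";"):
        if not item:
            continue  # the value on the page ends with a trailing ';'
        key, sep, value = item.partition("=")
        if not sep or not key or not value:
            problems.append(f"malformed item {item!r}")
        elif key in fields:
            # Rejected: it is ambiguous which of the two values a device would use.
            problems.append(f"duplicate key {key!r}")
        else:
            fields[key] = value
    return fields, problems


def check_option148(raw, allowed_controllers):
    """Return a list of findings; an empty list means the value matches policy.

    allowed_controllers is a set of (ip_string, port_int) pairs that APs are
    expected to register with.
    """
    fields, findings = parse_option148(raw)
    findings += [f"missing key {k!r}" for k in EXPECTED_KEYS if k not in fields]
    findings += [f"unexpected key {k!r}" for k in fields if k not in EXPECTED_KEYS]
    if findings:
        return findings
    if fields["agilemanage-mode"] != "ip":
        # Only the 'ip' mode is used in this lab, so nothing else is interpreted.
        return [f"agilemanage-mode {fields['agilemanage-mode']!r} is not 'ip'"]
    try:
        address = ipaddress.ip_address(fields["agilemanage-domain"])
    except ValueError:
        return ["agilemanage-domain is not a valid IP address"]
    port = fields["agilemanage-port"]
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        return [f"agilemanage-port {port!r} is not a valid port"]
    if (str(address), int(port)) not in allowed_controllers:
        return [f"controller {address}:{port} is not on the allow-list"]
    return []


# Value configured on VLANIF 200 in the lab, wrapped the way the CLI output shows it.
LAB_VALUE = ('"agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-\n'
             'domain=172.21.39.88;agilemanage-port=10020;ap-agilemode=agile-cloud;"')
# Constructed values for comparison (192.0.2.10 is a documentation address).
OTHER_CONTROLLER = LAB_VALUE.replace("172.21.39.88", "192.0.2.10")
NO_PORT = ("agilemode=agile-cloud;agilemanage-mode=ip;"
           "agilemanage-domain=172.21.39.88;ap-agilemode=agile-cloud;")
DUPLICATE = LAB_VALUE.rstrip('"') + 'agilemanage-domain=192.0.2.10;"'

# The NCE address and port used throughout this lab.
ALLOWED = {("172.21.39.88", 10020)}

if __name__ == "__main__":
    samples = [("lab value", LAB_VALUE), ("other controller", OTHER_CONTROLLER),
               ("no port", NO_PORT), ("duplicate key", DUPLICATE)]
    for name, value in samples:
        print(f"{name}: {check_option148(value, ALLOWED) or 'OK'}")
```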

Step 8 Configure NCE to manage AP5.

# Obtain the device ESN of AP5. You can view the label on the rear of AP5 or run a
command to obtain the ESN.

<9cb2-e82d-5230> display esn
ESN of device: 2102353VUR10N5119348

# Choose Design > Site Management from the main menu of NCE. Create a site named
HCIP-AP and select AP in Device type. In the Add Device area, click By Model, set Device
Type to AP, Device Model to AirEngine5761-11, Quantity to 1, and Role to AP, and click
OK.

# Change the device name to AP5, enter the ESN, set the description to HCIP-AP5, and
click OK.

# Choose Design > Device Management. AP5 has been managed by NCE.

Step 9 Configure WLAN services for AP5.

# Choose Design > Device Management and click AP5. The AP5 management page is
displayed. Click Command Line in the upper right corner to perform the CLI-based
configuration for AP5.

# Create VLAN information.

<AP5> system-view
[AP5] vlan batch 200 201

# Create the security profile ap5 and configure a security policy in the profile.

[AP5] wlan
[AP5-wlan-view] security-profile name ap5
[AP5-wlan-sec-prof-ap5] security wpa-wpa2 psk pass-phrase a12345678 aes
[AP5-wlan-sec-prof-ap5] quit

# Create the SSID profile ap5 and set the SSID name to ap5.

[AP5-wlan-view] ssid-profile name ap5
[AP5-wlan-ssid-prof-ap5] ssid ap5
[AP5-wlan-ssid-prof-ap5] quit

# Create the VAP profile ap5, set the data forwarding mode and service VLAN, and bind
the security profile and SSID profile to the VAP profile.

[AP5-wlan-view] vap-profile name ap5
[AP5-wlan-vap-prof-ap5] forward-mode direct-forward
[AP5-wlan-vap-prof-ap5] service-vlan vlan-id 201
[AP5-wlan-vap-prof-ap5] security-profile ap5
[AP5-wlan-vap-prof-ap5] ssid-profile ap5
[AP5-wlan-vap-prof-ap5] quit

# Bind the VAP profile to AP5 (ap-id of AP5 is 0).

[AP5-wlan-view] ap-id 0
[AP5-wlan-ap-0] vap-profile ap5 wlan 1 radio 0
[AP5-wlan-ap-0] vap-profile ap5 wlan 1 radio 1
[AP5-wlan-ap-0] quit
[AP5-wlan-view] quit

# Check AP5 onboarding information.

[AP5] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
---------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------
0* 9cb2-e82d-5230 AP5 default 10.23.200.222 AirEngine5761-11 nor 0 2H:21M:19S -
---------------------------------------------------------------------------------------------------------
Total: 1

# Check the VAP status of AP5.

[AP5] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP5 0 1 9CB2-E82D-5230 ON WPA/WPA2-PSK 0 ap5
0 AP5 1 1 9CB2-E82D-5240 ON WPA/WPA2-PSK 0 ap5
------------------------------------------------------------------------------
Total: 2

4.3 Verification
4.3.1 Checking Cloud Management Information on WAC3
# Run the display cloud-mng info command on WAC3 to check the cloud management
configuration and status.

[WAC3] display cloud-mng info
------------------------------------------------------------
AC status : Online
Controller URL : -
Controller IP address : 172.21.39.88
Controller port : 10020
Source interface : Vlanif100
Controller address source: configuration
------------------------------------------------------------

4.3.2 Associating a STA with the WLAN and Testing Network Connectivity
# Connect a STA to the SSID wlan-net and test the connectivity.

C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
Connection-specific DNS Suffix . . . . . . :
Link-local IPv6 Address . . . . . . . : fe80::3ce1:b4f7:546e:45a1%14
IPv4 Address . . . . . . . . . . . : 10.23.101.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . . . . : 10.23.101.254

C:\Users\admin>ping 10.23.101.254
Pinging 10.23.101.254 with 32 bytes of data:
Reply from 10.23.101.254: bytes=32 time=9ms TTL=254
Reply from 10.23.101.254: bytes=32 time=7ms TTL=254
Reply from 10.23.101.254: bytes=32 time=5ms TTL=254
Reply from 10.23.101.254: bytes=32 time=8ms TTL=254
Ping statistics for 10.23.101.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 9ms, Average = 7ms

# Connect the STA to the SSID ap5 and test the connectivity.

C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
Connection-specific DNS Suffix . . . . . . :
Link-local IPv6 Address . . . . . . . : fe80::3ce1:b4f7:546e:45a1%14
IPv4 Address . . . . . . . . . . . : 10.23.201.133
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . . . . : 10.23.201.254

C:\Users\admin>ping 10.23.201.254
Pinging 10.23.201.254 with 32 bytes of data:
Reply from 10.23.201.254: bytes=32 time=5ms TTL=254
Reply from 10.23.201.254: bytes=32 time=8ms TTL=254
Reply from 10.23.201.254: bytes=32 time=6ms TTL=254
Reply from 10.23.201.254: bytes=32 time=4ms TTL=254
Ping statistics for 10.23.201.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 8ms, Average = 5ms

4.3.3 Checking the Device Running Status on NCE


# Choose Design > Device Management to check the device running status.

4.3.4 Checking the STA Access Status on NCE


# Choose Monitoring > Terminal to check STA information such as the user online
duration and user list.

4.4 Reference Configuration


4.4.1 WAC3 Configuration
Software Version V200R021C00SPC100
#
sysname WAC3
#
http secure-server ssl-policy default_policy
http secure-server server-source -i MEth0/0/1
http server enable
#
vlan batch 100 to 101
#
stp enable
#
management-port isolate enable
management-plane isolate enable
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#<-{((EfVe"O\.(U8m`1UkQ208k_{B11\RCJi_`+9%^%#
capwap dtls inter-controller psk %^%#,nCH6FI3FFyITcANdQoW0UpB3/zU7Hao]JQS\m_4%^%#
capwap dtls no-auth enable
#
cloud-mng controller ip-address 172.21.39.88 port 10020 source-interface Vlanif100
#
wlan
temporary-management psk %^%#NA'y2_qi*04'/tE>zQU-X5ts#{6r]"q5elJpf4GJ%^%#
ap username admin password cipher %^%#5!1~(fh,-PMe.<BSbdHYA&Jq<GIQ]Ln'WB*LG#LO%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#Sf2V!Uqky*mZw&6RPu8VFQ:z'ukl'${BtT:Z&{@/%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap auth-mode sn-auth
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
provision-ap
#
return
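
The two warnings the WAC prints in Step 6 (disable no-auth after the devices first go online; keep the management and service VLANs different) can be checked against a saved configuration, and the reference configuration above still contains capwap dtls no-auth enable. The following is an added example, not part of the lab guide: audit_wac_config and both sample excerpts are constructed, the first one abbreviating the configuration above with the ciphertext left out.

```python
import re


def audit_wac_config(config_text):
    """Return a list of (rule_id, detail) findings for a saved WAC configuration."""
    findings = []
    mgmt_vlan = None      # VLAN of the CAPWAP source interface (management VLAN)
    current_vap = None    # VAP profile whose body is currently being read
    service_vlans = {}    # VAP profile name -> service VLAN ID

    for raw in config_text.splitlines():
        line = raw.strip()  # exported text may have lost its indentation
        if line == "capwap dtls no-auth enable":
            findings.append(("no-auth",
                             "capwap dtls no-auth enable is still present"))
            continue
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I)
        if m:
            mgmt_vlan = int(m.group(1))
            continue
        m = re.fullmatch(r"vap-profile name (\S+)", line)
        if m:
            current_vap = m.group(1)
            continue
        m = re.fullmatch(r"service-vlan vlan-id (\d+)", line)
        if m and current_vap is not None:
            service_vlans[current_vap] = int(m.group(1))
            continue
        # '#' or the start of another named profile or group ends the VAP body.
        if line == "#" or re.fullmatch(r"\S+ name \S+", line):
            current_vap = None

    for vap, vlan in sorted(service_vlans.items()):
        if mgmt_vlan is not None and vlan == mgmt_vlan:
            findings.append(("vlan-overlap", f"VAP profile {vap}: VLAN {vlan}"))
    return findings


# Constructed excerpt of the WAC3 reference configuration (ciphertext omitted,
# indentation absent as in the exported text).
LAB_EXCERPT = """\
capwap source interface vlanif100
capwap dtls psk <ciphertext omitted>
capwap dtls no-auth enable
#
wlan
security-profile name wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
ap auth-mode sn-auth
#
return
"""

# Constructed counter-example: no-auth removed, but one VAP profile reuses the
# management VLAN as its service VLAN.
MISCONFIGURED = """\
capwap source interface vlanif 100
#
wlan
 vap-profile name guest
  service-vlan vlan-id 100
 vap-profile name wlan-net
  service-vlan vlan-id 101
#
return
"""

if __name__ == "__main__":
    for name, text in [("lab excerpt", LAB_EXCERPT), ("misconfigured", MISCONFIGURED)]:
        for rule, detail in audit_wac_config(text) or [("ok", "no findings")]:
            print(f"{name}: [{rule}] {detail}")
```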

4.4.2 AP5 Configuration


Software Version V200R021C00SPC200
#
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif1
http server enable
#
vlan batch 200 to 201 3911
#
dhcp enable
#
acl name nat 2000
rule 5 deny source 169.254.2.0 0.0.0.255
rule 10 permit
#
interface Vlanif1
nat outbound 2000
ip address dhcp-alloc unicast
#
interface Vlanif3911
ip address 10.1.1.1 255.255.255.0
arp-proxy enable
dhcp select global
#
interface Ethernet0/0/0
#
interface Ethernet0/0/46
ip address 169.254.4.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port hybrid tagged vlan 2 to 3910 3912 to 4094
dhcp snooping trusted
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 2 to 3910 3912 to 4094
dhcp snooping trusted
#
interface NULL0
#
wmi-server
server ip-address 172.21.39.88 port 10032
collect-item device-data interval 300
collect-item radio-data interval 300
collect-item ssid-data interval 300
collect-item interface-data interval 300
collect-item terminal-data interval 300
collect-item log-data disable
collect-item location-data disable
collect-item security-data disable
collect-item application-statistics-data disable
collect-item neighbor-device-data interval 300
collect-item emdi-data disable
collect-item cpcar-data disable
collect-item dns-data enable
collect-item dns-data interval 300
collect-item non-wifi-data enable
collect-item non-wifi-data interval 300
#
wmi-server2
collect-item log-data disable
#
wlan
temporary-management psk %^%#NPjnC\Vs5V}Ov3Y^%kJS*rP[K4iix2Dn`+@0aSGB%^%#
traffic-profile name default
security-profile name ap5
security wpa-wpa2 psk pass-phrase %^%#FzDm;<bTwKdpY@!7Zs(;$]BnEt(sp&U3Z5&MZzjK%^%# aes
security-profile name default
security-profile name default-mesh
ssid-profile name ap5
ssid ap5
ssid-profile name default
vap-profile name ap5
service-vlan vlan-id 201
ssid-profile ap5
security-profile ap5
vap-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name 5G
air-scan-profile name 2.4G
air-scan-profile name default
rrm-profile name 5G
calibrate min-tx-power 12
airtime-fair-schedule enable
smart-roam quick-kickoff-threshold disable
sta-load-balance dynamic disable
rrm-profile name 2.4G
calibrate min-tx-power radio-5g 9
airtime-fair-schedule enable
smart-roam quick-kickoff-threshold disable
sta-load-balance dynamic disable
rrm-profile name default
radio-2g-profile name 2.4G
power auto-adjust enable
rrm-profile 2.4G
air-scan-profile 2.4G
radio-2g-profile name default
radio-5g-profile name 5G
power auto-adjust enable
rrm-profile 5G
a-msdu disable
air-scan-profile 5G
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
user-interface vty 0 idle-timeout 10 0
user-interface vty 1 idle-timeout 10 0
user-interface vty 2 idle-timeout 10 0
user-interface vty 3 idle-timeout 10 0
user-interface vty 4 idle-timeout 10 0
traffic-optimize broadcast-suppression other-broadcast rate-threshold 64
traffic-optimize broadcast-suppression other-multicast rate-threshold 64
ble-profile name default
port-link-profile name default
port-link-profile name default-GE-0
wired-port-profile name default
wired-port-profile name default-GE-0
port-link-profile default-GE-0
ap-group name default
ble-profile default
wired-port-profile default-GE-0 gigabitethernet 0
radio 0
radio-2g-profile 2.4G
radio-5g-profile 5G
antenna-gain 2
radio 1
radio-5g-profile 5G
antenna-gain 2
radio 2
radio-2g-profile 2.4G
radio-5g-profile 5G
ap-id 0 type-id 144 ap-mac 9cb2-e82d-5230 ap-sn 2102353VUR10N5119348
ap-name AP5
radio 0
vap-profile ap5 wlan 1
radio 1
vap-profile ap5 wlan 1
provision-ap
#
return

4.4.3 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 99 to 101 200 to 201
#
dhcp enable
#
vlan 99
name Manage
#
interface Vlanif1
#
interface Vlanif99
ip address 172.21.39.253 255.255.128.0
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.254 255.255.255.0
dhcp select interface
dhcp server option 148 ascii "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=172.21.39.88;agilemanage-port=10020;ap-agilemode=agile-cloud;"
#
interface Vlanif201
ip address 10.23.201.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
shutdown
#
interface MultiGE0/0/2
shutdown
#
interface MultiGE0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
port link-type access
port default vlan 99
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
return

4.4.4 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101 200 to 201
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
shutdown
#
interface MultiGE0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200 to 201
#
interface MultiGE0/0/6
shutdown
#
interface MultiGE0/0/7
shutdown
#
interface MultiGE0/0/8
shutdown
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
return

4.5 Quiz
In the preceding lab, AP5 is switched to the cloud mode through DHCP. In addition to the
DHCP mode, what methods can be used to switch a Fit AP to the cloud mode?
Answer:
A cloud AP can switch the working mode and obtain the iMaster NCE-Campus address in
the following ways:
⚫ Using a DHCP server: This method has the highest priority and is preferred if the AP can
use multiple methods to obtain the IP address of the iMaster NCE-Campus.
⚫ Obtaining through the registration query center: Low priority.
⚫ Through manual configuration on the CLI or web platform: The priority of this method is
lower than that using a DHCP server but higher than that using the registration query
center.

5 802.1X Authentication Lab

5.1 Introduction
5.1.1 About This Lab
This lab instructs you to master the basic implementation and configuration methods of
802.1X access authentication.

5.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the basic implementation and configuration methods of 802.1X access
authentication.

5.1.3 Networking Topology

Figure 5-1 802.1X authentication lab topology



5.1.4 Lab Planning


Table 5-1 VLAN planning
Device      Port           Port Type   VLAN Settings
------------------------------------------------------------------------------
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/4   Access      PVID: 99
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101

Table 5-2 IP address planning
Device               Port         IP Address
------------------------------------------------------
SW-Core              VLANIF 100   10.23.100.254/24
SW-Core              VLANIF 101   10.23.101.254/24
SW-Core              VLANIF 99    172.21.39.253/17
WAC1                 VLANIF 100   10.23.100.1/24
iMaster NCE-Campus   /            172.21.39.88/17

Table 5-3 WLAN service parameter planning
WLAN Service                       Parameter
------------------------------------------------------------------------------------------
Forwarding mode                    Tunnel forwarding
Management VLAN                    100
Service VLAN                       101
AP group                           ap-group1
VAP profile                        wlan-net
Security profile                   wlan-net
Security policy                    WPA2+802.1X+AES
SSID profile                       wlan-net
SSID                               wlan-net
RADIUS authentication parameters   Name of the RADIUS authentication scheme: radius_huawei
                                   Name of the RADIUS accounting scheme: scheme1
                                   Name of a RADIUS server template: radius_huawei
                                   The RADIUS server information is as follows:
                                   IP address: 172.21.39.88
                                   Authentication port number: 1812
                                   Accounting port number: 1813
                                   Shared key: Huawei@123
802.1X access profile              Name: d1
                                   Authentication mode: EAP
Authentication profile             Name: p1
                                   Bound profiles and schemes:
                                   802.1X access profile: d1
                                   RADIUS server template: radius_huawei
                                   RADIUS authentication scheme: radius_huawei
                                   RADIUS accounting scheme: scheme1

5.2 Lab Configuration


5.2.1 Configuration Roadmap
1. Configure the basic network to ensure network connectivity.
2. Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.
3. Configure network connectivity between NCE and WAC1.
4. Configure AP onboarding.
5. Configure 802.1X authentication on WAC1.
6. Configure basic WLAN services.
7. Configure 802.1X authentication on NCE.
8. Verify 802.1X access authentication.

5.2.2 Configuration Procedure


Step 1 Configure network connectivity.

Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the
downlink port to allow packets from VLANs 100 and 101 to pass through, and set the
PVID to 100. Configure the uplink port to allow packets from VLANs 100 and 101 to pass
through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.

<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101

# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-
Access.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit

Configure the core switch SW-Core. Create VLANs 100 and 101. Configure the downlink
interface and MultiGE0/0/1 connected to WAC1 to allow packets from VLANs 100 and
101 to pass through.
# Create VLANs 100 and 101 on SW-Core.

<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101

# Configure the type of the downlink interface on SW-Core and configure the interface to
allow packets from VLANs 100 and 101 to pass through.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC1 and the allowed
VLANs for the interface.

[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit

Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and
configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.

[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit

Configure IP addresses for SW-Core and WAC1.


# Configure IP addresses for SW-Core.

[SW-Core] interface vlan 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlan 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit

# Configure an IP address for WAC1.

[WAC1] interface vlan 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit

Step 2 Configure a DHCP server.



# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs. Enable
the DHCP service on SW-Core and configure VLANIF 100 on SW-Core to assign IP
addresses to APs.

[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.

[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 3 Configure network connectivity between NCE and WAC1.

The IP address and gateway of NCE have been configured during software installation
and are not described in this lab. The IP address of NCE is 172.21.39.88/17, and the
gateway address is 172.21.39.253 (on SW-Core).
# Configure VLAN and IP address information for SW-Core.

[SW-Core] vlan 99
[SW-Core-vlan99] name Manage
[SW-Core-vlan99] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type access
[SW-Core-MultiGE0/0/4] port default vlan 99
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 99
[SW-Core-Vlanif99] ip address 172.21.39.253 17
[SW-Core-Vlanif99] quit

# Configure a default route for WAC1 and set the next hop address to SW-Core.

[WAC1] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

Step 4 Configure AP onboarding.

# Enable the establishment of CAPWAP DTLS sessions in no-authentication mode.
(V200R021C00 and later versions)

[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC1. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567

[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] capwap source interface vlanif 100
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters,
underscores, and digits, and must start with a letter):admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-
188 characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):Huawei@123
Confirm password:Huawei@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text
characters that must be a combination of at least two of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters):a1234567
Confirm PSK:a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

# Create an AP group.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# On WAC1, set the AP authentication mode to MAC address authentication.

[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit

# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)

[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 9cb2-e82d-5110
[WAC1-wlan-ap-2] ap-group ap-group1
[WAC1-wlan-ap-2] ap-name AP3
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit

# Run the display ap all command to verify that the three APs are online and in normal
state.

<WAC1> display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
---------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 3D:16H:14M:57S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 3D:16H:13M:31S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.117 AirEngine5761-11 nor 0 3D:16H:14M:44S -
---------------------------------------------------------------------------------------------------------------
Total: 3

Step 5 Configure 802.1X authentication on WAC1.

# Configure a RADIUS server template.

[WAC1] radius-server template radius_huawei
[WAC1-radius-radius_huawei] radius-server authentication 172.21.39.88 1812 source vlanif 100
[WAC1-radius-radius_huawei] radius-server accounting 172.21.39.88 1813 source vlanif 100
[WAC1-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[WAC1-radius-radius_huawei] quit
[WAC1] radius-server authorization 172.21.39.88 shared-key cipher Huawei@123 server-group radius_huawei
[WAC1] radius-server authorization server-source all-interface
Warning: All interface listening has security risks.
If configured, the configuration of the specified listening IP address will be removed. Continue?[Y/N]
y
Info: This operation may take some time, please wait for a moment .....

# Configure a RADIUS authentication scheme.

[WAC1] aaa
[WAC1-aaa] authentication-scheme radius_huawei
[WAC1-aaa-authen-radius_huawei] authentication-mode radius
[WAC1-aaa-authen-radius_huawei] quit

# Configure a RADIUS accounting scheme.

[WAC1-aaa] accounting-scheme scheme1
[WAC1-aaa-accounting-scheme1] accounting-mode radius
[WAC1-aaa-accounting-scheme1] accounting realtime 3
[WAC1-aaa-accounting-scheme1] quit
[WAC1-aaa] quit

# The accounting realtime command sets the real-time accounting interval, in minutes.
# Configure the 802.1X access profile d1.

[WAC1] dot1x-access-profile name d1
[WAC1-dot1x-access-profile-d1] dot1x authentication-method eap
[WAC1-dot1x-access-profile-d1] quit

# Configure the authentication profile p1. Create the authentication profile p1, and bind
the 802.1X access profile d1, RADIUS server template radius_huawei, authentication
scheme radius_huawei, and accounting scheme scheme1 to the authentication profile.

[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] dot1x-access-profile d1
[WAC1-authentication-profile-p1] radius-server radius_huawei
[WAC1-authentication-profile-p1] authentication-scheme radius_huawei
[WAC1-authentication-profile-p1] accounting-scheme scheme1
[WAC1-authentication-profile-p1] quit

Step 6 Configure WLAN services.

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] authentication-profile p1
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 7 Configure 802.1X authentication on NCE.

Before configuring access authentication on NCE, you need to create a tenant account
and password, which is not described here.
Create the user name and password for 802.1X authentication on NCE.

# Choose Admission > Admission Resources > User Management from the main menu.

# Choose User Management > User, click +, and create a user group named HCIP-WLAN.

# Select the HCIP-WLAN user group and click Create. On the page that is displayed, set
User name to dot1x-user, Password to Huawei@123, and Available login mode to 802.1X
& Portal 2.0 for 802.1X authentication, and click OK.

Add an admission device (WAC1) to NCE.


# Choose Admission > Admission Resources > Admission Device and configure an
admission device.

# Click Third-party Admission Device and click Create to create a third-party admission
device.

# Set parameters according to the following figure. Set Accounting key and Authorization
key both to Huawei@123, and Accounting interval (min) to 3, which are the same as
those configured on WAC1.

Create authentication and authorization, authorization rules, and authorization results on
NCE.
# Choose Admission > Admission Policy > Authentication and Authorization from the
main menu.

# Click Authentication Rules, click Create, and configure an authentication rule according
to the following figure.

# Click Authorization Rules, click Create, and configure an authorization rule according to
the following figure.

5.3 Verification
5.3.1 Checking the AP Onboarding Status
# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA2+802.1X 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA2+802.1X 1 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA2+802.1X 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA2+802.1X 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA2+802.1X 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA2+802.1X 0 wlan-net
-----------------------------------------------------------------------------
Total: 6

5.3.2 Checking VAP Information


# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA2+802.1X 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA2+802.1X 1 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA2+802.1X 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA2+802.1X 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA2+802.1X 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA2+802.1X 0 wlan-net
-----------------------------------------------------------------------------
Total: 6

5.3.3 Associating a STA with the WLAN and Verifying Authentication
# Before associating a STA with the WLAN, you need to set 802.1X parameters. This lab
describes how to set 802.1X parameters on Windows 10.
# Choose Control Panel > Network and Internet > Network and Sharing Center. (Network
and Internet is displayed when the view mode of Control Panel is set to Category.) Click
Set up a new connection or network.

# In the dialog box that is displayed, select Manually connect to a wireless network and
click Next.

# Enter a network name, set Security type and Encryption type, select Start this
connection automatically, and click Next.

# Successfully added wlan-net is displayed. Click Change connection settings.



# Click the Security tab. Select Microsoft: Protected EAP (PEAP) from the drop-down list
below Choose a network authentication method, and click Settings.

# Deselect Verify the server's identity by validating the certificate, select Secure password
(EAP-MSCHAP v2) from the drop-down list box below Select Authentication Method, and
click Configure. In the dialog box that is displayed, deselect Automatically use my
Windows logon name and password and click OK.

# On the Security tab page, click Advanced settings.

# On the 802.1X settings tab page, select User authentication from the drop-down list
below Specify authentication mode, and click OK.

# Click OK. The 802.1X parameters in the Windows 10 operating system are set.

# After all settings are complete, select the SSID wlan-net and click Connect.

# Enter the correct user name and password (dot1x-user and Huawei@123, respectively,
in this example).

# After the connection is set up, run the ipconfig command to verify that the IP address
obtained by the wireless network adapter is on the network segment 10.23.101.0/24. Run
the ping command to test the network connectivity.

5.3.4 Checking Terminal Authentication Logs on NCE


# On NCE, choose Monitoring > Event Logs > Terminal Authentication Logs to check
terminal authentication logs.

# Choose RADIUS Login and Logout logs > RADIUS Authentication Logs to check
terminal authentication records. The authentication rule is 802.1X, the authorization rule
is 802.1X, and the authentication result is Success.

5.3.5 Checking Terminal Authentication on WAC1


# Check detailed information about NAC access users on WAC1. Success indicates
successful access of a user.

[WAC1] display access-user detail
Basic:
User ID : 65613
User name : dot1x-user
User MAC : 081f-7153-90b4
User IP address : 10.23.101.196
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/101
User vlan source : user request
User access time : XXXX
User accounting session ID : WAC1000000000001011d****010004d
User accounting mult session ID : 9CB2E82D54F0081F715390B46321B****F061063
User access type : 802.1x
AP name : AP1
Radio ID :1
AP MAC : 9cb2-e82d-54f0
SSID : wlan-net
Online time : 788(s)
User Group Priority :0

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1

5.4 Reference Configuration


5.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
http timeout 10080
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif100
http server enable
#
vlan batch 100 to 101
#
authentication-profile name p1
dot1x-access-profile d1
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
#
management-port isolate enable
management-plane isolate enable
#
radius-server template default
radius-server template radius_huawei
radius-server shared-key cipher %^%#3:KT&'SI#Fg;Rz~2dA9R2hU/&4Z8L/T{VQ4Ry(sC%^%#
radius-server authentication 172.21.39.88 1812 source Vlanif 100 weight 80
radius-server accounting 172.21.39.88 1813 source Vlanif 100 weight 80
radius-server ip-address 172.21.39.88 shared-key cipher %^%#uz^0YJYF@Dub8K)sS9/;2k=v87NT-
Wn(lBS6A0]Q%^%#
radius-server authorization 172.21.39.88 shared-key cipher %^%#</OAY!//D0%Mn>>GL,#SJt|>3-
nx>!g58f@09>iJ%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
authorization-scheme default
authorization-mode local
accounting-scheme scheme1
accounting-mode radius
accounting realtime 3
local-user admin password irreversible-cipher
$1a$Z#*{";)Ik6$LUMXJS;VWR$p7mWZtx|EN3q#M`}27Bg+[8<)ELp.$
local-user admin privilege level 15
local-user admin service-type telnet ssh http
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
calibrate enable manual
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa2 dot1x aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile p1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
radio 2
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
ap-group ap-group1 provision-ap
#
dot1x-access-profile name d1
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
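
An added example, not part of the lab guide or of any Huawei tool: a small Python audit that walks a WAC configuration export and reports the convenience settings this lab enables and the device warns about (capwap dtls no-auth enable, server-source all-interface), then resolves which SSIDs end up open. The sample text is a constructed excerpt modelled on the reference configuration above with device-style indentation assumed; the rule names, the telnet and open-SSID checks, and all function names are this example's own.

```python
import re
from typing import NamedTuple

# Constructed excerpt modelled on the WAC1 reference configuration (section 5.4.1).
# Assumption: nested views are indented one space per level, as in a device export.
SAMPLE_CONFIG = """\
#
radius-server template radius_huawei
 radius-server authentication 172.21.39.88 1812 source Vlanif 100 weight 80
radius-server authorization server-source all-interface
#
aaa
 local-user admin privilege level 15
 local-user admin service-type telnet ssh http
#
capwap source interface vlanif100
capwap dtls no-auth enable
#
wlan
 security-profile name wlan-net
  security wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  ssid-profile wlan-net
  security-profile wlan-net
#
return
"""

# Constructed Portal-lab variant (chapter 6): open SSID plus the Portal listener line.
PORTAL_CONFIG = ("web-auth-server server-source all-interface\n"
                 + SAMPLE_CONFIG.replace("security wpa2 dot1x aes", "security open"))

# Rule id -> (pattern, reason). The first two reasons paraphrase warnings the device
# prints in the lab; TELNET-MGMT and OPEN-SSID are checks added by this example.
RULES = {
    "DTLS-NOAUTH": (r"^capwap dtls no-auth enable$", "disable after the first AP onboarding"),
    "LISTEN-ALL": (r"\bserver-source all-interface$", "listens on every interface"),
    "TELNET-MGMT": (r"^local-user \S+ service-type\b.*\btelnet\b", "cleartext management login"),
    "OPEN-SSID": (r"^security open$", "no over-the-air encryption for this profile"),
}

class Finding(NamedTuple):
    line: int
    rule: str
    context: str
    statement: str
    reason: str

def parse(config):
    """Yield (line_no, context, statement); context is the chain of enclosing views."""
    stack = []  # (indent, statement) of each enclosing view
    for no, raw in enumerate(config.splitlines(), 1):
        stmt = raw.strip()
        if not stmt or stmt == "return":
            continue
        if stmt == "#":  # a '#' separator closes every open view
            stack.clear()
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield no, tuple(s for _, s in stack), stmt
        stack.append((indent, stmt))

def audit(config):
    """Return a Finding for every statement that matches a rule."""
    return [Finding(no, rule, " > ".join(ctx) or "system", stmt, reason)
            for no, ctx, stmt in parse(config)
            for rule, (pattern, reason) in RULES.items()
            if re.search(pattern, stmt)]

def open_ssids(config):
    """Return SSIDs whose VAP profile binds a security profile set to 'security open'."""
    open_sec, ssid_of, vaps = set(), {}, {}
    for _no, ctx, stmt in parse(config):
        parent = ctx[-1] if ctx else ""
        name = parent.rsplit(" ", 1)[-1]
        if stmt == "security open" and parent.startswith("security-profile name "):
            open_sec.add(name)
        elif stmt.startswith("ssid ") and parent.startswith("ssid-profile name "):
            ssid_of[name] = stmt.split(" ", 1)[1]
        elif parent.startswith("vap-profile name "):
            key, _, value = stmt.partition(" ")
            if key in ("security-profile", "ssid-profile"):
                vaps.setdefault(name, {})[key] = value
    return sorted(ssid_of[v["ssid-profile"]] for v in vaps.values()
                  if v.get("security-profile") in open_sec
                  and v.get("ssid-profile") in ssid_of)

if __name__ == "__main__":
    for title, text in (("802.1X lab", SAMPLE_CONFIG), ("Portal lab", PORTAL_CONFIG)):
        print(title)
        for f in audit(text):
            print(f"  line {f.line:>2} [{f.rule}] {f.context}: {f.statement} ({f.reason})")
        print("  open SSIDs:", open_ssids(text) or "none")
```

The reference configurations on this page have lost their indentation in extraction, so run the audit against a configuration exported from the device rather than against text copied from here.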

5.4.2 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 99 to 101
#
dhcp enable
#
vlan 99
name Manage
#
interface Vlanif1
#
interface Vlanif99
ip address 172.21.39.253 255.255.128.0
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
port link-type access
port default vlan 99
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

5.4.3 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

5.5 Quiz
In this lab, the authentication mode for 802.1X users is set to EAP. What other
authentication modes can be configured for 802.1X users?
Answer:
Run the dot1x authentication-method command to configure the authentication mode
for 802.1X users. The authentication mode for 802.1X users can be set to EAP, CHAP, or
PAP.
EAP: indicates relay authentication using the Extensible Authentication Protocol (EAP).
CHAP: indicates EAP termination authentication using the Challenge Handshake
Authentication Protocol (CHAP).
PAP: indicates EAP termination authentication using the Password Authentication Protocol (PAP).
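
What the two EAP termination modes carry towards the RADIUS server, as an added example that is not part of the lab guide: the RFC 2865 User-Password hiding used for PAP and the RFC 2865 CHAP-Password check used for CHAP. The shared key and password are the lab's values; the Request Authenticator, the challenge and all function names are constructed for illustration, and how the WAC builds these requests internally is not shown on this page.

```python
import hashlib
import hmac

SHARED_KEY = b"Huawei@123"        # lab value: RADIUS shared key set on WAC1 and NCE
PASSWORD = b"Huawei@123"          # lab value: password of dot1x-user
REQUEST_AUTH = bytes(range(16))   # constructed 16-byte Request Authenticator
CHALLENGE = bytes(range(16, 32))  # constructed CHAP challenge


def pap_hide(password, secret, request_auth):
    """PAP termination: build the User-Password attribute value (RFC 2865, 5.2)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # Pad with NULs to a multiple of 16 octets (an empty password still fills one block).
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev  # each ciphertext block keys the mask of the next one
    return hidden


def pap_reveal(hidden, secret, request_auth):
    """What the RADIUS server does: undo the hiding with its copy of the shared key."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """CHAP termination: CHAP-Password = ident + MD5(ident + password + challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()


def chap_verify(attr, stored_password, challenge):
    """Server side: recompute the response from the stored password and compare."""
    return hmac.compare_digest(attr, chap_password(attr[0], stored_password, challenge))


if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SHARED_KEY, REQUEST_AUTH)
    print("PAP User-Password :", hidden.hex())
    print("  matching key    :", pap_reveal(hidden, SHARED_KEY, REQUEST_AUTH))
    print("  mismatched key  :", pap_reveal(hidden, b"other-key", REQUEST_AUTH))
    attr = chap_password(1, PASSWORD, CHALLENGE)
    print("CHAP-Password     :", attr.hex(), "verified:", chap_verify(attr, PASSWORD, CHALLENGE))
```

With PAP the password is recoverable by any holder of the shared key, and a key mismatch between WAC1 and the server turns a correct password into garbage; with CHAP only a hash of the password crosses the link, and in EAP relay mode neither attribute is built on the WAC.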

6 Portal Authentication Lab

6.1 Introduction
6.1.1 About This Lab
This lab helps you master the basic implementation and configuration methods of
Portal access authentication.

6.1.2 Objectives
⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the basic implementation and configuration methods of Portal access
authentication.

6.1.3 Networking Topology

Figure 6-1 Portal authentication lab topology



6.1.4 Lab Planning


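Table 6-1 VLAN planning
------------------------------------------------------------------------------
Device      Port           Port Type   VLAN Settings
------------------------------------------------------------------------------
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/4   Access      PVID: 99
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
------------------------------------------------------------------------------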

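Table 6-2 IP address planning
------------------------------------------------------
Device               Port         IP Address
------------------------------------------------------
SW-Core              VLANIF 100   10.23.100.254/24
SW-Core              VLANIF 101   10.23.101.254/24
SW-Core              VLANIF 99    172.21.39.253/17
WAC1                 VLANIF 100   10.23.100.1/24
iMaster NCE-Campus   /            172.21.39.88/17
------------------------------------------------------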

Table 6-3 WLAN service parameter planning
------------------------------------------------------------------------------------------
WLAN Service                       Parameter
------------------------------------------------------------------------------------------
Forwarding mode                    Tunnel forwarding
Management VLAN                    100
Service VLAN                       101
AP group                           ap-group1
VAP profile                        wlan-net
Security profile                   wlan-net
Security policy                    OPEN
SSID profile                       wlan-net
SSID                               wlan-net
RADIUS authentication parameters   Name of the RADIUS authentication scheme: radius_huawei
                                   Name of the RADIUS accounting scheme: scheme1
                                   Name of the RADIUS server template: radius_huawei
                                   IP address: 172.21.39.88
                                   Authentication port number: 1812
                                   Accounting port number: 1813
                                   Shared key: Huawei@123
Portal server template             Name: abc
                                   IP address: 172.21.39.88
                                   URL: https://172.21.39.88:19008/portal
                                   Destination port number in the packets sent by
                                   WAC1 to the Portal server: 50200
                                   Portal shared key: Huawei@123
Portal access profile              Name: portal1
                                   Bound profile: Portal server template abc
Authentication-free rule profile   Name: free1
Authentication profile             Name: p1
                                   Bound profiles and schemes:
                                   Portal access profile portal1
                                   RADIUS server template radius_huawei
                                   RADIUS authentication scheme radius_huawei
                                   RADIUS accounting scheme scheme1
                                   Authentication-free rule profile free1
------------------------------------------------------------------------------------------

6.2 Lab Configuration


6.2.1 Configuration Roadmap
1. Configure the basic network to ensure network connectivity.
2. Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.
3. Configure network connectivity between NCE and WAC1.
4. Configure AP onboarding.
5. Configure Portal authentication on WAC1.
6. Configure basic WLAN services.
7. Configure Portal authentication on NCE.
8. Verify Portal authentication.

6.2.2 Configuration Procedure


Step 1 Configure network connectivity.

# For details, see Step 1 in section 5.2.2 "Configuration Procedure."

Step 2 Configure a DHCP server.

# For details, see Step 2 in section 5.2.2 "Configuration Procedure."

Step 3 Configure network connectivity between NCE and WAC1.

# For details, see Step 3 in section 5.2.2 "Configuration Procedure."

Step 4 Configure AP onboarding.

# For details, see Step 4 in section 5.2.2 "Configuration Procedure."

Step 5 Configure Portal authentication on WAC1.

# Configure a RADIUS server template.

[WAC1] radius-server template radius_huawei
[WAC1-radius-radius_huawei] radius-server authentication 172.21.39.88 1812 source vlanif 100
[WAC1-radius-radius_huawei] radius-server accounting 172.21.39.88 1813 source vlanif 100
[WAC1-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[WAC1-radius-radius_huawei] quit
[WAC1] radius-server authorization 172.21.39.88 shared-key cipher Huawei@123 server-group radius_huawei
[WAC1] radius-server authorization server-source all-interface
Warning: All interface listening has security risks.
If configured, the configuration of the specified listening IP address will be removed. Continue?[Y/N]
y
Info: This operation may take some time, please wait for a moment .....

# Configure an authentication scheme that uses RADIUS authentication.

[WAC1] aaa
[WAC1-aaa] authentication-scheme radius_huawei
[WAC1-aaa-authen-radius_huawei] authentication-mode radius
[WAC1-aaa-authen-radius_huawei] quit

# Configure a RADIUS accounting scheme.

[WAC1-aaa] accounting-scheme scheme1
[WAC1-aaa-accounting-scheme1] accounting-mode radius
[WAC1-aaa-accounting-scheme1] accounting realtime 3
[WAC1-aaa-accounting-scheme1] quit
[WAC1-aaa] quit

# Configure a URL template. When NCE functions as a Portal server, the default port
number of the Portal page is 19008.

[WAC1] url-template name url1
[WAC1-url-template-url1] url https://172.21.39.88:19008/portal
[WAC1-url-template-url1] url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
[WAC1-url-template-url1] quit

# Configure a Portal server template. When NCE functions as a Portal server, the default
listening port is 50200.

[WAC1] web-auth-server server-source all-interface
Warning: All interface listening has security risks.
If configured, the configuration of the specified listening IP address will be removed. Continue?[Y/N]
y
[WAC1] web-auth-server abc
[WAC1-web-auth-server-abc] server-ip 172.21.39.88
[WAC1-web-auth-server-abc] source-ip 10.23.100.1
[WAC1-web-auth-server-abc] shared-key cipher Huawei@123
[WAC1-web-auth-server-abc] port 50200
[WAC1-web-auth-server-abc] url-template url1
[WAC1-web-auth-server-abc] quit

# Create the Portal access profile portal1 and configure Layer 2 Portal authentication.

[WAC1] portal-access-profile name portal1
[WAC1-portal-access-profile-portal1] web-auth-server abc direct
[WAC1-portal-access-profile-portal1] quit

# An authentication-free rule profile is used to permit basic network access rights, such
as accessing the DNS server, downloading patches, and updating the antivirus signature
database. Only the IP address of the NCE server is permitted in this lab.

[WAC1] free-rule-template name free1
[WAC1-free-rule-free1] free-rule 1 destination ip 172.21.39.88 mask 32
[WAC1-free-rule-free1] quit

# Create the authentication profile p1, and bind the Portal access profile portal1,
authentication-free rule profile free1, RADIUS server template radius_huawei,
authentication scheme radius_huawei, and accounting scheme scheme1 to the
authentication profile.

[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] portal-access-profile portal1
[WAC1-authentication-profile-p1] free-rule-template free1
[WAC1-authentication-profile-p1] radius-server radius_huawei
[WAC1-authentication-profile-p1] authentication-scheme radius_huawei
[WAC1-authentication-profile-p1] accounting-scheme scheme1
[WAC1-authentication-profile-p1] quit

Step 6 Configure WLAN services.

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security open
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] authentication-profile p1
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 7 Configure Portal authentication on NCE.

Create the user name and password for Portal authentication on NCE.
# Choose Admission > Admission Resources > User Management from the main menu.

# Choose User Management > User, click +, and create a user group named HCIP-WLAN.

# Select the HCIP-WLAN user group and click Create. On the page that is displayed, set
User name to portal-user, Password to Huawei@123, and Available login mode to Portal
and 802.1X & Portal 2.0 for Portal authentication, and click OK.

Add an admission device (WAC1) to NCE.


# Choose Admission > Admission Resources > Admission Device and configure an
admission device.

# Click Third-party Admission Device and click Create to create a third-party admission
device.

# Set parameters according to the following figure. Set Accounting key and Authorization
key both to Huawei@123, and Accounting interval (min) to 3, which are the same as
those configured on WAC1.

# Configure Portal authentication parameters. Set Portal protocol to Huawei
Portal(Portal2.0), Portal key to Huawei@123 (same as the shared-key configured on
WAC1), and Portal Authentication port to 2000 (default), and click OK. The Portal
authentication port is the default listening port of WAC1 and is used to listen to Portal
packets.

Create authentication and authorization, authorization rules, and authorization results on
NCE.
# Choose Admission > Admission Policy > Authentication and Authorization from the
main menu.

# Click Authentication Rules, click Create, and configure an authentication rule as
follows:

# Click Authorization Rules, click Create, and configure an authorization rule according to
the following figure.

Configure the Portal page push policy on NCE. (If there is no special requirement, use the
default page.)
# Choose Admission > Admission Resources > Page Management to manage Portal
pages.

# Click the Portal Page Push Policy tab, click Create, set the parameters
according to the following figures, and click OK.

# Check the Portal page push policy.



6.3 Verification
6.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to check the AP onboarding status. If the
State field of an AP is displayed as nor, the AP has gone online successfully. The IP
address of the AP is dynamically obtained through DHCP. The actual IP address is subject
to the lab result.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
---------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 6D:18H:42M:59S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 6D:18H:41M:33S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.117 AirEngine5761-11 nor 0 6D:18H:42M:46S -
---------------------------------------------------------------------------------------------------------------
Total: 3

6.3.2 Checking VAP Information


# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON Open+Portal 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON Open+Portal 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON Open+Portal 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON Open+Portal 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON Open+Portal 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON Open+Portal 0 wlan-net
-----------------------------------------------------------------------------
Total: 6

6.3.3 Verifying STA Access to a WLAN in Portal Authentication Mode
# Open a browser on a STA and enter any IP address. The Portal authentication page is
displayed.

# You are redirected to the Portal authentication page, where you can enter the user
name portal-user and password Huawei@123, and select User notice to log in.

# Verification succeeded is displayed, indicating that you can access network resources.

6.3.4 Checking Terminal Authentication Logs on NCE


# On NCE, choose Monitoring > Event Logs > Terminal Authentication Logs to check
terminal authentication logs.

# Click the Portal Login and Logout Logs tab to check Portal terminal authentication
records.

6.3.5 Checking Terminal Authentication on WAC1


# Check detailed information about NAC access users on WAC1. Success indicates
successful access of a user.

[WAC1] display access-user detail
Basic:
User ID : 65623
User name : portal-user
User MAC : 081f-7153-90b4
User IP address : 10.23.101.196
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss17499
User vlan event : Success
QinQVlan/UserVlan : 0/101
User vlan source : user request
User access time : XXXX 09:21:06
User accounting session ID : WAC10000000000010194****0100057
User accounting mult session ID : 9CB2E82D5410081F715390B463283****8D7D1C1
HCIP-WLAN V2.0 Lab Guide Page 136

User access type : WEB


AP name : AP2
Radio ID :1
AP MAC : 9cb2-e82d-5410
SSID : wlan-net
Online time : 1166(s)
Web-server IP address : 172.21.39.88
User Group Priority :0

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS

------------------------------------------------------------------------------
Total: 1, printed: 1

6.4 Reference Configuration


6.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
http timeout 10080
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif100
http server enable
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template free1
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
#
web-auth-server server-source all-interface
#
management-port isolate enable
management-plane isolate enable
#
radius-server template default
radius-server template radius_huawei
radius-server shared-key cipher %^%#]gR#5-y9p=z#}}Pk4-L;WGPdIm[,VBkhjz&Wf<G%%^%#
radius-server authentication 172.21.39.88 1812 source Vlanif 100 weight 80
radius-server accounting 172.21.39.88 1813 source Vlanif 100 weight 80
radius-server authorization 172.21.39.88 shared-key cipher %^%#5jF1YZq(*OsX-2U&P}A<]`!XH,|-r15kUd$G}=]"%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
free-rule-template name default_free_rule
#
free-rule-template name free1
free-rule 1 destination ip 172.21.39.88 mask 255.255.255.255
#
url-template name url1
url https://172.21.39.88:19008/portal
url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
#
web-auth-server abc
server-ip 172.21.39.88
port 50200
shared-key cipher %^%#/H+oJc*rtC_]{(WRUDt4un;&<1:g~NP{q(SD$ux#%^%#
url-template url1
source-ip 10.23.100.1
#
portal-access-profile name portal1
web-auth-server abc direct
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme scheme1
accounting-mode radius
accounting realtime 3
local-aaa-user password policy administrator
domain default
authentication-scheme default
accounting-scheme default
radius-server default
domain default_admin
authentication-scheme default
accounting-scheme default
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
calibrate flexible-radio auto-switch
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security open
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile p1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
ap-group ap-group1
provision-ap
#
return

6.4.2 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 99 to 101
#
dhcp enable
#
vlan 99
name Manage
#
interface Vlanif1
#
interface Vlanif99
ip address 172.21.39.253 255.255.128.0
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
port link-type access
port default vlan 99
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

6.4.3 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

6.5 Quiz
The DNS server is not configured in the preceding lab. What is the function of a DNS
server in Portal authentication?
Answer:
The DNS server parses the domain name sent by a terminal so that the AP can redirect
the terminal to the Portal authentication page. That is, the terminal can be redirected to
the Portal authentication page when accessing any domain name.

7 WLAN Roaming Lab

7.1 Introduction
7.1.1 About This Lab
This lab activity provides instructions on configuring and commissioning intra-WAC Layer
2 and inter-WAC Layer 3 roaming so that you can understand how to deploy Huawei
WLAN roaming.

7.1.2 Objectives
⚫ Understand the intra-WAC Layer 2 roaming network configuration.
⚫ Understand the inter-WAC Layer 3 roaming network configuration.

7.1.3 Networking Topology

Figure 7-1 WLAN roaming networking topology


7.1.4 Lab Planning


Table 7-1 VLAN planning
Device      Port           Port Type   VLAN Settings
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/2   Trunk       PVID: 1; Allow-pass: VLANs 200 and 201
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 200; Allow-pass: VLANs 200 and 201
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
WAC2        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 200 and 201

Table 7-2 IP address planning
Device    Port         IP Address
WAC1      VLANIF 100   10.23.100.1/24
WAC1      VLANIF 101   10.23.101.254/24
WAC2      VLANIF 200   10.23.200.1/24
WAC2      VLANIF 201   10.23.201.254/24
SW-Core   VLANIF 100   10.23.100.254/24
SW-Core   VLANIF 200   10.23.200.254/24

Table 7-3 WAC1 service parameter planning
WLAN Service       Parameter
Forwarding mode    Direct forwarding
Management VLAN    100
Service VLAN       101
AP group           ap-group1
VAP profile        wlan-net1
Security profile   wlan-net
Security policy    WPA/WPA2+PSK+AES
Password           a12345678
SSID profile       wlan-net
SSID               wlan-net

Table 7-4 WAC2 service parameter planning
WLAN Service       Parameter
Forwarding mode    Direct forwarding
Management VLAN    200
Service VLAN       201
AP group           ap-group2
VAP profile        wlan-net2
Security profile   wlan-net
Security policy    WPA/WPA2+PSK+AES
Password           a12345678
SSID profile       wlan-net
SSID               wlan-net

7.2 Lab Configuration


7.2.1 Configuration Roadmap
1. Configure network connectivity among WAC1, WAC2, SW-Access, and SW-Core.
2. Configure WAC1 and WAC2 as DHCP servers to assign IP addresses to APs and STAs.
3. Configure AP1 and AP2 to go online on WAC1.
4. Configure AP3 to go online on WAC2.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure inter-WAC roaming.
7. Verify the roaming result.

7.2.2 Configuration Procedure


Step 1 Configure network connectivity.

Configure the access switch SW-Access.


# Create VLANs 100, 101, 200, and 201 on SW-Access.

<Huawei> system-view
[Huawei] sysname SW-Access
[SW-Access] vlan batch 100 101 200 201

# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-
Access.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 200 201
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 200
[SW-Access-MultiGE0/0/3] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the
interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Access-MultiGE0/0/9] quit

Configure the core switch SW-Core.


# Create VLANs 100, 101, 200, and 201 on SW-Core.

<Huawei> system-view
[Huawei] sysname SW-Core
[SW-Core] vlan batch 100 101 200 201

# Configure the type of the downlink interface on SW-Core and configure the interface to
allow packets from VLANs 100, 101, 200, and 201 to pass through.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC1 and the allowed
VLANs for the interface.

[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit

# Configure the type of the interface connecting SW-Core to WAC2 and the allowed
VLANs for the interface.

[SW-Core] interface MultiGE 0/0/2
[SW-Core-MultiGE0/0/2] port link-type trunk
[SW-Core-MultiGE0/0/2] port trunk allow-pass vlan 200 201
[SW-Core-MultiGE0/0/2] quit

Configure WAC1.
# Create VLANs 100 and 101 on WAC1.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.

[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit

Configure WAC2.
# Create VLANs 200 and 201 on WAC2.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC2
[WAC2] vlan batch 200 201

# Configure the type of GE0/0/1 on WAC2 and the allowed VLANs for the interface.

[WAC2] interface GigabitEthernet 0/0/1
[WAC2-GigabitEthernet0/0/1] port link-type trunk
[WAC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 201
[WAC2-GigabitEthernet0/0/1] quit

# Configure IP addresses for SW-Core.

[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlanif 200
[SW-Core-Vlanif200] ip address 10.23.200.254 24
[SW-Core-Vlanif200] quit

# Configure IP addresses for WAC1.

[WAC1] interface vlanif 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit
[WAC1] interface Vlanif 101
[WAC1-Vlanif101] ip address 10.23.101.254 24
[WAC1-Vlanif101] quit

# Configure IP addresses for WAC2.

[WAC2] interface vlan 200
[WAC2-Vlanif200] ip address 10.23.200.1 24
[WAC2-Vlanif200] quit
[WAC2] interface vlan 201
[WAC2-Vlanif201] ip address 10.23.201.254 24
[WAC2-Vlanif201] quit

# Configure WLAN service routes on SW-Core.

[SW-Core] ip route-static 10.23.101.0 255.255.255.0 10.23.100.1
[SW-Core] ip route-static 10.23.201.0 255.255.255.0 10.23.200.1

# Configure a default route on WAC1.

[WAC1] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

# Configure a default route on WAC2.

[WAC2] ip route-static 0.0.0.0 0.0.0.0 10.23.200.254

Step 2 Configure DHCP servers.

# Configure WAC1 as a DHCP server to assign IP addresses to AP1, AP2, and STAs.

[WAC1] dhcp enable
[WAC1] interface Vlanif 100
[WAC1-Vlanif100] dhcp select interface
[WAC1-Vlanif100] quit
[WAC1] interface Vlanif 101
[WAC1-Vlanif101] dhcp select interface
[WAC1-Vlanif101] quit

# Configure WAC2 as a DHCP server to assign IP addresses to AP3 and STAs.

[WAC2] dhcp enable
[WAC2] interface Vlanif 200
[WAC2-Vlanif200] dhcp select interface
[WAC2-Vlanif200] quit
[WAC2] interface Vlanif 201
[WAC2-Vlanif201] dhcp select interface
[WAC2-Vlanif201] quit

Step 3 Configure AP1 and AP2 to go online.

# Enable the function of establishing CAPWAP DTLS sessions in no-authentication
(no-auth) mode on WAC1. (V200R021C00 and later versions)

[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC1. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567

[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] wlan
[WAC1-wlan-view] temporary-management psk a1234567
[WAC1-wlan-view] ap username admin password cipher
Enter the password (plain-text password of 8-128 characters or cipher-text password of 48-188
characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters): Huawei@123
Confirm password: Huawei@123
[WAC1-wlan-view] quit
[WAC1] capwap source interface vlanif 100
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

# Create the AP group ap-group1 to which AP1 and AP2 will be added.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# On WAC1, set the AP authentication mode to MAC address authentication.

[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit

# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them
as required.)

[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 9cb2-e82d-54f0
[WAC1-wlan-ap-0] ap-group ap-group1
[WAC1-wlan-ap-0] ap-name AP1
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 9cb2-e82d-5410
[WAC1-wlan-ap-1] ap-group ap-group1
[WAC1-wlan-ap-1] ap-name AP2
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] quit

Step 4 Configure AP3 to go online.

# Enable the function of establishing CAPWAP DTLS sessions in no-authentication
(no-auth) mode on WAC2. (V200R021C00 and later versions)

[WAC2] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is
enabled and brings security risks. After the device goes online for the first time, disable this function
to prevent security risks. Continue?[Y/N]: y

# Configure the CAPWAP source interface on WAC2. Ensure that the following
parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/Huawei@123
Global login password of the offline management VAP: a1234567

[WAC2] capwap dtls psk a1234567
[WAC2] capwap dtls inter-controller psk a1234567
[WAC2] wlan
[WAC2-wlan-view] temporary-management psk a1234567
[WAC2-wlan-view] ap username admin password cipher
Enter the password (plain-text password of 8-128 characters or cipher-text password of 48-188
characters that must be a combination of at least three of the following: lowercase letters a to z,
uppercase letters A to Z, digits, and special characters): Huawei@123
Confirm password: Huawei@123
[WAC2-wlan-view] quit
[WAC2] capwap source interface vlanif 200
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may
be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a
version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs
V200R021C00 or later.

# Create the AP group ap-group2.

[WAC2] wlan
[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] quit
[WAC2-wlan-view] quit

# On WAC2, set the AP authentication mode to MAC address authentication.

[WAC2] wlan
[WAC2-wlan-view] ap auth-mode mac-auth
[WAC2-wlan-view] quit

# Add APs on WAC2. (The APs' MAC addresses here are for reference only. Replace them
as required.)

[WAC2] wlan
[WAC2-wlan-view] ap-id 0 ap-mac 9cb2-e82d-5110
[WAC2-wlan-ap-0] ap-group ap-group2
[WAC2-wlan-ap-0] ap-name AP3
[WAC2-wlan-ap-0] quit
[WAC2-wlan-view] quit

Step 5 Configure WLAN services on WAC1.

# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)

[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name domain1
[WAC1-wlan-regulate-domain-domain1] country-code CN
[WAC1-wlan-regulate-domain-domain1] quit

# Bind the regulatory domain profile to the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and
may restart APs. Continue?[Y/N]: y
[WAC1-wlan-ap-group-ap-group1] quit

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC1-wlan-view] vap-profile name wlan-net1
[WAC1-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[WAC1-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net1] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile to the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 6 Configure WLAN services on WAC2.

# Configure the country code in a regulatory domain profile. The default country code is
CN. (If the device is located outside China, change the country code accordingly.)

[WAC2] wlan
[WAC2-wlan-view] regulatory-domain-profile name domain1
[WAC2-wlan-regulate-domain-domain1] country-code CN
[WAC2-wlan-regulate-domain-domain1] quit

# Bind the regulatory domain profile to the AP group.

[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and
may restart APs. Continue?[Y/N]: y
[WAC2-wlan-ap-group-ap-group2] quit

# Create the security profile wlan-net and configure a security policy in the profile.

[WAC2] wlan
[WAC2-wlan-view] security-profile name wlan-net
[WAC2-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC2-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC2-wlan-view] ssid-profile name wlan-net
[WAC2-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC2-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net2, set the data forwarding mode and service VLAN, and
bind the security profile and SSID profile to the VAP profile.

[WAC2-wlan-view] vap-profile name wlan-net2
[WAC2-wlan-vap-prof-wlan-net2] forward-mode direct-forward
[WAC2-wlan-vap-prof-wlan-net2] service-vlan vlan-id 201
[WAC2-wlan-vap-prof-wlan-net2] security-profile wlan-net
[WAC2-wlan-vap-prof-wlan-net2] ssid-profile wlan-net
[WAC2-wlan-vap-prof-wlan-net2] quit

# Bind the VAP profile to the AP group.

[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[WAC2-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[WAC2-wlan-ap-group-ap-group2] quit

Step 7 Configure inter-WAC roaming.

# Create a mobility group on WAC1, and add WAC1 and WAC2 to the mobility group.

[WAC1] wlan
[WAC1-wlan-view] mobility-group name mob1
[WAC1-mc-mg-mob1] member ip-address 10.23.100.1
[WAC1-mc-mg-mob1] member ip-address 10.23.200.1
[WAC1-mc-mg-mob1] quit

# Create a mobility group on WAC2, and add WAC1 and WAC2 to the mobility group.

[WAC2] wlan
[WAC2-wlan-view] mobility-group name mob1
[WAC2-mc-mg-mob1] member ip-address 10.23.100.1
[WAC2-mc-mg-mob1] member ip-address 10.23.200.1
[WAC2-mc-mg-mob1] quit

Step 8 Configure DTLS encryption for an inter-WAC tunnel.

The pre-shared key for DTLS encryption between WACs has been configured in the
previous steps. Therefore, you do not need to configure it again.
# Enable DTLS encryption for inter-WAC tunnels on WAC1.

[WAC1] capwap dtls inter-controller control-link encrypt on
Warning: This operation may cause devices using CAPWAP connections to reset or go offline.
Continue? [Y/N]: y

# Enable DTLS encryption for inter-WAC tunnels on WAC2.

[WAC2] capwap dtls inter-controller control-link encrypt on
Warning: This operation may cause devices using CAPWAP connections to reset or go offline.
Continue? [Y/N]: y
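
The warnings printed in Steps 3 and 4 say to disable DTLS no-auth after the first onboarding and to keep the management and service VLANs different, yet the reference configuration in 7.4.1 still carries capwap dtls no-auth enable. The check below over saved configurations is an added example, not part of the lab guide: the function names, finding codes and both sample configurations are constructed, and it assumes one space of indentation per view level and that a missing control-link line means Step 8 was not applied.

```python
import re

# Constructed samples. WAC1 follows this lab's reference configuration; WAC2 is
# deliberately misconfigured for the demonstration. Cipher strings are placeholders.
WAC1_CFG = """\
sysname WAC1
#
capwap source interface vlanif100
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#PLACEHOLDER%^%#
capwap dtls no-auth enable
#
wlan
 vap-profile name wlan-net1
  service-vlan vlan-id 101
  security-profile wlan-net
 mobility-group name mob1
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
#
return
"""
WAC2_CFG = """\
sysname WAC2
#
capwap source interface vlanif200
capwap dtls psk %^%#PLACEHOLDER%^%#
#
wlan
 vap-profile name wlan-net2
  service-vlan vlan-id 200
  security-profile wlan-net
 mobility-group name mob1
  member ip-address 10.23.200.1
#
return
"""


def parse(config):
    """Collect the facts the checks below need from one saved configuration."""
    facts = {"no_auth": False, "ctrl_encrypt": False, "mgmt_vlan": None,
             "service_vlans": {}, "groups": {}}
    vap = group = None
    for raw in config.splitlines():
        line = raw.strip()
        if len(raw) - len(raw.lstrip(" ")) < 2:
            vap = group = None  # left the previous profile or group sub-view
        if line == "capwap dtls no-auth enable":
            facts["no_auth"] = True
        elif line == "capwap dtls inter-controller control-link encrypt on":
            facts["ctrl_encrypt"] = True
        elif (m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I)):
            facts["mgmt_vlan"] = int(m.group(1))
        elif (m := re.fullmatch(r"vap-profile name (\S+)", line)):
            vap = m.group(1)
        elif (m := re.fullmatch(r"mobility-group name (\S+)", line)):
            group = m.group(1)
            facts["groups"][group] = set()
        elif vap and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
            facts["service_vlans"][vap] = int(m.group(1))
        elif group and (m := re.fullmatch(r"member ip-address (\S+)", line)):
            facts["groups"][group].add(m.group(1))
    return facts


def audit_device(name, facts):
    """Checks that need only one controller's configuration."""
    findings = []
    if facts["no_auth"]:  # the CLI warning asks for this to be disabled after onboarding
        findings.append((name, "DTLS_NO_AUTH_LEFT_ENABLED"))
    if facts["groups"] and not facts["ctrl_encrypt"]:  # roaming peers, Step 8 not applied
        findings.append((name, "INTER_WAC_LINK_NOT_ENCRYPTED"))
    for vap, vlan in sorted(facts["service_vlans"].items()):
        if vlan == facts["mgmt_vlan"]:  # the CAPWAP source warning forbids this overlap
            findings.append((name, f"SERVICE_VLAN_EQUALS_MGMT_VLAN:{vap}"))
    return findings


def audit_pair(configs):
    """configs maps a device name to its configuration text."""
    parsed = {name: parse(text) for name, text in configs.items()}
    findings = [f for name in sorted(parsed) for f in audit_device(name, parsed[name])]
    # Step 7 adds the same members on both WACs; flag groups whose member sets differ.
    for group in sorted({g for p in parsed.values() for g in p["groups"]}):
        views = {frozenset(p["groups"].get(group, ())) for p in parsed.values()}
        if len(views) > 1:
            findings.append((group, "MOBILITY_GROUP_MEMBERS_DIFFER"))
    return findings


if __name__ == "__main__":
    for target, code in audit_pair({"WAC1": WAC1_CFG, "WAC2": WAC2_CFG}):
        print(f"{target}: {code}")
```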

7.3 Verification
7.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to check the onboarding status of AP1 and
AP2.

[WAC1] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.97 AirEngine5761-11 nor 0 2M:44S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.85 AirEngine5761-11 nor 0 2M:32S -
------------------------------------------------------------------------------------------------------
Total: 2

# Run the display ap all command on WAC2 to check the onboarding status of AP3.

[WAC2] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
-------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------------
0 9cb2-e82d-5110 AP3 ap-group2 10.23.200.249 AirEngine5761-11 nor 0 1M:28S -
-------------------------------------------------------------------------------------------------------
Total: 1

7.3.2 Checking the VAP Status


# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 4

# Run the display vap all command on WAC2 to check VAP information.

[WAC2] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
0 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------
Total: 2

7.3.3 Checking the Mobility Group Status


# Run the display mobility-group name mob1 command on WAC1 and WAC2 to check
the mobility group status. If the State field displays normal, the mobility group is
working properly. The following uses WAC1 as an example.

[WAC1] display mobility-group name mob1
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.200.1 -
--------------------------------------------------------------------------------
Total: 2

7.3.4 Observing the STA Roaming Status


# In the coverage area of AP1, enable a STA to search for the WLAN wlan-net, and enter
the shared key a12345678 to connect to the WLAN.

# Check STA access on WAC1. The command output shows that the STA is connected to
AP1.

[WAC1] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
081f-7153-90b4 0 AP1 1/1 5G 11ac 156/144 -31 101 10.23.101.83 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# As the STA gradually moves into the coverage area of AP2, it roams to AP2.

[WAC1] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
081f-7153-90b4 1 AP2 1/1 5G 11ac 156/115 -17 101 10.23.101.83 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Check the roaming track on WAC1 (intra-WAC Layer 2 roaming).

[WAC1] display station roam-track sta-mac 081f-7153-90b4
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
s:Same Frequency Network c:PMK Cache Roam
r:802.11r Roam d:802.11r over ds Roam p:proprietary 802.11r Roam
--------------------------------------------------------------------------------------
L2/L3 AP-AC IP AC-AC IP Ap name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
--------------------------------------------------------------------------------------
-- 10.23.100.1 - AP1 1
9cb2-e82d-5500 XXXX-XX-XX/19:58:10 -22/-23 156/130
L2 10.23.100.1 - AP2 1
9cb2-e82d-5420 XXXX-XX-XX /20:00:02 -31/- -/-
--------------------------------------------------------------------------------------
Number: 1

# As the STA moves into the coverage area of AP3, it roams to AP3.

[WAC2] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
081f-7153-90b4 0 AP3 1/1 5G - -/- - 101 10.23.101.83 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Check the roaming track on WAC2 (inter-WAC Layer 3 roaming).

[WAC2] display station roam-track sta-mac 081f-7153-90b4
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
s:Same Frequency Network c:PMK Cache Roam
r:802.11r Roam d:802.11r over ds Roam p:proprietary 802.11r Roam
--------------------------------------------------------------------------------------
L2/L3 AP-AC IP AC-AC IP Ap name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
--------------------------------------------------------------------------------------
-- 10.23.100.1 - AP1 1
9cb2-e82d-5500 XXXX-XX-XX /19:58:10 -22/-23 156/130
L2 10.23.100.1 - AP2 1
9cb2-e82d-5420 XXXX-XX-XX /20:00:02 -31/-27 156/115
L3 10.23.200.1 10.23.200.1 AP3 1
9cb2-e82d-5120 XXXX-XX-XX /20:01:58 -26/- -/-
--------------------------------------------------------------------------------------
Number: 2
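
The two-line records printed by display station roam-track above can be turned into a per-station timeline of which AP and which WAC a MAC address was attached to. The parser below is an added example, not part of the lab guide: the function names are hypothetical, AP names are assumed to contain no spaces, and the rule that Number is one less than the record count is inferred from the two outputs on this page.

```python
import re

# Roam-track output as printed on WAC2 in 7.3.4. Dates are masked on the page,
# so only the time of day is available.
TRACK = """\
--------------------------------------------------------------------------------------
L2/L3 AP-AC IP AC-AC IP Ap name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
--------------------------------------------------------------------------------------
-- 10.23.100.1 - AP1 1
9cb2-e82d-5500 XXXX-XX-XX /19:58:10 -22/-23 156/130
L2 10.23.100.1 - AP2 1
9cb2-e82d-5420 XXXX-XX-XX /20:00:02 -31/-27 156/115
L3 10.23.200.1 10.23.200.1 AP3 1
9cb2-e82d-5120 XXXX-XX-XX /20:01:58 -26/- -/-
--------------------------------------------------------------------------------------
Number: 2
"""

# First line of a record: roam type, AP-AC IP, AC-AC IP, AP name, radio ID.
HEAD = re.compile(r"^(--|L2|L3)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# Second line: BSSID, date/time (with or without a space before "/"), In/Out RSSI, Rx/Tx.
TAIL = re.compile(r"^([0-9a-f]{4}(?:-[0-9a-f]{4}){2})\s+\S+?\s*/(\d\d:\d\d:\d\d)"
                  r"\s+(-?\d+|-)/(-?\d+|-)\s+\S+$", re.I)


def _rssi(token):
    """'-' means the value is not known yet (the station is still on that AP)."""
    return None if token == "-" else int(token)


def _secs(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_track(text):
    """Return one dict per attachment, in the order the controller printed them."""
    hops, pending, declared = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEAD.match(line)):
            if pending:
                raise ValueError(f"record for {pending['ap']} has no BSSID line")
            kind, ap_ac, ac_ac, ap, radio = m.groups()
            pending = {"kind": kind, "ap_ac": ap_ac, "ac_ac": ac_ac,
                       "ap": ap, "radio": int(radio)}
        elif (m := TAIL.match(line)) and pending:
            bssid, hms, rssi_in, rssi_out = m.groups()
            pending.update(bssid=bssid.lower(), time=hms,
                           rssi_in=_rssi(rssi_in), rssi_out=_rssi(rssi_out))
            hops.append(pending)
            pending = None
        elif (m := re.match(r"Number:\s*(\d+)$", line)):
            declared = int(m.group(1))
    if pending:
        raise ValueError(f"record for {pending['ap']} has no BSSID line")
    if declared is not None and declared != max(len(hops) - 1, 0):
        raise ValueError("capture is truncated: Number does not match the records")
    return hops


def roams(hops):
    """(from AP, to AP, L2/L3, seconds spent on the previous AP, controller changed)."""
    result = []
    for prev, cur in zip(hops, hops[1:]):
        # Modulo handles a roam across midnight; stays of a day or more cannot be
        # recovered from time-of-day values alone.
        dwell = (_secs(cur["time"]) - _secs(prev["time"])) % 86400
        result.append((prev["ap"], cur["ap"], cur["kind"], dwell,
                       cur["ap_ac"] != prev["ap_ac"]))
    return result


if __name__ == "__main__":
    for src, dst, kind, dwell, new_wac in roams(parse_track(TRACK)):
        note = " (different WAC)" if new_wac else ""
        print(f"{src} -> {dst}: {kind} roam after {dwell}s{note}")
```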

7.4 Reference Configuration


7.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
sysname WAC1
#
http timeout 2880
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif100
http server enable
#
vlan batch 100 to 101
#
stp enable
#
dhcp enable
#
management-port isolate enable
management-plane isolate enable
#
pki realm default
certificate-check none
#
aaa
local-user admin password irreversible-cipher $1a$a9AWCs-q5.$n|ec5XhLvJw,(]KNf[B%K[0I1J[:\T2~Fl/&R&(T$
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
management-interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#GE$'=NySIMd>$B62GoO'Mkw:TmVsCChcg,Ni(--%%^%#
capwap dtls inter-controller psk %^%#ntHh31}TQ:k#NH4i%We/,E>xRRT}{Dnduu,AM,^E%^%#
capwap dtls no-auth enable
#
wlan
temporary-management psk %^%#peYt1<1l-Bs8Jm-DJ)}*/_jF1LDN!+ILS/"\s"wL%^%#
ap username admin password cipher %^%#O/dj$>]yQ$1V=ZTXMsa'FHcAAV!ApO5S$-;RB8D$%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#N.vo7TDv>20UvyQiZvqNw<IMUJnR!0%4#{JPK;sG%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net1
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
mobility-group name mob1
member ip-address 10.23.100.1
member ip-address 10.23.200.1
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
provision-ap
#
return

7.4.2 WAC2 Configuration


Software Version V200R021C00SPC100
#
sysname WAC2
#
http timeout 2880
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif200
http server enable
#
vlan batch 200 to 201
#
stp enable
#
dhcp enable
#
management-port isolate enable
management-plane isolate enable
#
aaa
local-user admin password irreversible-cipher $1a$6]9"ZyZND7$<a0>2`*V(IaTNN+gWg:01O1Q)ewt6V[@y>HXMJP@$
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
management-interface
#
interface Vlanif201
ip address 10.23.201.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200 to 201
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.254
#
capwap source interface vlanif200
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#vn\1=HRVL@N"+C-7e:b#I1%`PR@S60sh\SOH2r69%^%#
capwap dtls inter-controller psk %^%#ia.O&Gj]lXF|RqJut_t)$l05E-|%MH!}Y-(c.3@D%^%#
capwap dtls no-auth enable
#
wlan
temporary-management psk %^%#6E3B'v&//<O[IYOiY(x#RGRYEhAB|SdwLO",AIZT%^%#
ap username admin password cipher %^%#:Te88XR+1A]0tUUB1R6(lnY3=wqkm>_jFW9Oq;BV%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#Xf(jQiRAq>Y4|lB`xG<W6-FyP(p'Z'iw_+W8"6zQ%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net2
service-vlan vlan-id 201
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
mobility-group name mob1
member ip-address 10.23.100.1
member ip-address 10.23.200.1
ap-group name default
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net2 wlan 1
radio 1
vap-profile wlan-net2 wlan 1
ap-id 0 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
ap-group ap-group2
provision-ap
#
return
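
The following review helper is an added example, not part of the lab guide or of any Huawei tool: it walks a WAC configuration such as 7.4.1 and 7.4.2 and lists, per device and view, the lines a reviewer would revisit before reusing the lab settings elsewhere. The rule ids, the 30-minute limit and the reading of the http timeout value as minutes are assumptions of this example; the sample is a constructed excerpt of the two listings with the ciphertext replaced by a placeholder.

```python
import re

# Rule id -> pattern matched against one stripped configuration line.
LINE_RULES = {
    "dtls-no-auth": re.compile(r"^capwap dtls no-auth enable$"),
    "no-revocation-check": re.compile(r"^certificate-check none$"),
    "wpa-wpa2-psk": re.compile(r"^security wpa-wpa2 psk\b"),
}
# Why each rule is listed (this example's reading of the commands).
REASONS = {
    "dtls-no-auth": "CAPWAP DTLS sessions are accepted without authentication",
    "no-revocation-check": "the PKI realm does not check certificate revocation",
    "wpa-wpa2-psk": "mixed WPA/WPA2 mode with one shared passphrase",
    "long-web-timeout": "web management sessions stay open for a long idle time",
}
# Lines that open a view whose name is worth reporting with a finding.
VIEW = re.compile(r"^(pki realm|security-profile name)\s+\S+")
HTTP_TIMEOUT = re.compile(r"^http timeout (\d+)$")

# Constructed sample: excerpt of 7.4.1 and 7.4.2, ciphertext replaced.
SAMPLE = """\
sysname WAC1
#
http timeout 2880
#
pki realm default
certificate-check none
#
capwap dtls inter-controller control-link encrypt on
capwap dtls no-auth enable
#
wlan
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase <ciphertext> aes
security-profile name default-wds
#
return
sysname WAC2
#
http timeout 2880
#
capwap dtls no-auth enable
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase <ciphertext> aes
#
return
"""


def audit_config(text, max_http_timeout=30):
    """Return (device, view, rule_id) for every line that matches a rule.

    The extracted listings have lost their indentation, so the current view
    is tracked from view-opening lines and reset at each '#' separator.
    """
    findings = []
    device, view = "unknown", "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            view = "global"
            continue
        if line.startswith("sysname "):
            device = line.split(None, 1)[1]
            continue
        if VIEW.match(line):
            view = line
            continue
        m = HTTP_TIMEOUT.match(line)
        if m and int(m.group(1)) > max_http_timeout:  # assumed to be minutes
            findings.append((device, view, "long-web-timeout"))
            continue
        for rule_id, pattern in LINE_RULES.items():
            if pattern.match(line):
                findings.append((device, view, rule_id))
    return findings


def describe(findings):
    """Render findings as one readable line each."""
    return [f"{dev} [{view}] {rule}: {REASONS[rule]}" for dev, view, rule in findings]


if __name__ == "__main__":
    print("\n".join(describe(audit_config(SAMPLE))))
```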

7.4.3 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 100 to 101 200 to 201
#
http server-source -i MEth0/0/1
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.254 255.255.255.0
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk allow-pass vlan 200 to 201
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.100.1
ip route-static 10.23.201.0 255.255.255.0 10.23.200.1
#
return

7.4.4 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101 200 to 201
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200 to 201
#
interface MultiGE0/0/4
shutdown
#
interface MultiGE0/0/5
shutdown
#
interface MultiGE0/0/6
shutdown
#
interface MultiGE0/0/7
shutdown
#
interface MultiGE0/0/8
shutdown
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
return

7.5 Quiz
The same security policy is configured during roaming verification. If different security
policies are configured before and after roaming, can STAs roam successfully?
Answer:
If two roaming APs are configured with different security policies, STAs do not trigger
roaming.

8 RRM Lab

8.1 Introduction
8.1.1 About This Lab
This lab provides instructions on the radio resource management (RRM) configuration,
helping you master the deployment and configuration of RRM technologies.

8.1.2 Objectives
⚫ Understand how to configure WLAN radio calibration.
⚫ Understand how to configure WLAN band steering.
⚫ Understand how to configure WLAN load balancing.
⚫ Understand how to configure CAC for WLAN users.

8.1.3 Networking Topology

Figure 8-1 RRM networking topology


8.1.4 Lab Planning


Table 8-1 VLAN planning

Device      Port           Port Type   VLAN Settings
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101

Table 8-2 IP address planning

Device      Port        IP Address
SW-Core     Vlanif100   10.23.100.254/24
SW-Core     Vlanif101   10.23.101.254/24
WAC1        Vlanif100   10.23.100.1/24

Table 8-3 WLAN service parameter planning

WLAN Service        Parameter
Forwarding mode     Direct forwarding
Management VLAN     100
Service VLAN        101
AP group            ap-group1
VAP profile         wlan-net
Security profile    wlan-net
Security policy     WPA/WPA2+PSK+AES
Password            a12345678
SSID profile        wlan-net
SSID                wlan-net

8.2 Lab Configuration


8.2.1 Configuration Roadmap
1. Configure basic network connectivity to ensure Layer 2 and Layer 3 communication
between devices.
2. Configure AP onboarding.
3. Configure WLAN services.
4. Configure the automatic calibration range for channels and frequencies.
5. Configure the band steering function.
6. Configure the load balancing function.
7. Configure the user CAC function.

8.2.2 Configuration Procedure


Step 1 Configure the basic network, AP onboarding, and WLAN services.

# For details, see Step 1 to Step 5 in section 1.2.2 "Configuration Procedure."

Step 2 Configure radio calibration.

# Set the radio calibration mode to auto and the default calibration interval to 1440
minutes.

[WAC1-wlan-view] calibrate enable auto

# Enable the global Dynamic Frequency Assignment (DFA) function and set the redundant
radio processing mode to auto-switch.

[WAC1-wlan-view] calibrate flexible-radio auto-switch

# Enable the Dynamic Channel Assignment (DCA) and Transmit Power Control (TPC)
functions on the 2.4 GHz frequency band.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 0
[WAC1-wlan-group-radio-ap-group1/0] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select enable
[WAC1-wlan-group-radio-ap-group1/0] quit

# Enable the DCA, TPC, and Dynamic Bandwidth Selection (DBS) functions on the 5 GHz
frequency band. (The DBS function takes effect only on 5 GHz radios.)

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-ap-group1/1] calibrate auto-txpower-select enable
[WAC1-wlan-group-radio-ap-group1/1] calibrate auto-bandwidth-select enable
[WAC1-wlan-group-radio-ap-group1/1] quit

# Manually trigger radio calibration.

[WAC1-wlan-view] calibrate manual startup
Warning: The operation may cause business interruption, continue? [y/n]: y

Step 3 Configure band steering.

# Enable band steering for a VAP. (By default, this function is enabled.)

[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] undo band-steer disable
[WAC1-wlan-vap-prof-wlan-net] quit

# Create an RRM profile and configure band steering parameters. Set the start threshold
for the number of access STAs to 90, the percentage threshold for access STAs on 5 GHz
radios to 80%, and the start SNR threshold for 5G-prior access to 18 dB.

[WAC1-wlan-view] rrm-profile name wlan-rrm
[WAC1-wlan-rrm-prof-wlan-rrm] band-steer balance start-threshold 90
[WAC1-wlan-rrm-prof-wlan-rrm] band-steer balance gap-threshold 80
[WAC1-wlan-rrm-prof-wlan-rrm] band-steer snr-threshold 18

# Create radio profiles and bind the RRM profile to the radio profiles.

[WAC1-wlan-view] radio-2g-profile name wlan-2g
[WAC1-wlan-radio-2g-prof-wlan-2g] rrm-profile wlan-rrm
[WAC1-wlan-radio-2g-prof-wlan-2g] quit
[WAC1-wlan-view] radio-5g-profile name wlan-5g
[WAC1-wlan-radio-5g-prof-wlan-5g] rrm-profile wlan-rrm
[WAC1-wlan-radio-5g-prof-wlan-5g] quit

# Bind the 2.4 GHz radio profile wlan-2g to radio 0 in the AP group and bind the 5 GHz
radio profile wlan-5g to radio 1 in the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio-2g-profile wlan-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-ap-group-ap-group1] radio-5g-profile wlan-5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N] y

Step 4 Configure load balancing.

# Configure dynamic load balancing based on the number of STAs. Set the start
threshold for the number of access STAs to 12, the RSSI difference threshold to 5, and the
RSSI threshold of members in a dynamic load balancing group to –63 dBm.

[WAC1-wlan-view] rrm-profile name wlan-rrm
[WAC1-wlan-rrm-prof-wlan-rrm] undo sta-load-balance dynamic disable
[WAC1-wlan-rrm-prof-wlan-rrm] sta-load-balance dynamic sta-number start-threshold 12
[WAC1-wlan-rrm-prof-wlan-rrm] sta-load-balance dynamic sta-number gap-threshold number 5
[WAC1-wlan-rrm-prof-wlan-rrm] sta-load-balance dynamic rssi-threshold -63
[WAC1-wlan-rrm-prof-wlan-rrm] quit

Step 5 Configure the user CAC function.

# Configure the user CAC function. Enable CAC based on the number of users and set the
access and roaming thresholds to 40. Enable the function of forbidding access from
weak-signal STAs and set the SNR threshold to 13 dB.
# Enable automatic SSID hiding when the number of access STAs reaches the threshold.

[WAC1-wlan-view] rrm-profile name wlan-rrm
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-number enable
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-number threshold access 40 roam 40
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-snr enable
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-snr threshold 13
[WAC1-wlan-rrm-prof-wlan-rrm] uac reach-access-threshold hide-ssid
[WAC1-wlan-rrm-prof-wlan-rrm] quit

8.3 Verification
8.3.1 Checking RRM Profile Information
# Check the RRM profile configuration on WAC1.

[WAC1] display rrm-profile name wlan-rrm


--------------------------------------------------------------------
Retransmission rate threshold for trigger channel/power select(%) : 60
Noise-floor threshold for trigger channel/power select(dBm) : -75
Calibrate tpc threshold(dBm): : -60
Maximum 2.4G calibration TX power(dBm) : 127
Maximum 5G calibration TX power(dBm) : 127
Minimum 2.4G calibration TX power(dBm) :9
Minimum 5G calibration TX power(dBm) : 12
Calibrate retransmission rate check interval(min) :1
Calibrate retransmission rate check traffic threshold(kbps) : 1250
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : disable
Dynamic EDCA be-service threshold :6
UAC check client's SNR : enable
UAC client's SNR threshold(dB) : 13
UAC check client number : enable
UAC client number access threshold : 40
UAC client number roam threshold : 40
Action upon reaching the UAC threshold : SSID hide
Band steer deny threshold :0
Band steer SNR threshold(dB) : 18
Band balance start threshold : 90
Band balance gap threshold(%) : 80
Client's band expire based on continuous probe counts : 35
Station load balance : enable
Station load balance mode : sta-number
Station load balance RSSI threshold(dBm) : -63
Station load balance RSSI-diff-gap threshold(dBm) :5
Station load balance sta-number start threshold : 12
Station load balance sta-number gap threshold(percentage) :-
Station load balance sta-number gap threshold(number) :5
Station load balance deauth fail times :0
Station load balance BTM fail times :5
Station load balance steer-restrict restrict time(s) :5
Station load balance steer-restrict probe threshold :5
Station load balance steer-restrict auth threshold :0
Station load balance probe-report interval(s) : 120
BSS color switch : enable
Spatial reuse switch : enable
Smart-roam : enable
Smart-roam AI mode : enable
Smart-roam quick kickoff : enable
Smart-roam check SNR : enable
Smart-roam quick kickoff check SNR : enable
Smart-roam check rate : disable
Smart-roam quick kickoff check rate : disable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) :6
Smart-roam SNR check interval(s) :3
Smart-roam unable roam client expire time(min) : 120
Smart-roam quick-kickoff SNR check interval(ms) : 500
Smart-roam quick-kickoff SNR P-N observe time :6
Smart-roam quick-kickoff SNR P-N qualify time :4
Smart-roam advanced scan : enable
Smart-roam quick-kickoff back off time : 60
AMC policy : auto-balance
High density AMC optimize : disable
Antenna-mode : omnidirection
SFN roam check high threshold(dBm) : -55
SFN roam check low threshold(dBm) : -60
SFN roam check interval(ms) : 700
SFN roam report interval(ms) : 400
SFN roam check rssi-accumulate threshold(dB) :8
SFN roam check sta-holding times :3
SFN roam check gap-rssi(dB) :6
SFN roam check better-times :2
DFS smart select : enable
DFS recover delay time(min) :0
Multimedia air optimize
Switch : disable
Voice threshold : 30
Video threshold : 100
Voice downlink-slice-ratio : medium
Video downlink-slice-ratio : medium
Voice downlink-delay-guarantee : medium
Video downlink-delay-guarantee : medium
Congestion-control tcp-window-tuning switch : enable
Rate limit dynamic interval :5
Rate limit dynamic threshold : 80
--------------------------------------------------------------------
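
A scripted version of this check, added here as an example and not part of the lab guide: it parses the display rrm-profile output and compares the fields set in Steps 3 to 5 with the planned values, so a drifted threshold is reported instead of being read past. The field labels are taken from the output above; the function names and the drifted sample are constructed for illustration.

```python
import re

# Planned values from Steps 3 to 5, keyed by the field labels printed in 8.3.1.
PLANNED = {
    "Band balance start threshold": "90",
    "Band balance gap threshold(%)": "80",
    "Band steer SNR threshold(dB)": "18",
    "Station load balance": "enable",
    "Station load balance mode": "sta-number",
    "Station load balance sta-number start threshold": "12",
    "Station load balance sta-number gap threshold(number)": "5",
    "Station load balance RSSI threshold(dBm)": "-63",
    "UAC check client number": "enable",
    "UAC client number access threshold": "40",
    "UAC client number roam threshold": "40",
    "UAC check client's SNR": "enable",
    "UAC client's SNR threshold(dB)": "13",
    "Action upon reaching the UAC threshold": "SSID hide",
}

SEPARATOR = re.compile(r"^-{5,}$")

# Constructed sample: lines copied from the 8.3.1 output, spacing as extracted.
SAMPLE = """\
[WAC1] display rrm-profile name wlan-rrm
--------------------------------------------------------------------
UAC check client's SNR : enable
UAC client's SNR threshold(dB) : 13
UAC check client number : enable
UAC client number access threshold : 40
UAC client number roam threshold : 40
Action upon reaching the UAC threshold : SSID hide
Band steer deny threshold :0
Band steer SNR threshold(dB) : 18
Band balance start threshold : 90
Band balance gap threshold(%) : 80
Station load balance : enable
Station load balance mode : sta-number
Station load balance RSSI threshold(dBm) : -63
Station load balance RSSI-diff-gap threshold(dBm) :5
Station load balance sta-number start threshold : 12
Station load balance sta-number gap threshold(percentage) :-
Station load balance sta-number gap threshold(number) :5
Multimedia air optimize
Switch : disable
--------------------------------------------------------------------
"""

# Constructed drift: two values changed by hand to show what a mismatch looks like.
DRIFTED = (SAMPLE
           .replace("Station load balance : enable", "Station load balance : disable")
           .replace("access threshold : 40", "access threshold : 64"))


def parse_display(text):
    """Turn the 'label : value' lines of a display command into a dict.

    Splitting on the last colon copes with both ': 18' and ':5' spacing and
    with labels that themselves end in a colon; the prompt line, separator
    rules and section titles have no value and are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line) or ":" not in line:
            continue
        label, value = line.rsplit(":", 1)
        fields[label.strip().rstrip(":").strip()] = value.strip()
    return fields


def check_rrm_profile(text, planned=PLANNED):
    """Return (label, planned, actual) for each field that differs or is missing."""
    actual = parse_display(text)
    return [(label, want, actual.get(label))
            for label, want in planned.items()
            if actual.get(label) != want]


if __name__ == "__main__":
    for label, want, got in check_rrm_profile(DRIFTED):
        print(f"MISMATCH {label}: planned {want}, device reports {got}")
```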

8.3.2 Checking the 2.4 GHz Radio Profile Configuration


# Check the 2.4 GHz radio profile configuration on WAC1.

[WAC1] display radio-2g-profile name wlan-2g


--------------------------------------------------------------------
Radio type : 802.11ax
Power auto adjust : disable
Beacon interval(TUs) : 100
Beamforming switch : disable
Support short preamble : support
Fragmentation threshold(Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : short
802.11ax Guard interval mode : dot8
A-MPDU switch : enable
HT A-MPDU length limit :3
A-MSDU switch : auto
RTS-CTS-mode : rts-cts
RTS-CTS-threshold : 1400
802.11bg basic rate :12
802.11bg support rate : 1 2 5 6 9 11 12 18 24 36 48 54
Multicast rate 2.4G : auto adapt
Interference detect switch : enable
Co-channel frequency interference threshold(%) : 60
Adjacent-channel frequency interference threshold(%) : 60
Station interference threshold : 25
WMM switch : enable
Mandatory switch : disable
Auto-off start time :-
Auto-off end time :-
Auto-off time-range :-
Wifi-light mode : signal-strength
Utmost power switch : auto
Rrm-profile : wlan-rrm
Air-scan-profile : default
Smart-antenna : default
Agile-antenna-polarization : disable
CCA threshold(dBm) :-
High PER threshold(%) : 80
Low PER threshold(%) : 20
Training interval(s) : auto
Training mpdu num : 640
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval(TUs): 60
VIP user bandwidth reservation ratio (%) : 20
--------------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit(32us) Ack-Policy
AC_VO 3 2 1 47 normal
AC_VI 4 3 1 94 normal
AC_BE 6 4 3 0 normal
AC_BK 10 4 7 0 normal
------------------------------------------------------------

8.3.3 Checking the 5 GHz Radio Profile Configuration


# Check the 5 GHz radio profile configuration on WAC1.

[WAC1] display radio-5g-profile name wlan-5g


--------------------------------------------------------------------
Radio type : 802.11ax
Power auto adjust : disable
Beacon interval(TUs) : 100
Beamforming switch : disable
Fragmentation threshold(Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : short
802.11ax guard interval mode : dot8
A-MPDU switch : enable
HT A-MPDU length limit :3
VHT A-MPDU length limit :7
A-MSDU switch : auto
VHT A-MSDU Max frame number :2
RTS-CTS-mode : RTS-CTS
RTS-CTS-threshold : 1400
802.11a basic rate : 6 12 24
802.11a support rate : 6 9 12 18 24 36 48 54
Multicast rate 5G : auto adapt
VHT mcs :99999999
Interference detect switch : enable
Co-channel frequency interference threshold(%) : 60
Adjacent-channel frequency interference threshold(%) : 60
Station interference threshold : 25
WMM switch : enable
Mandatory switch : disable
Auto-off start time :-
Auto-off end time :-
Auto-off time-range :-
WiFi-light mode : signal-strength
Utmost power switch : auto
Rrm-profile : wlan-rrm
Air-scan-profile : default
Smart-antenna : default
Agile-antenna-polarization : disable
CCA threshold(dBm) :-
High PER threshold(%) : 80
Low PER threshold(%) : 20
Training interval(s) : auto
Training mpdu num : 640
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval(TUs): 60
VIP user bandwidth reservation ratio (%) : 20
--------------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit(32us) Ack-Policy
AC_VO 3 2 1 47 normal
AC_VI 4 3 1 94 normal
AC_BE 6 4 3 0 normal
AC_BK 10 4 7 0 normal
------------------------------------------------------------

8.3.4 Checking the Radio Status


# Check the current radio status on WAC1, especially the channel utilization.

[WAC1] display radio all


Info: This operation may take a few seconds. Please wait for a moment.done.
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
WM:Working mode (normal/monitor/monitor dual-band-scan/monitor proxy dual-band-scan)
----------------------------------------------------------------------------------------------
AP ID Name RfID Band Type ST CH/BW CE/ME STA CU WM
----------------------------------------------------------------------------------------------
0 AP1 0 2.4G 11ax on 1/20M 9/29 0 15% normal
0 AP1 1 5G 11ax on 56/20M 12/30 0 5% normal
1 AP2 0 2.4G 11ax on 6/20M 9/29 0 20% normal
1 AP2 1 5G 11ax on 44/20M 12/30 0 5% normal
2 AP3 0 2.4G 11ax on 11/20M 9/29 0 33% normal
2 AP3 1 5G 11ax on 161/20M 12/30 1 6% normal
----------------------------------------------------------------------------------------------
Total:6

8.4 Reference Configuration


8.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
http timeout 10080
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif100
http server enable
#
vlan batch 100 to 101
#
stp enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name portal_authen_profile
#
management-port isolate enable
management-plane isolate enable
#
diffserv domain default
#
radius-server template default
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
calibrate flexible-radio auto-switch
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#+POS/J(&<Mm==dL=vxXYhhlfU|YWjQH})Q<WoUTU%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
rrm-profile name wlan-rrm
uac reach-access-threshold hide-ssid
band-steer balance gap-threshold 80
uac client-snr enable
uac client-snr threshold 13
uac client-number enable
uac client-number threshold access 40 roam 40
band-steer balance start-threshold 90
sta-load-balance dynamic rssi-threshold -63
sta-load-balance dynamic sta-number start-threshold 12
sta-load-balance dynamic sta-number gap-threshold number 5
band-steer snr-threshold 18
radio-2g-profile name default
radio-2g-profile name wlan-2g
interference detect-enable
interference co-channel threshold 60
interference adjacent-channel threshold 60
rrm-profile wlan-rrm
interference station threshold 25
radio-5g-profile name default
radio-5g-profile name wlan-5g
interference detect-enable
interference co-channel threshold 60
interference adjacent-channel threshold 60
rrm-profile wlan-rrm
interference station threshold 25
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile wlan-2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-5g
vap-profile wlan-net wlan 1
calibrate auto-bandwidth-select enable
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110
ap-name AP3
ap-group ap-group1
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return

8.4.2 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif1
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

8.4.3 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

8.5 Quiz
In a radio calibration solution, the 2.4 GHz calibration channel set contains channels 1, 6,
and 11 by default. Why are these channels selected in the 2.4 GHz calibration channel
set?
Answer:
Channels 1, 6, and 11 are non-overlapping channels on the 2.4 GHz frequency band,
which can avoid signal interference.

9 Indoor WLAN Planning Lab

9.1 Introduction
9.1.1 About This Lab
This lab uses the WLAN Planner to plan and design WLANs for indoor scenarios to meet
customers' wireless requirements.

9.1.2 Objectives
⚫ Understand the indoor WLAN planning process.
⚫ Master the basic operations of the WLAN Planner.

9.1.3 Lab Scenarios


A company plans to build a WLAN in the indoor office area. Figure 9-1 shows the floor
plan of the area in this project. You need to design and plan an indoor WLAN for the
company to ensure that the WLAN covers all areas required by the customer and meets
the mobile office requirements of employees and Internet access requirements of guests.

Figure 9-1 Building floor plan for indoor WLAN planning

9.1.4 Preparations
Preparation for WLAN planning consists of requirements collection and site survey.

9.1.4.1 Requirement Collection


Requirements collection is the first step for WLAN planning. Communicate with the
customer to collect complete and comprehensive project and requirement information to
prevent redesign work due to insufficient information collected.
The information to be obtained during this phase includes basic requirements, service
requirements, and installation requirements. The information collection result is listed in
the following table.

Table 9-1 Basic requirements collection checklist

Requirement Type        Collection Result
Laws and regulations    Country code: CN
Floor plan              JPG drawing with scale information (building length: 45 m)
Coverage mode           Indoor settled


Table 9-2 Service requirements collection checklist

Requirement Type        Collection Result
Coverage area           Key coverage areas: Open office areas, offices, meeting rooms, and manager's office
                        Common coverage area: Corridor
                        Areas that do not need to be covered: staircases, restrooms, ELV room, and storage room
Field strength          Key coverage areas: ≥ –65 dBm
                        Common coverage areas: ≥ –70 dBm
Number of access STAs   Open office area: 40 cubicles in each open office area, with two STAs per cubicle
                        Conference room: 30 persons at most, each with 1 STA
                        Meeting room: 8 persons at most, each with 1 STA
                        Reception room: 12 persons at most, each with 2 STAs
                        Office and manager's office: 1 person, with no more than 5 STAs
Terminal type           Laptop, mobile phone, and tablet
Bandwidth               Open office area: 4 Mbps, with a concurrency rate of 100%
                        Meeting room: 8 Mbps, with a concurrency rate of 100%
                        Reception room: 16 Mbps, with a concurrency rate of 80%
                        Office and manager's office: 16 Mbps, with a concurrency rate of 100%

Table 9-3 Installation requirements collection checklist

Requirement Type        Collection Result
Power supply mode       Power supply by a PoE switch
Switch location         ELV room in the lower left corner of the floor plan
Special requirements    No special requirements

9.1.4.2 Site Survey


A site survey is conducted to obtain site environment information, such as interference
sources, signal attenuation caused by obstacles, floor height, new obstacles, and ELV
room locations. Determine AP models, installation positions and modes, and power
supply and cabling design based on the construction drawings.

Table 9-4 Survey result

Site Survey Item                    Survey Result
Determining drawing information     The onsite building information is consistent with that on the floor plan provided by the customer.
                                    The floor height is 2.6 m.
                                    Internal buildings: Tables and chairs are at normal heights and have little interference to signals, which can be ignored.
Building materials and signal       Outer wall: 240 mm concrete
attenuation                         Interior walls of conference rooms, offices, and reception room: 240 mm thickened brick walls
                                    Walls of the break room, printing room, and reception desk: 12 mm thickened glass
Determining interference sources    There is no interference source in the WLAN coverage area.
Cabling rules                       Network cables between switches and APs are routed above the ceiling. Hidden cabling is required, and hole drilling is allowed.
Switch location                     ELV room or storage room
Installation admission              Approved

9.2 Lab Configuration


9.2.1 Configuration Roadmap
1. Analyze requirements based on the existing information.
2. Select devices based on requirements and calculate the number of APs.
3. Log in to the WLAN Planner and import the building floor plan.
4. Set the environment and draw obstacles.
5. Deploy APs.
6. Adjust AP parameters and antenna angles.
7. Lay out switches and cables.
8. Perform signal simulation.
9. Adjust the AP positions and repeatedly perform signal simulation until the signal
coverage is complete.
10. Export the WLAN planning report.

9.2.2 Configuration Procedure


Step 1 Analyze requirements.

Based on the requirements collection and site survey, the following parameters are
obtained.

Table 9-5 WLAN planning requirements analysis


Requirement Type | Analysis Result
Country Code | CN
Floor plan | JPG drawing with scale information (building length: 45 m)
Coverage mode | Indoor settled
Bandwidth | Open office area: 160 STAs, 4 Mbps per-STA bandwidth requirement, and concurrency rate of 100%; Conference room: 30 STAs, 8 Mbps per-STA bandwidth, concurrency rate of 100%; Meeting room: 8 STAs, 8 Mbps per-STA bandwidth, concurrency rate of 100%; Meeting room: 24 STAs, 16 Mbps per-STA bandwidth, concurrency rate of 80%; Office and manager's office: 5 STAs, 16 Mbps per-STA bandwidth, concurrency rate of 100%
Coverage area | Only one floor needs to be covered by the WLAN; Key coverage areas: One reception room, two open office areas, three meeting rooms, and three offices; Common coverage area: Corridor
Field strength | Key coverage areas: ≥ –65 dBm; Common coverage areas: ≥ –70 dBm; Leakage field strength: no requirement
Terminal type | Laptop, mobile phone, and tablet that support 2x2 MIMO and 40 MHz frequency bandwidth @ 5 GHz
Power supply mode | Power supply by a PoE switch
Installation mode | Ceiling mounting
Switch location | ELV room, meeting the PoE power supply distance requirement
Acceptance items and criteria | No special requirements

Step 2 Select devices and calculate the number of APs.

Calculate the number of APs required in each area based on the proportions of services in
indoor scenarios and single-AP concurrency specifications.

Table 9-6 Proportions of services in indoor scenarios


Service Type | Single-Service Baseline Rate (Mbps), Excellent | Single-Service Baseline Rate (Mbps), Good | Proportion in Open Office Area | Proportion in Meeting Room | Proportion in Single-Person Office | Proportion in Reception Room
4K video | 50 | 30 | 0% | 2% | 15% | 10%
1080p video | 16 | 12 | 0% | 8% | 15% | 10%
720p video | 8 | 4 | 0% | 7% | 15% | 10%
E-whiteboard (wireless projection) | 32 | 16 | 0% | 0% | 0% | 10%
Email | 32 | 16 | 6% | 8% | 10% | 10%
Web browsing | 8 | 4 | 21% | 30% | 20% | 30%
Gaming | 2 | 1 | 8% | 5% | 10% | 0%
Instant messaging | 0.512 | 0.256 | 35% | 20% | 10% | 10%
VoIP (voice) | 0.256 | 0.128 | 30% | 30% | 5% | 10%
Average Single-User Bandwidth (Mbps) — Excellent | | | 4 | 8 | 16 | 16

Table 9-7 Single-AP concurrency specifications


Maximum Number of Concurrent STAs Supported by a Wi-Fi 6 AP at Different Bandwidths
(20 MHz @ 2.4 GHz, 40 MHz @ 5 GHz, Wi-Fi 6 and Dual Spatial Streams Supported by All STAs)

No. | Access Bandwidth | Single Radio (5 GHz) Maximum Number of Concurrent STAs | Dual Radios (5 GHz) Maximum Number of Concurrent STAs | Three Radios (2.4 GHz + 5 GHz-1 + 5 GHz-2) Maximum Number of Concurrent STAs
1 | 2 Mbps | 56 | 85 | 141
2 | 4 Mbps | 39 | 56 | 95
3 | 6 Mbps | 27 | 38 | 65
4 | 8 Mbps | 21 | 30 | 51
5 | 16 Mbps | 12 | 18 | 30

Calculate the maximum number of concurrent STAs in each coverage area based on the
collected information. The calculation process is as follows:
There are 40 cubicles in each open office area, with two STAs at each cubicle and a
concurrency rate of 100%. Therefore, the total number of STAs in the open office area is:
160 = 40 x 2 x 2 x 100%.
There are a total of 30 seats in a conference room, with one STA at each seat and a
concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the
conference room is: 30 = 30 x 1 x 100%.
There are a total of 8 seats in each meeting room, with one STA at each seat and a
concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the
meeting room is: 8 = 8 x 1 x 100%.
There are a total of 12 seats in the reception room, with two STAs at each seat and a
concurrency rate of 80%. Therefore, the maximum number of concurrent STAs in the
reception room is around: 19 = 12 x 2 x 80%.
Each user in an office has five STAs, with a concurrency rate of 100%. Therefore, the
maximum number of concurrent STAs in the office is: 5 = 1 x 5 x 100%.

Calculate the number of APs required in each coverage area based on the single-AP
concurrency specifications. The calculation formula is as follows: Maximum number of
concurrent STAs/Maximum number of concurrent STAs on a single AP radio to meet the
user access bandwidth. The calculation process is as follows:
In the open office area, the bandwidth requirement is 4 Mbps, and a dual-radio AP supports a
maximum of 56 concurrent STAs. In this case, the number of required APs is 2 (160/56 ≈ 2).
In a conference room, the bandwidth requirement is 8 Mbps, and a dual-radio AP supports a
maximum of 30 concurrent STAs. In this case, the number of required APs is 1 (30/30 = 1).
In a meeting room, the bandwidth requirement is 8 Mbps, and a dual-radio AP supports a
maximum of 30 concurrent STAs. In this case, the number of required APs is 1 (8/30 ≈ 1).
In the reception room, the bandwidth requirement is 16 Mbps, and a dual-radio AP supports a
maximum of 18 concurrent STAs. In this case, the number of required APs is 1 (19/18 ≈ 1).
In the single-person office room, the bandwidth requirement is 16 Mbps, and a dual-radio AP
supports a maximum of 18 concurrent STAs. In this case, the number of required APs is 1
(5/18 ≈ 1).
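
The arithmetic of this step as a short added example (not part of the lab guide): it recomputes the average single-user bandwidth row of Table 9-6 from the service mix, then sizes an area from the dual-radio column of Table 9-7. The function names are this example's own, and rounding the AP count up to a whole AP is an assumption, so a result can be higher than the guide's approximate quotient.

```python
import math

# Table 9-6: "Excellent" single-service baseline rate (Mbps), in table order.
BASELINE_MBPS = {
    "4K video": 50, "1080p video": 16, "720p video": 8,
    "E-whiteboard": 32, "Email": 32, "Web browsing": 8,
    "Gaming": 2, "Instant messaging": 0.512, "VoIP": 0.256,
}

# Table 9-6: share of each service (percent) per indoor scenario, same order.
SERVICE_MIX = {
    "open office area":     [0, 0, 0, 0, 6, 21, 8, 35, 30],
    "meeting room":         [2, 8, 7, 0, 8, 30, 5, 20, 30],
    "single-person office": [15, 15, 15, 0, 10, 20, 10, 10, 5],
    "reception room":       [10, 10, 10, 10, 10, 30, 0, 10, 10],
}

# Table 9-7, dual-radio column: access bandwidth (Mbps) -> max concurrent STAs.
DUAL_RADIO_MAX_STAS = {2: 85, 4: 56, 6: 38, 8: 30, 16: 18}


def average_bandwidth(scenario):
    """Traffic-weighted average per-user bandwidth (Mbps) for one scenario."""
    mix = SERVICE_MIX[scenario]
    return sum(rate * pct / 100 for rate, pct in zip(BASELINE_MBPS.values(), mix))


def concurrent_stas(stas, concurrency_pct):
    """STAs expected to be active at once, rounded to the nearest STA."""
    return round(stas * concurrency_pct / 100)


def aps_required(concurrent, bandwidth_mbps):
    """Whole APs needed; rounding up is this example's assumption."""
    per_ap = DUAL_RADIO_MAX_STAS[bandwidth_mbps]
    return max(1, math.ceil(concurrent / per_ap))


def size_area(stas, concurrency_pct, bandwidth_mbps):
    """Return concurrent STAs, AP count and spare STA slots for one area."""
    active = concurrent_stas(stas, concurrency_pct)
    aps = aps_required(active, bandwidth_mbps)
    spare = aps * DUAL_RADIO_MAX_STAS[bandwidth_mbps] - active
    return {"concurrent": active, "aps": aps, "spare_slots": spare}


if __name__ == "__main__":
    for name in SERVICE_MIX:
        print(f"{name:22} {average_bandwidth(name):6.2f} Mbps")
    # Quiz case from section 9.3: 120 cubicles x 2 STAs, 70% concurrency, 4 Mbps.
    print(size_area(240, 70, 4))
```

The spare_slots value shows how close an area runs to the per-AP limit, which is where a small change in concurrency adds an AP.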

Step 3 Log in to the WLAN Planner platform and create a project.

The WLAN Planner is available on the ServiceTurbo Cloud platform, and all users can
apply for the tool. The link is as follows:
https://serviceturbo-cloud-cn.huawei.com/serviceturbocloud/#/toolsummary?entityId=d59de9ac-e4ef-409e-bbdc-eff3d0346b42
# Click Running.

# Read the security management regulations on customer network data and click
Confirm.

# Enter project information based on the site requirements, select I have read and agree
to the Terms of Use, and click OK.

Step 4 Create a floor and import a floor plan.

# Create a floor and import the floor plan. In the Create dialog box that is displayed, set
Type to Indoor, enter the name, and click Select File to import the corresponding floor
plan.

# Select a WLAN scenario. For this project, select Office and click Next.

# You can specify a built-in network construction standard as required. For this project,
select Other and click OK.

# Select the floor plan file and click OK.

Step 5 Set the environment parameters.



Set the environment and regions based on the customer requirements collection
checklists and site survey information.
# Set the scale.

# The floor plan width is 45 m. Select any position on the floor plan and set the scale
length to 45 m from left to right.

# Draw obstacles. Draw the frames using insulation boundaries, the indoor walls using
240 mm thickened brick walls, and the break room, reception desk, and print room
using 12 mm thickened glass. The following figure shows the final effect.

Step 6 Set regions.



Select key coverage areas and common coverage areas based on customer requirements,
as shown in the following figure.

Set key coverage areas.


# Set the same parameters for the two open office areas.

# Set region parameters for the conference room (assuming 30 STAs) and meeting
rooms (each assuming 8 STAs).

# Set region parameters for the reception room.



# Set region parameters for the single-person office.



Set common coverage areas.


# Set region parameters for the corridor.

Check the regions after the basic properties are set.



Step 7 Deploy APs and adjust AP parameters.

# You can manually deploy APs one by one or configure automatic deployment and then
manually adjust the number and positions of APs.

# Because only one floor is involved in this project, select Current Floor and click Next.

# Select the required AP model. This project uses the AirEngine 5760-51.

# Set channel parameters.

# Set power parameters.



# The following figure shows the automatic deployment effect.

# After the number and positions of APs are manually adjusted, the final effect is as
follows.

Adjust AP parameters.
# Right-click an AP in the activity area and choose Property from the shortcut menu.
(You can drag-select all APs and right-click them for the setting). The AP Attributes page
is displayed.

# Because the customer requires APs to be mounted on the ceiling, retain the default
installation mode of T-rail, height of 2.6 m, working mode of dual-radio mode, and other
parameters. Set the attributes of APs in other areas in the same way.

Step 8 Deploy switches.

# Select a switch model. This project uses the S5731-S24P4X switch.

# Deploy a switch in the ELV room in the lower left corner on the floor plan.

Step 9 Route cables.

Cables can be routed above the ceilings to directly connect APs and switches.

Step 10 Simulate signals.



Check the signal RSSI in key coverage areas (≥ –65 dBm). If an area is not covered by any
color, the RSSI there is lower than –65 dBm.
# Set the signal strength in the simulation diagram to –65 dBm and click Open
simulation.

# In this project, you only need to pay attention to the signal coverage in open office
areas, offices, meeting rooms, and reception room.

Check the signal RSSI in common coverage areas (≥ –70 dBm). If an area is not covered by
any color, the RSSI there is lower than –70 dBm.
# Adjust the signal strength in the simulation diagram to –70 dBm.

# In this project, you only need to pay attention to the signal coverage in the corridor.

If the signal coverage is poor, adjust the number and positions of APs repeatedly to
ensure normal signal simulation.
Check the coverage satisfaction degree to determine whether there are areas with poor
signal coverage.

The signal coverage in most areas is good.

Step 11 Export the WLAN planning report.



Before exporting the report, you can check the WLAN planning.

# Check whether there is any problem. If there is any warning item, confirm it. If there is
no problem, export the WLAN planning report.

# Export the report and save it to the local PC.

# Display the saved WLAN planning report.

9.3 Quiz
1. What information needs to be confirmed during requirements collection in the
early phase of WLAN planning and design?
Answer:
1. Laws and regulations: EIRP restrictions and available channels

2. Drawing information: drawing completeness


3. Coverage areas: key coverage areas, common coverage areas, and areas that do not
need to be covered
4. Field strength: signal strength requirements
5. Number of access STAs: total number of access STAs in a coverage area
6. Terminal types
7. Bandwidth requirements
8. Wall types: Estimate the signal attenuation values of walls and determine whether
signals can penetrate the walls.
9. Power supply mode
10. Switch location
11. Special requirements such as positioning and IoT

2. An open office area has 120 cubicles, each of which involves two STAs with a
concurrency rate of 70%. In this case, how many APs need to be deployed to meet the
4 Mbps bandwidth requirement for each STA?
Answer:
Number of access STAs: 120 x 2 = 240
Number of concurrent STAs: 240 x 70% = 168
Based on the single-AP concurrency specifications in this lab, the number of required APs
is calculated as follows: 168/56 = 3.

10 Outdoor WLAN Planning Lab

10.1 Introduction
10.1.1 About This Lab
This lab uses the WLAN Planner to plan and design WLANs for outdoor scenarios to meet
customers' wireless requirements.

10.1.2 Objectives
⚫ Understand the outdoor WLAN planning process.
⚫ Master the basic operations of the WLAN Planner.

10.1.3 Lab Scenarios


A pedestrian street has an open square and plans to increase customer flows by
deploying a free outdoor WLAN.

Figure 10-1 Plan of the pedestrian square

10.1.4 Preparations
Preparation for WLAN planning consists of requirements collection and site survey.

10.1.4.1 Requirements Collection


Requirements collection is the first step for WLAN planning. Communicate with the
customer to collect complete and comprehensive project and requirement information to
prevent redesign work due to insufficient information collected.
The information to be obtained during this phase includes basic requirements, service
requirements, and installation requirements. The information collection result is listed in
the following table.

Table 10-1 Basic requirements collection checklist


Requirement Type Collection Result

Laws and regulations Country code: CN

Floor plan JPG drawing with scale information (building length: 95 m)

Coverage mode Outdoor installation



Table 10-2 Service requirements collection checklist


Requirement Type | Collection Result
Coverage area | Key coverage areas: pedestrian street and rest areas; Common coverage area: parking lot; Areas that do not need to be covered: store areas
Field strength | Key coverage areas: ≥ –65 dBm; Common coverage areas: ≥ –70 dBm
Number of access STAs | 300 persons during peak hours, one STA for each person
Terminal type | Mobile phone and tablet
Bandwidth | Bandwidth required by each user: 4 Mbps, with a concurrency rate of 60%

Table 10-3 Installation requirements collection checklist


Requirement Type Collection Result

Power supply mode Power supply by a PoE switch

Switch location ELV room in the store area on the left

Special requirements No special requirement

10.1.4.2 Site Survey


A site survey is conducted to obtain site environment information, such as interference
sources, signal attenuation caused by obstacles, floor height, new obstacles, and ELV
room locations. Determine AP models, installation positions and modes, and power
supply and cabling design based on the construction drawings.

Table 10-4 Survey result


Site Survey Item | Survey Result
Determining drawing information | The onsite building information is consistent with that on the floor plan provided by the customer; The store height is 5 m.
Building materials and signal attenuation | Outer walls of stores: 240 mm thickened brick walls; Partition walls of dining areas: 8 mm gypsum boards; The onsite green belts have a height of half a person, which have little interference to signals and can be ignored.
Determining interference sources | There is no interference source in the WLAN coverage area.
AP installation mode | Wall mounting for APs near stores; pole mounting for APs in the parking lots
Installation admission | Approved

10.2 Lab Configuration


10.2.1 Configuration Roadmap
1. Analyze requirements based on the existing information.
2. Select devices based on requirements and calculate the number of APs.
3. Log in to WLAN Planner and import the building floor plan.
4. Set the environment and draw obstacles.
5. Deploy APs.
6. Adjust AP parameters and antenna angles.
7. Simulate signals.
8. Adjust the AP positions and repeatedly perform signal simulation until the signal
coverage is complete.
9. Export the WLAN planning report.

10.2.2 Configuration Procedure


Step 1 Analyze requirements.

Based on the requirements collection and site survey, the following parameters are
obtained.

Table 10-5 WLAN planning requirements analysis


Requirement Type | Analysis Result
Country Code | CN
Floor plan | JPG drawing with scale information (building length: 95 m)
Coverage mode | Outdoor installation
Bandwidth | Pedestrian street and rest areas (in peak hours): 300 STAs, 4 Mbps, 60% concurrency rate
Coverage area | Key coverage areas: pedestrian street and rest areas; Common coverage area: parking lot; Areas that do not need to be covered: store areas
Field strength | Key coverage areas: ≥ –65 dBm; Common coverage areas: ≥ –70 dBm; Leakage field strength: no requirement
Terminal type | Mobile phone and tablet that support 2x2 MIMO and 40 MHz frequency bandwidth @ 5 GHz
Power supply mode | Wall-mounted APs can be powered by PoE switches, and pole-mounted APs can be powered by PoE adapters.
Installation mode | Wall mounting or pole mounting
Switch location | Determine the installation position with the property management company based on the actual situation.
Acceptance items and criteria | No special requirements

Step 2 Select device models and calculate the number of APs.

Calculate the number of APs required in each area based on the proportions of services in
outdoor scenarios and single-AP concurrency specifications.

Table 10-6 Proportions of services in outdoor scenarios


Service Type | Single-Service Baseline Rate (Mbps), Excellent | Single-Service Baseline Rate (Mbps), Good | Proportion in Square | Proportion in Street | Proportion in Outdoor Parking Lot
Web browsing | 8 | 4 | 50% | 60% | 35%
Streaming media (1080p) | 16 | 12 | 10% | 10% | 20%
VoIP | 0.25 | 0.125 | 10% | 10% | 0%
Gaming | 2 | 1 | 10% | 0% | 30%
Instant messaging | 0.5 | 0.25 | 20% | 20% | 15%
Average Single-User Bandwidth (Mbps) — Excellent | | | 6 | 8 | 8

Table 10-7 Single-AP concurrency specifications


Maximum Number of Concurrent STAs Supported by a Wi-Fi 6 AP at Different Bandwidths
(20 MHz @ 2.4 GHz, 40 MHz @ 5 GHz, Wi-Fi 6 and Dual Spatial Streams Supported by All STAs)

No. | Access Bandwidth | Single Radio (5 GHz) Maximum Number of Concurrent STAs (Single-Radio) | Dual Radios (5 GHz) Maximum Number of Concurrent STAs (Single-Radio) | Three Radios (2.4 GHz + 5 GHz-1 + 5 GHz-2) Maximum Number of Concurrent STAs (Single-Radio)
1 | 2 Mbps | 56 | 85 | 141
2 | 4 Mbps | 39 | 56 | 95
3 | 6 Mbps | 27 | 38 | 65
4 | 8 Mbps | 21 | 30 | 51
5 | 16 Mbps | 12 | 18 | 30

Calculate the maximum number of concurrent STAs in each coverage area based on the
collected information. The calculation process is as follows:
During peak hours in the pedestrian street, there are 300 people, with one STA per user
and a concurrency rate of 60%. Therefore, the total number of terminals in the
pedestrian street scenario is 180 (300 x 1 x 60%).

Calculate the number of APs required in each coverage area based on the single-AP
concurrency specifications. The calculation formula is as follows: Maximum number of
concurrent STAs/Maximum number of concurrent STAs on a single AP radio to meet the
user access bandwidth. The calculation process is as follows:
In the pedestrian street, the bandwidth requirement is 4 Mbps, and a dual-radio AP supports
a maximum of 56 concurrent STAs. In this case, the number of required APs is 5
(300/18 ≈ 5).

Step 3 Log in to the WLAN Planner platform and create a project.

The WLAN Planner is available on the ServiceTurbo Cloud platform, and all users can
apply for the tool. The link is as follows:
https://serviceturbo-cloud-cn.huawei.com/serviceturbocloud/#/toolsummary?entityId=d59de9ac-e4ef-409e-bbdc-eff3d0346b42
# Click Running.

# Read the security management regulations on customer network data and click
Confirm.

# Enter project information based on the site requirements, select I have read and agree
to the Terms of Use, and click OK.

Step 4 Add a region and import a floor plan.

# Add a region and import a floor plan. In the Create dialog box that is displayed, set
Type to Outdoor, enter the area name, and click Select to select a scenario.

# Select a WLAN scenario. For this project, select Road/Walking Street and click Next.

# Select the floor plan file and click OK.

Step 5 Set up the environment.



Set the environment and regions based on the customer requirements collection
checklists and site survey information.
# Set the scale.

# The floor plan width is 95 m. Select any position on the floor plan and set the scale
length to 95 m from left to right.

# Drag-select a building area and set the obstacle height.

# After the environment is set, the effect is as follows.



Step 6 Deploy APs and adjust AP parameters.

In outdoor scenarios, skip the region setting step and directly go to the device
deployment step. In outdoor scenarios, only manual AP deployment is supported.
# Select a proper AP model on the toolbar and manually deploy APs.

# In this project, the AirEngine 5761R-11 is used as the wall-mounted AP, and the
AirEngine 5761R-11E is used as the pole-mounted AP. The following figure shows the
manual deployment effect.

Adjust AP parameters.
# Right-click an AP in a store area and choose Property from the shortcut menu. (You
can drag-select all APs and right-click them for the setting). The AP Attributes page is
displayed.

# Because the customer requires APs in these areas to be mounted on the walls, set the
installation mode to Hanging and the height to 3 m, and retain default settings of other
parameters. Set the downtilt of both 2.4 GHz and 5 GHz radios to 15 degrees. Set the
attributes of APs in other areas in the same way.

# The APs in the parking lots are installed on poles. The AirEngine 5761R-11E model is
used. Set the parameters as follows.

Step 7 Simulate signals.

Check the signal RSSI in key coverage areas (≥ –65 dBm). If an area is not covered by any
color, the RSSI there is lower than –65 dBm.
# Set the signal strength in the simulation diagram to –65 dBm and click Open
simulation.

# In this project, you only need to pay attention to the signal coverage of the pedestrian
street and rest areas.

Check the signal RSSI in common coverage areas (≥ –70 dBm). If an area is not covered by
any color, the RSSI there is lower than –70 dBm.
# Adjust the signal strength in the simulation diagram to –70 dBm.

# In this project, you only need to pay attention to the signal coverage in the parking
lots.

If the signal coverage is poor, adjust the number and positions of APs repeatedly to
ensure normal signal simulation.
Check the coverage satisfaction degree to determine whether there are areas with poor
signal coverage.

The signal coverage in most areas is good.

Step 8 Export the WLAN planning report.

Before exporting the report, you can check the network planning.

# Check whether there is any problem. If there is any warning item, confirm it. If there is
no problem, export the network planning report.

# Export the report and save it to the local PC.

# Display the saved WLAN planning report.

10.3 Quiz
1. Which of the following information needs to be determined during requirements
collection in outdoor WLAN planning and design?
Answer:
1. Laws and regulations: EIRP restrictions and available channels

2. Drawing information: floor plan or map


3. Coverage areas: key coverage areas, common coverage areas, and areas that do not
need to be covered
4. Field strength: signal strength requirements
5. Number of access STAs: total number of access STAs in a coverage area
6. Terminal types
7. Bandwidth requirements
8. Surrounding environment: Check whether there are buildings and trees around the
site.
9. AP installation position and power supply mode: APs are typically mounted on lamp
poles or external walls of buildings. If necessary, new poles are built for installing
APs.
10. Switch location
11. Interference source: Check whether interference sources such as city surveillance
based on wireless backhaul and microwave stations exist.

2. What are the differences between the application scenarios of outdoor APs with
omnidirectional and directional antennas? What are their coverage ranges in a scenario
in China?
Answer:
It is recommended that omnidirectional antennas be used in open outdoor areas with a
coverage radius of 60 m to 80 m.
It is recommended that directional antennas be used in outdoor street scenarios with a
coverage length of 120 m to 150 m and a coverage width of 20 m to 35 m.

11 CampusInsight O&M Lab

11.1 Introduction
11.1.1 About This Lab
This lab instructs you to deploy the CampusInsight intelligent O&M platform, helping you
understand how to perform WLAN inspection using the intelligent O&M platform.

11.1.2 Objectives
⚫ Understand how to configure the interconnection between the WAC and
CampusInsight.
⚫ Understand basic O&M functions of CampusInsight.

11.1.3 Networking Topology

Figure 11-1 CampusInsight O&M networking topology


In this lab, AP1, AP2, and AP3 are managed and configured by WAC1. The CampusInsight
server is connected to the core switch SW-Core, and the network segment is
172.21.0.0/17. WAC1 interworks with the CampusInsight server to report service run logs
and data to the CampusInsight server. The administrator can perform unified and
intelligent O&M on the WLAN through CampusInsight.

11.1.4 Lab Planning


Table 11-1 VLAN planning
Device | Port | Port Type | VLAN Settings
SW-Core | MultiGE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core | MultiGE0/0/5 | Access | PVID: 99
SW-Access | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/1 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/2 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/3 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
WAC1 | GE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101

Table 11-2 IP address planning


Device | Port | IP Address
SW-Core | Vlanif100 | 10.23.100.254/24
SW-Core | Vlanif101 | 10.23.101.254/24
SW-Core | Vlanif99 | 172.21.39.253/17
WAC1 | Vlanif100 | 10.23.100.1/24
CampusInsight server | / | 172.21.39.99/17



Table 11-3 WLAN service parameter planning


WLAN Service Parameter

Forwarding mode Direct forwarding

Management VLAN 100

Service VLAN 101

AP group ap-group1

VAP profile wlan-net

Security profile wlan-net

Security policy WPA/WPA2+PSK+AES

Password a12345678

SSID profile wlan-net

SSID wlan-net

11.2 Lab Configuration


11.2.1 Configuration Roadmap
1. Configure VLAN information for SW-Core, SW-Access, and WAC1.
2. Configure IP addresses for network devices to ensure network connectivity.
3. Configure the DHCP server on SW-Core to ensure that APs can obtain IP addresses.
4. Configure the basic network of CampusInsight to ensure network connectivity.
5. Configure WLAN service parameters to implement STA access.
6. Configure the interworking between the WAC1 and the CampusInsight server.
7. Log in to the CampusInsight server through the web to implement intelligent O&M.

11.2.2 Configuration Procedure


Step 1 Configure the basic network connectivity, AP onboarding, and WLAN services.

# For details, see Step 1 to Step 5 in section 1.2.2 "Configuration Procedure."

Step 2 Configure network connectivity between CampusInsight and WAC1.

The IP address and gateway of CampusInsight have been configured during software
installation and are not described in this lab. The IP address of CampusInsight is
172.21.39.99/17, and the gateway address is 172.21.39.253 (on SW-Core).
# Configure VLAN and IP address information for SW-Core.

[SW-Core] vlan 99
[SW-Core-vlan99] name Manage
[SW-Core-vlan99] quit
[SW-Core] interface MultiGE 0/0/5
[SW-Core-MultiGE0/0/5] port link-type access
[SW-Core-MultiGE0/0/5] port default vlan 99
[SW-Core-MultiGE0/0/5] quit
[SW-Core] interface Vlanif 99
[SW-Core-Vlanif99] ip address 172.21.39.253 17
[SW-Core-Vlanif99] quit

# Configure a default route for WAC1 and set the next hop address to SW-Core.

[WAC1] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

Step 3 Configure SNMP.

WAC1 can be added to CampusInsight for management only after the SNMP protocol is
configured on the device.
# SNMPv2c is an insecure protocol. You are advised to configure SNMPv3, which is more
secure.

[WAC1] mgmt isolate disable
Warnning: Disabling management plane isolation may bring security risks. Are you sure you want to
continue ? [y/n]: y
[WAC1] snmp-agent sys-info version v3
[WAC1] snmp-agent mib-view HCIP-test include iso
[WAC1] snmp-agent group v3 test-group privacy write-view HCIP-test notify-view HCIP-test
[WAC1] snmp-agent usm-user version v3 test-user group test-group
[WAC1] snmp-agent usm-user version v3 test-user authentication-mode sha2-256
Please configure the authentication password (<8-64>)
Enter Password: Huawei@123
Confirm password: Huawei@123
[WAC1] snmp-agent usm-user version v3 test-user privacy-mode aes256
Please configure the privacy password (<8-64>)
Enter Password: Huawei@456
Confirm password: Huawei@456

# This lab assumes that the SNMP user name is test-user, authentication password is
Huawei@123, and encryption password is Huawei@456. These parameters must be the
same as those configured on CampusInsight.

Step 4 Configure SFTP.

# The SFTP protocol is configured to enable CampusInsight to synchronize basic
information, interface and link information, and other information about APs from
devices through SFTP.

[WAC1] ssh client first-time enable

Step 5 Configure LLDP.



# LLDP enables CampusInsight to discover LLDP links of the device.

[WAC1] lldp enable
[WAC1] wlan
[WAC1-wlan-view] ap-system-profile name default
[WAC1-wlan-ap-system-prof-default] lldp report enable
[WAC1-wlan-ap-system-prof-default] quit

Step 6 Configure log data reporting.

By default, the device log reporting function supports HTTP/2 and UDP channels. HTTP/2
is recommended.
# Configure the HTTP/2 channel for WAC1.

[WAC1] undo access-user syslog-restrain enable
[WAC1] wmi-server
[WAC1-wmi-server] server ip-address 172.21.39.99 port 27371
[WAC1-wmi-server] collect-item log-data interval 60
[WAC1-wmi-server] log module mid ff760000
[WAC1-wmi-server] log module mid ff5f0000
[WAC1-wmi-server] log module mid ff630000
[WAC1-wmi-server] log module mid fff30000
[WAC1-wmi-server] log module mid ff620000
[WAC1-wmi-server] log module mid ff050000
[WAC1-wmi-server] log module mid d0410000
[WAC1-wmi-server] log module mid ff5a0000
[WAC1-wmi-server] log module mid ff8c0000
[WAC1-wmi-server] log module mid ff5d0000
[WAC1-wmi-server] quit

# Configure the HTTP/2 channel for APs.

[WAC1] wlan
[WAC1-wlan-view] wmi-server name test
[WAC1-wlan-wmi-server-prof-test] server ip-address 172.21.39.99 port 27371
[WAC1-wlan-wmi-server-prof-test] collect-item log-data interval 60
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF600000
[WAC1-wlan-wmi-server-prof-test] ap log module mid D0410000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF620000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFED0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFEF0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFF30000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF2B0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FE011004
[WAC1-wlan-wmi-server-prof-test] quit
[WAC1-wlan-view] ap-system-profile name default
[WAC1-wlan-ap-system-prof-default] wmi-server test index 2
[WAC1-wlan-ap-system-prof-default] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] ap-system-profile default
[WAC1-wlan-ap-group-ap-group1] quit

Step 7 Configure the function of reporting WLAN service performance metric data.

# This configuration enables the device to proactively report WLAN service performance
metric data to CampusInsight for analysis.

[WAC1] pki realm default
[WAC1-pki-realm-default] certificate-check none
[WAC1-pki-realm-default] quit
[WAC1] wmi-server
[WAC1-wmi-server] collect-item device-data interval 60
[WAC1-wmi-server] collect-item interface-data interval 60
[WAC1-wmi-server] collect-item cpcar-data interval 60
[WAC1-wmi-server] collect-item security-data interval 60
[WAC1-wmi-server] quit
[WAC1] wlan
[WAC1-wlan-view] wmi-server name test
[WAC1-wlan-wmi-server-prof-test] report-interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item device-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item radio-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item ssid-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item terminal-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item non-wifi-data interval 60
[WAC1-wlan-wmi-server-prof-test] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 0
[WAC1-wlan-group-radio-ap-group1/0] wids device detect enable
[WAC1-wlan-group-radio-ap-group1/0] spectrum-analysis enable
[WAC1-wlan-group-radio-ap-group1/0] channel-monitor enable
[WAC1-wlan-group-radio-ap-group1/0] quit
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] wids device detect enable
[WAC1-wlan-group-radio-ap-group1/1] spectrum-analysis enable
[WAC1-wlan-group-radio-ap-group1/1] channel-monitor enable
[WAC1-wlan-group-radio-ap-group1/1] quit
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] ap-system-profile default
[WAC1-wlan-ap-group-ap-group1] quit

Step 8 Configure the CampusInsight server.

# Log in to CampusInsight, choose Inventory > Site-Region, and click Add.



# Add a site. Set the site name to HCIP-test and Parent node to Global, and click OK.

# Choose Inventory > Wired Device, click Add Device, and add a single device.

# Set IP address to 10.23.100.1 (IP address of WAC1), Site-Region to HCIP-test, and
Device role to WAC.

# In the SNMP area, select Edit SNMP parameters, set Version to v3, Security name to
test-user, Authentication protocol to HMAC_SHA2_256, Privacy protocol to AES_256, Port
to 161, Authentication password to Huawei@123, and Encryption password to
Huawei@456. Then click Confirm.
# The security name must be the same as the SNMP user name configured on WAC1.
Other parameters must also be the same.

# Check the onboarding status of wired devices. WAC1 is online.

# After WAC1 is added to CampusInsight, the APs managed by WAC1 are automatically
added to the AP list of CampusInsight. Click Wireless Device. The three APs are online.

# Add a building to the HCIP-test site. Choose Inventory > Site-Region, select HCIP-test,
and click Add.

# Set Type to Building and Name to Building_01, and click Confirm.

# Add a floor to Building_01. Choose Inventory > Site-Region, select Building_01, and
click Add.

# Set Type to Floor and Name to First floor, and click Confirm.

# Choose Inventory > Wireless Device, select three APs, and click Move to move the three
APs to First floor.

# The Site-Region values of the three APs are changed to /HCIP-test/Building_01/First
floor.

Step 9 Configure CampusInsight O&M functions.

Check the status of the entire network.


# Choose Dashboard > General to view key information about the HCIP-test site, such as
the resource status, health status, number of clients, traffic, and AP rate/traffic, so that
the administrator can learn about the overall running status of the network.

Check the wireless network health.


# Choose Network > Health to view the running status of the wireless network.

# Detailed metrics include the access success rate, access time consumption, roaming
fulfillment rate, signal and interference, capacity, and throughput.

Check the client journey.


# Choose Clients > Client Journey. On the Normal view tab page, you can view basic
information about access clients.

# Click a client MAC address (for example, 08-1f-71-53-90-b4) to view detailed
indicators.

11.3 Verification
11.3.1 Checking the SNMP Configuration on WAC1
# Run the display snmp-agent mib-view command on WAC1 to view SNMP MIB
information.

[WAC1] display snmp-agent mib-view HCIP-test
View name: HCIP-test
MIB subtree: iso
Subtree mask:
Storage type: nonVolatile
View type: included
View status: active

# Run the display snmp-agent group command on WAC1 to view SNMP group
information.

[WAC1] display snmp-agent group
Group name: test-group
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: HCIP-test
Notifyview: HCIP-test
Storage type: nonVolatile

Total number is 1

# Run the display snmp-agent usm-user command on WAC1 to view SNMP user
information.

[WAC1] display snmp-agent usm-user
User name: test-user
Engine ID: 800007DB039CB2E8B5A224
Group name: test-group
Authentication mode: sha2-256, Privacy mode: aes256
Storage type: nonVolatile
User status: active

Total number is 1
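
The rule in Step 8 that the CampusInsight SNMP parameters must equal those on WAC1 can be checked against the two outputs above. This is an added example, not part of the original lab guide; the function names and the folding of the two algorithm spellings used in this guide (HMAC_SHA2_256 vs. sha2-256, AES_256 vs. aes256) are assumptions.

```python
import re

# Command outputs as shown in section 11.3.1.
USM_USER_OUTPUT = """\
User name: test-user
Engine ID: 800007DB039CB2E8B5A224
Group name: test-group
Authentication mode: sha2-256, Privacy mode: aes256
Storage type: nonVolatile
User status: active
"""
GROUP_OUTPUT = """\
Group name: test-group
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: HCIP-test
Notifyview: HCIP-test
Storage type: nonVolatile
"""
# SNMP parameters entered on CampusInsight in Step 8.
NMS_PARAMS = {"security_name": "test-user", "version": "v3",
              "auth": "HMAC_SHA2_256", "priv": "AES_256"}


def fields(text):
    """Parse 'Key: value' pairs; one line may carry several, separated by ', '."""
    parsed = {}
    for line in text.splitlines():
        for part in line.split(", "):
            key, sep, val = part.partition(":")
            if sep:
                parsed[key.strip().lower()] = val.strip()
    return parsed


def fold(algorithm):
    """Reduce 'HMAC_SHA2_256' and 'sha2-256' (or 'AES_256' and 'aes256') to one token."""
    token = re.sub(r"[^a-z0-9]", "", algorithm.lower())
    return token[4:] if token.startswith("hmac") else token


def snmp_mismatches(user_out, group_out, nms):
    """Return the CampusInsight fields that disagree with the device outputs."""
    user, group = fields(user_out), fields(group_out)
    problems = []
    if user.get("user name") != nms["security_name"]:
        problems.append("Security name")
    if fold(user.get("authentication mode", "")) != fold(nms["auth"]):
        problems.append("Authentication protocol")
    if fold(user.get("privacy mode", "")) != fold(nms["priv"]):
        problems.append("Privacy protocol")
    if user.get("user status") != "active":
        problems.append("User status")
    # The user's group must be the displayed one and must require auth plus privacy.
    if user.get("group name") != group.get("group name"):
        problems.append("Group name")
    if group.get("security model", "").split() != [nms["version"], "AuthPriv"]:
        problems.append("Security model")
    return problems


if __name__ == "__main__":
    print(snmp_mismatches(USM_USER_OUTPUT, GROUP_OUTPUT, NMS_PARAMS) or "all parameters match")
```

The authentication and encryption passwords cannot be compared this way, because the device shows them only as ciphertext.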

11.3.2 Checking VAP Information on WAC1
# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
------------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON WPA/WPA2-PSK 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON WPA/WPA2-PSK 1 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON WPA/WPA2-PSK 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON WPA/WPA2-PSK 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON WPA/WPA2-PSK 1 wlan-net
------------------------------------------------------------------------------
Total: 6

11.4 Reference Configuration


11.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
http timeout 10080
http secure-server ssl-policy default_policy
http secure-server server-source -i Vlanif100
http server enable
#
vlan batch 100 to 101
#
stp enable
#
management-port isolate enable
management-plane isolate enable
#
mgmt isolate disable
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
snmp-agent local-engineid 800007DB039CB2E8B5A224
snmp-agent group v3 test-group privacy write-view HCIP-test notify-view HCIP-test
snmp-agent mib-view HCIP-test include iso
snmp-agent usm-user version v3 test-user
snmp-agent usm-user version v3 test-user group test-group
snmp-agent usm-user version v3 test-user authentication-mode sha2-256 %^%#D~DQT_u@3&)9hQ=w|Y)IqQC6U0b-A,$Qj{:_f<eH%^%#
snmp-agent usm-user version v3 test-user privacy-mode aes256 %^%#]W!A6{&Y1Tx4&s,{ex:0Be2EE{_Pw(V$%"&zwwQC%^%#
snmp-agent
#
ssh server-source -i Vlanif100
ssh client first-time enable
sftp server enable
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wmi-server
server ip-address 172.21.39.99 port 27371
collect-item device-data interval 60
collect-item log-data interval 60
collect-item security-data interval 60
collect-item cpcar-data interval 60
log module mid ff760000 name WEB
log module mid ff5f0000 name DOT1X
log module mid ff630000 name CM
log module mid fff30000 name WLAN
log module mid ff620000 name DHCP
log module mid ff050000 name IFPDT
log module mid d0410000 name SHELL
log module mid ff5a0000 name AAA
log module mid ff8c0000 name ENTITYTRAP
log module mid ff5d0000 name AM
#
wmi-server2
#
wlan
calibrate flexible-radio auto-switch
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#914c;d4z)+#$JD3kxgr@w>*(.lMo~Sf}H8U2\c[E%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
wmi-server name test
server ip-address 172.21.39.99 port 27371
collect-item device-data interval 60
collect-item radio-data interval 60
collect-item terminal-data interval 60
collect-item log-data interval 60
collect-item non-wifi-data enable
ap log module mid FF2B0000
ap log module mid FE011004
ap log module mid FF600000 name PORTAL
ap log module mid D0410000 name SHELL
ap log module mid FF620000 name DHCP
ap log module mid FFED0000 name SEA
ap log module mid FFEF0000 name WSRV
ap log module mid FFF30000 name WLAN
ap-system-profile name default
lldp report enable
wmi-server test index 2
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
spectrum-analysis enable
channel-monitor enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
spectrum-analysis enable
channel-monitor enable
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
ap-group ap-group1
provision-ap
#
return

11.4.2 SW-Core Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 99 to 101
#
dhcp enable
#
vlan 99
name Manage
#
interface Vlanif1
#
interface Vlanif99
ip address 172.21.39.253 255.255.128.0
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/5
port link-type access
port default vlan 99
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
return

11.4.3 SW-Access Configuration


!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

11.5 Quiz
In this lab, CampusInsight is used to perform intelligent O&M on a WLAN. What are the
advantages of intelligent O&M compared with traditional O&M on the WAC's web page?
Answer:
Visualized experience: Telemetry-based second-level data collection is supported,
visualizing experience of any user in any application at any moment.
Minute-level proactive identification and root cause locating for potential faults: Identify
potential faults based on dynamic baselines and big data association. Accurately locate
root causes based on KPI association analysis and protocol playback.
Predictive network optimization: AI technologies are used to intelligently analyze the load
trend of APs to complete predictive optimization of wireless networks.

12 WLAN Troubleshooting Lab

12.1 Introduction
12.1.1 About This Lab
This lab instructs you to troubleshoot common faults.

12.1.2 Objectives
⚫ Describe the fault symptoms and related configurations.
⚫ Understand troubleshooting methods.

12.1.3 Networking Topology

Figure 12-1 WLAN troubleshooting networking topology



12.1.4 Lab Planning


Table 12-1 VLAN planning

Device      Port           Port Type   VLAN Settings
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/4   Access      PVID: 99
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101

Table 12-2 IP address planning

Device               Port        IP Address
SW-Core              Vlanif100   10.23.100.254/24
SW-Core              Vlanif101   10.23.101.254/24
SW-Core              Vlanif99    172.21.39.253/17
WAC1                 Vlanif100   10.23.100.1/24
iMaster NCE-Campus   /           172.21.39.88/17

Table 12-3 WLAN service parameter planning

WLAN Service                       Parameter
Forwarding mode                    Tunnel forwarding
Management VLAN                    100
Service VLAN                       101
AP group                           ap-group1
VAP profile                        wlan-net
Security profile                   wlan-net
Security policy                    OPEN
SSID profile                       wlan-net
SSID                               wlan-net
RADIUS authentication parameters   Name of the RADIUS authentication scheme: radius_huawei
                                   Name of the RADIUS accounting scheme: scheme1
                                   Name of the RADIUS server template: radius_huawei
                                   IP address: 172.21.39.88
                                   Authentication port number: 1812
                                   Accounting port number: 1813
                                   Shared key: Huawei@123
Portal server template             Name: abc
                                   IP address: 172.21.39.88
                                   Portal shared key: Huawei@123
Portal access profile              Name: portal1
                                   Bound profile: Portal server template abc
Authentication-free rule profile   Name: default_free_rule
Authentication profile             Name: p1
                                   Bound profiles and schemes:
                                   Portal access profile portal1
                                   RADIUS server template radius_huawei
                                   RADIUS authentication scheme radius_huawei
                                   RADIUS accounting scheme scheme1
                                   Authentication-free rule profile default_free_rule

12.2 Lab Configuration


12.2.1 Configuration Roadmap
1. Import the pre-configuration.
2. Rectify the fault based on the fault symptom.

12.2.2 Configuration Procedure


Step 1 Import the pre-configuration.

# Import the pre-configuration of WAC1.

Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
vlan batch 100
#
authentication-profile name p1
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
#
web-auth-server server-source all-interface
#
management-port isolate enable
management-plane isolate enable
#
radius-server template default
radius-server template radius_huawei
radius-server shared-key cipher %^%#]gR#5-y9p=z#}}Pk4-L;WGPdIm[,VBkhjz&Wf<G%%^%#
radius-server authentication 172.21.39.88 1812 source Vlanif 100 weight 80
radius-server accounting 172.21.39.88 1813 source Vlanif 100 weight 80
radius-server authorization 172.21.39.88 shared-key cipher %^%#5jF1YZq(*OsX-2U&P}A<]`!XH,|-r15kUd$G}=]"%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
url-template name url1
url https://172.21.39.88:8445/portal
url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
#
web-auth-server abc
server-ip 172.21.39.89
port 50100
shared-key cipher %^%#N[ePT/1o_2@zKz/>v:dTE_H%#s@Cy<{-|g:s'&\8%^%#
url-template url1
source-ip 10.23.100.1
#
portal-access-profile name portal1
web-auth-server abc direct
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme scheme1
accounting-mode radius
accounting realtime 3
local-aaa-user password policy administrator
domain default
authentication-scheme default
accounting-scheme default
radius-server default
domain default_admin
authentication-scheme default
accounting-scheme default
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
calibrate flexible-radio auto-switch
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security open
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile p1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-whitelist-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 1
radio disable
ap-id 0 type-id 144 ap-mac 9cb2-e82d-54f0 ap-sn 2102353VUR10N5119370
ap-name AP1
ap-group ap-group1
ap-id 1 type-id 144 ap-mac 9cb2-e82d-5410 ap-sn 2102353VUR10N5119363
ap-name AP2
ap-group ap-group1
ap-id 2 type-id 144 ap-mac 9cb2-e82d-5110 ap-sn 2102353VUR10N5119339
ap-name AP3
#
return

# Import the pre-configuration of SW-Core.

!Software Version V200R021C00SPC100
#
sysname SW-Core
#
vlan batch 99 to 101
#
dhcp enable
#
vlan 99
name Manage
#
interface Vlanif1
#
interface Vlanif99
ip address 172.21.39.253 255.255.128.0
#
interface Vlanif100
ip address 10.23.100.254 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
port link-type access
port default vlan 99
#
interface MultiGE0/0/5
#
interface MultiGE0/0/6
#
interface MultiGE0/0/7
#
interface MultiGE0/0/8
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
return

# Import the pre-configuration of SW-Access.

!Software Version V200R021C00SPC100
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

# Pre-configure the authentication server. For details, see Step 7 in section 6.2.2
"Configuration Procedure."

Step 2 Troubleshoot STAs' failures to detect radio signals.

# Search for SSIDs on a STA. The STA fails to detect the radio signal wlan-net. In this
case, check whether the AP is online on WAC1.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
--------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 10M:12S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 9M:42S -
2 9cb2-e82d-5110 AP3 default 10.23.100.117 AirEngine5761-11 nor 0 10M:16S -
--------------------------------------------------------------------------------------------------------
Total: 3

# The three APs are online, but AP3 is not in the AP group ap-group1. To ensure that
WAC1 delivers unified policies to APs, add AP3 to the correct AP group.

[WAC1] wlan
[WAC1-wlan-view] ap-id 2
[WAC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-2] quit

# Check AP information on WAC1 again. The command output shows that the three APs
are all online and belong to ap-group1.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
--------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------------
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 17M:12S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 16M:42S -
2 9cb2-e82d-5110 AP3 ap-group1 10.23.100.117 AirEngine5761-11 nor 0 10S -
--------------------------------------------------------------------------------------------------------
Total: 3

# Check the VAP status.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
---------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total: 0

# The command output shows that no AP is associated with any VAP. Check the
configuration of WAC1. The command output shows that the VAP profile is not bound to
any AP group. In this case, modify the configuration as follows.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit

# Check VAP information again. The three APs now advertise the SSID wlan-net, but the
status of radio 1 on the APs is OFF, indicating that the 5 GHz radios are disabled and
need to be manually enabled.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
---------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
---------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON Open 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 OFF Open 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON Open 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 OFF Open 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON Open 1 wlan-net
2 AP3 1 1 9CB2-E82D-5120 OFF Open 0 wlan-net
---------------------------------------------------------------------------
Total: 6

# Manually enable the 5 GHz radio.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] undo radio disable
[WAC1-wlan-group-radio-ap-group1/1] quit

# Check the VAP status. The VAP status is normal.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
---------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
---------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON Open 1 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON Open 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON Open 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON Open 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON Open 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON Open 0 wlan-net
---------------------------------------------------------------------------
Total: 6
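
The checks performed by hand in Step 2 can be scripted over the two command outputs. This is an added example, not part of the original lab guide; the sample text is constructed from the outputs shown above, and the function names and the assumption that no column value except the SSID contains spaces are this example's own.

```python
import re

# Constructed from the `display ap all` and `display vap all` outputs in Step 2:
# the state before any fix, and the state after the VAP profile was bound.
AP_BEFORE = """\
ID MAC Name Group IP Type State STA Uptime ExtraInfo
0 9cb2-e82d-54f0 AP1 ap-group1 10.23.100.225 AirEngine5761-11 nor 0 10M:12S -
1 9cb2-e82d-5410 AP2 ap-group1 10.23.100.214 AirEngine5761-11 nor 0 9M:42S -
2 9cb2-e82d-5110 AP3 default 10.23.100.117 AirEngine5761-11 nor 0 10M:16S -
Total: 3
"""
VAP_BEFORE = """\
AP ID AP name RfID WID BSSID Status Auth type STA SSID
Total: 0
"""
VAP_BOUND = """\
AP ID AP name RfID WID BSSID Status Auth type STA SSID
0 AP1 0 1 9CB2-E82D-54F0 ON Open 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 OFF Open 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON Open 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 OFF Open 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON Open 1 wlan-net
2 AP3 1 1 9CB2-E82D-5120 OFF Open 0 wlan-net
Total: 6
"""

MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
SP = r"[ \t]+"
# Data rows start with a numeric ID; header, separator and "Total" lines do not match.
AP_ROW = re.compile(
    r"^[ \t]*" + SP.join([r"(\d+)", f"({MAC})"] + [r"(\S+)"] * 5 + [r"(\d+)"]), re.M)
VAP_ROW = re.compile(
    r"^[ \t]*" + SP.join([r"(\d+)", r"(\S+)", r"(\d+)", r"(\d+)", f"({MAC})",
                          r"(\S+)", r"(\S+)", r"(\d+)", r"(.+?)"]) + r"[ \t]*$", re.M)


def parse_aps(text):
    keys = ("id", "mac", "name", "group", "ip", "type", "state", "sta")
    return [dict(zip(keys, m.groups())) for m in AP_ROW.finditer(text)]


def parse_vaps(text):
    keys = ("ap_id", "ap", "radio", "wlan", "bssid", "status", "auth", "sta", "ssid")
    return [dict(zip(keys, m.groups())) for m in VAP_ROW.finditer(text)]


def diagnose(ap_text, vap_text, group="ap-group1", ssid="wlan-net", radios=("0", "1")):
    """Return (AP name, finding) pairs in the order Step 2 investigates them."""
    vaps = {(v["ap"], v["radio"]): v for v in parse_vaps(vap_text) if v["ssid"] == ssid}
    findings = []
    for ap in parse_aps(ap_text):
        if ap["state"] != "nor":
            findings.append((ap["name"], "not online"))
            continue
        if ap["group"] != group:
            findings.append((ap["name"], f"in AP group {ap['group']}, expected {group}"))
        for radio in radios:
            vap = vaps.get((ap["name"], radio))
            if vap is None:
                findings.append((ap["name"], f"radio {radio}: no VAP for {ssid}"))
            elif vap["status"] != "ON":
                findings.append((ap["name"], f"radio {radio}: VAP status {vap['status']}"))
    return findings


if __name__ == "__main__":
    for name, finding in diagnose(AP_BEFORE, VAP_BEFORE):
        print(name, "-", finding)
```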

Step 3 Troubleshoot STAs' failures to obtain IP addresses after associating with radio
signals.

# After a STA connects to wlan-net, it cannot obtain an IP address. The check result
shows that the data forwarding mode of the VAP is tunnel forwarding, but WAC1 does
not have service VLAN information. In this case, manually create VLAN 101 on WAC1.

[WAC1] vlan 101
[WAC1-vlan101] quit

# Disconnect the STA from wlan-net and then reconnect the STA to wlan-net. The STA
can obtain an IP address. Run the ipconfig command to verify this.

C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::2d38:d0da:819f:238e%4
IPv4 Address. . . . . . . . . . . : 10.23.101.194
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.23.101.254

Step 4 Troubleshoot failures to automatically display Portal authentication pages in Portal
authentication mode.

# After a STA connects to the SSID wlan-net, open the browser and enter any IP address
in the address box. The Portal authentication page is not displayed.

# There are many reasons for a failure to display the Portal authentication
page. Check whether the authentication profile is correctly bound to the VAP
profile. The VAP configuration is correct.

vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile p1

# Check whether the authentication profile is correctly configured. It is found that no
Portal access profile is configured in the authentication profile.

authentication-profile name p1
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei

# The configuration shows that the Portal access profile portal1 has already been
configured on WAC1 but is not bound to the authentication profile. Bind it to the
authentication profile p1.

[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] portal-access-profile portal1
Info: This operation may take a few minutes, please wait....
Warning: Changing the authentication profile will cause online users to go offline. Continue? [Y/N] y
Authentication profile p1 : done.
[WAC1-authentication-profile-p1] quit

# The Portal authentication page still cannot be displayed on the STA. Check the
configuration of the Portal server template. The IP address and port number of the Portal
server are incorrect. The correct IP address is 172.21.39.88, and the correct port number is
50200.

#
web-auth-server abc
server-ip 172.21.39.89
port 50100
shared-key cipher %^%#N[ePT/1o_2@zKz/>v:dTE_H%#s@Cy<{-|g:s'&\8%^%#
url-template url1
source-ip 10.23.100.1
server-detect
#

# Configure a correct server address and set the shared key to Huawei@123 to ensure
that the shared key is the same as that on NCE.

[WAC1] web-auth-server abc
[WAC1-web-auth-server-abc] undo server-ip 172.21.39.89
Warning: Server-ip access-users will be offline, sure to continue?[Y/N] y
[WAC1-web-auth-server-abc] server-ip 172.21.39.88
[WAC1-web-auth-server-abc] port 50200
[WAC1-web-auth-server-abc] shared-key cipher Huawei@123

# Check the Portal service status. The Portal server is in DOWN state.

[WAC1] display portal-server state
Web-auth-server : abc
Total-servers : 1
Live-servers : 0
Critical-num : 0
Status : Abnormal
Ip-address Status
172.21.39.88 DOWN

# Check the configuration. It is found that the Portal server detection function is enabled
on the device, but the authentication server is not configured. Therefore, you need to
manually disable the Portal server detection function.

[WAC1] web-auth-server abc
[WAC1-web-auth-server-abc] undo server-detect
[WAC1-web-auth-server-abc] quit

# Check the status of the Portal server again. The status is UP, as shown in the following
output.

[WAC1] display portal-server state
Web-auth-server : abc
Total-servers : 1
Live-servers : 1
Critical-num : 0
Status : Normal
Ip-address Status
172.21.39.88 UP

# Use the STA to perform the test again. It is found that the Portal authentication page
still cannot be displayed. The port number of the redirected page is 8445, but the default
port number of NCE that functions as the Portal server is 19008. Check the URL template
on WAC1. It is found that the port number in the URL is incorrect, as shown in the
following configuration.

#
url-template name url1
url https://172.21.39.88:8445/portal
url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
#

# Change the URL port number to 19008.

[WAC1] url-template name url1
[WAC1-url-template-url1] url https://172.21.39.88:19008/portal
[WAC1-url-template-url1] quit

# Disconnect the STA from wlan-net and reconnect the STA to wlan-net. The Portal
authentication page is displayed. After the user name and password are entered, Portal
authentication succeeds.
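
The faults found in Steps 3 and 4 are all visible in the saved configuration, so they can be caught before a STA ever connects. This is an added example, not part of the original lab guide: a small linter run over a constructed excerpt of the Step 1 pre-configuration, with hypothetical function names and the one-space view indentation assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the WAC1 pre-configuration in Step 1. The one-space
# indentation per view level is an assumption about the original file layout.
PRE_CONFIG = """\
vlan batch 100
#
authentication-profile name p1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
url-template name url1
 url https://172.21.39.88:8445/portal
#
web-auth-server abc
 server-ip 172.21.39.89
 port 50100
 url-template url1
#
portal-access-profile name portal1
 web-auth-server abc direct
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  authentication-profile p1
"""
# Values this lab states as correct (Table 12-3 and Step 4).
EXPECTED = {"portal_ip": "172.21.39.88", "portal_port": "50200", "url_port": 19008}


def parse_views(text):
    """Map each line to the lines nested directly below it (its view body)."""
    views, stack = {}, []                      # stack of (indent, header)
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if stack:
            views[stack[-1][1]].append(line)
        views.setdefault(line, [])
        stack.append((indent, line))
    return views


def arg(body, keyword):
    """Argument string of the first `keyword ...` command in a view body, else None."""
    for line in body:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].strip()
    return None


def created_vlans(views):
    """VLAN IDs created by `vlan batch ...` and `vlan <id>` commands."""
    vlans = set()
    for header in views:
        if re.fullmatch(r"vlan (batch )?[\d to]+", header):
            spec = header.replace("vlan batch", "").replace("vlan", "")
            for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def lint(text, expected=EXPECTED):
    """Return (code, detail) findings for the faults Steps 3 and 4 uncover."""
    views, findings = parse_views(text), []
    vlans = created_vlans(views)
    for header, body in views.items():
        words = header.split()
        if header.startswith("vap-profile name "):
            vlan = arg(body, "service-vlan vlan-id")
            if arg(body, "forward-mode") == "tunnel" and vlan and int(vlan) not in vlans:
                findings.append(("vlan-missing", f"{words[-1]}: service VLAN {vlan} not created"))
            auth = arg(body, "authentication-profile")
            auth_body = views.get(f"authentication-profile name {auth}", [])
            if auth and arg(auth_body, "portal-access-profile") is None:
                findings.append(("no-portal-profile", f"authentication-profile {auth}"))
        elif words[0] == "web-auth-server" and len(words) == 2 and body:
            if arg(body, "server-ip") != expected["portal_ip"]:
                findings.append(("portal-ip", arg(body, "server-ip")))
            if arg(body, "port") != expected["portal_port"]:
                findings.append(("portal-port", arg(body, "port")))
            tmpl = views.get(f"url-template name {arg(body, 'url-template')}", [])
            url = urlsplit(arg(tmpl, "url") or "")
            if url.hostname != expected["portal_ip"]:
                findings.append(("url-host", url.hostname))
            if url.port != expected["url_port"]:
                findings.append(("url-port", url.port))
    return findings
```

Calling lint(PRE_CONFIG) reports the missing service VLAN, the unbound Portal access profile, and the wrong Portal server IP address, port and URL port; the same call on the corrected configuration returns an empty list.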

12.3 Verification
12.3.1 Checking VAP Information
# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------------
0 AP1 0 1 9CB2-E82D-54F0 ON Open+Portal 0 wlan-net
0 AP1 1 1 9CB2-E82D-5500 ON Open+Portal 0 wlan-net
1 AP2 0 1 9CB2-E82D-5410 ON Open+Portal 0 wlan-net
1 AP2 1 1 9CB2-E82D-5420 ON Open+Portal 0 wlan-net
2 AP3 0 1 9CB2-E82D-5110 ON Open+Portal 0 wlan-net
2 AP3 1 1 9CB2-E82D-5120 ON Open+Portal 0 wlan-net
-----------------------------------------------------------------------------
Total: 6

12.3.2 Associating a STA with the WLAN and Verifying Authentication

12.4 Reference Configuration


12.4.1 WAC1 Configuration
Software Version V200R021C00SPC100
#
defence engine enable
sysname WAC1
#
http timeout 10080

http secure-server ssl-policy default_policy


http secure-server server-source -i Vlanif100
http server enable
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template free1
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
#
web-auth-server server-source all-interface
#
management-port isolate enable
management-plane isolate enable
#
radius-server template default
radius-server template radius_huawei
radius-server shared-key cipher %^%#]gR#5-y9p=z#}}Pk4-L;WGPdIm[,VBkhjz&Wf<G%%^%#
radius-server authentication 172.21.39.88 1812 source Vlanif 100 weight 80
radius-server accounting 172.21.39.88 1813 source Vlanif 100 weight 80
radius-server authorization 172.21.39.88 shared-key cipher %^%#5jF1YZq(*OsX-2U&P}A<]`!XH,|-r15kUd$G}=]"%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
free-rule-template name default_free_rule
#
free-rule-template name free1
free-rule 1 destination ip 172.21.39.88 mask 255.255.255.255
#
url-template name url1
url https://172.21.39.88:19008/portal
url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
#
web-auth-server abc
server-ip 172.21.39.88
port 50200
shared-key cipher %^%#/H+oJc*rtC_]{(WRUDt4un;&<1:g~NP{q(SD$ux#%^%#
url-template url1
source-ip 10.23.100.1
#
portal-access-profile name portal1
web-auth-server abc direct
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme scheme1
accounting-mode radius
accounting realtime 3

local-aaa-user password policy administrator


domain default
authentication-scheme default
accounting-scheme default
radius-server default
domain default_admin
authentication-scheme default
accounting-scheme default
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
management-interface
#
interface MEth0/0/1
ip address 169.254.1.1 255.255.255.0
#
interface Ethernet0/0/47
ip address 169.254.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
calibrate flexible-radio auto-switch
temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
traffic-profile name default
security-profile name default
security-profile name wlan-net
security open
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile p1
