03-802.11r Configuration
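1.4.1 FT Over-the-DS with PSK mode configuration example
1.4.2 FT Over-the-Air with PSK mode configuration example
1.4.3 FT Over-the-DS with 802.1X mode configuration example
1.4.4 FT Over-the-Air with 802.1X mode configuration example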
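The FT (Fast BSS Transition) function defined in the 802.11r protocol reduces the delay a client experiences while roaming, which lowers the probability of connection interruption and improves roaming service quality.
FT can be implemented in two ways:
· Over-the-Air: The client communicates directly with the target AP to perform authentication before roaming.
· Over-the-DS: The client communicates with the target AP through the current AP to perform authentication before roaming.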
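Figure 1-1 Intra-AC roaming with the over-the-air method
As shown in Figure 1-1, when a client roams between APs connected to the same AC (from AP 1 to AP 2), the information exchange is as follows:
(1) The client is already connected to AP 1 and is about to roam to AP 2;
(2) The client sends an authentication request to AP 2;
(3) The client receives the authentication response from AP 2;
(4) The client sends a reassociation request to AP 2;
(5) The client receives the reassociation response from AP 2;
(6) The client completes roaming from AP 1 to AP 2.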
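Figure 1-2 Inter-AC roaming with the over-the-air method
As shown in Figure 1-2, AP 1 and AP 2 are connected to AC 1 and AC 2 respectively. The information exchange for roaming within the same mobility domain is as follows:
(1) The client establishes a connection with AP 1;
(2) AC 1 synchronizes the client's roaming information (PMK, VLAN and so on) to AC 2;
(3) The client prepares to roam and sends an FT authentication request to AP 2;
(4) The client receives the FT authentication response sent by AP 2;
(5) The client sends a reassociation request to AP 2;
(6) The client receives the reassociation response from AP 2;
(7) The client completes roaming from AP 1 to AP 2.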
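Figure 1-3 Intra-AC roaming with the over-the-ds method
As shown in Figure 1-3, when a client roams between APs connected to the same AC (from AP 1 to AP 2), the information exchange is as follows:
(1) The client establishes a connection with AP 1;
(2) The AC generates, synchronizes and saves the client's roaming entry;
(3) The client prepares to roam and sends an FT authentication request to AP 1;
(4) The client receives the FT authentication response from AP 1;
(5) The client sends a reassociation request to AP 2;
(6) The client receives the reassociation response from AP 2;
(7) The client completes roaming from AP 1 to AP 2.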
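Figure 1-4 Inter-AC roaming with the over-the-ds method
As shown in Figure 1-4, AP 1 and AP 2 are connected to AC 1 and AC 2 respectively. The information exchange for roaming within the same mobility domain is as follows:
(1) The client establishes a connection with AP 1;
(2) AC 1 synchronizes the client's roaming information (PMK, VLAN and so on) to AC 2;
(3) The client prepares to roam and sends an FT authentication request to AP 1;
(4) The client receives the FT authentication response from AP 1;
(5) The client sends a reassociation request to AP 2;
(6) The client receives the reassociation response from AP 2;
(7) The client completes roaming from AP 1 to AP 2.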
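The protocol specifications related to 802.11r are:
802.11r IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
When configuring the 802.11r FT function, note the following:
· If a client cannot associate with a service that has FT enabled, the client may be an older model that does not support the FT protocol. In that case, create two services with the same SSID, one with FT enabled and one without, and keep all other settings identical, so that the client can use the network normally.
· Enabling both FT and 802.1X periodic re-authentication under the same service template is not recommended. Otherwise, the client comes online again each time the re-authentication interval expires. For an introduction to 802.1X periodic re-authentication and how to configure it, see "WLAN User Access Authentication" in the "User Access and Authentication Configuration Guide".
· Clients that have successfully negotiated fast BSS transition do not support PTK update. For an introduction to PTK update and how to configure it, see "WLAN User Security" in the "WLAN Security Configuration Guide".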
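(1) Enter system view.
system-view
(2) Configure a WLAN service template.
wlan service-template service-template-name
(3) Enable FT.
ft enable
By default, FT is disabled.
(4) (Optional) Configure the FT method.
ft method { over-the-air | over-the-ds }
By default, the FT method is over-the-air.
(5) (Optional) Configure the reassociation timeout.
ft reassociation-timeout timeout
By default, the reassociation timeout is 20 seconds.
The reassociation timeout is the maximum interval, after the client completes authentication, within which the client must send its reassociation request. If the client does not start reassociation within this time, the roam is terminated.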
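The two FT exchanges and the reassociation timeout described above can be modelled as follows. This is an added example, not H3C code: the Frame record, the frame-kind labels, the AP names and the traces are constructed for illustration, and the timeout is measured from the FT authentication response, as the text describes.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    t: float   # seconds since capture start (constructed)
    kind: str  # ft-auth-req | ft-auth-resp | reassoc-req | reassoc-resp
    ap: str    # AP the client exchanges this frame with over the air


def first(frames, kind, ap=None, after=-1.0):
    """First frame of the given kind (optionally for one AP) later than `after`."""
    for f in sorted(frames, key=lambda f: f.t):
        if f.kind == kind and f.t > after and (ap is None or f.ap == ap):
            return f
    return None


def classify_roam(frames, current_ap, target_ap, reassoc_timeout=20):
    """Return (ft_method, outcome) for one roam from current_ap to target_ap."""
    req = first(frames, "ft-auth-req")
    if req is None:
        return (None, "no FT authentication request")
    if req.ap == target_ap:
        method = "over-the-air"   # pre-roam authentication sent to the target AP
    elif req.ap == current_ap:
        method = "over-the-ds"    # pre-roam authentication relayed by the current AP
    else:
        return (None, "FT authentication request sent to an unrelated AP")
    resp = first(frames, "ft-auth-resp", ap=req.ap, after=req.t)
    if resp is None:
        return (method, "no FT authentication response")
    # The reassociation request must reach the target AP before the deadline.
    reassoc = first(frames, "reassoc-req", ap=target_ap, after=resp.t)
    if reassoc is None or reassoc.t - resp.t > reassoc_timeout:
        return (method, "reassociation timeout, roam terminated")
    if first(frames, "reassoc-resp", ap=target_ap, after=reassoc.t) is None:
        return (method, "no reassociation response")
    return (method, "roamed")


# Constructed traces: AP1 is the current AP, AP2 the target.
AIR = [Frame(0.0, "ft-auth-req", "AP2"), Frame(0.1, "ft-auth-resp", "AP2"),
       Frame(0.2, "reassoc-req", "AP2"), Frame(0.3, "reassoc-resp", "AP2")]
DS = [Frame(0.0, "ft-auth-req", "AP1"), Frame(0.1, "ft-auth-resp", "AP1"),
      Frame(0.2, "reassoc-req", "AP2"), Frame(0.3, "reassoc-resp", "AP2")]
LATE = [Frame(0.0, "ft-auth-req", "AP1"), Frame(0.1, "ft-auth-resp", "AP1"),
        Frame(25.0, "reassoc-req", "AP2")]

if __name__ == "__main__":
    for name, trace in (("AIR", AIR), ("DS", DS), ("LATE", LATE)):
        print(name, classify_roam(trace, "AP1", "AP2"))
```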
The AP models and serial numbers in this manual are examples only. For the AP models and serial numbers actually supported, refer to your device.
As shown in Figure 1-5, a client roams between different APs within the same AC using the Over-the-DS method, and PSK mode is used for client authentication and key management.
Figure 1-5 Network diagram for FT Over-the-DS with PSK authentication and key management mode
# Create the wireless service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID of the wireless service to service.
[AC-wlan-st-acstname] ssid service
# Set the authentication and key management mode to PSK, and use the plaintext string 12345678 as the PSK key.
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the reassociation timeout to 50 seconds.
[AC-wlan-st-acstname] ft reassociation-timeout 50
# Set the FT method to Over-the-DS.
[AC-wlan-st-acstname] ft method over-the-ds
# Enable the wireless service.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Create an AP named 1, and bind the wireless service template acstname to Radio 1 of AP 1.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create an AP named 2, and bind the wireless service template acstname to Radio 1 of AP 2.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
# On the AC, use the display wlan service-template command to view the configuration of the service template.
[AC] display wlan service-template acstname verbose
Service template name : acstname
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless-roam status : Disabled
Seamless-roam RSSI threshold : 50
Seamless-roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0 sec
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Disabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users : 4096
Max MAC-auth users : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT Status : Enable
FT Method : over-the-ds
FT Reassociation Deadline : 50 sec
QoS trust : Port
QoS priority : 0
# After the client comes online, use the display wlan client verbose command on the AC to view detailed information about the client.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
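One way to check the display output shown above, together with the earlier caution about enabling FT and 802.1X periodic re-authentication under the same service template. This is an added example, not H3C tooling: the function names are hypothetical and the sample text is constructed in the layout of the output on this page.

```python
# Sample text below is constructed in the "Name : value" layout of the display output.
TEMPLATE = """\
Service template name : stname
AKM mode : 802.1X
802.1X re-authenticate : Enabled
FT Status : Enable
FT Method : over-the-ds
FT Reassociation Deadline : 20 sec
"""
BEFORE = """\
MAC address : fc25-3f03-8361
AP name : 1
BSSID : 000f-e266-7788
Authentication method : Open system
Roam status : N/A
FT status : Active
"""
AFTER = """\
MAC address : fc25-3f03-8361
AP name : 2
BSSID : 000f-e211-2233
Authentication method : FT
Roam status : Intra-AC roam
FT status : Active
"""


def parse_fields(text):
    """Return {lower-cased field name: value}; wrapped continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields


def audit_template(text):
    """Flag FT combined with 802.1X periodic re-authentication in a service template."""
    f = parse_fields(text)
    ft_on = f.get("ft status", "").lower().startswith("enable")
    reauth_on = f.get("802.1x re-authenticate", "").lower().startswith("enable")
    if ft_on and reauth_on:
        return ["FT and 802.1X periodic re-authentication are both enabled"]
    return []


def verify_ft_roam(before_text, after_text):
    """Return the reasons two client snapshots do NOT show an FT roam (empty = FT roam)."""
    b, a = parse_fields(before_text), parse_fields(after_text)
    problems = []
    if b.get("mac address") != a.get("mac address"):
        problems.append("snapshots describe different clients")
    if b.get("bssid") == a.get("bssid"):
        problems.append("BSSID unchanged")
    if a.get("authentication method") != "FT":
        problems.append("Authentication method is not FT")
    if a.get("roam status", "N/A") == "N/A":
        problems.append("no roam recorded")
    return problems
```

An empty list from verify_ft_roam means the client moved to a new BSSID and the AC recorded the association as FT rather than a fresh Open system authentication.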
As shown in Figure 1-5, a client roams between different APs within the same AC using the Over-the-Air method, and PSK mode is used for client authentication and key management.
# Create the wireless service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID of the wireless service to service.
[AC-wlan-st-acstname] ssid service
# Set the authentication and key management mode to PSK, and use the plaintext string 12345678 as the PSK key.
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the reassociation timeout to 50 seconds.
[AC-wlan-st-acstname] ft reassociation-timeout 50
# Enable the wireless service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Create an AP named 1, and bind the wireless service template acstname to Radio 1 of AP 1.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create an AP named 2, and bind the wireless service template acstname to Radio 1 of AP 2.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
# After the client comes online, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
As shown in Figure 1-5, a client roams between different APs within the same AC using the Over-the-DS method, and 802.1X mode is used for client authentication and key management.
# Create the wireless service template stname.
<AC> system-view
[AC] wlan service-template stname
# Set the SSID of the wireless service to service.
[AC-wlan-st-stname] ssid service
# Set the authentication and key management mode to 802.1X.
[AC-wlan-st-stname] akm mode dot1x
# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.
[AC-wlan-st-stname] cipher-suite ccmp
[AC-wlan-st-stname] security-ie rsn
# Set the client security authentication mode to 802.1X.
[AC-wlan-st-stname] client-security authentication-mode dot1x
[AC-wlan-st-stname] dot1x domain imc
# Enable FT.
[AC-wlan-st-stname] ft enable
# Set the FT method to Over-the-DS.
[AC-wlan-st-stname] ft method over-the-ds
# Enable the wireless service.
[AC-wlan-st-stname] service-template enable
[AC-wlan-st-stname] quit
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create the RADIUS scheme imcc. Set the IP address of the primary authentication server to 10.1.1.3, with the plaintext shared key 12345678 for packets exchanged with the authentication server. Set the IP address of the primary accounting server to 10.1.1.3, with the plaintext shared key 12345678 for packets exchanged with the accounting server. Configure usernames sent to the RADIUS server to exclude the ISP domain name.
[AC] radius scheme imcc
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] primary accounting 10.1.1.3
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
# Create an authentication domain and configure it to use the RADIUS scheme for authentication, authorization and accounting.
[AC] domain imc
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
# Create an AP named 1, and bind the wireless service template stname to Radio 1 of AP 1.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template stname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create an AP named 2, and bind the wireless service template stname to Radio 1 of AP 2.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template stname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
# On the AC, use the display wlan service-template command to view the configuration of the service template.
[AC] display wlan service-template stname verbose
Service template name : stname
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless-roam status : Disabled
Seamless-roam RSSI threshold : 50
Seamless-roam RSSI gap : 20
VLAN ID : 1
AKM mode : 802.1X
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0 sec
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Disabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : imc
MAC-auth domain : Not configured
Max 802.1X users : 4096
Max MAC-auth users : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT Status : Enable
FT Method : over-the-ds
FT Reassociation Deadline : 20 sec
QoS trust : Port
QoS priority : 0
# After the client comes online, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
As shown in Figure 1-5, a client roams between different APs within the same AC using the Over-the-Air method, and 802.1X mode is used for client authentication and key management.
# Create the wireless service template stname.
<AC> system-view
[AC] wlan service-template stname
# Set the SSID of the wireless service to service.
[AC-wlan-st-stname] ssid service
# Set the authentication and key management mode to 802.1X.
[AC-wlan-st-stname] akm mode dot1x
# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.
[AC-wlan-st-stname] cipher-suite ccmp
[AC-wlan-st-stname] security-ie rsn
# Set the client security authentication mode to 802.1X.
[AC-wlan-st-stname] client-security authentication-mode dot1x
[AC-wlan-st-stname] dot1x domain imc
# Enable FT.
[AC-wlan-st-stname] ft enable
# Enable the wireless service.
[AC-wlan-st-stname] service-template enable
[AC-wlan-st-stname] quit
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create the RADIUS scheme imcc. Set the IP address of the primary authentication server to 10.1.1.3, with the plaintext shared key 12345678 for packets exchanged with the authentication server. Set the IP address of the primary accounting server to 10.1.1.3, with the plaintext shared key 12345678 for packets exchanged with the accounting server. Configure usernames sent to the RADIUS server to exclude the ISP domain name.
[AC] radius scheme imcc
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] primary accounting 10.1.1.3
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
# Create an authentication domain and configure it to use the RADIUS scheme for authentication, authorization and accounting.
[AC] domain imc
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
# Create an AP named 1, and bind the wireless service template stname to Radio 1 of AP 1.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template stname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create an AP named 2, and bind the wireless service template stname to Radio 1 of AP 2.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template stname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
# After the client comes online, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds