Configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 113
99
Configuration procedure
NOTE:
•
If the host runs the 802.1X client of Windows XP, the network properties of the connection must be
configured as follows: In the Authentication tab, select Enable IEEE 802.1x authentication for this
network and then select the EAP authentication type of the smart card or other certificates.
•
If the host runs the iNode 802.1X client, select the Enable advanced authentication checkbox and the
Certificate authentication option, and then click Settings and select the authentication type EAP-TLS.
1.
Obtain the CA certificate and the local certificate
If the AC has a copy of the CA certificate file and local certificate file, import the certificates in offline
mode. Otherwise, request a certificate for the AC and obtain the CA certificate in online mode. The PKI
domain for the certificate is eappki. (Details not shown. For information about PKI configuration, see
Security Configuration Guide.)
2.
Configure the SSL server side policy
# Configure the SSL server side policy eapsvr, specifying the PKI domain to be used as eappki.
[AC] ssl server-policy eapsvr
[AC-ssl-server-policy-eapsvr] pki-domain eappki
[AC-ssl-server-policy-eapsvr] quit
3.
Configure port security
# Enable port security globally.
[AC] port-security enable
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create a WLAN interface and configure the port security mode.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Disable the multicast trigger function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
# Disable the online user handshake function.
[AC-WLAN-ESS1] undo dot1x handshake
# Configure the port to use mandatory authentication domain test. With this configuration, the AC will
use the authentication, authorization, and accounting methods of this domain for all 802.1X users
accessing the port. This configuration is optional.
[AC-WLAN-ESS1] dot1x mandatory-domain test
[AC-WLAN-ESS1] quit
4.
Configure AAA methods
# Create an ISP domain and configure the domain to use local authentication and authorization
methods.
[AC] domain test
[AC-isp-test] authentication lan-access local
[AC-isp-test] authorization lan-access local
[AC-isp-test] quit
- H3C WX5500E Series Access Controllers H3C WX3500E Series Access Controllers H3C WX2500E Series Access Controllers H3C WX6000 Series Access Controllers H3C WX5000 Series Access Controllers H3C LSWM1WCM10 Access Controller Module H3C LSUM3WCMD0 Access Controller Module H3C LSUM1WCME0 Access Controller Module H3C LSWM1WCM20 Access Controller Module H3C LSQM1WCMB0 Access Controller Module H3C LSRM1WCM2A1 Access Controller Module H3C LSBM1WCM2A0 Access Controller Module H3C WA3600 Series Access Points H3C WA2600 Series WLAN Access Points H3C S10500 Series Switches H3C S5800 Series Switches H3C S5820X Series Switches H3C S12500 Series Switches H3C S9500E Series Switches H3C MSR 5600 H3C MSR 50 H3C MSR 3600 H3C MSR 30 H3C MSR 2600 H3C MSR 20-2X[40] H3C MSR 20-1X H3C MSR 930 H3C MSR 900 H3C SR8800 H3C SR6600-X H3C SR6600 H3C SecPath F5020 H3C SecPath F5040 H3C VMSG VFW1000