H3C Technologies H3C WX3000E Series Wireless Switches User Manual

2. Configure the ACL.
# Configure IP addresses of the interfaces. (Details not shown.)
# Configure ACL 3000 to deny packets destined to 10.0.0.1.

<AC> system-view

[AC] acl number 3000

[AC-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0

[AC-acl-adv-3000] quit

3. Configure RADIUS-based MAC authentication on the AC.
# Configure a RADIUS scheme.

[AC] radius scheme 2000

[AC-radius-2000] primary authentication 10.1.1.1 1812

[AC-radius-2000] primary accounting 10.1.1.2 1813

[AC-radius-2000] key authentication abc

[AC-radius-2000] key accounting abc

[AC-radius-2000] user-name-format without-domain

[AC-radius-2000] quit

# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.

[AC] domain 2000

[AC-isp-2000] authentication default radius-scheme 2000

[AC-isp-2000] authorization default radius-scheme 2000

[AC-isp-2000] accounting default radius-scheme 2000

[AC-isp-2000] quit

# Specify the ISP domain for MAC authentication.

[AC] mac-authentication domain 2000

# Configure the AC to use MAC-based user accounts, with the MAC addresses hyphen-separated and in lower case.

[AC] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable port security.

[AC] port-security enable

# Configure WLAN port security to use MAC and PSK authentication, and specify domain 2000 as the authentication domain for MAC authentication users on the port.

[AC] interface wlan-ess 0

[AC-WLAN-ESS0] port-security port-mode mac-and-psk

[AC-WLAN-ESS0] port-security tx-key-type 11key

[AC-WLAN-ESS0] port-security preshared-key pass-phrase 12345678

[AC-WLAN-ESS0] mac-authentication domain 2000

[AC-WLAN-ESS0] quit

# Create service template 2 of crypto type, configure its SSID as mac-authention-acl, and bind port WLAN-ESS 0 to service template 2.

[AC] wlan service-template 2 crypto

[AC-wlan-st-2] ssid mac-authention-acl

[AC-wlan-st-2] bind WLAN-ESS 0

[AC-wlan-st-2] authentication-method open-system

[AC-wlan-st-2] cipher-suite ccmp

[AC-wlan-st-2] security-ie rsn

[AC-wlan-st-2] service-template enable
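
The RADIUS server only matches a client if its account name has the exact form the AC sends under the settings above (mac-address with-hyphen lowercase, without-domain). The following Python helper is an added example, not part of the H3C manual: it normalizes a constructed MAC inventory into that form and rejects entries that cannot be client addresses. The function names, the sample inventory, and the FreeRADIUS-style output are assumptions, as is the MAC address doubling as the account password.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def radius_username(mac: str) -> str:
    """Return the User-Name form configured on this page:
    hyphen-separated, lowercase, with no @domain suffix."""
    # Separators (-, :, . and whitespace) are stripped wherever they occur.
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # The low bit of the first octet marks group (multicast/broadcast) addresses.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address cannot be a client: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_accounts(inventory):
    """Normalize an inventory; return (accounts, rejected) with duplicates collapsed."""
    accounts, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            name = radius_username(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if name not in seen:
            seen.add(name)
            accounts.append(name)
    return accounts, rejected


def freeradius_users(accounts):
    """Render FreeRADIUS 'users' file entries.
    Assumption: the AC sends the MAC address as the password as well."""
    return "\n".join(f'{a} Cleartext-Password := "{a}"' for a in accounts)


# Constructed sample inventory: mixed vendor formats, one duplicate, two invalid entries.
SAMPLE = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "AABBCCDDEEFF",
          "ff-ff-ff-ff-ff-ff", "00:1A:2B:3C:4D"]

if __name__ == "__main__":
    ok, bad = build_accounts(SAMPLE)
    print(freeradius_users(ok))
    for raw, reason in bad:
        print(f"rejected {raw}: {reason}")
```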