H3C WA2612-AGN Web-Based Configuration Manual


H3C WA Series Access Points
Web-Based Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document version: 6W106-20130802


Summary of Contents for H3C WA2612-AGN

  • Page 1 H3C WA Series Access Points Web-Based Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 6W106-20130802...
  • Page 2 Copyright © 2003-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3 Preface The H3C WA Series Access Points Web-based Configuration Guide describes the web functions of the WA series, such as quick start, Web overview, wireless service configuration, security and authentication related configurations, QoS configuration, and advanced settings. NOTE: The grayed out functions or parameters on the web interface indicate that they are not supported or •...
  • Page 4: Documentation Set

    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents an access point. Represents omnidirectional signals. About the H3C WA series access points documentation set The H3C WA series access points documentation set includes: Category Documents Purposes Product description and Marketing brochures Describe product specifications and benefits.
  • Page 5: Obtaining Documentation

    Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support &...
  • Page 6: Table Of Contents

    Contents
    About the WA series access points Web-based configuration guide, p. 1
    Applicable models and software versions, p. 1
    Feature matrix, p. 1
    Quick Start, p. 3
    Quick Start wizard home page, p. 3
    Basic configuration, p. 3
    ...
  • Page 7
    Log management configuration, p. 43
    Displaying syslog, p. 43
    Setting the log host, p. 44
    Setting buffer capacity and refresh interval, p. 45
    Configuration management, p. 47
    Backing up configuration, p. 47
    Restoring configuration, p. 47
    ...
  • Page 8
    VLAN configuration, p. 94
    Overview, p. 94
    Recommended configuration procedure, p. 94
    Creating a VLAN, p. 95
    Modifying a VLAN, p. 95
    Modifying a port, p. 96
    VLAN configuration example, p. 98
    Configuration guidelines, p. 99
    ...
  • Page 9
    Adding a domain name suffix, p. 136
    Clearing dynamic DNS cache, p. 136
    DNS configuration example, p. 136
    PPPoE, p. 141
    Overview, p. 141
    Configuring PPPoE client, p. 141
    Displaying PPPoE client session statistics, p. 143
    ...
  • Page 10
    Recommended configuration procedure, p. 194
    Configuring an ISP domain, p. 194
    Configuring authentication methods for the domain, p. 195
    Configuring authorization methods for the domain, p. 197
    Configuring accounting methods for the domain, p. 199
    AAA configuration example ...
  • Page 11
    Workgroup bridge mode overview, p. 264
    Configuring wireless service, p. 266
    Configuring access service, p. 266
    Recommended configuration procedure, p. 266
    Creating a wireless service, p. 266
    Configuring clear type wireless service, p. 267
    Configuring crypto type wireless service ...
  • Page 12
    Configuration procedure, p. 365
    Configuring a QoS policy, p. 367
    Recommended QoS policy configuration procedure, p. 367
    Adding a class, p. 368
    Configuring classification rules, p. 369
    Adding a traffic behavior, p. 372
    Configuring actions for a traffic behavior, p. 373
    ...
  • Page 13
    Configuring band navigation, p. 417
    Configuring multicast optimization, p. 419
    Advanced settings configuration examples, p. 421
    Band navigation configuration example, p. 421
    Multicast optimization configuration example, p. 423
    WLAN security configuration, p. 425
    WLAN security overview, p. 425
    ...
  • Page 14: About The Wa Series Access Points Web-Based Configuration Guide

    About the WA series access points Web-based configuration guide The H3C WA series access points Web-based configuration guide describes the software features for the H3C WA series access points and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 15 Ethernet interface is 1536 The maximum Ethernet bytes for the frame length allowed by WA2610-AGN, an Ethernet interface is WA2612-AGN, and 1600 bytes. WA2620-AGN and 1600 bytes for the other models. Supported on the APs Supported on the APs Wireless service Fast association supporting both 2.4 GHz...
  • Page 16: Quick Start

    Quick Start The Quick Start wizard leads you through basic configuration procedures to quickly make your device available for use. Quick Start wizard home page From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard. Figure 1 Home page of the Quick Start wizard Basic configuration On the home page of the Quick Start wizard, click start.
  • Page 17: Admin Configuration

    Figure 2 Basic configuration page
    Configure the parameters as described in Table 3.
    Table 3 Configuration items
    Item: Description
    System Name: Specify the name of the current device. By default, the system name of the device is the device model.
    Country/Region Code: Select the code of the country where you are. This field defines the radio frequency characteristics such as the power and the total number of channels for frame transmission.
  • Page 18: Ip Configuration

    Figure 3 Admin configuration page
    Configure the parameters as described in Table 4.
    Table 4 Configuration items
    Item: Description
    Password: Specify the password for user Admin to use to log into the device, in cipher text.
    Confirm Password: Enter the password again to confirm the password.
    Select the attribute for the password encryption method: •...
  • Page 19: Wireless Configuration

    Figure 4 IP configuration page
    Configure the parameters as described in Table 5.
    Table 5 Configuration items
    Item: Description
    IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging in to the device. By default, the IP address of VLAN-interface 1 is 192.168.0.50.
    Specify the IP address mask of VLAN-interface 1.
  • Page 20: Radius Configuration

    Figure 5 Wireless configuration page
    Configure the parameters as described in Table 6.
    Table 6 Configuration items
    Item: Description
    Primary Service Authentication type: Select the authentication type for the wireless service, which can be:
      • None—Performs no authentication.
      • User authentication (802.1X)—Performs 802.1X authentication.
      The default authentication type is None.
  • Page 21 Figure 6 RADIUS configuration page
    Configure the parameters as described in Table 7.
    Table 7 Configuration items
    Item: Description
    Service Type: Select the type of the RADIUS server. Two types are available: standard and enhanced:
      • extended—Specifies extended RADIUS server, which is usually an iMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private...
  • Page 22: Encryption Configuration

    Encryption configuration
    Select the Encrypt box on the wireless configuration page to enter the encryption configuration page shown in Figure 7.
    Figure 7 Encryption configuration page
    Table 8 Configuration items
    Item: Description
    Specify whether to use WEP keys provided automatically or use static WEP keys. •...
  • Page 23
    Item: Description
    Key ID: Select the WEP key index, which can be 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index is used for frame encryption and decryption.
      IMPORTANT: If you enable Provide Key Automatically, the available Key ID ranges from 1 to 3.
  • Page 24: Radio Configuration

    Item: Description
    Preshared Key Type:
      • pass-phrase—Enter a PSK in the form of a character string. You should enter a string that can be displayed and is of 8 to 63 characters.
      • raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.
  • Page 25: Configuration Summary

    Configuration summary On the radio configuration page, click Next. The configuration summary page appears, displaying all configurations you have made. Click finish to complete your configurations. Figure 10 Configuration summary page Quick Start configuration examples The wireless access methods that can be configured through the Quick Start wizard include simple text authentication, WEP (Open-System) encryption, and WPA-PSK and WPA2-PSK authentication.
  • Page 26
    • The AP provides a plain-text wireless service with SSID service.
    • 802.11n (2.4 GHz) is adopted to inter-work with the existing 802.11g network and meet the high bandwidth requirement.
    Figure 11 Network diagram
    Configuring the AP
    Perform basic configurations: From the navigation tree, select Quick Start.
  • Page 27: Wep (Open-System) Encryption Configuration Example

    Figure 13 Radio configuration page Check and apply the configurations: Click Next to enter the configuration summary page. If you want to modify certain configurations, click Back to return to the previous pages; if the configurations are correct, click finish to apply the configurations. Verifying the configuration Launch the wireless client, and refresh the network list.
  • Page 28 Figure 14 Network diagram Configuring the AP Perform basic configurations: From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard. Configure time parameters, login password, and login IP address as needed. Configure wireless service: On the IP configuration page, click Next to enter the wireless configuration page.
  • Page 29 Figure 16 Encryption configuration page Click Next to enter the radio configuration page. To perform radio configuration: Select the 802.11n(2.4GHz) box, and bind wireless service wep to the 802.11n (2.4 GHz) radio. Use default settings for other parameters. Click Next.
  • Page 30: Wpa2-Psk Authentication Configuration Example

    Click Next to enter the configuration summary page. If you want to modify certain configurations, click Back to return to the previous pages; if the configurations are correct, click finish to apply the configurations. Verifying the configuration Launch the wireless client, and refresh the network list. Select the configured service in Choose a •...
  • Page 31 Figure 19 Wireless configuration page Click Next to enter the encryption configuration page. To perform encryption configuration: Select AES-CCMP for Encryption Mode. Select WPA2 for Security IE. Select pass-phrase from the Preshared Key Type list. Enter the preshared key 12345678. Figure 20 Encryption configuration page Click Next to enter the radio configuration page.
  • Page 32 Use default settings for other parameters. Click Next. Figure 21 Radio configuration page Check and apply the configurations: Click Next to enter the configuration summary page. If you want to modify certain configurations, click Back to return to the previous pages; if the configurations are correct, click finish to apply the configurations.
  • Page 33: Summary

    Summary
    Device information
    You can view the following information on the Device Info menu:
    • Device information
    • System resource state
    • Device interface information
    • Recent system logs (at most five)
    After logging in to the web interface, you enter the Summary > Device page.
    Figure 22 Device info page
    NOTE: The information displayed on the device info page varies with devices.
  • Page 34: Device Info

    Select a refresh mode in the Refresh Period list.
    • If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the Device Info page according to the selected refresh period;
    • If you select Manual, click Refresh to refresh the page.
    ...
  • Page 35: Recent System Logs

    Item Description Display interface status. • —The interface is up and is connected. Status • —The interface is up, but not connected. • —The interface is down. To know more information about device interfaces, click the More hyperlink under the Device Interface Information area to enter the Device >...
  • Page 36 Figure 23 Displaying detailed information about WLAN service (clear type)
    Table 15 Field description
    Field: Description
    Service Template Number: Service template number.
    SSID: Service set identifier (SSID) for the ESS.
    Service Template Type: Service template type.
    Authentication Method: Type of authentication used. WLAN service of the clear type only uses open system authentication.
  • Page 37 Figure 24 Displaying detailed information about WLAN service (crypto type)
    Table 16 Field description
    Field: Description
    Service Template Number: Service template number.
    SSID: SSID provided by the AP.
    Service Template Type: Service template type.
    Security IE: Security IE: WPA or WPA2 (RSN)
    Authentication Method: Authentication method: open system or shared key.
  • Page 38: Displaying Statistics Of Wlan Service

    Field Description Maximum clients per BSS Maximum number of associated clients per BSS. Displaying statistics of WLAN service Figure 25 Displaying WLAN service statistics Displaying connection history information of WLAN service Figure 26 Displaying the connection history information of WLAN service...
  • Page 39: Displaying Radio

    Displaying radio Displaying WLAN services bound to a radio Select Summary > Radio from the navigation tree, click the specified radio unit, and select the Wireless Service tab to view the WLAN services bound to the radio. Figure 27 Displaying WLAN services bound to the radio The Noise Floor item in the figure indicates various random electromagnetic waves during the wireless communication.
  • Page 40 Figure 28 Displaying detailed radio information
    Table 17 Field description
    Field: Description
    WLAN-Radio1/0/1 current state: Link state of WLAN-Radio1/0/1.
    IP Packet Frame Type: Output frame encapsulation type.
    Hardware Address: MAC address of the radio interface.
    Radio-type: Interface radio type, which depends on the AP model.
    Operating channel used by the interface.
  • Page 41 Field Description 802.11n protection modes: • no protection mode(0)—The clients associated with the AP, and the wireless devices within the coverage of the AP operate in 802.11n mode, and all the clients associated with the AP operate in either 40 MHz or 20 MHz mode. •...
  • Page 42: Displaying Wds

    Field: Description
    Field (sample output):
      Output: 3436 packets, 492500 bytes
      : 3016 unicasts, 424408 bytes
      : 320 multicasts/broadcasts, 42994
    Description: Output packet statistics of the interface:
      • Number of packets (unicasts + multicasts/broadcasts + others), number of bytes.
      • Number of unicast packets, number of bytes of unicast packets.
  • Page 43: Displaying Client

    Field Description —If the signal strength indicator is represented by no signal bar, it indicates that RSSI=0. —If the signal strength indicator is represented by one signal bar at the leftmost, it indicates that 0<RSSI<=15. —If the signal strength indicator is represented by two signal bars from the left, it indicates that 15<RSSI<=25.
  • Page 44 Table 19 Field description Field Description MAC Address MAC address of the client. Association ID of the client. Username of the client: • The field is displayed as -NA- if the client adopts plain-text authentication or cipher-text authentication with no username. User Name •...
  • Page 45: Displaying Client Statistics

    Field Description Client Type Client type such as WPA2 (RSN), WPA, or Pre-RSN. Authentication Method Authentication method such as open system or shared key. AKM Method AKM suite used such as Dot1X or PSK. Display the 4-way handshake state: • IDLE—Displayed in initial state.
  • Page 46 Figure 31 Displaying client statistics NOTE: To view the IP address of the client, enable the ARP snooping function in system view through command lines. By default, the ARP snooping function is disabled, and NA is displayed in the IP Address column. Table 21 Field description Field Description...
  • Page 47: Displaying Rf Ping Information

    Displaying RF ping information Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you to get the connection information between the AP and its associated clients, such as signal strength, packet re-transmission attempts, and round trip time (RTT). Select Summary >...
  • Page 48: Device Basic Information Configuration

    Device basic information configuration
    The device basic information feature provides you the following functions:
    • Set the system name of the device. The configured system name will be displayed on the top of the navigation bar.
    • Set the idle timeout period for a logged-in user. The system logs an idle user off the web for security...
  • Page 49 Figure 34 Configuring web idle timeout period Set the web idle timeout period for a logged-in user. Click Apply.
  • Page 50: Device Maintenance Configuration

    Device maintenance configuration Software upgrade A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file to be used at the next reboot.
  • Page 51: Reboot

    Item: Description
    File Type: Specify the type of the boot file for the next boot:
      • Main—Boots the device.
      • Backup—Boots the device when the main boot file is unavailable.
      IMPORTANT: Support for this option depends on your device model. For more information, see "Feature matrix."...
  • Page 52: Diagnostic Information

    If you have selected the box before "Check configuration with next startup configuration file", the system checks the configuration before rebooting the device. If the check succeeds, the system reboots the device; if the check fails, the system displays a dialog box to inform you that the current configuration and the saved configuration are inconsistent, and does not reboot the device.
  • Page 53 NOTE:
    • The generation of the diagnostic file will take a period of time. During this process, do not perform any operation on the web page.
    • To view this file after the diagnostic file is generated successfully, select Device > File Management, or...
  • Page 54: System Time Configuration

    System time configuration You must configure a correct system time so that the device can work with other devices properly. The device supports setting system time through manual configuration and automatic synchronization of NTP server time. An administrator cannot keep time synchronized among all the devices within a network by changing the system clock on each device, because this is a huge amount of workload and cannot guarantee clock precision.
  • Page 55: Configuring The System Time

    Configuring the system time
    Select Device > System Time from the navigation tree. The calendar page appears.
    Figure 40 Calendar page
    Configure the system time as described in Table 24. Click Apply.
    Table 24 Configuration items
    Item: Description
    NTP Server: Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by entering their IP addresses.
  • Page 56: Log Management Configuration

    Log management configuration System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device status. With system log information, administrators can take corresponding actions against network problems and security problems.
  • Page 57: Setting The Log Host

    TIP:
    • You can click Reset to clear all system logs saved in the log buffer on the web interface.
    • You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup...
  • Page 58: Setting Buffer Capacity And Refresh Interval

    Figure 42 Set loghost
    Configure the log host as described in Table 26. Click Apply.
    Table 26 Configuration item
    Item: Description
    Loghost IP/Domain: Set the IPv4 address, domain name or IPv6 address of the loghost. You can specify up to four loghosts.
    Setting buffer capacity and refresh interval
    Select Device >...
  • Page 59 Figure 43 Syslog configuration page
    Configure buffer capacity and refresh interval as described in Table 27. Click Apply.
    Table 27 Configuration items
    Item: Description
    Buffer Capacity: Set the number of logs that can be stored in the log buffer.
    Refresh Interval: Set the refresh period on the log information displayed on the web interface. You can select manual refresh or automatic refresh: •...
  • Page 60: Configuration Management

    Configuration management Backing up configuration NOTE: When backing up a configuration file, back up the configuration file with the extension .xml. Otherwise some configuration information may not be restored in some cases (for example, when the configuration is removed). Configuration backup provides the following functions: •...
  • Page 61: Saving Configuration

    The page for restoring configuration appears. Figure 45 Configuration restore page Click the upper Browse button. The file upload dialog box appears. You can select the .cfg file to be uploaded. After you click the lower Browse button, the file upload dialog box appears. You can select the .xml file to be uploaded. Click Apply.
  • Page 62: Initializing Configuration

    Figure 46 Save configuration confirmation Common Select Device > Configuration from the navigation tree. Click the Save tab. The page in Figure 46 appears. Click Save Current Settings to save the current configuration to the configuration file. Initializing configuration This operation restores the system to factory defaults, deletes the current configuration file, and reboots the device.
  • Page 63: File Management Configuration

    File management configuration The device saves useful files (such as host software, configuration file) into the storage device, and the system provides the file management function for the users to manage those files conveniently and effectively. Displaying file list Select Device > File Management from the navigation tree. The file management page appears.
  • Page 64: Uploading A File

    Uploading a file NOTE: Uploading a file takes some time. H3C recommends that you not perform any operation on the web interface during the upgrading procedure. Select Device > File Management from the navigation tree. The page in Figure 48 appears.
  • Page 65: Interface Management Configuration

    Interface management configuration NOTE: Support for interface types varies with device models. An interface is the point of interaction or communication used for exchanging data between entities. There are two types of interfaces: physical and logical. A physical interface refers to an interface that physically exists as a hardware component.
  • Page 66 Figure 49 Interface management page Click an interface name in the Name column to display the statistics of that interface. The page for displaying interface statistics appears. Figure 50 Statistics on an interface...
  • Page 67: Creating An Interface

    Creating an interface Select Device > Interface from the navigation tree. The page in Figure 49 appears. Click Add. The page for creating an interface appears. Figure 51 Create an interface Configure the interface as described in Table 28. Click Apply. Table 28 Configuration items Item Description...
  • Page 68 Item Description This parameter is available only for Layer 3 Ethernet subinterfaces. If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the subinterface. IMPORTANT: This configuration item is not configurable because the device does not support Layer 3 Ethernet subinterfaces.
  • Page 69: Modifying A Layer 2 Interface

    Item: Description
    IPv6 Config: Set the way for the interface to obtain an IPv6 link-local address, including:
      • None: Select this option if you do not want to assign an IPv6 link-local address to the interface.
      • Auto: Select this option for the system to automatically assign an IPv6 link-local address to the interface.
  • Page 70 Table 29 Configuration items
    Item: Description
    Port State: Enables or disables the interface. In some cases, modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification work.
  • Page 71 Item Description Set the Medium Dependent Interface (MDI) mode for the interface. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following three MDI modes: •...
  • Page 72: Modifying A Layer 3 Interface

    Item Description Multicast Suppression: Set multicast suppression. You can suppress multicast traffic by percentage or by PPS as follows: • ratio: Sets the maximum percentage of multicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
  • Page 73 Figure 53 Modify a Layer 3 physical interface Modify the information about the Layer 3 interface. The configuration items of modifying the Layer 3 interface are similar to those of creating an interface. Table 31 describes configuration items proper to modifying a Layer 3 interface. Click Apply.
  • Page 74: Interface Management Configuration Example

    Item Description Display and set the interface status. • The display of Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface. • The display of Not connected indicates that the current status of the interface is up but not connected.
  • Page 75 Figure 55 Create VLAN-interface 100 Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24 (255.255.255.0) from the Mask list. Click Apply.
  • Page 76: Tr-069 Configuration

    CPE, and uses the options field in the DHCP packet to provide configuration parameters to the CPE. The H3C device is a CPE and uses TR-069 to communicate with an ACS. NOTE: Network Management and Monitoring Configuration Guide...
  • Page 77 Select Device > TR-069 from the navigation tree. The TR-069 configuration page appears. Figure 57 TR-069 configuration page Configure TR-069 parameters described in Table Click Apply. Table 32 Configuration items Item Description Enable or disable TR-069. TR-069 TR-069 configurations can take effect only after you enable TR-069. URL.
  • Page 78: Configuration Guidelines

    Configuration guidelines When you configure TR-069, follow these guidelines: • TR-069 configuration through ACS is of higher priority than that through the web interface. You cannot use a configuration mode to modify parameters configured through a configuration mode with a higher priority. • To remove parameter configuration, you need to select the box in front of a parameter, clear its...
  • Page 79: User Management Configuration

    User management configuration In the user management part, you can perform the following configuration: • Create a local user, and set the password, access level, and service type for the user. • Set the super password for switching the current web user level to the management level...
  • Page 80: Setting The Super Password

    Item Description Set the access level for a user. Users of different levels can perform different operations. Web user levels, from low to high, are visitor, monitor, configure, and management. • Visitor: Users of visitor level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
  • Page 81: Switching The User Access Level To The Management Level

    Table 34 Configuration items Item Description Create/Remove: Set the operation type: • Create: Configure or modify the super password. • Remove: Remove the current super password. Password: Set the password for a user to switch to the management level. Confirm Password: Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
  • Page 82: Snmp Configuration

    NMS and agents, preventing the packets from being intercepted. USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy. NOTE: For more information about SNMP, see H3C WA Series WLAN Access Points Network Management and Monitoring Configuration Guide. Configuration task list...
  • Page 83 Table 35 SNMPv1 or SNMPv2c configuration task list Task Remarks Required The SNMP agent function is disabled by default. Enabling SNMP IMPORTANT: If SNMP is disabled, all SNMP-related configurations are removed. Optional After creating SNMP views, you can specify an SNMP view for an Configuring an SNMP view SNMP group to limit the MIB objects that can be accessed by the SNMP group.
  • Page 84: Enabling Snmp

    Enabling SNMP Select Device > SNMP from the navigation tree. The SNMP configuration page appears. Figure 61 Setup page Configure SNMP settings on the upper part of the page as described in Table Click Apply.
  • Page 85: Configuring An Snmp View

    Table 37 Configuration items Item Description SNMP: Enable or disable SNMP agent. Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
  • Page 86 Figure 63 Create an SNMP view (1) Enter the view name. Click Apply. The page in Figure 64 appears. Figure 64 Create an SNMP view (2) Configure the parameters as described in Table Click Add. Repeat steps 6 and 7 to add more rules for the SNMP view. Click Apply.
  • Page 87: Adding Rules To An Snmp View

    Adding rules to an SNMP view Select Device > SNMP from the navigation tree. Click the View tab. The page in Figure 62 appears. Click the icon of the target view. The Add rule for the view ViewDefault window appears. Figure 65 Add rules to an SNMP view Configure the parameters as described in Table...
  • Page 88: Configuring An Snmp Group

    Figure 67 Create an SNMP Community Configure SNMP community settings as described in Table Click Apply. Table 39 Configuration items Item Description Community Name: Set the SNMP community name. Access Right: Configure SNMP NMS access right. • Read only: The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
  • Page 89 Figure 68 SNMP group Click Add. The Add SNMP Group page appears. Figure 69 Create an SNMP group Configure SNMP group settings as described in Table Click Apply. Table 40 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group.
  • Page 90: Configuring An Snmp User

    Item Description Notify View: Select the notify view of the SNMP group, that is, the view that can send trap messages. If no notify view is configured, the agent does not send traps to the NMS. Associate a basic ACL with the group to restrict the source IP address of SNMP packets, that is, you can configure to allow or prohibit SNMP packets with a specific source IP address, so as to restrict the intercommunication between the NMS and the agent.
  • Page 91 Figure 71 Create an SNMP user Configure SNMP user settings as described in Table Click Apply. Table 41 Configuration items Item Description User Name Set the SNMP user name. Select the security level for the SNMP group. The available security levels are: •...
  • Page 92: Configuring Snmp Trap Function

    Item Description Authentication Password: Set the authentication password when the security level is Auth/NoPriv or Auth/Priv. Confirm Authentication Password: The confirm authentication password must be the same as the authentication password. Privacy Mode: Select a privacy mode (including DES56, AES128, and 3DES) when the security level is Auth/Priv.
  • Page 93 Figure 73 Add a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply. Table 42 Configuration items Item Description Destination IP Address: Set the destination IP address or domain name. Select the IP address type: IPv4/Domain or IPv6, and then type the corresponding IP address or domain name in the field according to the IP address type.
  • Page 94: Displaying Snmp Packet Statistics

    Displaying SNMP packet statistics Select Device > SNMP from the navigation tree. The page for displaying SNMP packet statistics appears. Figure 74 SNMP packet statistics SNMP configuration example Network requirements The NMS connects to the agent, an AP, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the AP is 1.1.1.1/24.
  • Page 95 Select Device > SNMP from the navigation tree. The Setup page appears. Figure 76 Enable SNMP Select the Enable option. Select the v3 box. Click Apply. Configure an SNMP view. Click the View tab. Click Add. The page for creating an SNMP view appears. Figure 77 Create an SNMP view (1) Enter view1 in the field.
  • Page 96 Figure 78 Create an SNMP view (2) Select the Included radio box, enter the MIB subtree OID interfaces, and click Add. Click Apply. A configuration progress dialog box appears. Figure 79 Configuration progress dialog box Click Close after the configuration process is complete. Configure an SNMP group.
  • Page 97 Figure 80 Create an SNMP group Enter group1 in the field of Group Name, select view1 from the Read View box, and select view1 from the Write View box. Click Apply. Configure an SNMP user Click the User tab. Click Add. The page in Figure 81 appears.
  • Page 98 Figure 81 Create an SNMP user Enable the agent to send SNMP traps. Click the Trap tab. The page in Figure 82 appears. Select the Enable SNMP Trap box. Click Apply. Figure 82 Enable the agent to send SNMP traps Add target hosts of SNMP traps.
  • Page 99 The page in Figure 83 appears. Select the destination IP address type as IPv4/Domain, enter the destination address 1.1.1.2, enter the user name user1, and select v3 from the Security Model list. Click Apply. Figure 83 Add target hosts of SNMP traps Configuring the NMS CAUTION: The NMS must have the same configuration as the agent.
  • Page 100: Loopback Configuration

    Loopback configuration You can check whether an Ethernet port works normally by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. Ethernet port loopback test can be an internal loopback test or an external loopback test. • In an internal loopback test, self loop is established in the switching chip to check whether there is...
  • Page 101: Configuration Guidelines

    Table 43 Configuration items Item Description Testing type (External or Internal): Sets the loopback test type, which can be selected between External and Internal. Click Test to start the loopback test. The Result box displays the test results. Figure 85 Loopback test result Configuration guidelines When you perform a loopback test, follow these guidelines: You can perform an internal loopback test but not an external loopback test on a port that is...
  • Page 102: Mac Address Configuration

    MAC address configuration NOTE: • MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces. • This chapter covers only the management of static and dynamic MAC address entries, not multicast MAC address entries. A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the MAC address of a connected device, to which interface this device is connected and to which VLAN the interface belongs.
  • Page 103: Configuring A Mac Address Entry

    Figure 86 MAC address table of the device Configuring a MAC address entry Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device, as shown in Figure Figure 87 The MAC tab Click Add at the bottom to enter the page for creating MAC address entries, as shown in...
  • Page 104: Setting The Aging Time Of Mac Address Entries

    Figure 88 Create a MAC address entry Configure the MAC address entry as described in Table Click Apply. Table 44 Configuration items Item Description Set the MAC address to be added. Set the type of the MAC address entry: • static: Static MAC address entries that never age out.
  • Page 105: Mac Address Configuration Example

    Figure 89 Set the aging time for MAC address entries Set the aging time as described in Table Click Apply. Table 45 Configuration items Item Description No-aging Specify that the MAC address entry never ages out. Aging time Set the aging time for the MAC address entry. MAC address configuration example Network requirements Use the MAC address table management function of the Web-based NMS.
  • Page 106 Figure 90 Create a static MAC address entry...
  • Page 107: Vlan Configuration

    VLANs. Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. NOTE: For more information about VLAN, see H3C WA Series Access Points Layer 2 Configuration Guide. Recommended configuration procedure...
  • Page 108: Creating A Vlan

    Creating a VLAN Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page as shown in Figure Figure 92 VLAN configuration page TIP: To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the VLAN Range field and click Select, and all undesired VLANs will be filtered out.
  • Page 109: Modifying A Port

    Figure 94 Modify a VLAN Configure the description and port members for the VLAN as described in Table Click Apply. Table 46 Configuration items Item Description Display the ID of the VLAN to be modified. Description: Set the description string of the VLAN. By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.
  • Page 110 Click the icon for the port to be modified to enter the page as shown in Figure Figure 96 Modify a port Configure the port as described in Table Click Apply. Table 47 Configuration items Item Description Port Display the port to be modified. Untagged Member Display the VLAN(s) to which the port belongs as an untagged member.
  • Page 111: Vlan Configuration Example

    VLAN configuration example Network requirements As shown in Figure • GigabitEthernet 1/0/1 on both devices are hybrid ports with VLAN 1 as their default VLAN. • Configure GigabitEthernet 1/0/1 to allow packets of VLAN 1, VLAN 2, VLAN 6 through VLAN 50,...
  • Page 112: Configuration Guidelines

    Figure 99 Configure GigabitEthernet 1/0/1 as a tagged member of VLAN 2 and VLANs 6 through 50 Click Apply. A dialog box appears asking you to confirm the operation. Click OK in the dialog box. Configure GigabitEthernet 1/0/1 as an untagged member of VLAN 100: Click the icon of GigabitEthernet 1/0/1.
  • Page 113 • VLAN 1 is the default VLAN, which cannot be manually created or removed. • Some VLANs are reserved for special purposes. You cannot manually create or remove them. • Dynamic VLANs cannot be manually removed...
  • Page 114: Arp Configuration

    In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. NOTE: For more information about ARP, see H3C WA Series Access Points Layer 3 Configuration Guide. Introduction to gratuitous ARP...
  • Page 115: Creating A Static Arp Entry

    Figure 101 ARP Table configuration page Creating a static ARP entry Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 101. Click Add to enter the New Static ARP Entry page, as shown in Figure 102.
  • Page 116: Removing Arp Entries

    Item Description Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry. IMPORTANT: The VLAN ID must be the ID of the VLAN that has already been created, and the port must belong to the VLAN. The corresponding VLAN interface must have been created. Removing ARP entries Select Network >...
  • Page 117: Static Arp Configuration Example

    Static ARP configuration example Network requirements To enhance communication security between the AP and the router, configure static ARP entries on the Figure 104 Network diagram Configuration procedure NOTE: Before performing the following configuration, configure interface VLAN-interface 1 and log in to the web configuration page of the AP through VLAN-interface 1.
  • Page 118: Igmp Snooping Configuration

    • Reducing Layer 2 broadcast packets and saving network bandwidth • Enhancing the security of multicast packets • Facilitating the implementation of accounting for each host NOTE: For more information about IGMP snooping, see H3C WA Series Access Points IP Multicast Configuration Guide...
  • Page 119: Recommended Configuration Procedure

    Recommended configuration procedure Step Remarks Required Enabling IGMP snooping globally By default, IGMP snooping is disabled. Required Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN. IMPORTANT: Configuring IGMP snooping on a VLAN...
  • Page 120: Configuring Igmp Snooping On A Vlan

    Figure 107 Basic IGMP snooping configurations Configuring IGMP snooping on a VLAN Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 107. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 108.
  • Page 121: Configuring Igmp Snooping On A Port

    Click Apply. Table 50 Configuration items Item Description VLAN ID This field displays the ID of the VLAN to be configured. Enable or disable IGMP snooping on the VLAN. IGMP snooping You can proceed with the subsequent configurations only if Enable is selected here. By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process.
  • Page 122 Figure 109 Advanced configuration Configure IGMP snooping on a port as described in Table Click Apply. Table 51 Configuration items Item Description Select the port on which advanced IGMP snooping features are to be configured. Port After a port is selected, advanced features configured on this port are displayed at the lower part of this page.
  • Page 123: Displaying Igmp Snooping Multicast Entry Information

    Displaying IGMP snooping multicast entry information Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 107. Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown Figure 110.
  • Page 124: Igmp Snooping Configuration Example

    IGMP snooping configuration example Network requirements • As shown in Figure 112, Router A connects to a multicast source (Source) through Ethernet 1/2, and to the AP through Ethernet 1/1. • The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast...
  • Page 125 Enable IGMP snooping and the function of dropping unknown multicast data on VLAN 1 (where GigabitEthernet 1/0/1 and WLAN-BSS 1 reside by default): Click the icon corresponding to VLAN 1. To enable IGMP snooping and the function of dropping unknown multicast data on VLAN 1: Select the Enable option for IGMP Snooping.
  • Page 126 Figure 116 Information about an IGMP snooping multicast entry...
  • Page 127: Ipv4 And Ipv6 Routing Configuration

    NOTE: For more information about routing table and static routing, see H3C WA Series Access Points Layer 3 Configuration Guide. Displaying the IPv4 active route table Select Network >...
  • Page 128: Creating An Ipv4 Static Route

    Figure 117 IPv4 active route table Table 53 Field description Field Description Destination IP Address Destination IP address and subnet mask of the IPv4 route. Mask Protocol Protocol that discovered the IPv4 route. Preference value for the IPv4 route. Preference The smaller the number, the higher the preference.
  • Page 129 Figure 118 Create an IPv4 static route Specify relevant information as described in Table Click Apply. Table 54 Configuration items Item Description Enter the destination host or network IP address, in dotted decimal Destination IP Address notation. Enter the mask of the destination IP address. Mask You can enter a mask length or a mask in dotted decimal notation.
  • Page 130: Displaying The Ipv6 Active Route Table

    Item Description Interface: Select the outgoing interface. You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IP address is unreachable. If you select this option, do not enter any IP address in the Next Hop field. Otherwise, the configuration does not take effect.
  • Page 131: Creating An Ipv6 Static Route

    Creating an IPv6 static route Select Network > IPv6 Routing from the navigation tree. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 120. Figure 120 Create an IPv6 static route Specify relevant information as described in Table Click Apply.
  • Page 132: Ipv4 Static Route Configuration Example

    Item Description Interface: Select the outgoing interface. You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IPv6 address is unreachable. IPv4 static route configuration example Network requirements The IP addresses of devices are shown in Figure 121.
  • Page 133 Figure 122 Configure a default route Verifying the configuration Display the route table: Enter the IPv4 route page of Switch A, Switch B, and AP respectively to verify that the newly configured static routes are displayed as active routes on the page. Ping Host B from Host A (assuming both hosts run Windows XP): C:\Documents and Settings\Administrator>ping 1.1.3.2 Pinging 1.1.3.2 with 32 bytes of data:...
  • Page 134: Ipv6 Static Route Configuration Example

    IPv6 static route configuration example Network requirements The IP addresses of devices are shown in Figure 123. IPv6 static routes must be configured on Switch A, Switch B and AP for Host A and Host B to communicate with each other. Figure 123 Network diagram Configuration outlines On Switch A, configure a default route with Switch B as the next hop.
  • Page 135 Figure 124 Configure a default route Verifying the configuration Display the route table: Enter the IPv6 route page of Switch A, Switch B, and AP respectively to verify that the newly configured static routes are displayed as active routes on the page. Ping Host B from Switch A: <SwitchA>...
  • Page 136: Configuration Guidelines

    0.00% packet loss round-trip min/avg/max = 62/62/63 ms Configuration guidelines When you configure a static route, follow these guidelines: If you do not specify the preference when you configure a static route, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. The web interface does not support configuration of the default preference.
  • Page 137: Dhcp Overview

    DHCP overview NOTE: After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Interface management." The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
  • Page 138: Enabling Dhcp

    Step Remarks Optional With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server assigns an IP address from its address pool to the DHCP client. Enabling the DHCP server on an interface With DHCP enabled, interfaces work in the DHCP server mode.
  • Page 139 Select the Static option in the Address Pool field to view all static address pools. Click Add to enter the page shown in Figure 127. Figure 127 Create a static address pool Configure the static address pool as described in Table Click Apply.
  • Page 140: Creating A Dynamic Address Pool For The Dhcp Server

    Item Description Gateway Address: Enter the gateway addresses for the client. A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP server will assign gateway addresses while assigning an IP address to the client.
  • Page 141 Figure 128 Create a dynamic address pool Configure the dynamic address pool as described in Table Click Apply. Table 58 Configuration items Item Description IP Pool Name Enter the name of a dynamic address pool. Enter an IP address segment for dynamic allocation. IP Address To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic...
  • Page 142: Enabling The Dhcp Server On An Interface

    Item Description Gateway Address: Enter the gateway addresses for the client. DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients and the DHCP server assigns gateway addresses while assigning an IP address to the client.
  • Page 143: Dhcp Server Configuration Example

    Table 59 Field description Item Description IP Address Assigned IP address. Client MAC Address/Client ID Client MAC address or client ID bound to the IP address. Pool Name Name of the DHCP address pool where the IP address belongs. Lease Expiration Lease time of the IP address.
  • Page 144 Figure 131 Enable DHCP Enable the DHCP server on VLAN-interface 1: (This operation can be omitted because the DHCP server is enabled on the interface by default.) Click the icon of VLAN-interface 1 in the Interface Configuration field. Select the Enable option for DHCP Server as shown in Figure 132.
  • Page 145 Enter 10.1.1.2 for Gateway Address. − Click Apply. Figure 133 Configure a dynamic address pool for the DHCP server...
  • Page 146: Dns Configuration

    Dynamic domain name resolution Dynamic domain name resolution is implemented by querying the DNS server. NOTE: For more information about DNS, see H3C WA Series Access Points Layer 3 Configuration Guide. Recommended configuration procedure Configuring static name resolution table...
  • Page 147: Configuring Dynamic Domain Name Resolution

    Configuring dynamic domain name resolution Step Remarks Required Configuring dynamic domain name resolution Enable dynamic domain name resolution. This function is disabled by default. Required Adding a DNS server address Not configured by default. Optional Adding a domain name suffix Not configured by default.
  • Page 148: Configuring Dynamic Domain Name Resolution

    Table 60 Configuration items Item Description Host Name, Host IP Address: Configure the mapping between a host name and an IP address in the static domain name table. Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the last configured one takes effect.
  • Page 149: Adding A Domain Name Suffix

    Figure 137 Add a DNS server address Adding a domain name suffix Select Network > DNS from the navigation tree. Click the Dynamic tab to enter the page shown in Figure 136. Click Add Suffix to enter the page shown in Figure 138.
  • Page 150 dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16. Configure dynamic domain name resolution and the domain name suffix com on the AP that serves as a DNS client so that the AP can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/16.
  • Page 151 Figure 141, right click zone com, and then select New Host. Figure 141 Add a host In the dialog box as shown in Figure 142, enter host name host and IP address 3.1.1.1. Click Add Host. Figure 142 Add a mapping between domain name and IP address...
  • Page 152 Configuring the AP Enable dynamic DNS: Select Network > DNS from the navigation tree. Click the Dynamic tab to enter the page shown in Figure 143. Select the Enable option for Dynamic DNS. Click Apply. Figure 143 Enable dynamic DNS Configure the IP address of the DNS server: Figure 143, click Add IP to enter the page for adding a DNS server IP address, as shown...
  • Page 153 Click Apply. Figure 145 Add a domain name suffix Verifying the configuration Use the ping host command on the AP to verify that the communication between the AP and the host is normal and that the corresponding destination IP address is 3.1.1.1. Select Diagnostic Tools >...
  • Page 154: Pppoe

    PPPoE Overview Point-to-Point Protocol over Ethernet (PPPoE) uses the client/server model. It establishes point-to-point links over Ethernet, and encapsulates PPP packets in Ethernet frames. APs configured as PPPoE clients can be connected to the Internet through a remote access device, and access control and accounting can be implemented on a per-AP basis.
  • Page 155 Figure 148 PPPoE client information Click Add to enter the page for creating a PPPoE client, as shown in 2. Figure 149 Create a PPPoE client Configure the parameters for the PPPoE client as described in Table Click Apply. Table 61 Configuration items Task Remarks Dialer Interface...
  • Page 156: Displaying Pppoe Client Session Statistics

    Task Remarks IP Config: Configure the way the dialer interface obtains its IP address: • None: Do not configure an IP address • Static Address: Statically configure an IP address and subnet mask for the interface • PPP Negotiate: Obtain an IP address through PPP negotiation •...
  • Page 157: Displaying Pppoe Client Session Summary Information

    Figure 150 Statistic information Table 62 Field description Field Description Interface: Ethernet interface where the PPPoE session belongs. This field is null when the PPPoE session is bundled with a VLAN interface. Session Number: PPPoE session ID. Received Packets: Number of received packets in the PPPoE session. Received Bytes: Number of received bytes in the PPPoE session.
  • Page 158: Pppoe Client Configuration Example

    Figure 151 Summary information Table 63 Field description Field Description Session Number: PPPoE session ID. Dialer Interface Number: Number of the dialer interface corresponding to the PPPoE session. Interface: Ethernet interface where the PPPoE session belongs. This field is null when the PPPoE session is bundled with a VLAN interface.
  • Page 159 Configuring the PPPoE client Create a PPPoE client: Select Network > PPPoE from the navigation tree. The system automatically enters the Client page. Click Add to enter the page shown in Figure 153. To create a PPPoE client: Enter 1 as the dialer interface name. Enter user1 as the username.
  • Page 160: Configuration Guidelines

    Select Network > PPPoE from the navigation tree of the AP and click the Session tab. Select Summary Information from the Information Type list. Figure 154 shows that PPP negotiation is completed. Figure 154 Display the summary information of PPPoE sessions Configuration guidelines The dialer interfaces you create on the page generated after you select Device >...
  • Page 161: Service Management

    Service management Overview The service management module provides the following types of services: Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. Running only the services you need enhances the performance and security of the system and keeps management of the device secure. The service management module also provides the function to modify HTTP and HTTPS port numbers, and the function to associate the HTTP or HTTPS service with an ACL, thus reducing attacks by unauthorized users on these services.
  • Page 162: Configuring Service Management

    Configuring service management Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 155. Figure 155 Service management Enable or disable various services on the page as described in Table Click Apply. Table 64 Configuration items Item Description...
  • Page 163 Item Description Specifies whether to enable the HTTPS service. Enable HTTPS service. The HTTPS service is disabled by default. Sets the port number for HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS. Port Number.
  • Page 164: Diagnostic Tools

    Diagnostic tools Overview Ping You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity. A successful execution of the ping command involves the following steps: The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
  • Page 165: Ping Operation

    Ping operation IPv4 ping operation Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page. Click the expansion button before Advanced Setup to display the configurations of the advanced parameters of IPv4 ping operation, as shown in Figure 156.
  • Page 166: Ipv6 Ping Operation

    Figure 157 IPv4 ping operation results IPv6 ping operation Select Diagnostic Tools > Ping from the navigation tree. Enter the IPv6 ping configuration page (default setting). Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping operation, as shown in Figure 158.
  • Page 167 Figure 158 IPv6 ping Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field. Set the advanced parameters for the IPv6 ping operation. Click Start to execute the ping command. View the result in the Summary field, as shown in Figure 159.
  • Page 168: Trace Route Operation

    Figure 159 IPv6 ping operation results Trace route operation NOTE: • The web interface does not support trace route on IPv6 addresses. • Before performing the trace route operations, execute the ip ttl-expires enable command on the intermediate device to enable the sending of ICMP timeout packets and the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets.
  • Page 169 Figure 160 Trace Route configuration page Enter the destination IP address or host name. Click Start to execute the trace route command. View the result in the Summary field, as shown in Figure 161. Figure 161 Trace route operation results...
  • Page 170: Web Overview

    Web overview The device provides web-based configuration interfaces for visual device management and maintenance. Figure 162 Web-based network management operating environment Logging in to the web interface You can use the following default settings to log in to the web interface: Username—admin •...
  • Page 171: Logging Out Of The Web Interface

    164, click Logout in the upper-right corner of the web interface to quit web-based network management. The system does not save the current configuration before you log out of the web interface. H3C recommends that you save the current configuration before logout.
  • Page 172: Web User Level

    • Title area—On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the web related help information, and the Logout button to log out of the web interface. Web user level Web user levels, ranging from low to high, are visitor, monitor, configure, and management.
  • Page 173 Function menu Description User level Display and configure the idle timeout period Set idle timeout Configure for a logged-in user. Software Upload the file to be upgraded from the local Management Upgrade host to upgrade the system software. Device Maintena Reboot Reboot the device.
  • Page 174 Function menu Description User level Configure SNMP. Configure Perform the loopback test on Ethernet Loopback Test Configure interfaces. Display MAC address information. Monitor Create or remove MAC addresses. Configure Display and configure MAC address aging Setup Configure time. Display all VLANs on the device and Monitor information about their member ports.
  • Page 175 Function menu Description User level Static Domain Display, create, modify, or delete a static Configure Name Resolution host name-to-IP address mapping. Display and configure related parameters for Dynamic Domain dynamic domain name resolution. Display, Configure Name Resolution create, or delete an IP address and the domain name suffix.
  • Page 176 Function menu Description User level Display radio parameters. Monitor Parameter Setting Configure radio parameters. Configure Display channel scanning, including scanning mode, scanning type and scanning interval. Monitor View the AP operating mode (normal, monitor, and hybrid). Channel Scan Configure channel scanning, including scanning mode and scanning type;...
  • Page 177 Function menu Description User level Display guest users' configuration Monitor information. Add, modify, and remove guest users. Management Guest Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, Configure and delete a certificate. Display information about PKI entities. Monitor Entity Add, modify, and delete a PKI entity.
  • Page 178 Function menu Description User level Display Display IPv4 ACL configuration information. Monitor Add an IPv4 ACL. Configure Basic Setup Configure a rule for a basic IPv4 ACL. Configure ACL IPv4 Advanced Setup Configure a rule for an advanced IPv4 ACL. Configure Create a rule for an Ethernet frame header Link Setup...
  • Page 179 Function menu Description User level Add a class. Configure Setup Configure the classification rules for a class. Configure Delete Delete a class or its classification rules. Configure Display traffic behavior configuration Display Monitor information. Add a traffic behavior. Configure Behavior Setup Configure actions for a traffic behavior.
  • Page 180: Common Web Interface Elements

    Common web interface elements Common buttons and icons Table 66 Common buttons and icons Button and icon Description Bring the configuration on the current page into effect. Cancel the configuration on the current page, and go to the corresponding display page or device information page. Refresh the information on the current page.
  • Page 181 Figure 165 Content display by pages Searching function The web interface provides basic and advanced search functions that display only the entries matching specific search criteria. • Basic search: As shown in Figure 165, enter the keyword in the field above the list, select a search...
  • Page 182 Figure 167 Advanced search Take the ARP table shown in Figure 165 as an example. To search for the ARP entries with 000f at the beginning of the MAC address, and IP address range 192.168.1.50 to 192.168.1.59: Click the Advanced Search link, specify the search criteria on the advanced search page as shown Figure 168, and click Apply.
  • Page 183 Figure 169 Advanced search function example (II) Figure 170 Advanced search function example (III) Sorting function The web interface provides you with the basic sorting function to display entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
  • Page 184: Configuration Guidelines

    • The web-based configuration interface supports Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher. H3C recommends that you select Display all websites in Compatibility View for Internet Explorer 9.0 and higher.
  • Page 185: Troubleshooting Web Browser

    Troubleshooting web browser Failure to access the device through the web interface Symptom You can ping the device successfully, and log in to the device through telnet. HTTP is enabled and the operating system and browser version meet the web interface requirements. However, you cannot access the web interface of the device.
  • Page 186 The dialog box Security Settings appears. Enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting. Figure 173 Internet Explorer Setting (II) Click OK in the Security Settings dialog box. Configuring Firefox web browser settings Open the Firefox web browser, and then select Tools >...
  • Page 187 Figure 174 Firefox web browser setting...
  • Page 188: Radio Configuration

    Radio configuration Radio frequency (RF) refers to electrical signals that can be transferred over the space to a long distance. 802.11b/g in the IEEE 802.11 standards operates at the 2.4 GHz band, 802.11a operates at the 5 GHz band, and 802.11n operates at both the 2.4 GHz and 5 GHz bands.
  • Page 189 Item Description IMPORTANT: 802.11n The option is available only when the AP supports 802.11n and the radio mode is 802.11n. 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately with one acting as the primary channel and the other acting as the secondary channel or work together as a 40-MHz channel.
  • Page 190 Expand Advanced Setup. Figure 176 Radio setup (advanced setup) Configure the radio as described in Table Click Apply. Table 68 Configuration items Item Description Preamble is a pattern of bits at the beginning of a frame so that the receiver can sync up and be ready for the real data.
  • Page 191 Item Description Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented. • In a wireless network where error rate is high, you can decrease the fragment threshold by a rational value.
  • Page 192: Configuring Data Transmit Rates

    Item Description Number of retransmission attempts for unicast frames smaller than the Short Retry Threshold RTS/CTS threshold if no acknowledgment is received for it. Max Receive Duration Interval for which a frame received by an AP can stay in the buffer memory. Configuring data transmit rates NOTE: Support for this feature depends on the device model.
  • Page 193: Configuring 802.11N Mcs

    Table 69 Configuration items Item Description Configure rates (in Mbps) for 802.11a. By default: • Mandatory rates are 6, 12, and 24. 802.11a • Supported rates are 9, 18, 36, 48, and 54. • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
  • Page 194 Data rate (Mbps) Number of MCS index Modulation spatial streams 800ns GI 400ns GI 16-QAM 39.0 43.3 64-QAM 52.0 57.8 64-QAM 58.5 65.0 64-QAM 65.0 72.2 BPSK 13.0 14.4 QPSK 26.0 28.9 QPSK 39.0 43.3 16-QAM 52.0 57.8 16-QAM 78.0 86.7 64-QAM 104.0...
  • Page 195 Data rate (Mbps) Number of MCS index Modulation spatial streams 800ns GI 400ns GI 16-QAM 108.0 120.0 16-QAM 162.0 180.0 64-QAM 216.0 240.0 64-QAM 243.0 270.0 64-QAM 270.0 300.0 BPSK 40.5 45.0 QPSK 81.0 90.0 QPSK 121.5 135.0 16-QAM 162.0 180.0 16-QAM 243.0...
  • Page 196: Configuring Calibration

    Supported Maximum MCS The supported maximum MCS cannot be smaller than the mandatory maximum MCS. NOTE: • For more information about MCS, see H3C WA Series WLAN Access Points WLAN Configuration Guide. • When 802.11n radios are used for WDS, make sure that they have the MCS configuration.
  • Page 197: Parameter Setting

    Figure 179 Setting channel calibration NOTE: When an AP uses the radio whose working channel is auto to establish a WDS link, the auto Dynamic Channel Select (DFS) function of the radio automatically takes effect. Auto DFS of the radio is automatically performed at a calibration interval when the channel quality becomes poor to reach the channel switching condition, and the radio selects a non-radar channel with the best signal quality as its new working channel from the available channels.
  • Page 198 Figure 180 Setting parameters Configure calibration parameters as described in Table Click Apply. Table 74 Configuration items Item Description Because 802.11b and 802.11g use different modulation modes, 802.11g protection needs to be enabled for an 802.11g device to send RTS/CTS or CTS-to-self packets to 802.11b devices, which defer access to the medium.
  • Page 199: Configuring Channel Scanning

    Item Description • RTS/CTS—Use RTS/CTS mode to implement 802.11g protection. Before sending data to a client, an AP sends an RTS packet to the client, ensuring that all the devices within the coverage of the AP do not send data in the specified time after receiving the RTS packet.
  • Page 200 Figure 181 Setting channel scanning Configure channel scanning as described in Table Table 75 Configuration items Item Description Some 802.11h channels, called radar channels, overlap some 802.11a channels. If the device operates on an overlapping channel, its service quality may be affected. With this function enabled, the device selects a working channel from non-802.11h channels belonging to the configured country code Scan 802.11h Channel to avoid channel collision.
  • Page 201: Configuring Ap Operating Mode

    Item Description To avoid selecting improper channels, you can exclude specific channels from automatic channel selection. The excluded channels will not be available for initial automatic channel selection, DFS, and mesh DFS. This feature does not affect rogue detection and WIDS. Select a channel and add it to the 5GHz Excluded Channel or 2.4GHz Excluded Channel.
  • Page 202 Monitor mode As shown in Figure 183, when AP 2 operates in monitor mode, it monitors all devices in the WLAN through scanning 802.11 frames and records scan results, but it does not provide WLAN services. For the channel detection results, see "Displaying detection record."...
  • Page 203: Configuring Channel Detection

    Figure 185 Setting AP operating mode Configure the AP operating mode as described in Table Click Apply. Table 76 Configuration items Item Description Set the AP operating mode: • Normal—The AP only provides WLAN data services. • Monitor—The AP only scans all 802.11 frames in the WLAN. •...
  • Page 204: Configuring The Detection Record Aging Time

    Figure 186 Displaying detection record NOTE: At present, APs, wireless bridges, clients, and ad hoc devices can be detected. Configuring the detection record aging time Select Radio > Channel Detection from the navigation tree. Click the History Record tab. Configure the detect record aging time. Click Apply.
  • Page 205: Antenna

    Figure 188 Displaying history record NOTE: If an entry in the detection record is not refreshed within the aging time, it is deleted from the detection record and added into the history record. Antenna Select Radio > Antenna to select an appropriate antenna for the corresponding radio. Figure 189 Selecting an antenna NOTE: All types of antennas supported by the corresponding radio mode are listed in the Antenna list.
  • Page 206: Aaa Configuration

    AAA can be implemented through multiple protocols. The device supports using RADIUS and HWTACACS. RADIUS is often used in practice. For more information about RADIUS, see "RADIUS configuration." NOTE: For more information about AAA and ISP, see H3C WA Series WLAN Access Points Security Configuration Guide...
  • Page 207: Configuring Aaa

    Configuring AAA Configuration prerequisites • To deploy local authentication, configure local users on the access device as described in "User configuration." • To deploy remote RADIUS authentication, authorization, or accounting, create the RADIUS schemes to be referenced as described in "RADIUS configuration."...
  • Page 208: Configuring Authentication Methods For The Domain

    Figure 191 Domain Setup page Configure an ISP domain as described in Table Click Apply. Table 77 Configuration items Item Description Domain Name: Enter the ISP domain name, which is for identifying the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
  • Page 209 Figure 192 Authentication method configuration page Configure authentication methods for different types of users in the domain, as described in Table Click Apply. A configuration progress dialog box appears. After the configuration progress is complete, click Close. Table 78 Configuration items Item Description Select an ISP...
  • Page 210: Configuring Authorization Methods For The Domain

    Item Description Configure the authentication method and secondary authentication method for login Login AuthN users. Options include: Name • HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used. • Local—Performs local authentication. • None—Does not perform authentication. This method trusts all users and is not for Secondary general use.
  • Page 211 Table 79 Configuration items Item Description Select an ISP Select the ISP domain for which you want to specify authentication methods. domain Configure the default authorization method and secondary authorization method for all Default AuthZ types of users. Options include: Name •...
  • Page 212: Configuring Accounting Methods For The Domain

    Configuring accounting methods for the domain Select Authentication > AAA from the navigation tree. Click the Accounting tab to enter the accounting method configuration page. Figure 194 Accounting method configuration page Configure accounting methods for different types of users in the domain, as described in Table Click Apply.
  • Page 213: Aaa Configuration Example

    Item Description LAN-access Configure the accounting method and secondary accounting method for LAN access Accounting users. Options include: Name • Local—Performs local accounting. • None—Does not perform accounting. • RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be Secondary used.
  • Page 214 The local user management page appears. Click Add. Enter telnet as the username. Enter abcd as the password. Enter abcd again to confirm the password. Select Common User as the user type. Select Configure as the level. Select Telnet as the service type. Click Apply.
  • Page 215 Figure 197 Configure ISP domain test Configure the ISP domain to use local authentication for login users: Select Authentication > AAA from the navigation tree Click the Authentication tab. Select the domain test. Select the Login AuthN box and select the authentication method Local. Click Apply.
  • Page 216 Configure the ISP domain to use local authorization for login users: Select Authentication > AAA from the navigation tree. Click the Authorization tab. Select the domain test. Select the Login AuthZ box and select the authorization method Local. Click Apply. A configuration progress dialog box appears.
  • Page 217: Radius Configuration

    RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information. NOTE: For more information about AAA and ISP, see H3C WA Series WLAN Access Points Security Configuration Guide. Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
  • Page 218 Figure 201 RADIUS scheme configuration page Enter a scheme name. Select a server type and a username format. Table 81 Configuration items Item Description Server Type: Select the type of the RADIUS servers supported by the device, which can be: • Standard—Specifies the standard RADIUS server. That is, the RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2138/2139 or later.
  • Page 219 Figure 202 Common configuration area Configure the advanced parameters.
  • Page 220 Table 82 Configuration items Item Description Authentication Key / Confirm Authentication: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets. The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets, and they verify the validity of packets through the specified shared key.
  • Page 221 RADIUS server. RADIUS Packet Source IP: H3C recommends that you use a loopback interface address instead of a physical interface address as the source IP address, because if the physical interface is down, the response packets from the server cannot reach the device.
  • Page 222 Item Description Send accounting-on packets: Enable or disable the accounting-on feature. The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcibly log out users who logged in through the device before the reboot. IMPORTANT: When enabling the accounting-on feature on a device for the first time, you must save...
  • Page 223: Radius Configuration Examples

    Click Add to enter the access device configuration page, as shown in Figure 205. Set the shared key for authentication and accounting to expert. Set the ports for authentication and accounting to 1812 and 1813 respectively. Select the service type Device Management Service. Select the access device type H3C.
  • Page 224 Select the AP from the device list or manually add the AP (with the IP address 10.1.1.2). NOTE: The IP address of the added access device must be the same as the source IP address of the RADIUS packets sent from the AP. By default, it is the IP address of the RADIUS packets' outbound interface. Click OK.
  • Page 225 Figure 206 Device management user configuration page Configuring the AP Configure the RADIUS scheme system: Select Authentication > RADIUS from the navigation tree. Click Add. Enter the scheme name system, select the server type Extended, and select the username format Without domain name.
  • Page 226 Figure 207 RADIUS authentication server configuration page In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page again. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary accounting server, enter the port number 1813, the key expert, and click Apply, as shown Figure 208.
  • Page 227 Figure 209 RADIUS scheme configuration Create the ISP domain bbb: From the navigation tree, select Authentication > AAA. The domain setup page appears, as shown in Figure 210. Enter the domain name test. Click Apply.
  • Page 228 Figure 210 Create an ISP domain Configure an authentication method for the ISP domain: Click the Authentication tab. Select the domain name bbb. Select the Default AuthN box and then select the authentication mode RADIUS. Select the RADIUS scheme system from the Name list to use it as the authentication scheme. Click Apply.
  • Page 229 Configure an authorization method for the ISP domain: Click the Authorization tab. Select the domain name bbb. Select the Default AuthZ box and select the authorization mode RADIUS. Select the RADIUS scheme system from the Name list to use it as the authorization scheme. Click Apply.
  • Page 230: Configuration Guidelines

    Figure 213 Configure an accounting method for the ISP domain Enable the Telnet service: From the navigation tree, select Network > Services. Select the Enable Telnet service box. Click Apply. Figure 214 Enable the Telnet service Log in to the CLI and configure the AP to use AAA for Telnet users. <AP>...
  • Page 231 If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally. • The status of RADIUS servers (blocked or active) determines which servers the device will communicate with or turn to when the current servers are not available.
  • Page 232: Hwtacacs Configuration

    HWTACACS server records the commands that each user performs. NOTE: For more information about HWTACACS, see H3C WA Series WLAN Access Points Security Configuration Guide...
  • Page 233: Creating Hwtacacs Scheme System

    Step Remarks Optional. Configuring HWTACACS This section describes how to configure the parameters that are necessary for parameters information exchange between the device and HWTACACS server. Creating HWTACACS scheme system If the HWTACACS scheme system does not exist, select Authentication > HWTACACS from the navigation tree.
  • Page 234: Configuring Hwtacacs Parameters

    Table 85 Configuration items Configuration item Description Server Type: Select the type of the server to be configured, which can be Authentication Server, Authorization Server and Accounting Server. Enter the IP address of the primary server. When no primary server is specified, the primary server IP address and the primary server TCP port are empty.
  • Page 235 Figure 217 HWTACACS parameter configuration Configure HWTACACS parameters as described in Table Click Apply. Table 86 Configuration items Item Description NAS-IP: Source IP address for the device to use in HWTACACS packets to be sent to the HWTACACS server. Use a loopback interface address instead of a physical interface address as the source IP address to make sure that the response packets from the server can reach the device when the physical interface is...
  • Page 236 Item Description Stop-Accounting Buffer: Enable or disable buffering stop-accounting requests without responses in the device. Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit.
  • Page 237: Hwtacacs Configuration Example

    Item Description Unit of Packets: Specify the unit for data packets sent to the HWTACACS server for traffic accounting. Options include: • packet. • kilo-packet. • mega-packet. • giga-packet. If you leave the box blank, the default unit is used. HWTACACS configuration example Network requirements As shown in...
  • Page 238 Figure 219 Create an HWTACACS scheme Configure the HWTACACS authentication server: Select Authentication Server as the server type. Enter 10.1.1.1 as the IP address of the primary server. Enter 49 as the authentication port number of the primary server. Select the Shared Key box, enter expert as the shared key, and then confirm the password. Click Apply.
  • Page 239 Click the Parameter Configuration tab. Select the username format without-domain. Click Apply. Figure 221 Configure the parameters for communication Configure ISP domain test: From the navigation tree, select Authentication > AAA. Enter the domain name test. Click Apply.
  • Page 240 Figure 222 Create an ISP domain Configure an authentication method for the ISP domain: Click the Authentication tab. Select the domain name test. Select the Default AuthN box and then select the authentication mode HWTACACS. Select the HWTACACS scheme system from the Name list to use it as the authentication scheme.
  • Page 241 Configure an authorization method for the ISP domain: Click the Authorization tab. Select the domain name test. Select the Default AuthZ box and select the authorization mode HWTACACS. Select the HWTACACS scheme system from the Name list to use it as the authorization scheme.
  • Page 242: Configuration Guidelines

    Figure 225 Configure an accounting method for the ISP domain Log in to the CLI, enable Telnet service, and configure the AP to use AAA for Telnet users.

        <AP> system-view
        [AP] telnet server enable
        [AP] user-interface vty 0 4
        [AP-ui-vty0-4] authentication-mode scheme
        [AP-ui-vty0-4] quit

    Verifying the configuration On the Telnet client, enter the username in the format userid@bbb and the password.
  • Page 243 Number of users Real-time accounting interval (in minutes) 500 to 999 ≥1000 ≥15...
  • Page 244: User Configuration

    User configuration User overview This module allows you to configure local users, user groups, and guests. Local user A local user is an account configured on the device. It is uniquely identified by the username and has a set of user attributes, such as the password, user type, service type, and authorization attribute. For a user to pass local authentication, you must add a local user for the user on the device.
  • Page 245 Figure 226 Local user list Click Add. The local user configuration page appears. On this page, you can create a local user of any type except guest. Figure 227 Local user configuration page Configure a local user as described in Table Click Apply.
  • Page 246 Item Description Password Specify a password for the local user and confirm the password. The two passwords must be identical. Confirm IMPORTANT: Leading spaces of a password are ignored. Select a user group for the local user. Group For information about user group configuration, see "Configuring a user group."...
  • Page 247: Configuring A User Group

    Item Description Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication. IMPORTANT: This option is only effective for common PPP and LAN users. Specify the user profile for the local user. IMPORTANT: User-profile •...
  • Page 248: Configuring A Guest

    Table 89 Configuration items Item Description Group-name Specify a name for the user group. Select an authorization level for the user group, which can be Visitor, Monitor, Level Configure, or Management, in ascending order of priority. Specify the VLAN to be authorized to a user in the user group after the user passes VLAN authentication.
  • Page 249 Click Add to enter the guest configuration page. Figure 231 Guest configuration page Configure a single guest or a batch of guests as described in Table Click Apply. Table 90 Configuration items Item Description Create Users in a Specify whether to create guests in a batch. Batch Username Specify a name for the guest when users are not created in a batch.
  • Page 250: Procedure For A Guest Administrator To Configure A Guest

    Procedure for a guest administrator to configure a guest NOTE: Guest administrators can manage only guest accounts and can only manage guest accounts through the web interface. Log in to the AP as a guest administrator and select Authentication > User from the navigation tree. The guest management page appears.
  • Page 251: Certificate Management

    The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies, and it is the most widely applied encryption mechanism currently. H3C's PKI system provides certificate management for IP Security (IPsec), Secure Sockets Layer (SSL), and WLAN Authentication and Privacy Infrastructure (WAPI).
  • Page 252: Recommended Configuration Procedure For Manual Request

    You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations. Recommended configuration procedure for manual request Step Remarks Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and an entity, where an entity Creating a PKI entity is the collection of the identity information of a user.
  • Page 253: Recommended Configuration Procedure For Automatic Request

    Step Remarks Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which are the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
  • Page 254: Creating A Pki Entity

    Step: Creating a PKI domain. Remarks: Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
  • Page 255: Creating A Pki Domain

    Figure 235 PKI entity configuration page Configure the parameters as described Table Click Apply. Table 91 Configuration items Item Description Entity Name Name of the PKI entity. Common Name Common name of the entity. IP Address IP address of the entity. Fully qualified domain name (FQDN) of the entity.
  • Page 256 Click the Domain tab to enter the page displaying existing PKI domains. Figure 236 PKI domain list Click Add to enter the PKI domain configuration page. Figure 237 PKI domain configuration page Configure the parameters as described in Table Click Apply. Table 92 Configuration items Item Description...
  • Page 257 Item Description Institution: Select the authority for certificate request. • CA—Indicates that the entity requests a certificate from a CA. • RA—Indicates that the entity requests a certificate from an RA. RA is recommended. URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol.
  • Page 258: Generating An Rsa Key Pair

    Item Description CRL Update Period: CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs. This item is available when the Enable CRL Checking box is selected. By default, the CRL update period depends on the next update field in the CRL file. URL of the CRL distribution point.
  • Page 259: Destroying The Rsa Key Pair

    Destroying the RSA key pair Select Authentication > Certificate Management from the navigation tree. Click the Certificate tab to enter the page displaying existing PKI certificates. Click Destroy Key to enter the RSA key pair destruction page. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 240 Key pair destruction page Retrieving and displaying a certificate You can download an existing CA certificate or local certificate from the CA server and save it locally.
  • Page 260: Requesting A Local Certificate

    Item Description Enable Offline Mode: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email). Get File From Device: Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
  • Page 261: Retrieving And Displaying A Crl

    Click the Certificate tab to enter the page displaying existing PKI certificates. Click Request Cert to enter the local certificate request page. Figure 243 Local certificate request page Configure the parameters as described in Table Table 94 Configuration items Item Description Domain Name Select the PKI domain for the certificate.
  • Page 262: Pki Configuration Example

    Select the CRL tab to enter the page displaying CRLs. Figure 245 CRL page Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL. Figure 246 CRL information PKI configuration example Network requirements As shown in...
  • Page 263 Figure 247 Network diagram Configuring the CA server Create a CA server named myca. In this example, you must first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
  • Page 264 Figure 248 Configure a PKI entity Create a PKI domain. Click the Domain tab. Click Add. Enter torsa as the PKI domain name. Enter myca as the CA identifier. Select aaa as the local entity. Select CA as the authority for certificate request. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request.
  • Page 265 Figure 249 Configure a PKI domain Generate an RSA key pair. Click the Certificate tab. Click Create Key. Enter 1024 as the key length. Click Apply to generate an RSA key pair. Figure 250 Generate an RSA key pair Retrieve the CA certificate. Click the Certificate tab.
  • Page 266 Click Apply. Figure 251 Retrieve the CA certificate Request a local certificate. Click the Certificate tab. Click Request Cert. Select torsa as the PKI domain. Click Password and then enter "challenge-word" as the password. Click Apply. The system gives a prompt that the request is submitted. Click OK.
  • Page 267: Configuration Guidelines

    Verifying the configuration After the configuration, select Authentication > Certificate Management > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Authentication > Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL.
  • Page 268: Wireless Service

    Wireless service Wireless Local Area Networks (WLAN) have become very popular because they are very easy to set up and use, and are low cost. Generally, one or more access points (APs) can cover a building or an area. The WLAN solution allows you to conveniently provide the following wireless access services to your customers: • WLAN client connectivity to conventional 802.3 LANs...
  • Page 269 Figure 254 Establish a client access Scanning A wireless client can get the surrounding wireless network information in two ways, passive scanning or active scanning. With passive scanning, a wireless client gets wireless network information through listening to Beacon frames sent by surrounding APs; with active scanning, a wireless client actively sends a probe request frame during scanning, and gets network information from the received probe response frames.
  • Page 270 A client sends a probe request (with a specified SSID): When the wireless client is configured to access a specific wireless network or has already successfully accessed a wireless network, the client periodically sends a probe request carrying the specified SSID of the configured or connected wireless network.
  • Page 271 Figure 258 Open system authentication process • Shared key authentication Figure 259 shows a shared key authentication process. The two parties have the same shared key configured. The client sends an authentication request to the AP. The AP randomly generates a challenge and sends it to the client. The client uses the shared key to encrypt the challenge and sends it to the AP.
  • Page 272: Wlan Data Security

    • Receiving a data frame from a client which is unauthenticated. • Receiving a PS-poll frame from a client which is unauthenticated. Dissociation A dissociation frame can be sent by an AP or a wireless client to break the current wireless link. In the wireless system, dissociation can occur due to many reasons, such as: Receiving a data frame from a client which is authenticated and unassociated.
  • Page 273: Client Access Authentication

    CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size.
  • Page 274 Figure 260 Local MAC authentication • Remote MAC authentication: Remote Authentication Dial-In User Service (RADIUS) based MAC authentication. When RADIUS-based MAC authentication is used, the device operates as the RADIUS client, and cooperates with the RADIUS server to perform the MAC authentication. If the current client is found as an unknown client, the AP operates as the RADIUS client, and cooperates with the RADIUS server to perform the MAC authentication for the client.
  • Page 275: Introduction To Wds

    802.11n As the next generation wireless LAN technology, 802.11n supports both 2.4GHz and 5GHz bands. It provides higher throughput to customers by using the following methods: Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel.
  • Page 276 Point to point bridge connection In this network, WDS uses two devices to form a bridge between two LANs, and interconnect the two LANs. In actual applications, each device can determine the bridge connection to be set up by configuring the MAC address of the peer device. As shown in Figure 262, a WDS bridge link is set up between AP 1 and AP 2 to connect LAN segment 1 and LAN segment 2 to form a unified LAN.
  • Page 277: Repeater Mode Overview

    Figure 264 Self topology detection and bridging Repeater mode overview An AP acting as a repeater can set up a link with another AP through a WDS link and provide wireless access service for clients at the same time, that is, an AP acting as a repeater can not only create wireless networks but also use WDS bridge connections to connect wireless networks to the existing network.
  • Page 278 Figure 266 Network diagram...
  • Page 279: Configuring Wireless Service

    Configuring wireless service Configuring access service Recommended configuration procedure Step Remarks Creating a wireless service Required. Required. Configuring wireless service Configuring clear type wireless service Use either approach. Configuring crypto type wireless service Complete the security settings as needed. Binding an AP radio to a wireless service Required.
  • Page 280: Configuring Clear Type Wireless Service

    Figure 268 Create a wireless service Configure the wireless service as described in Table Click Apply. Table 95 Configuration items Item Description Wireless Service Name: Set the service set identifier (SSID). An SSID should be as unique as possible. For security, the company name should not be contained in the SSID.
  • Page 281 Figure 269 Configure clear type wireless service Configure the basic settings for the clear type wireless service as described in Table Click Apply. Table 96 Configuration items Item Description Wireless Service: Display the selected Service Set Identifier (SSID). VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
  • Page 282 Figure 270 Advanced settings for the clear type wireless service Configure the advanced settings for the clear type wireless service as described in Table Click Apply. Table 97 Configuration items Item Description Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP. IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP...
  • Page 283 Figure 271 Security settings for the clear type wireless service Configure the security settings for the clear type wireless service as described in Table Click Apply. Table 98 Configuration items Item Description Authentication Type: For the clear type wireless service, you can select Open-System only...
  • Page 284 Item Description • mac-authentication—Perform MAC address authentication on users. • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
  • Page 285 Figure 272 mac-authentication port security configuration page Table 99 Configuration items Item Description Port Mode: mac-authentication—MAC-based authentication is performed on access users. Select Wireless Service > Access Service from the navigation tree, and click MAC Authentication List to enter the page for configuring a MAC authentication list. On the page, enter the MAC address of the client.
  • Page 286 Figure 273 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is taken for example) Table 100 Configuration items Item Description Port Mode: • userlogin-secure—Perform port-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online. •...
  • Page 287 Item Description Handshake: • Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled. • Disable—Disable the online user handshake function. •...
  • Page 288 Table 101 Configuration items Item Description • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
  • Page 289: Configuring Crypto Type Wireless Service

    Item Description Multicast Trigger: • Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled. • Disable—Disable the 802.1X multicast trigger function. IMPORTANT: For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication.
  • Page 290 Click the icon corresponding to the target crypto type wireless service. The page for configuring advanced settings for the crypto type wireless service appears. Figure 276 Advanced settings for the crypto type wireless service Configure the advanced settings for the crypto type wireless service as described in Table 102.
  • Page 291 Item Description Management Right: Web interface management right of online clients. • Disable—Disable the web interface management right of online clients. • Enable—Enable the web interface management right of online clients. MAC VLAN: • Enable—Enable the MAC VLAN feature for the wireless service. •...
  • Page 292 Figure 277 Security settings for the crypto type wireless service Configure the security settings for the crypto type wireless service as described in Table 103. Click Apply. Table 103 Configuration items Item Description Link authentication method, which can be: • Open-System—No authentication.
  • Page 293 Item Description Security IE: Wireless service type (IE information carried in the beacon or probe response frame): • WPA—Wi-Fi Protected Access. • RSN—An RSN is a security network that allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA.
  • Page 294 Item Description Table Parameters such as authentication type and encryption type determine the port mode. For more information, see Table 106. After you select the Cipher Suite option, the following four port security modes are added: • mac and psk—MAC-based authentication must be performed on access users first.
  • Page 295 Item Description Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field. Domain •...
  • Page 296: Security Parameter Dependencies

    Security parameter dependencies For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are described in Table 106. Table 106 Security parameter dependencies (columns: Service type, Authentication mode, Encryption type, Security IE, encryption/key ID, Port mode) mac-authentication mac-else-userlogin-secure mac-else-userlogin-secure-ext...
  • Page 297: Binding An Ap Radio To A Wireless Service

    Binding an AP radio to a wireless service Select Wireless Service > Access Service from the navigation tree. Click the Bind link of the wireless service to be bound to enter the page as shown in Figure 280. Figure 280 Bind an AP radio to a wireless service Select the AP radio to be bound.
  • Page 298: Configuring Wds Service

    Configuring WDS service Configuring WDS service Select Wireless Service > WDS from the navigation tree. Click the WDS Setup tab to enter the WDS setup page. Figure 282 WDS setup page Click the icon corresponding to the radio mode to be configured in the Operation column to enter the WDS Setup page.
  • Page 299: Configuring A Neighbor Mac Address

    Configuring a neighbor MAC address NOTE: If no neighbor MAC address is configured for an AP, the AP can establish a WDS link with any other AP; if a neighbor MAC address is configured for an AP, the AP can establish a WDS link with only the specified peer AP.
  • Page 300 Figure 285 Configure advanced WDS Configure advanced WDS settings as described in Table 108. Click Apply. Table 108 Configuration items Item Description Set the mesh ID. Mesh Identifier The default mesh identifier of a device depends on its radio mode. Link Keep Alive Interval Configure the mesh link keep-alive interval.
  • Page 301 Item Description The following loop types may exist in a WDS network: .When a loop exists in the network, you can block redundant links to remove the loop by STP, and can provide link backup when a WDS link fails. Set STP.
  • Page 302: Configuring Global Wds

    Item Description VLAN (Tagged): Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag. VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the ports send the traffic of the VLAN with the VLAN tag removed.
  • Page 303: Enabling Wds Service

    NOTE: • A radio enabled with auto DFS and WDS works in a non-radar channel. • When you select auto-DFS, if no WDS link is established, a temporary working channel is automatically selected for a radio. The validation time of the temporary working channel is from 10 to 20 seconds. After the temporary working channel times out, a new temporary working channel is selected.
  • Page 304: Configuring The Workgroup Bridge

    Figure 288 Repeater mode Configuring the workgroup bridge Enabling the client mode Select Wireless Service > Client Mode from the navigation tree. Click Connect Setup. Figure 289 Enable the client mode Select the radio unit for which the client mode is to be enabled. Click Enable.
  • Page 305: Connecting The Wireless Service

    With the client mode enabled, you can check the existing wireless services in the wireless service list. Figure 290 Check the wireless service list Connecting the wireless service Method 1 Click the Connect icon of the wireless service in the wireless service list. The SET CODE dialog box appears.
  • Page 306: Displaying Statistics

    Item Remarks CipherSuit: Set the data encryption mode, which can be: • Clear—No encryption • WEP—WEP encryption • TKIP/AES-CCMP—TKIP/AES-CCMP encryption Password: Configure the WEP/AES-CCMP/TKIP key according to the data encryption mode. KeyID: There are four static keys in WEP. Their key indexes are 1, 2, 3, and 4. The key corresponding to the specified key index is used for encrypting and decrypting frames.
  • Page 307: Wireless Access Configuration Examples

    Figure 293 Display statistics Wireless access configuration examples Wireless service configuration example Network requirements As shown in Figure 294, enable the client to access the internal network resources at any time. The AP provides plain-text wireless access service with SSID service1. Figure 294 Network diagram Configuring the AP Assign an IP address to the fat AP:...
  • Page 308 Bind an AP radio to a wireless service Select Wireless Service > Access Service from the navigation tree. Click the Bind link at the right side of the wireless service service1 to enter the page as shown Figure 297. Select the box with radio mode 802.11n(2.4GHz). Click Bind.
  • Page 309: Access Service-Based Vlan Configuration Example

    Figure 298 Enable 802.11n radio Verifying the configuration • The client can successfully associate with the AP and access the WLAN network. • You can view the online clients on the page you enter by selecting Summary > Client from the...
  • Page 310 Figure 300 Network diagram Configuring the AP Configure the fat AP interface: Assign an IP address to the fat AP: Select Network > VLAN to create a VLAN on the fat AP. Select Device > Interface Management to assign an IP address to the VLAN interface. Configure the link type of the Ethernet interface on the fat AP as trunk, and allow packets from VLAN 2 and VLAN 3.
  • Page 311: Wpa-Psk Authentication Configuration Example

    Click Add. On the page that appears, enter the service name office, select the wireless service type clear, and click Apply. On the page that appears, enter 3 in the VLAN (Untagged) field, enter 3 in the Default VLAN field, enter 1 in the Delete VLAN field, and click Apply. Before you perform these VLAN settings, select Network >...
  • Page 312 Figure 304 Network diagram IP network FAT AP L2 switch Client Configuring the AP Assign an IP address to the fat AP: Select Network > VLAN to create a VLAN on the fat AP. Select Device > Interface Management to assign an IP address to the VLAN interface. Configure a wireless service: Select Wireless Service >...
  • Page 313 Figure 306 Security setup Bind an AP radio to a wireless service Select Wireless Service > Access Service from the navigation tree. Click the Bind link at the right side of the wireless service psk to enter the page as shown Figure 307.
  • Page 314 Figure 308 Enable the wireless service Enable 802.11n radio (By default, 802.11n radio is enabled. Therefore, this step is optional. ) Select Radio > Radio from the navigation tree to enter the Radio page. Make sure 802.11n radio is enabled. Configuring the client Launch the client, and refresh the network list.
  • Page 315 Figure 309 Configure the client The client has the same preshared PSK key as the AP, so the client can associate with the AP.
  • Page 316: Local Mac Authentication Configuration Example

    Figure 310 The client is associated with the AP Verifying the configuration • The same PSK pre-shared key is configured on the client. The client can successfully associate with the AP and can access the WLAN network. • You can view the online clients on the page you enter by selecting Summary > Client from the...
  • Page 317 Select Device > Interface Management to assign an IP address to the VLAN interface. Configure a wireless service: Select Wireless Service > Access Service from the navigation tree. Click Add. On the page that appears, set the service name to mac-auth, select the wireless service type clear, and click Apply.
  • Page 318 Figure 313 Security setup Bind an AP radio to a wireless service Select Wireless Service > Access Service from the navigation tree. Click the Bind link at the right side of the wireless service mac-auth to enter the page as shown Figure 314.
  • Page 319 Select the mac-auth box. Click Enable. Figure 315 Enable the wireless service Configure a MAC authentication list Select Wireless Service > Access Service from the navigation tree. Click MAC Authentication List to enter the page as shown in Figure 316. Add a local user in the MAC Address field.
  • Page 320: Remote Mac Authentication Configuration Example

    Figure 317 Configure the client Verifying the configuration • If the MAC address of the client is in the MAC authentication list, the client can pass authentication and access the WLAN network. • You can view the online clients on the page you enter by selecting Summary > Client from the...
  • Page 321 The IP address of the AP is 10.18.1.1. On the AP, configure the shared key for communication with the RADIUS server as expert, and configure the AP to remove the domain name of a username before sending it to the RADIUS server. Figure 318 Network diagram Configuring the AP Assign an IP address to the fat AP:...
  • Page 322 Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.
  • Page 323 Figure 322 Configure the AAA accounting method for the ISP domain Configure wireless service Select Wireless Service > Access Service from the navigation tree. Click Add. On the page that appears, set the wireless service name to mac-auth, select the wireless service type clear, and click Apply.
  • Page 324 Figure 324 Security setup Bind an AP radio to a wireless service Select Wireless Service > Access Service from the navigation tree. Click the Bind link at the right side of the wireless service mac-auth to enter the page as shown Figure 325.
  • Page 325 On the page that appears, add expert for Shared Key, add ports 1812, and 1813 for Authentication Port and Accounting Port respectively, select LAN Access Service for Service Type, select H3C for Access Device Type, and select or manually add an access device with the IP address 10.18.1.1, and click Apply.
  • Page 326 Figure 327 Add access device Add service. Select the Service tab. Select Access Service > Access Device from the navigation tree. Click Add. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.
  • Page 327 Figure 329 Add account Configuring the RADIUS server (iMC v5) NOTE: The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server. Add an access device. Select the Service tab in the iMC platform. Select User Access Manager >...
  • Page 328 Select User Access Manager > Service Configuration from the navigation tree. Click Add. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply. Figure 331 Add service Add an account. Select the User tab.
  • Page 329: Remote 802.1X Authentication Configuration Example

    Remote 802.1X authentication configuration example Network requirements Perform remote 802.1X authentication on the client. • A RADIUS server (an iMC server for authentication, authorization, and accounting) is required. On the RADIUS server, the client's username user and password dot1x, and the shared key expert have been configured.
  • Page 330 Figure 334 Configure RADIUS Configure AAA Select Authentication > AAA from the navigation tree. Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.1x from the Name list, and click Apply.
  • Page 331 Figure 336 Configure the AAA authorization method for the ISP domain On the Accounting tab, select the ISP domain name system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme 802.1x from the Name list, and click Apply.
  • Page 332 Figure 338 Create a wireless service Configure 802.1X authentication After you create a wireless service, you enter the wireless service configuration page. In the Security Setup area on the page, select the Open-System from the Authentication Type list. Select the Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
  • Page 333 Click the Bind link at the right side of the wireless service mac-auth to enter the page as shown Figure 340. Select the box with radio mode 802.11n(2.4GHz). Click Bind. Figure 340 Bind an AP radio Enable the wireless service Select Wireless Service >...
  • Page 334 On the page that appears, enter the shared key expert, enter the authentication and accounting ports 1812 and 1813, select LAN Access Service from the Service Type list, select H3C from the Access Device Type list, select or manually add an access device with the IP address 10.18.1.1, and click Apply.
  • Page 335 Figure 343 Add service Add account. Select the User tab. Select User > All Access Users from the navigation tree. Click Add. On the page that appears, enter a username user, add an account user and password dot1x, and select the service dot1x, and click Apply. Figure 344 Add account...
  • Page 336 Configuring the RADIUS server (iMC v5) NOTE: The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server. Add an access device. Select the Service tab in the iMC platform. Select User Access Manager >...
  • Page 337 Figure 346 Add a service Add an account. Select the User tab. Select User > All Access Users from the navigation tree. Click Add. On the page that appears, enter username user, set the account name to user and password to dot1x, select the service dot1x, and click Apply.
  • Page 338 On the Wireless Networks tab, select wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties. In the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
  • Page 339 Figure 348 Configure the wireless card (I)
  • Page 340 Figure 349 Configure the wireless card (II)
  • Page 341: Dynamic Wep Encryption-802.1X Authentication Configuration Example

    Figure 350 Configure the wireless card (III) Verifying the configuration • After entering the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. • You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
  • Page 342 Figure 351 Network diagram Configuring the AP Assign an IP address to the fat AP: Select Network > VLAN to create a VLAN on the fat AP. Select Device > Interface Management to assign an IP address to the VLAN interface. Configure a RADIUS scheme: "Configure a RADIUS scheme:."...
  • Page 343 Disable Handshake and Multicast Trigger (recommended). Click Apply. Figure 353 Security setup Bind an AP radio to a wireless service Select Wireless Service > Access Service from the navigation tree. Click the Bind link at the right side of the wireless service dot1x to enter the page as shown Figure 354.
  • Page 344 Figure 355 Enable the wireless service Optional: Enable 802.11n radio (802.11n radio is enabled by default.). Select Radio > Radio from the navigation tree to enter the Radio page, and make sure 802.11n is enabled. Configuring the wireless card Double click the icon at the bottom right corner of your desktop.
  • Page 345 Figure 356 Configure the wireless card (I) On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties. In the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
  • Page 346 Figure 357 Configure the wireless card (II)
  • Page 347: 802.11N Configuration Example

    Figure 358 Configure the wireless card (III) Verifying the configuration • After the user enters the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. • You can view the online clients on the page you enter by selecting Summary > Client from the...
  • Page 348 Configuring the AP Assign an IP address to the fat AP: Select Network > VLAN to create a VLAN on the fat AP. Select Device > Interface Management to assign an IP address to the VLAN interface. Configure a wireless service Select Wireless Service >...
  • Page 349 Figure 362 Enable the wireless service Enable 802.11n(2.4GHz) radio (By default, 802.11n(2.4GHz) radio is enabled.) Select Radio > Radio from the navigation tree to enter the Radio page. Make sure 802.11n(2.4GHz) is enabled. Figure 363 Enable 802.11n(2.4GHz) radio Verifying the configuration The client can successfully associate with the AP and access the WLAN network.
  • Page 350: Wds Configuration Examples

    Configuration guidelines Note the following guidelines when you configure 802.11n: • Select Radio > Radio from the navigation tree, select the AP radio unit to be configured, and click the corresponding icon to enter the radio configuration page, where you can modify the 802.11n-related parameters, including Bandwidth Mode, A-MSDU, A-MPDU, Short GI, and Client 802.11n Only (permitting only 802.11n users to access the wireless network).
  • Page 351 Figure 366 WDS setup page Click the corresponding icon of the target radio unit. On the page that appears, select the Pass Phrase box, and enter 12345678 in the Preshared Key field, leave the neighbor MAC address box blank (indicating that the AP can establish a WDS link with any other AP), and click Apply.
  • Page 352 Figure 368 Configure the working channel Enable 802.11n(5GHz) radio (By default, 802.11n(5GHz) is enabled.). Select Radio > Radio from the navigation tree to enter the Radio page. Make sure 802.11n(5GHz) is enabled. Enable WDS Select Wireless Service > WDS from the navigation tree to enter the WDS Setup page. Select the box corresponding to 802.11n(5GHz).
  • Page 353: Wds Point-To-Multipoint Configuration Example

    Figure 370 The page displaying WDS information Configuration guidelines The output information of a WDS link includes: neighbor MAC address, local MAC address, link state, link uptime, and signal quality. When five green bars are displayed for the signal quality, the signal is of the highest quality. If yellow bars are displayed, the signal is weak.
  • Page 354: Repeater Mode Configuration Example

    Configuration guidelines Note the following guidelines when you configure WDS: • Configure a neighbor MAC address for each radio interface (otherwise, WDS links may be set up between AP 2, AP 3, and AP 4). • Set the maximum number of WDS links allowed. The default value is 2. It must be set to 3 for AP 1...
  • Page 355 Figure 373 WDS setup page Click the icon in the Operation column of the target 802.11n (2.4GHz) radio mode. Select the Pass Phrase box and enter 12345678 in the Preshared Key field. Click Apply. Figure 374 WDS setup page Configure the working channel: Select Radio >...
  • Page 356 Figure 375 Configure the same channel Enable 802.11n (2.4GHz) radio (By default, 802.11n (2.4GHz) is enabled.). Select Radio > Radio from the navigation tree to enter the Radio page. Make sure 802.11n (2.4GHz) is enabled. Enable WDS: Select Wireless Service > WDS from the navigation tree. Select the box corresponding to 802.11n (2.4GHz).
  • Page 357 Figure 377 Configure the access service NOTE: When you configure access service on the repeater, make sure the radio mode of the repeater is the same as that of WDS. In this example, radio unit 2 in 802.11n(2.4GHz) mode is specified. Verifying the configuration The WDS link has been established for the repeater.
  • Page 358: Workgroup Bridge Mode Configuration Example

    Figure 379 The page displaying radio information Workgroup bridge mode configuration example Network requirements As shown in Figure 380, an AP working as a workgroup bridge accesses the wireless network as a client. The Ethernet interface of the workgroup bridge connects to multiple hosts or printers in the wired network, and the wired network is connected to the wireless network through the workgroup bridge.
  • Page 359 Select Wireless Service > Client Mode from the navigation tree. Click Connect Setup. On the page that appears, select the box corresponding to 802.11n (2.4GHz) and click Enable. Figure 381 Enable the client mode When the client mode is enabled, you can check the existing wireless services in the wireless service list. Figure 382 Check the wireless service list Connect the wireless service Click the Connect icon of the wireless service psk in the wireless service list...
  • Page 360 Figure 383 SET CODE Verifying the configuration On the AP shown in Figure 380, select Summary > Client from the navigation tree to enter the page shown in Figure 384, where you can verify that the workgroup bridge is online. Figure 384 Verify that the workgroup bridge is online • You can see that the client with MAC address 0014-6c8a-43ff and the workgroup bridge with MAC...
  • Page 361 NOTE: To configure VLAN information about the WLAN uplink interface of the workgroup bridge, make sure the VLAN ID of the WLAN uplink interface of the workgroup bridge is the same as the VLAN ID of the downlink Ethernet interface.
  • Page 362: Configuring Acl And Qos

    Configuring ACL and QoS NOTE: Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Overview Introduction to ACL An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
  • Page 363: Configuring An Acl

    QoS refers to the ability to provide improved service by solving the core issues such as delay, jitter, and packet loss ratio in the packet forwarding process. Traditional packet forwarding services On traditional IP networks, devices treat all packets equally and handle them using the first in first out (FIFO) policy.
  • Page 364: Adding A Time Range

    Step Remarks Configuring a rule for a basic IPv4 ACL Required. Configuring a rule for an advanced IPv4 ACL Complete one of the three steps according to the ACL Configuring a rule for an Ethernet frame header category. Recommended IPv6 ACL configuration procedure Step Remarks Optional.
  • Page 365: Adding An Ipv4 Acl

    Figure 386 Adding a time range Configure the time range information. Click Apply. Table 111 Configuration items Item Description Time Range Name Set the name for the time range. Start Time Set the start time of the periodic time range. Set the end time of the periodic time range.
  • Page 366: Configuring A Rule For A Basic Ipv4 Acl

    Click the Add tab to enter the IPv4 ACL adding page. Figure 387 Adding an IPv4 ACL Configure the IPv4 ACL information as described in Table 112. Click Apply. Table 112 Configuration items Item Description ACL Number Set the number of the IPv4 ACL. Set the match order of the ACL: •...
  • Page 367 Figure 388 Configuring a basic IPv4 ACL Configure a basic IPv4 ACL as described in Table 113. Click Add. Table 113 Configuration items Item Description Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs. Select the Rule ID option and enter a number for the rule.
  • Page 368: Configuring A Rule For An Advanced Ipv4 Acl

    Item Description Select this option to log matching IPv4 packets. A log entry contains the ACL rule number, action on the matching packets, protocol Check Logging that IP carries, source/destination address, source/destination port number, and number of matching packets. Source IP Address Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.
  • Page 369 Figure 389 Configuring an advanced IPv4 ACL Configure an advanced IPv4 ACL rule as described in Table 114. Click Add. Table 114 Configuration items Item Description Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
  • Page 370 Item Description Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. Rule ID IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
  • Page 371: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description Select this option to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from TCP Connection Established the Protocol list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
  • Page 372 Figure 390 Configuring a rule for an Ethernet frame header ACL Configure an Ethernet frame header IPv4 ACL rule as described in Table 115. Click Add. Table 115 Configuration items Item Description Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
  • Page 373: Adding An Ipv6 Acl

    Item Description Source MAC Select the Source MAC Address option and enter a source MAC address Address and wildcard. Source Mask Address Destination MAC Filter Select the Destination MAC Address option and enter a destination MAC Address address and wildcard. Destination Mask COS(802.1p priority) Specify the 802.1p priority for the rule.
  • Page 374: Configuring A Rule For A Basic Ipv6 Acl

    Figure 391 Adding an IPv6 ACL Configure the IPv6 ACL information as described in Table 116. Click Apply. Table 116 Configuration items Item Description Enter a number for the IPv6 ACL. ACL Number The value ranges of the ACL number vary by device. Select a match order for the ACL.
  • Page 375 Figure 392 Configuring a rule for a basic IPv6 ACL Configure the basic IPv6 ACL rule information as described in Table 117. Click Add. Table 117 Configuration items Item Description Select the basic IPv6 ACL for which you want to configure rules. Select Access Control List (ACL) Available ACLs are basic IPv6 ACLs.
  • Page 376: Configuring A Rule For An Advanced Ipv6 Acl

    Item Description Source IP Address Select the Source IP Address option and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of Source Prefix eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).
  • Page 377 Click Add. Table 118 Configuration items Item Description Select the advanced IPv6 ACL for which you want to configure rules. Select Access Control List (ACL) Available ACLs are advanced IPv6 ACLs. Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
  • Page 378: Configuring Priority Mapping

    Item Description Operation Select the operations and enter the source port numbers and destination port numbers as required. Port These items are available only when you select 6 TCP or 17 UDP from the To Port Protocol list. Operation Different operations have different configuration requirements for the port TCP/UDP number fields: Port...
  • Page 379 Figure 394 Configuring priority trust mode Configure the priority trust mode of the interfaces as described in Table 119. Click Apply. Table 119 Configuration items Item Description Select the type of the ports to be configured. The interface types Please select the interface type available for selection depend on your device model.
  • Page 380: Configuring A Qos Policy

    Item Description Specify the ports to be configured. (Select the ports) Click the ports to be configured in the port list. You can select one or more ports. Configuring a QoS policy A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing.
  • Page 381: Adding A Class

    Step Remarks Required. Associate a traffic behavior with a class in the QoS Configuring classifier-behavior associations for policy. the policy You can associate a class with only one traffic behavior in a QoS policy. If a class is associated with multiple traffic behaviors, the last associated one takes effect.
  • Page 382: Configuring Classification Rules

    Item Description Specify the logical relationship between rules of the classifier. • And—Specifies the relationship between the rules in a class as logic AND. The device considers a packet belongs to a class only when the packet matches all Operation the rules in the class.
  • Page 383 Figure 396 Configuring classification rules Configure classification rules as described in Table 121. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 121 Configuration items Item Description Please select a classifier...
  • Page 384 Item Description Define a rule to match DSCP values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. DSCP You can configure up to eight DSCP values each time. If multiple identical DSCP values are specified, the system considers them as one.
  • Page 385: Adding A Traffic Behavior

    Item Description Define a rule to match a source MAC address. If multiple such rules are configured for a class, the new configuration does not Source MAC overwrite the previous one. A rule to match a source MAC address is significant only to Ethernet interfaces. Define a rule to match a destination MAC address.
  • Page 386: Configuring Actions For A Traffic Behavior

    Figure 397 Adding a traffic behavior Configuring actions for a traffic behavior Select QoS > Behavior from the navigation tree. Click the Setup tab to enter the page for setting a traffic behavior.
  • Page 387 Figure 398 Setting a traffic behavior Configure the traffic behavior actions as described in Table 122. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 122 Configuration items Item Description...
  • Page 388 Item Description Enable/Disable Enable or disable CAR. Set the committed information rate (CIR), the average traffic rate. Set the committed burst size (CBS), number of bits that can be sent in each interval. Discard Set the action to perform for exceeding packets. After selecting the Red option, you can select one of the following options: Pass...
  • Page 389: Adding A Policy

    Item Description Configure the packet filtering action. After selecting the Filter option, select one item in the following list: Filter • Permit—Forwards the packet. • Deny—Drops the packet. • Not Set—Cancels the packet filtering action. Configure the traffic accounting action. Select the Accounting option and select Enable or Disable in the following list to enable/disable the traffic accounting action.
  • Page 390: Applying A Policy To A Port

    Figure 400 Setting a policy Configure classifier-behavior associations as described in Table 123. Click Apply. Table 123 Configuration items Item Description Please select a policy Select an existing policy in the list. Classifier Name Select an existing classifier in the list. Behavior Name Select an existing behavior in the list.
  • Page 391: Applying A Qos Policy To A Wireless Service

    Figure 401 Applying a policy to a port Select a policy and apply the policy to the specified ports as described in Table 124. Click Apply. Table 124 Configuration items Item Description Please select a policy Select an existing policy in the list. Set the direction in which you want to apply the policy: •...
  • Page 392 Figure 402 Service policy Click the icon for a wireless service to enter the service policy setup page. Figure 403 Service policy setup Apply the policy to the wireless service as described in Table 125. Click Apply. Table 125 Configuration items Item Remarks Wlan Service...
  • Page 393: Acl/Qos Configuration Example

    Item Remarks Inbound Policy Apply the QoS policy to the packets received by the wireless service. Outbound Policy Apply the QoS policy to the packets sent by the wireless service. Set the priority trust mode: • Untrust—Trusts the port priority. Trust Mode •...
  • Page 394 Figure 405 Defining a time range covering 8:00 to 18:00 every day Add an advanced IPv4 ACL: Select QoS > ACL IPv4 from the navigation tree. Click the Add tab. Enter the ACL number 3000. Click Apply.
  • Page 395 Figure 406 Adding an advanced IPv4 ACL Define an ACL rule for traffic to the FTP server: Click the Advanced Setup tab. Select 3000 in the ACL list. Select the Rule ID option, and enter rule ID 2. Select Permit in the Action list.
  • Page 396 Figure 407 Defining an ACL rule for traffic to the FTP server Add a class: Select QoS > Classifier from the navigation tree. Click the Add tab. Enter the class name class1. Click Add.
  • Page 397 Figure 408 Adding a class Define classification rules. Click the Setup tab. Select the class name class1 in the list. Select the ACL IPv4 option, and select ACL 3000 in the following list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 398 Figure 409 Defining classification rules Add a traffic behavior: Select QoS > Behavior from the navigation tree. Click the Add tab. Enter the behavior name behavior1. Click Add.
  • Page 399 Figure 410 Adding a traffic behavior Configure actions for the traffic behavior: Click the Setup tab. Select behavior1 in the list. Select the Filter option, and then select Deny in the following list. Click Apply. A progress dialog box appears. Click Close when the progress dialog box prompts that the configuration succeeds.
  • Page 400 Figure 411 Configuring actions for the behavior Add a policy: Select QoS > QoS Policy from the navigation tree. Click the Add tab. Enter the policy name policy1. Click Add.
  • Page 401 Figure 412 Adding a policy Configure classifier-behavior associations for the policy. Click the Setup tab. Select policy1. Select class1 in the Classifier Name list. Select behavior1 in the Behavior Name list. Click Apply. Figure 413 Configuring classifier-behavior associations for the policy Apply the QoS policy in the inbound direction of the wireless service named service1: Select QoS >...
  • Page 402: Verifying The Configuration

    Figure 414 Applying the QoS policy in the inbound direction of wireless service service1 Verifying the configuration After you complete these configurations, the QoS policy is applied to wireless service service1, and the wireless clients cannot access the FTP server at IP address 10.1.1.1 from 8:00 to 18:00 every day, but they can do that at any other time.
  • Page 403: Configuring Wireless Qos

    Configuring wireless QoS Overview An 802.11 network offers wireless access based on the carrier sense multiple access with collision avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel contention opportunities, and all applications carried on the WLAN use the same channel contention parameters.
  • Page 404: Wmm Protocol Overview

    WMM protocol overview The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. When the specified idle duration of the channel times out, APs or clients randomly select a backoff slot within the contention window to perform backoff.
  • Page 405: Enabling Wireless Qos

    To use a high-priority access category, a client must send a request to the AP. The AP returns a positive or negative response based on either of the following admission control policies: • Channel utilization-based admission policy—The AP calculates the total time that the existing...
  • Page 406: Setting The Svp Service

    Figure 416 Wireless QoS Select the option in front of the radio unit to be configured. Click Enable. By default, WMM is enabled. NOTE: The WMM protocol is the foundation of the 802.11n protocol. When the radio works in 802.11n (5 GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM.
  • Page 407: Setting Cac Admission Policy

    Configure SVP mapping as described in Table 126. Click Apply. Table 126 Configuration items Item Description Radio Displays the selected radio. Select the option before SVP Mapping, and then select an access category for the SVP service: • AC-VO. SVP Mapping •...
  • Page 408 By default, the QoS Service tab is displayed. Click the icon for the desired radio to enter the page for configuring wireless QoS. On the radio EDCA list, click the icon for the desired priority type (AC_BK, for example) to enter the page for setting radio EDCA parameters.
  • Page 409: Setting Edca Parameters For Wireless Clients

    Setting EDCA parameters for wireless clients Select QoS > Wireless QoS from the navigation tree. By default, the QoS Service tab is displayed. Click the icon for the desired radio to enter the page for configuring wireless QoS. On the client EDCA list, click the icon for the desired priority type (AC_BK, for example) to enter the page for setting client EDCA parameters.
  • Page 410: Displaying Radio Statistics

    • If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, H3C recommends the TXOPLimit parameters in Table 131. • Once you enable CAC for an access category, it is enabled automatically for all higher priority access...
  • Page 411 Field Description Radio chip max TXOPLimit Maximum TXOPLimit allowed by the radio chip. Radio chip max ECWmax Maximum ECWmax allowed by the radio chip. Number of clients that have been admitted to access the Client accepted radio, including the number of clients that have been admitted to access the AC-VO and the AC-VI queues.
  • Page 412: Displaying Client Statistics

    Displaying client statistics Select QoS > Wireless QoS from the navigation tree. Click the Client Statistics tab to enter the page displaying client statistics. Click a client name to see its details. Figure 423 Displaying client statistics Table 133 Field description Field Description MAC address...
  • Page 413: Setting Rate Limiting

    Field Description Downlink CAC packets Number of downlink CAC packets. Downlink CAC bytes Number of downlink CAC bytes. Downgrade packets Number of downgraded packets. Downgrade bytes Number of downgraded bytes. Discard packets Number of dropped packets. Discard bytes Number of dropped bytes. Setting rate limiting The WLAN provides limited bandwidth for each AP.
  • Page 414: Configuring The Bandwidth Guarantee Function

    Item Description Traffic direction, which can be: • Inbound—Traffic from clients to the AP. Direction • Outbound—Traffic from the AP to clients. • Both—Includes inbound traffic (traffic from clients to the AP) and outbound traffic (traffic from the AP to clients) Set a rate limiting mode, which can be: •...
  • Page 415: Setting Guaranteed Bandwidth

    Figure 425 Setting the reference radio bandwidth Set the reference radio bandwidth as described in Table 135. Click Apply. Table 135 Configuration items Item Description 802.11a Mode Set the reference radio bandwidth. 802.11b Mode IMPORTANT: 802.11g Mode Set the reference radio bandwidth slightly lower than the maximum available bandwidth. 802.11n Mode NOTE: After you set the reference radio bandwidth values, the new settings do not take effect for the radios with...
  • Page 416: Enabling Bandwidth Guarantee

    Figure 426 Setting guaranteed bandwidth Set the guaranteed bandwidth as described in Table 136. Click Apply. Table 136 Configuration items Item Description Allocate guaranteed bandwidth as a percentage of the radio bandwidth to each Guaranteed Bandwidth wireless service. The total guaranteed bandwidth cannot exceed 100% of the radio Percent (%) bandwidth.
  • Page 417: Displaying Guaranteed Bandwidth Settings

    Displaying guaranteed bandwidth settings Select QoS > Wireless QoS from the navigation tree. Click the Bandwidth Guarantee tab. Click the specified radio unit to view the wireless services bound to the radio unit and the guaranteed bandwidth setting for each wireless service. Figure 428 Displaying guaranteed bandwidth settings Wireless QoS configuration examples CAC service configuration example...
  • Page 418 Make sure that WMM is enabled. Figure 430 Wireless QoS configuration page Select the radio unit to be configured on the list and click the icon to enter the page for configuring wireless QoS. On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click icon to enter the page for setting client EDCA parameters.
  • Page 419: Static Rate Limiting Configuration Example

    maximum number of users allowed in high-priority access categories, which is 10 in this example, the request is allowed. The system decreases the priority of the packets from the clients exceeding the maximum number of high-priority clients. Static rate limiting configuration example Network requirements As shown in Figure...
  • Page 420: Dynamic Rate Limiting Configuration Example

    • Check that traffic from Client1 is rate limited to around 128 kbps, so is traffic from Client2. Dynamic rate limiting configuration example Network requirements As shown in Figure 435, clients access the WLAN through an SSID named service2. Configure all clients to share 8000 kbps of bandwidth in any direction. Figure 435 Network diagram Configuration procedure Configure the wireless service.
  • Page 421: Bandwidth Guarantee Configuration Example

    When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps. When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can each pass through at a rate as high as 4000 kbps. Bandwidth guarantee configuration example Network requirements As shown in...
  • Page 422 Figure 438 Setting the reference radio bandwidth Click the icon for 802.11a to enter the page for setting guaranteed bandwidth. Set the guaranteed bandwidth percent to 80 for wireless service research. Set the guaranteed bandwidth percent to 20 for wireless service office. Set the guaranteed bandwidth percent to 0 for wireless service entertain.
  • Page 423 Verifying the configuration • Send traffic from the AP to the three clients at a rate lower than 10000 kbps. The rate of traffic from the AP to the three clients is not limited. • Send traffic at a rate higher than 2000 kbps from the AP to Client 1 and at a rate higher than 8000 kbps from the AP to Client 2.
  • Page 424: Advanced Settings

    Advanced settings Advanced settings overview District code Radio frequencies for countries and regions vary based on country regulations. A district code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country code or area code for a WLAN device to meet the specific country regulations. Switching to fit AP mode An AP that supports the fat and fit AP modes can switch from fat to fit to cooperate with an AC or unified switch.
  • Page 425: Channel Busy Test

    Figure 442 Network diagram for uplink interface monitoring (a radio interface acts as the uplink interface) Channel busy test The channel busy test is a tool to test how busy a channel is. It tests channels currently supported by the district code one by one, and provides a busy rate for each channel.
  • Page 426: Configuring Wlan Advanced Settings

    Figure 443 Multicast data transmission when multicast optimization is enabled With multicast optimization enabled, the AP listens to the IGMP reports and leave messages sent by clients. When the AP receives an IGMP report, it adds or updates a multicast optimization entry and updates the multicast source addresses allowed by the client (for IGMPv3 and MLDv2 packets).
  • Page 427: Switching The Ap To Operate In Fit Ap Mode

    Figure 444 Setting a district code Configure a district code as described in Table 137. Click Apply. Table 137 Configuration items Item Description Select a district code. Country/Region Code Configure the valid district code for a WLAN device to meet the country regulations.
  • Page 428 Figure 446 Configuring continuous transmitting mode Click the icon corresponding to the target radio to enter the page for configuring transmission rate. The transmission rate varies with radio mode. When the radio mode is 802.11a/b/g, the page as shown in Figure 447 appears.
  • Page 429: Configuring Uplink Interface Monitoring

    Configuring uplink interface monitoring Select Advanced > Uplink Monitor from the navigation tree. Figure 449 Configuring uplink interface monitoring Configure uplink interface monitoring as described in Table 138. Table 138 Configuration items Item Description Interface Name Display the interfaces that can be configured as uplink interfaces. •...
  • Page 430: Configuring Band Navigation

    Figure 451 Testing channel busy rate Configure channel busy test as described in Table 139. Click Start. Table 139 Configuration items Item Description Radio Unit Display the radio unit of the AP. Radio Mode Display the radio mode of the AP. Set a time period in seconds within which a channel is tested.
  • Page 431 • The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services." • Band navigation is enabled for the AP. By default, band navigation is enabled for the AP...
  • Page 432: Configuring Multicast Optimization

    Item Description Maximum denial count of client association requests. If a client has been denied more than the maximum times on the 5 GHz radio, the AP Max Denial Count considers that the client is unable to associate to any other AP or the 2.4 GHz radio of the AP, and allows the 5 GHz radio to accept the client.
  • Page 433 Table 141 Configuration items Item Description Specify the aging time for multicast optimization entries. If the AP does not receive any Aging Time IGMP report from a client within the aging time, the AP removes the client from the multicast optimization entry. Specify the maximum number of clients supported by multicast optimization.
  • Page 434: Advanced Settings Configuration Examples

    Table 142 Field description Field Description Total number of clients served by multicast optimization. If a client joins multiple multicast groups, the client is counted as multiple clients. Total Clients For example, if a client has joined two multicast groups through a radio, the client is counted as two clients by multicast optimization.
  • Page 435 Configure wireless service: Select Wireless Service > Access Service from the navigation tree. Click Add. On the page that appears, set the service name to band-navigation, select the wireless service type Clear, and click Apply. Enable wireless service: Select Wireless Service > Access Service from the navigation tree. Set the band-navigation box.
  • Page 436: Multicast Optimization Configuration Example

    Figure 457 Configuring band navigation Verifying the configuration Client 1 and Client 2 are associated to the 5 GHz radio of the AP, and Client 4 can only be associated to the 2.4 GHz radio of the AP. Because the number of clients on the 5 GHz radio has reached the upper limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached the session gap 1, Client 3 will be associated to the 2.4 GHz radio of the AP.
  • Page 437 Click Apply. Select the target wireless service. Click Enable. Figure 459 Configuring multicast optimization Verifying the configuration Client 1 and Client 2 are associated with a radio of the AP. Because the number of clients on the radio has reached the upper limit 2, Client 3 cannot receive multicast packets.
  • Page 438: Wlan Security Configuration

    WLAN security configuration WLAN security overview 802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. To ensure security, the wireless intrusion detection system (WIDS) is introduced.
  • Page 439: Blacklist And White List

    At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged. Weak IV detection Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame.
  • Page 440: Displaying History Record

    Figure 460 Configuring WIDS Configure WIDS as described in Table 143. Click Apply. Table 143 Configuration items. Flood Attack Detect: If you select the box, flood attack detection is enabled. It is disabled by default. Spoof Attack Detect: If you select the box, spoofing attack detection is enabled.
  • Page 441: Configuring The Blacklist And White List Functions

    Figure 462 Displaying statistics Configuring the blacklist and white list functions Configuring dynamic blacklist Select Security > Filter from the navigation tree. You will enter the Blacklist tab. Figure 463 Configuring dynamic blacklist Configure the dynamic blacklist as described in Table 144.
  • Page 442: Configuring Static Blacklist

    NOTE: At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood, and NullData-Flood. Configuring static blacklist Select Security > Filter from the navigation tree. You will enter the Blacklist tab. Click the Static tab. Click Add Static.
  • Page 443 Figure 465 Configuring white list Add a white list as described in Table 146. Click Apply. Table 146 Configuration items Item Description MAC Address Select MAC Address and then add a MAC address to the white list. Select Current Connect If you select the box, the table below lists the current existing clients.
  • Page 444: User Isolation

    User isolation If an AP has the user isolation feature enabled, clients associated with it are isolated at Layer 2. As shown in Figure 466, after user isolation is enabled on the AP, all the clients cannot ping each other or learn each other's MAC or IP addresses, because they cannot exchange Layer 2 packets.
