
  • Slides: 108
Wireless Controller Configuration Basics
June 3, 2014
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Preparation

Basic equipment
§ Controller: 4400 or 2100 series
§ AP: 1130 or 1240 series
§ Switch: preferably a 3560 PoE switch

2100 Series Wireless LAN Controller
§ Supports 802.11 a/b/g/n
§ Supports PCI certification
§ WLC 2100 hardware: 8 FE ports (2 uplink ports, 6 downlink ports), of which 2 FE ports provide Power over Ethernet
§ Unused ports: 2 USB ports and one expansion slot are reserved for future expansion
AIR-WLC2125-K9: 2100 Series WLAN Controller for up to 25 Lightweight APs, $18,890
AIR-WLC2112-K9: 2100 Series WLAN Controller for up to 12 Lightweight APs, $10,070
AIR-WLC2106-K9: 2100 Series WLAN Controller for up to 6 Lightweight APs, $4,875
* The 2106 and 2006 cannot act as the anchor controller for guest access
* Link Aggregation is not supported
* AP capacity cannot be upgraded through software

4400 Series Wireless LAN Controller (44xx WLAN Controller)
§ 1 RU high, with 2 or 4 Gigabit uplink ports
§ Supports 12, 25, 50 or 100 APs
§ Supports a 5000-entry MAC address forwarding table
§ 10/100Base-TX Ethernet service port
§ 9-pin serial console port
§ 2 expansion slots and 1 utility port, currently unused
§ 2 hot-swappable power supply slots
§ Model 4402 supports 12, 25 and 50 APs
§ Model 4404 supports 100 APs
* AP capacity cannot be upgraded through software
* The 4400 series uses SFP fiber modules
* The 4400 series supports 50 APs per port

Lab topology example
[Diagram labels: TRUNK, VLAN 1, fa0/1, port 1, VLAN 1/20/30/40, PC / AAA server, WLC, SSID: VLAN 20, SSID: VLAN 30]
Notes:
1. VLAN 1 connects the controller, the APs and the ACS.
2. VLAN 20 is used for WPA/WPA2 authentication, with ACS as the authentication server.
3. VLAN 30 is used for OPEN/WEP/GUEST client access.
4. VLAN 40 is used for WPA/WPA2 authentication, with local EAP.
All layer-3 gateways are configured on the layer-3 switch, at host address 254.

Boot options
The controller boot sequence will always have these options available, since this is set in PROM to ensure controller recovery options.
Press 5 to clear the configuration.

System startup screen and configuration (OS 5.1)
Would you like to terminate autoinstall? [yes]:
System Name [Cisco_51:2b:60] (31 characters max): 2106-demo
AUTO-INSTALL: process terminated -- no configuration loaded
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (24 characters max): cisco
Re-enter Administrative Password : cisco
Management Interface IP Address: 192.168.10.1
Management Interface Netmask: 255.0
Management Interface Default Router: 192.168.10.254
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 8]: 1
Management Interface DHCP Server IP Address: 192.168.10.254
AP Manager Interface IP Address: 192.168.10.2
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (192.168.10.254):
Virtual Gateway IP Address: 1.1
Mobility/RF Group Name: demo

System startup screen (continued)
Enable Symmetric Mobility Tunneling [yes][NO]: yes
Network Name (SSID): open
Allow Static IP Addresses [YES][no]:
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]: CN
Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]:
Enter the date in MM/DD/YY format: 09/28/08
Enter the time in HH:MM:SS format: 17:11:00
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...
Very important: the controller's wireless domain must match the AP's.

Configuring the layer-3 switch
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.2
!
ip dhcp pool AP
 network 192.168.10.0 255.0
 default-router 192.168.10.254
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
……
interface Vlan1
 ip address 192.168.10.254 255.0
!
interface Vlan20
 ip address 192.168.20.254 255.0
!
interface Vlan30
 ip address 192.168.30.254 255.0
!
interface Vlan40
 ip address 192.168.40.254 255.0
……
line vty 0 4
 privilege level 15
 password cisco
 login

Configuring web access
1. Using a straight-through cable, connect the switch trunk port to controller port 1.
2. Set the PC's IP address to 192.168.100/24 or use DHCP, with gateway 192.168.10.254.
3. Test whether the PC can ping the controller address: 192.168.10.1.
4. Access the controller at https://192.168.10.1. To enable HTTP access, it has to be turned on in the system.

Web access using the IE browser

To upgrade the controller system software
§ Recommended TFTP server: tftpd32
§ tftpd32.jounin.net
§ Supports transfers of files larger than 64 MB

Downloading the new release from CCO
Release with indoor and outdoor mesh support
General release with 802.11n and other new features
http://www.cisco.com/kobayashi/sw-center/sw-wireless.shtml

Upgrade Path to Controller Software Release 5.0.148.0 or above
Current Software Release | Upgrade Path to 5.0.148.0 Software
3.2.78.0 or later 3.2 release | Upgrade to a 4.1 release before upgrading to 5.0.148.0.
4.0.155.5 or later 4.0 release | Upgrade to a 4.1 or 4.2 release before upgrading to 5.0.148.0.
4.1.171.0 or later 4.1 release | You can upgrade directly to 5.0.148.0.
4.2.61.0 or later 4.2 release | You can upgrade directly to 5.0.148.0.
Note: because the configuration storage format differs, some of the existing configuration may be lost after upgrading from 3.x-4.x to 5.x.

Upgrade Path to Controller Software Release 4.1.171.0
Current Software Release | Upgrade Path to 4.1.171.0 Software
3.2.78.0 | Upgrade to 4.0.206.0 or a later 4.0 release before upgrading to 4.1.171.0.
3.2.116.21, 3.2.150.10, 3.2.171.6, 3.2.193.5 | If your controller is configured with the new J3 country code, upgrade to 3.2.195.10 or a later 3.2 release. If your controller is not configured for the new J3 country code, you can upgrade to 3.2.195.10 or a later 3.2 release or to 4.0.206.0 or a later 4.0 release.
3.2.195.10 or later 3.2 release | You can upgrade directly to 4.1.171.0.
4.0.155.5, 4.0.179.11 | Upgrade to 4.0.206.0 or a later 4.0 release before upgrading to 4.1.171.0.
4.0.206.0 or later 4.0 release | You can upgrade directly to 4.1.171.0.

Controller software upgrade: command-line method
§ Step 1. ping server-ip-address (tests connectivity between the controller and the TFTP server)
§ Step 2. transfer download mode tftp (sets the transfer protocol: tftp)
§ Step 3. transfer download datatype code (sets the type of data to transfer)
§ Step 4. transfer download serverip server-ip-address (specifies the IP address of the TFTP server)
§ Step 5. transfer download filename (specifies the image file name)
§ Step 6. transfer download start (starts the file transfer; answering No at the confirmation prompt displays the TFTP parameter settings)
§ Step 7. reset system (restarts the WLC)
Note: tftpd32 is the recommended TFTP server software. It can be downloaded free of charge online and supports transfers of large files over 64 MB.

Controller software upgrade: graphical interface
Set up the TFTP software on the PC. Enter the TFTP address and the file name, then click the download button on the right to start. When it completes, reboot as prompted.

Getting familiar with the wireless controller: the controller configuration interface

Command line (CLI): basic commands

Command line (CLI): "clear" commands

Command line (CLI): "config" commands …… and more

Command line (CLI): "debug" command

Command line (CLI): "help" commands

Command line (CLI): "show" commands

Command line (CLI): "transfer" commands

Web access using the IE browser

Viewing and configuring wireless network SSIDs on the controller

Controller configuration page
§ Configure interfaces
§ Configure the controller as a DHCP server
§ Define wireless groups
§ View and configure ports

Interface configuration page

Setting up the controller as a DHCP server

Defining a mobility group

Port settings page

With multiple controllers, designate the master controller

Click WIRELESS / All APs

Security page
§ RADIUS server configuration
§ Local user database
§ MAC address filtering
§ Local EAP
§ Web authentication settings

Management page
Define the administrative users who are allowed to manage the controller

Controller maintenance page
§ Upload and download of system and configuration files
§ Controller soft reboot

AP radio module configuration page

AP transmit power adjustment (AP 1131)
§ Tx Power
§ Num Of Supported Power Levels ... 6
§ Tx Power Level 1 ... 14 dBm
§ Tx Power Level 2 ... 11 dBm
§ Tx Power Level 3 ... 8 dBm
§ Tx Power Level 4 ... 5 dBm
§ Tx Power Level 5 ... 2 dBm
§ Tx Power Level 6 ... -1 dBm
On the AP 1242, level 1 is 17 dBm

HA enhancements in release 5.1
§ Failover level
§ Global HA configuration

Connecting APs to the controller

How ports, VLANs and interfaces map to each other on the controller
§ Interfaces that must be configured on the controller:
  In-band management interface: "Management Interface"
  LWAPP tunnel termination interface: "AP Manager Interface"
  Bridged wireless client interfaces: "Dynamic Interfaces"
  Virtual interface for layer-2 and layer-3 roaming: "Virtual Interface"
§ Optional interface: the service interface (out-of-band management)
* The 2100 series and the WLCM have no service port

Confirm that the controller's country setting matches the AP's
The current release supports multiple countries at the same time

Confirm that the time is configured correctly

Configuring DHCP on a router or layer-3 switch
When the AP and the controller are not on the same subnet, create an address pool from which the AP can obtain an IP address, and add Option 43.
WLC-router(config)#ip dhcp pool LWAPP-AP
WLC-router(dhcp-config)#network 192.168.10.0 255.0
WLC-router(dhcp-config)#default-router 192.168.0.254
WLC-router(dhcp-config)#option 43 ascii "192.168.10.1"
// Very important! Option 43 lets an AP that obtains an IP address on a different subnet from the controller learn where the controller is. If the AP and the controller are in the same subnet and broadcast domain, Option 43 does not need to be configured.
WLC-router(dhcp-config)#exit
WLC-router(config)#ip dhcp excluded-address 192.168.0.254

Configuring Option 43 on an IOS device
§ For the 1000/1500 series, write it directly: option 43 ascii "192.168.10.5,192.168.10.20"
§ For the 1100 and 1200, both option 60 and option 43 are required
§ Suppose a 1240 is to be connected and the controller addresses are 192.168.10.5 and 192.168.10.20:
ip dhcp pool AP
 network 192.168.10.0 /24
 default-router 192.168.10.254
 dns-server 192.168.100
 option 60 ascii "Cisco AP c1240"
 option 43 hex f108c0a80a05c0a80a14
Type = f1; length = 2 x 4 = 08; c0a80a05 = 192.168.10.5; c0a80a14 = 192.168.10.20
The VCI string for the 1130 is "Cisco AP c1130"
For details on configuring option 43, see http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml
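The type/length/value layout on this slide can be built and checked programmatically. The following is an added example, not part of the original deck: it encodes and decodes the option 43 hex value and audits a DHCP pool so that only known controllers are advertised to APs. The function names and the sample pool text are assumptions made for illustration.

```python
import ipaddress
import re

WLC_SUBOPTION_TYPE = 0xF1  # "type = f1" on the slide


def encode_option43(controllers):
    """Build the value for 'option 43 hex <value>' from controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(value) > 255:
        raise ValueError("value does not fit the one-byte length field")
    return (bytes([WLC_SUBOPTION_TYPE, len(value)]) + value).hex()


def decode_option43(hex_value):
    """Parse an option 43 hex value into controller addresses, rejecting malformed input."""
    cleaned = hex_value.replace(".", "").replace(" ", "")  # tolerate dotted groups
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("not a hex string: %r" % hex_value) from None
    if len(raw) < 2:
        raise ValueError("too short to hold a type and a length byte")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION_TYPE:
        raise ValueError("unexpected type 0x%02x" % sub_type)
    if length != len(value):
        raise ValueError("length byte says %d, value has %d bytes" % (length, len(value)))
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4 (one IPv4 address each)")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def audit_pool(config_text, allowed_controllers):
    """Return findings for a DHCP pool: malformed option 43, unknown controllers, missing option 60."""
    match = re.search(r"^\s*option 43 hex (\S+)", config_text, re.M)
    if not match:
        return ["no 'option 43 hex' line found"]
    try:
        advertised = decode_option43(match.group(1))
    except ValueError as exc:
        return ["malformed option 43: %s" % exc]
    findings = [
        "option 43 advertises unexpected controller %s" % ip
        for ip in advertised
        if ip not in allowed_controllers
    ]
    if not re.search(r'^\s*option 60 ascii\s+"Cisco AP c\d+', config_text, re.M):
        findings.append("option 60 VCI string missing (needed for 1100/1200 series APs)")
    return findings


# Constructed sample, using the values shown on the slide.
SAMPLE_POOL = """\
ip dhcp pool AP
 network 192.168.10.0 /24
 default-router 192.168.10.254
 option 60 ascii "Cisco AP c1240"
 option 43 hex f108c0a80a05c0a80a14
"""

if __name__ == "__main__":
    print(encode_option43(["192.168.10.5", "192.168.10.20"]))
    print(decode_option43("f108c0a80a05c0a80a14"))
    print(audit_pool(SAMPLE_POOL, {"192.168.10.5"}))
```

Running the audit against the pool an AP actually receives its lease from shows whether Option 43 points only at controllers you operate.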

You can enable debug on the console to watch the AP join process
(Cisco Controller) >debug lwapp events enable
(Cisco Controller) >*Oct 04 19:20:19.154: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:60 on port '8'
*Oct 04 19:20:19.154: Received a packet which is a (type = DISCOVERY_REQUEST) with session id 0
*Oct 04 19:20:19.154: Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6, joined Aps =0
*Oct 04 19:20:19.155: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to ff:ff:ff:ff on port '8'
*Oct 04 19:20:19.156: Received a packet which is a (type = DISCOVERY_REQUEST) with session id 0
*Oct 04 19:20:19.156: Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6, joined Aps =0
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:31.162: 00:1a:e3:d0:19:50 Received LWAPP JOIN REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67 on port '8'
*Oct 04 19:20:31.162: Received a packet which is a (type = JOIN_REQUEST) with session id 0
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 AP AP001b.5302.28f8: txNonce 00:1E:13:51:2B:60 rxNonce 00:1A:E3:D0:19:50
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 LWAPP Join Request MTU path from AP 00:1a:e3:d0:19:50 is 1500, remote debug mode is 0
*Oct 04 19:20:31.177: DTL Adding AP 1 - 192.168.10
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 Successfully added NPU Entry for AP 00:1a:e3:d0:19:50 (index 1)
Switch IP: 192.168.10.2, Switch Port: 12223, intIfNum 8, vlanId 0 AP IP: 192.168.10, AP Port: 8847, nex
*Oct 04 19:20:31.911: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Join Reply to AP 00:1a:e3:d0:19:50
*Oct 04 19:20:31.912: 00:1a:e3:d0:19:50 spam_lrad.c:1589 - Operation State 0 ===> 4
*Oct 04 19:20:31.913: 00:1a:e3:d0:19:50 Register LWAPP event for AP 00:1a:e3:d0:19:50 slot 0
*Oct 04 19:20:31.914: 00:1a:e3:d0:19:50 Register LWAPP event for AP 00:1a:e3:d0:19:50 slot 1
*Oct 04 19:20:33.192: 00:1a:e3:d0:19:50 Received LWAPP CONFIGURE REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67
*Oct 04 19:20:33.194: 00:1a:e3:d0:19:50 Updating IP info for AP 00:1a:e3:d0:19:50 -- static 0, 192.168.10/255.0, gtw 192.168.10.254
*Oct 04 19:20:33.194: 00:1a:e3:d0:19:50 Updating IP 192.168.10 ===> 192.168.10 for AP 00:1a:e3:d0:19:50
*Oct 04 19:20:33.194: 00:1b:53:02:28:f8 Building Config Response Msg for 00:1b:53:02:28:f8
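The debug output above follows a fixed sequence per AP: discovery request, discovery response, join request, join reply, configure request. The following is an added example, not part of the original deck: it reads `debug lwapp events` lines, records how far each AP got, and lists APs that were discovered but never received a Join Reply. The function names are assumptions, and the second AP in the sample (00:11:22:33:44:55) is constructed.

```python
import re

# Ordered join stages, matched against the message text shown on the slide.
STAGES = [
    ("discovery_request", re.compile(r"Received LWAPP DISCOVERY REQUEST from AP")),
    ("discovery_response", re.compile(r"Successful transmission of LWAPP Discovery Response to AP")),
    ("join_request", re.compile(r"Received LWAPP JOIN REQUEST from AP")),
    ("join_reply", re.compile(r"Successful transmission of LWAPP Join Reply to AP")),
    ("configure_request", re.compile(r"Received LWAPP CONFIGURE REQUEST from AP")),
]
STAGE_NAMES = [name for name, _ in STAGES]

# "*Oct 04 19:20:19.154: <AP MAC> <message>"; a CLI prompt may precede the asterisk.
LINE = re.compile(
    r"\*(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$",
    re.I,
)


def track_joins(lines):
    """Return {ap_mac: {stage, first_seen, last_seen, discovery_requests}} from debug lines."""
    aps = {}
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            continue  # lines without an AP MAC prefix carry no per-AP state
        for idx, (name, pattern) in enumerate(STAGES):
            if not pattern.search(m["msg"]):
                continue
            ap = aps.setdefault(m["mac"].lower(), {
                "stage": -1, "first_seen": m["ts"],
                "last_seen": m["ts"], "discovery_requests": 0,
            })
            ap["stage"] = max(ap["stage"], idx)  # keep the furthest stage reached
            ap["last_seen"] = m["ts"]
            if name == "discovery_request":
                ap["discovery_requests"] += 1
            break
    return {mac: dict(ap, stage=STAGE_NAMES[ap["stage"]]) for mac, ap in aps.items()}


def stalled_aps(aps):
    """APs that were seen discovering but never got as far as a Join Reply."""
    limit = STAGE_NAMES.index("join_reply")
    return sorted(mac for mac, ap in aps.items() if STAGE_NAMES.index(ap["stage"]) < limit)


# Abridged from the slide's output, plus a constructed AP that only ever discovers.
SAMPLE_LOG = """\
(Cisco Controller) >*Oct 04 19:20:19.154: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:60 on port '8'
*Oct 04 19:20:19.154: Received a packet which is a (type = DISCOVERY_REQUEST) with session id 0
*Oct 04 19:20:19.155: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:60 on port '8'
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:25.010: 00:11:22:33:44:55 Received LWAPP DISCOVERY REQUEST from AP 00:11:22:33:44:55 to 00:1e:13:51:2b:60 on port '8'
*Oct 04 19:20:25.011: 00:11:22:33:44:55 Successful transmission of LWAPP Discovery Response to AP 00:11:22:33:44:55 on port 8
*Oct 04 19:20:31.162: 00:1a:e3:d0:19:50 Received LWAPP JOIN REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67 on port '8'
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 LWAPP Join Request MTU path from AP 00:1a:e3:d0:19:50 is 1500, remote debug mode is 0
*Oct 04 19:20:31.911: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Join Reply to AP 00:1a:e3:d0:19:50
*Oct 04 19:20:33.192: 00:1a:e3:d0:19:50 Received LWAPP CONFIGURE REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67
"""

if __name__ == "__main__":
    state = track_joins(SAMPLE_LOG.splitlines())
    for mac, ap in sorted(state.items()):
        print(mac, ap["stage"], ap["first_seen"], ap["last_seen"])
    print("stalled:", stalled_aps(state))
```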

Confirming that the AP has joined the controller
§ Graphical interface
§ Command line

The CSSC wireless client

802.11 wireless client overview
Columns: WLAN feature, Microsoft, Cisco ACU/ADU, CSSC
Multiple WLAN profiles (different SSIDs, different security policies): Yes
Active Probe (hidden SSID support): Yes Yes
Deployment tools: Yes No Yes
WPA/WPA2: Yes Partial
WPA2 PMK caching: Yes Partial
EAP-FAST: Yes No Partial
WPA-PSK: Yes Partial
Static WEP (40/128 bit): Yes Yes
NAC/CTA (network admission control support): Yes No No

Installing the Cisco SSC client software

Simple CSSC connection settings

Building an OPEN and a WEP wireless network

Basic steps for configuring a wireless service
§ Configure a DHCP server for the wireless clients
§ Configure a wireless network interface (dynamic interface)
§ Configure a wireless service (WLAN)

1. Create a DHCP server for the clients

2. Create a wireless interface for the wireless clients
Click APPLY

2. Create the guest wireless interface: VLAN 20

Viewing the created interface
§ Click to modify the parameters of the VLAN 20 interface
§ Click to delete
§ To create more interfaces, click NEW again to set up a new interface

3. Create an open guest WLAN

3. Create an open guest WLAN
Very important! Easily forgotten

3. Create an open guest WLAN
Select None: no encryption or restriction is applied to the wireless network

WLAN enhanced feature configuration

Wireless client connection test

Changing the WLAN just created to WEP encryption
§ 40-bit WEP requires a 5-character ASCII key
§ 104-bit WEP requires a 13-character ASCII key
§ Cisco Aironet 1100/1200/1300 do not support 128-bit WEP

Wireless connection verification

Building a wireless access network with simple web authentication

1. Create an address pool for web-authentication users

2. Add a VLAN 30 interface on the controller

3. Configure the local page for web authentication

4. Create a new WLAN

4. Create a new WLAN

5. Define the internal authentication user database

Verifying web authentication
As before, in CSSC's Manage Network, select and activate webauth

Verifying web-page authentication
§ In the browser, enter an address such as http://10.10.10 (there is no DNS, so a hostname cannot be entered)

Verifying web-page authentication

Building a wireless access network with local EAP authentication

Building a network that supports WPA authentication
1. Add a new address pool
2. Add a new dynamic interface
3. Add local EAP support or an AAA server (RADIUS server)
4. Create a new WLAN SSID
5. Configure WPA/WPA2 authentication
6. Set up the CSSC client software

1. Create a new address pool

2. Add a VLAN 40 interface on the controller

3. Add local EAP support

3. Local EAP profile configuration

4. Create a new WLAN

4. Create a new WLAN

5. Configure WPA/WPA2

5. Configure local EAP authentication support

6. Set up the CSSC software and add the SSID

Building a wireless access network that uses ACS for AAA authentication

ACS configuration terminology
Posture
§ ACS – Access Control Server
§ NAP – Network Access Profile
§ NAF – Network Access Filter
§ NAD – Network Access Device
§ NDG – Network Device Group
§ PA – Posture Agent
§ PV – Posture Validation
§ RAC – Radius Authorization Component
§ DACL – Dynamic Access Control List
§ ADF – Attribute Definition File

Logical relationships among the ACS components
[Diagram labels: NAD + AAA make up an NDG; Internal DB or External DB make up the Authentication DB; NAF; Authentication; Global Auth Setup; NAP (associated); Posture Validation: Internal Posture Validation, External Posture Validation, Audit (referenced), Rule 1 / Policy 1 ... Rule N / Policy N; Authorization: RAC, DACL; "check posture after authentication"; "after checking posture, instruct the device on its configuration"; "downloaded to the device"; Switches, Routers, VPN GW, FW]

Adding a RADIUS server
Security - AAA - RADIUS Authentication

EAP Authentication
Cisco's adaptive WPA or WPA2

EAP Authentication
Configure RADIUS

ACS configuration: adding an AAA client
Add an AAA client

ACS configuration: adding an AAA server

ACS configuration: the AAA clients and servers displayed

ACS configuration: generating a certificate

ACS configuration: parameters that AAA can return
Configure the parameters that AAA needs to return

ACS configuration: selecting the EAP types

ACS configuration: EAP-FAST configuration
Do not select this

ACS configuration: adding a group

ACS configuration: adding a user to the group

EAP Authentication: Funk software on PC
PEAP PC-side configuration
Do not select

Configuring CSSC