
Page 1: H3C Access Controllers

H3C Access Controllers WLAN Roaming Configuration Guide

New H3C Technologies Co., Ltd. http://www.h3c.com Document version: 6W104-20210413 Product version: R5426P02


Copyright © 2021, New H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Trademarks

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

Notice

The information in this document is subject to change without notice. All contents in this document, including statements, information, and recommendations, are believed to be accurate, but they are presented without warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions contained herein.

Preface

The access controllers documentation set describes the software features for the access controllers and guides you through the software configuration procedures. These guides also provide configuration examples to help you apply software features to different network scenarios.

The WLAN Roaming Configuration Guide describes WLAN roaming, WLAN roaming center, and 802.11r configurations.

This preface includes the following topics about the documentation:
• Audience.
• Conventions.
• Documentation feedback.

Audience

This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the H3C access controllers.

Conventions

The following information describes the conventions used in the documentation.

Command conventions

Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] *   Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention          Description
Boldface            Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.

Represents an access point.

Represents a wireless terminator unit.

Represents a wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.

Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.


Examples provided in this document

Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.

Documentation feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.


Contents

Configuring WLAN roaming ... 1
  About WLAN roaming ... 1
    Terminology ... 1
    IADTP tunnel establishment ... 1
    WLAN roaming mechanism ... 2
  Restrictions and guidelines: WLAN roaming configuration ... 3
  WLAN roaming tasks at a glance ... 3
  Creating a mobility group ... 4
  Setting an authentication mode for IADTP control messages ... 4
  Specifying an IP address type for IADTP tunnels ... 5
  Specifying the source IP address for establishing IADTP tunnels ... 5
  Setting the DSCP value for IADTP keepalive packets ... 5
  Adding a mobility group member ... 6
    Manually adding a mobility group member ... 6
    Enabling automatic group member discovery ... 7
  Specifying the mobility group member role of a device ... 7
  Disabling IADTP data tunnels ... 8
  Enabling roaming relay ... 8
  Enabling a mobility group ... 9
  Enabling tunnel isolation for mobility groups ... 9
  Enabling SNMP notifications for WLAN roaming ... 9
  Display and maintenance commands for WLAN roaming ... 10
  WLAN roaming configuration examples ... 10
    Example: Configuring intra-AC roaming ... 10
    Example: Configuring inter-AC roaming ... 14

Configuring WLAN roaming

About WLAN roaming

WLAN roaming enables clients to seamlessly roam among APs in an ESS while retaining their IP address and authorization information during the roaming process.

Terminology

• Inter Access Device Tunneling Protocol—IADTP is an H3C-proprietary protocol that provides a generic packet encapsulation and transport mechanism for devices to securely communicate with each other. Devices that provide roaming services establish an IADTP tunnel with each other to exchange control messages and client information.
• Home AC—An HA is an AC that manages the AP with which a wireless client associates for the first time.
• Foreign AC—An FA is an AC with which a client associates after inter-AC roaming.
• Mobility group—A group that contains multiple member devices among which clients can roam.

IADTP tunnel establishment

A device in a mobility group can act as a client to initiate connection requests or act as a server to listen for and respond to the connection requests.

Figure 1 Establishing an IADTP tunnel

As shown in Figure 1, two devices establish an IADTP tunnel by using the following procedure:
1. Device A sends a join request to Device B.
2. Upon receiving the join request, Device B uses the local configuration and packet content to identify whether Device A is in the same mobility group.
   ○ If they are in the same mobility group, Device B returns a join response with a result code representing success.
   ○ If they are in different mobility groups, Device B returns a join response with a result code representing failure.
3. Upon receiving the join response, Device A examines the result code in the response.
   ○ If the result code represents failure, Device A does not return any packets.
   ○ If the result code represents success, Device A sends a join confirm to Device B.
4. Upon receiving the join confirm, Device B establishes an IADTP tunnel with Device A.

[Figure 1 shows Device A and Device B exchanging Join Request, Join Response, and Join Confirm messages, after which the IADTP Tunnel is established.]
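The three-message exchange above, modeled as an added example (this is not H3C code; the message fields, the result-code values, and the rule the responder uses to decide "same mobility group" are assumptions made for the illustration). The point it makes is the one the procedure makes: the responder alone decides from its local configuration, and the initiator sends a join confirm, and records a tunnel, only when the result code reports success.

```python
"""Model of the IADTP join handshake described in Figure 1.

Added illustration, not H3C code.  Message layout, result codes and the
membership test (group name matches and the peer address is a configured
member) are assumptions for this example.
"""
from dataclasses import dataclass, field

SUCCESS = 0      # assumed result-code values
FAILURE = 1


@dataclass
class Device:
    name: str
    ip: str
    group: str                                  # the one mobility group on the device
    members: set = field(default_factory=set)   # peer IPs configured as members
    tunnels: set = field(default_factory=set)   # peers with an established tunnel

    # --- responder side (Device B in the text) ---
    def on_join_request(self, req: dict) -> dict:
        """Step 2: compare the request with local configuration."""
        same_group = req["group"] == self.group and req["src_ip"] in self.members
        code = SUCCESS if same_group else FAILURE
        return {"type": "join_response", "src_ip": self.ip, "result": code}

    def on_join_confirm(self, confirm: dict) -> None:
        """Step 4: the responder brings the tunnel up only on the confirm."""
        self.tunnels.add(confirm["src_ip"])

    # --- initiator side (Device A in the text) ---
    def join_request(self) -> dict:
        return {"type": "join_request", "src_ip": self.ip, "group": self.group}

    def on_join_response(self, resp: dict):
        """Step 3: confirm on success, send nothing on failure."""
        if resp["result"] != SUCCESS:
            return None
        self.tunnels.add(resp["src_ip"])
        return {"type": "join_confirm", "src_ip": self.ip}


def establish_tunnel(a: Device, b: Device) -> list:
    """Run the exchange from A to B and return every message that was sent."""
    trace = []
    req = a.join_request()
    trace.append(req)
    resp = b.on_join_request(req)
    trace.append(resp)
    confirm = a.on_join_response(resp)
    if confirm is not None:
        trace.append(confirm)
        b.on_join_confirm(confirm)
    return trace


def tunnel_up(a: Device, b: Device) -> bool:
    """True only when both sides have recorded the tunnel."""
    return b.ip in a.tunnels and a.ip in b.tunnels


if __name__ == "__main__":
    # Constructed devices; the addresses are the ones used in the guide's example.
    ac1 = Device("AC1", "10.1.4.22", "office", members={"10.1.4.23"})
    ac2 = Device("AC2", "10.1.4.23", "office", members={"10.1.4.22"})
    print([m["type"] for m in establish_tunnel(ac1, ac2)], tunnel_up(ac1, ac2))
    stranger = Device("AC3", "10.1.4.24", "lab", members={"10.1.4.22"})
    print([m["type"] for m in establish_tunnel(stranger, ac1)], tunnel_up(stranger, ac1))
```

The second run shows the failure branch: a device from a different mobility group gets a join response carrying the failure code, never sends a join confirm, and neither side records a tunnel.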

WLAN roaming mechanism

Clients can roam between devices in the same mobility group.

Intra-AC roaming

Intra-AC roaming enables clients to roam among APs that are managed by the same AC.

Figure 2 Intra-AC roaming

As shown in Figure 2, intra-AC roaming uses the following procedure:
1. The client comes online from AP 1, and the AC creates a roaming entry for the client.
2. The client roams to AP 2. The AC examines the roaming entry for the client and determines whether to perform fast roaming. If the client uses RSN + 802.1X authentication and carries the same PMKID as the AC, fast roaming is used, and the client can associate with AP 2 without reauthentication. Otherwise, the client must be reauthenticated before associating with AP 2.

Inter-AC roaming

Inter-AC roaming enables clients to roam among APs that are managed by different ACs. These ACs must be in the same mobility group and have established an IADTP tunnel with each other.

[Figure 2 shows one AC managing AP 1 and AP 2, with the client roaming between the two APs.]

Figure 3 Inter-AC roaming

As shown in Figure 3, inter-AC roaming uses the following procedure:
1. The client comes online from AP 2. AC 1 creates a roaming entry for the client and sends the information to AC 2 through the IADTP tunnel.
2. The client roams to AP 3. AC 2 examines the roaming entry for the client and determines whether to perform fast roaming. If the client uses RSN + 802.1X authentication and carries the same PMKID as the AC, fast roaming is used, and the client can associate with AP 3 without reauthentication. Otherwise, the client must be reauthenticated before associating with AP 3.
3. The client associates with AP 3. AC 2 sends a roaming request to AC 1.
4. AC 1 verifies the roaming request and performs either of the following operations:
   ○ Sends a roaming response that indicates roaming failure to AC 2 if the request is invalid. AC 2 logs off the client.
   ○ Saves the roaming trace and roam-out information and sends a roaming response that indicates roaming success to AC 2 if the request is valid. AC 2 saves roaming-in information for the client.
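The intra-AC and inter-AC decisions above, as an added example (not H3C code). The roaming-entry fields, the way the entry is shared with tunnel peers, and the validity rule the HA applies to a roaming request are assumptions; the decisions follow the text: fast roaming only for an RSN + 802.1X client whose PMKID matches the cached entry, reauthentication otherwise, roam-out saved on the HA and roam-in on the FA when the HA accepts the request, and the client logged off by the FA when it does not.

```python
"""Roaming decision logic from the intra-AC and inter-AC procedures.

Added example, not H3C code.  Entry fields, the shared entry table and the
HA's validity rule are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RoamEntry:
    mac: str
    home_ac: str           # HA: the AC whose AP the client first associated with
    auth: str              # "rsn-802.1x" for RSN + 802.1X, anything else otherwise
    pmkid: Optional[str]   # PMKID cached at first association, None if there is none


@dataclass
class AC:
    name: str
    entries: Dict[str, RoamEntry] = field(default_factory=dict)
    peers: List["AC"] = field(default_factory=list)   # ACs reachable over IADTP tunnels
    roam_out: set = field(default_factory=set)        # (mac, FA) pairs saved on the HA
    roam_in: set = field(default_factory=set)         # MACs saved on the FA

    def client_online(self, mac: str, auth: str, pmkid: Optional[str]) -> None:
        """Step 1: create the roaming entry and send it to every tunnel peer."""
        entry = RoamEntry(mac, self.name, auth, pmkid)
        self.entries[mac] = entry
        for peer in self.peers:
            peer.entries[mac] = entry

    def reassociate(self, mac: str, auth: str, pmkid: Optional[str]) -> Tuple[str, str]:
        """Steps 2-4 on the AC the client roams to.

        Returns (how the client associates, what happened to the roam)."""
        entry = self.entries.get(mac)
        if entry is None:
            return ("full authentication", "no roam entry")
        fast = (entry.auth == "rsn-802.1x" and auth == "rsn-802.1x"
                and pmkid is not None and pmkid == entry.pmkid)
        assoc = "fast roam" if fast else "reauthenticate"
        if entry.home_ac == self.name:
            return (assoc, "intra-AC roam")
        # Inter-AC: this device is the FA and needs the HA to accept the roam.
        ha = next((p for p in self.peers if p.name == entry.home_ac), None)
        if ha is not None and ha.on_roaming_request(mac, self.name):
            self.roam_in.add(mac)
            return (assoc, "inter-AC roam")
        return (assoc, "logged off")

    def on_roaming_request(self, mac: str, fa_name: str) -> bool:
        """Step 4 on the HA.  Assumed validity rule: the HA still holds the
        client's entry and is its home AC; it then saves roam-out information."""
        entry = self.entries.get(mac)
        if entry is None or entry.home_ac != self.name:
            return False
        self.roam_out.add((mac, fa_name))
        return True


if __name__ == "__main__":
    ac1, ac2 = AC("AC1"), AC("AC2")
    ac1.peers.append(ac2)
    ac2.peers.append(ac1)
    # Constructed client; the MAC is the one from the guide's verification output.
    ac1.client_online("9cd3-6d9e-6778", "rsn-802.1x", "pmkid-constructed")
    print(ac1.reassociate("9cd3-6d9e-6778", "rsn-802.1x", "pmkid-constructed"))
    print(ac2.reassociate("9cd3-6d9e-6778", "rsn-802.1x", "pmkid-constructed"))
    print(ac2.reassociate("9cd3-6d9e-6778", "rsn-802.1x", "other-pmkid"))
```

Note that the roaming request to the HA is sent whether the client fast-roamed or reauthenticated, as in step 3 of the text; only the association path differs. A client that came online with open-system authentication keeps a roaming entry but never qualifies for fast roaming.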

Restrictions and guidelines: WLAN roaming configuration

For a service template where an AP is configured as the client authenticator, WLAN roaming is not supported. For more information about client authentication, see User Access and Authentication Configuration Guide.

For RSN + 802.1X clients from different VLANs to roam between devices within a mobility group, make sure uplink interfaces of the member devices permit all client VLANs.

[Figure 3 shows AC 1 (HA) and AC 2 (FA) in mobility group office, connected by an IADTP tunnel; AC 1 manages AP 1 and AP 2, AC 2 manages AP 3 and AP 4, the client roams from AP 2 to AP 3, AC 2 sends a roaming request to AC 1, and AC 1 returns a roaming response.]

WLAN roaming tasks at a glance

To configure WLAN roaming, perform the following tasks:
1. Creating a mobility group
2. (Optional.) Setting an authentication mode for IADTP control messages
3. Specifying an IP address type for IADTP tunnels
4. Specifying the source IP address for establishing IADTP tunnels
5. (Optional.) Setting the DSCP value for IADTP keepalive packets
6. Adding a mobility group member
   Perform one of the following tasks:
   ○ Manually adding a mobility group member
   ○ Enabling automatic group member discovery
7. (Optional.) Specifying the mobility group member role of a device
8. (Optional.) Disabling IADTP data tunnels
9. (Optional.) Enabling roaming relay
10. Enabling a mobility group
11. (Optional.) Enabling tunnel isolation for mobility groups
12. (Optional.) Enabling SNMP notifications for WLAN roaming

Creating a mobility group

Restrictions and guidelines

For inter-device roaming to operate correctly, create the same mobility group and add members to each device in the mobility group.

You can create only one mobility group on a device.

Procedure
1. Enter system view.
   system-view
2. Create a mobility group and enter its view.
   wlan mobility group group-name

Setting an authentication mode for IADTP control messages

About this task

This feature enables the device to verify the integrity of control messages transmitted over IADTP tunnels. WLAN roaming supports only the MD5 algorithm.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Set an authentication mode for IADTP control messages.
   authentication-mode authentication-mode { cipher | simple } string
   By default, the device does not verify the integrity of IADTP control messages.

Specifying an IP address type for IADTP tunnels

About this task

You must specify an IP address type for IADTP tunnels after you create a mobility group.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Specify an IP address type for IADTP tunnels.
   tunnel-type { ipv4 | ipv6 }
   By default, the IP address type for IADTP tunnels is IPv4.

Specifying the source IP address for establishing IADTP tunnels

About this task

A device uses the specified source IP address to establish IADTP tunnels with other member devices within the same mobility group.

Restrictions and guidelines

You can specify one IPv4 address, one IPv6 address, or both, but only the IP address whose type is the same as the IP address type for IADTP tunnels takes effect.

Make sure the mobility group is disabled before you specify the source IP address for establishing IADTP tunnels.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Specify the source IP address for establishing IADTP tunnels.
   source { ip ipv4-address | ipv6 ipv6-address }
   By default, no source IP address is specified for establishing IADTP tunnels.

Setting the DSCP value for IADTP keepalive packets

About this task

The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet. A greater DSCP value means a higher packet priority.

In a scenario where a device establishes IADTP tunnels with other devices across NAT devices, the two devices use IPsec for tunnel encryption and establishment. When such a tunnel is busy, the device might receive no IADTP keepalive packets from the peer and the tunnel is disconnected. To prevent this, use this feature to set the DSCP value of IADTP keepalive packets.

Restrictions and guidelines

As a best practice, set the DSCP value to 63 for IADTP keepalive packets.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Set the DSCP value for IADTP keepalive packets.
   tunnel-dscp dscp-value
   The default setting is 0.

Adding a mobility group member

Manually adding a mobility group member

About this task

Members in a mobility group are identified by the IP addresses they use to establish IADTP tunnels.

You can add both IPv4 and IPv6 members to a mobility group. Only members whose IP address type is the same as the IP address type of IADTP tunnels take effect.

You can specify VLANs for a member, so that other members in the mobility group can directly forward client data of the member from the specified VLANs. If you do not specify VLANs for the member, its client data cannot be directly forwarded by another member in the mobility group unless the clients roam to that member.

Restrictions and guidelines

A device can belong to only one mobility group.

You can add a maximum of 31 IPv4 members and 31 IPv6 members to a mobility group.

When you specify VLANs for a mobility group member, follow these restrictions and guidelines:
• If a mobility group has multiple members, make sure no loops exist among IADTP tunnels between members within the mobility group.
• Make sure the VLANs have not been used by interfaces or services.
• Do not assign VLANs that have been specified for a member to interfaces or services.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Add a mobility group member.
   member { ip ipv4-address | ipv6 ipv6-address } [ vlan vlan-id-list ]

Enabling automatic group member discovery

About this task

Members in a mobility group are identified by the IP addresses they use to establish IADTP tunnels. You can add both IPv4 and IPv6 members to a mobility group. Only members whose IP address type is the same as the IP address type of IADTP tunnels take effect.

This feature enables a device to automatically discover member devices in a mobility group by broadcasting its source IP address in the group. Member devices in the group that receive the IP address automatically establish IADTP tunnels with the device. The device joins the mobility group after it establishes IADTP tunnels with all the other members.

Restrictions and guidelines

A device can belong to only one mobility group.

You can add a maximum of 31 IPv4 members and 31 IPv6 members to a mobility group. When the maximum number is reached, the device stops establishing IADTP tunnels with newly discovered devices.

Prerequisites

Execute the source command to specify the source IP address used for establishing IADTP tunnels.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Enable automatic group member discovery.
   member auto-discovery [ interval interval ]
   By default, automatic group member discovery is disabled.

Specifying the mobility group member role of a device

About this task

This feature applies to a scenario where a device establishes an IADTP tunnel with another device in the same mobility group across a NAT device. In this scenario, the device with the lower IP address acts as the client and initiates a connection request to the device with the higher IP address. If the device with the lower IP address resides in the public network, the IADTP tunnel cannot be established. To ensure successful establishment of the IADTP tunnel in this case, specify the device in the private network as the client to initiate the connection request.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Specify the mobility group member role of the device.
   role { client | server }
   By default, a member device with a higher IP address acts as the server, and a member device with a lower IP address acts as the client.
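The restrictions from "Creating a mobility group" through this section, collected into a pre-change checker, as an added example (not H3C code). It holds a device's mobility-group settings in a plain dict whose keys (tunnel_type, source, members, auto_discovery, behind_nat, role, data_tunnel_disabled, roam_relay) are names chosen for this example rather than CLI syntax, reports the single-device rules from the text (one address type takes effect, 31 members per type, the source prerequisite for auto-discovery, the NAT role rule), reproduces the default client/server selection, and checks the rules that must agree across all members (same group name, same data-tunnel setting, at most one relay, from the sections that follow).

```python
"""Checker for the mobility-group restrictions stated in this guide.

Added example, not H3C code.  The dict keys are names chosen here, not
command syntax; the rules encoded are the ones the text states.
"""
import ipaddress

MAX_MEMBERS_PER_TYPE = 31   # limit stated in the guide


def default_role(local_ip: str, peer_ip: str) -> str:
    """Toward one peer, the lower address initiates (client), the higher listens (server)."""
    return "client" if ipaddress.ip_address(local_ip) < ipaddress.ip_address(peer_ip) else "server"


def check_group(cfg: dict) -> list:
    """Return the rules the device's own settings break (empty list = consistent)."""
    problems = []
    ttype = cfg.get("tunnel_type", "ipv4")          # default on the page is IPv4
    src = cfg.get("source", {})                     # e.g. {"ipv4": "10.1.4.22"}
    members = cfg.get("members", [])
    by_ver = {4: [], 6: []}
    for m in members:
        by_ver[ipaddress.ip_address(m["ip"]).version].append(m)
    if len(by_ver[4]) > MAX_MEMBERS_PER_TYPE or len(by_ver[6]) > MAX_MEMBERS_PER_TYPE:
        problems.append(f"more than {MAX_MEMBERS_PER_TYPE} IPv4 or IPv6 members configured")
    effective = by_ver[4] if ttype == "ipv4" else by_ver[6]
    if members and not effective:
        problems.append(f"no member matches tunnel-type {ttype}; none will take effect")
    if ttype not in src:
        problems.append(f"no source {ttype} address configured for tunnel-type {ttype}")
    if cfg.get("auto_discovery") and not src:
        problems.append("member auto-discovery requires the source command")
    local = src.get(ttype)
    for m in effective if local else []:
        role = cfg.get("role") or default_role(local, m["ip"])
        # A client on the public side cannot reach a private-side server through NAT.
        if role == "client" and m.get("behind_nat") and not cfg.get("behind_nat"):
            problems.append(f"this device would initiate to {m['ip']} from the public side "
                            "of NAT; configure role client on the private-side device instead")
        if role == "server" and cfg.get("behind_nat") and not m.get("behind_nat"):
            problems.append(f"peer {m['ip']} on the public side would initiate to this "
                            "private-side device; configure role client here")
    return problems


def check_peers(cfgs: list) -> list:
    """Rules that must hold across every member of the mobility group."""
    problems = []
    names = {str(c.get("group")) for c in cfgs}
    if len(names) > 1:
        problems.append(f"members use different mobility group names: {sorted(names)}")
    if len({bool(c.get("data_tunnel_disabled")) for c in cfgs}) > 1:
        problems.append("IADTP data tunnels must be enabled or disabled on all members")
    if sum(bool(c.get("roam_relay")) for c in cfgs) > 1:
        problems.append("roaming relay may be enabled on only one member")
    return problems


if __name__ == "__main__":
    # Constructed settings mirroring the guide's inter-AC example.
    ac1 = {"group": "office", "tunnel_type": "ipv4", "source": {"ipv4": "10.1.4.22"},
           "members": [{"ip": "10.1.4.23"}]}
    ac2 = {"group": "office", "tunnel_type": "ipv4", "source": {"ipv4": "10.1.4.23"},
           "members": [{"ip": "10.1.4.22"}], "behind_nat": True}
    print(check_group(ac1), check_group(ac2), check_peers([ac1, ac2]))
```

Run against the second device, which is marked as sitting behind NAT with the higher address, the checker reports that its default role of server cannot work and that role client belongs on it; adding `"role": "client"` to that dict clears the finding.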

Disabling IADTP data tunnels

About this task

CAUTION: To avoid data loss, do not disable IADTP data tunnels if no service ports are specified on the device for client VLANs.

This feature enables a device to forward client traffic directly out of the service ports of client VLANs instead of through the IADTP data tunnel. This reduces the workload that processing broadcast packets received from IADTP data tunnels places on the device and saves the resources used to maintain these tunnels.

Restrictions and guidelines

You must enable or disable IADTP data tunnels on all devices in a mobility group.

You can configure this feature only when the mobility group is disabled.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Disable IADTP data tunnels.
   data-tunnel disable
   By default, IADTP data tunnels are enabled.

Enabling roaming relay

About this task

In a WLAN, client roaming gradually turns the mobility group into a fully meshed network, because any two devices must establish a tunnel with each other to exchange roaming entries. In a large network, establishing and maintaining such tunnels can consume a lot of bandwidth, increasing network complexity and reducing availability. Roaming relay is introduced to resolve this issue.

With this feature configured, the device enabled with roaming relay acts as a relay device and establishes an IADTP tunnel with each non-relay device, forming a star topology. Non-relay devices do not need to establish tunnels with each other. These non-relay devices synchronize roaming entries to the relay device and, when a client roams, request the client entry from the relay device.

Restrictions and guidelines

Make sure the mobility group is disabled before you configure this feature.

To use roaming relay, you must enable roaming relay on a device and configure that device as the only mobility group member on the other devices in the same mobility group.

You can enable roaming relay on only one device in a mobility group.

If clients belong to different VLANs, make sure the tunnel interfaces on the relay device permit packets from all client VLANs.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Enable roaming relay.
   roam-relay enable
   By default, roaming relay is disabled.

Enabling a mobility group

About this task

This feature enables the device to establish IADTP tunnels and synchronize roaming entries with member devices.

Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Enable the mobility group.
   group enable
   By default, a mobility group is disabled.

Enabling tunnel isolation for mobility groups

About this task

Tunnel isolation prevents devices from forwarding packets between tunnels in a mobility group and avoids broadcast storms when loops exist among devices in the mobility group.

Procedure
1. Enter system view.
   system-view
2. Enable tunnel isolation for mobility groups.
   wlan mobility-group-isolation enable
   By default, tunnel isolation is enabled for mobility groups.

Enabling SNMP notifications for WLAN roaming

About this task

To report critical WLAN roaming events to an NMS, enable SNMP notifications for WLAN roaming. For WLAN roaming event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Procedure
1. Enter system view.
   system-view
2. Enable SNMP notifications for WLAN roaming.
   snmp-agent trap enable wlan mobility
   By default, SNMP notifications for WLAN roaming are disabled.

Display and maintenance commands for WLAN roaming

Execute display commands in any view.

Task: Display information about clients that have roamed to or from the device.
Command: display wlan mobility { roam-in | roam-out } [ member { ip ipv4-address | ipv6 ipv6-address } ]

Task: Display mobility group information.
Command: display wlan mobility group

Task: Display roam-track information for a client on the HA.
Command: display wlan mobility roam-track mac-address mac-address

WLAN roaming configuration examples

The AP models and serial numbers in this document are used only as examples. Support for AP models and serial numbers depends on the AC model.

Example: Configuring intra-AC roaming

Network configuration

As shown in Figure 4, configure intra-AC roaming to enable the client to roam from AP 1 to AP 2. The two APs are managed by the same AC.

Figure 4 Network diagram

[Figure 4 shows one AC managing AP 1 and AP 2, with the client roaming between the two APs.]

Procedure

# Create a service template named service, set the SSID to 1, and enable the service template.
<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] ssid 1

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC13C004126

# Bind the service template to radio 1 of AP 1.
[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create a manual AP named ap2, and specify the AP model and serial ID.
[AC] wlan ap ap2 model WA4320i-ACN

[AC-wlan-ap-ap2] serial-id 219801A0CNC125002216

# Bind the service template to radio 1 of AP 2.
[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] service-template service

[AC-wlan-ap-ap2-radio-1] quit

[AC-wlan-ap-ap2] quit

Verifying the configuration

# Enable the client to come online from AP 1. (Details not shown.)

# Verify that the client has associated with AP 1, and the roaming status is N/A, which indicates that the client has not performed any roaming.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : 9cd3-6d9e-6778

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 1

AP name : ap1

Radio ID : 1

SSID : 1

BSSID : 000f-e200-4444

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz


SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : PRE-RSNA

AKM mode : Not configured

Cipher suite : N/A

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : N/A

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 1minutes 13seconds

FT status : Inactive

# Verify that the AC has a roaming entry for the client.
[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries : 1

Current entries: 1

BSSID Created at Online time AC IP address RID AP name

000f-e200-4444 2016-06-14 11:12:28 00hr 01min 16sec 127.0.0.1 1 ap1

# Enable the client to roam to AP 2. (Details not shown.)

# Verify that the client has associated with AP 2, and the roaming status is Intra-AC roam.
[AC] display wlan client verbose

Total number of clients: 1


MAC address : 9cd3-6d9e-6778

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 2

AP name : ap2

Radio ID : 1

SSID : 1

BSSID : 000f-e203-7777

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : PRE-RSNA

AKM mode : Not configured

Cipher suite : N/A

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : Intra-AC roam


Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 5minutes 13seconds

FT status : Inactive

# Verify that the AC has updated the roaming entry for the client.
[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries : 2

Current entries: 2

BSSID Created at Online time AC IP address RID AP name

000f-e203-7777 2016-06-14 11:12:28 00hr 01min 02sec 127.0.0.1 1 ap2

000f-e200-4444 2016-06-14 11:12:04 00hr 03min 51sec 127.0.0.1 1 ap1
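The verification steps above compare two snapshots of display wlan client verbose and the roam-track table by eye. As an added example (not H3C code), the following parser does that comparison programmatically: it reads the "Field : value" lines into a dict keyed by the field name exactly as the CLI prints it, parses the roam-track rows with a regular expression, and reports whether the client kept its IP address, which AP it moved from and to, the Roam status, and whether the newest roam-track entry matches the client's current BSSID. The two sample outputs are constructed from the lines printed in this guide, trimmed to the fields the check needs.

```python
"""Parser for 'display wlan client verbose' and 'display wlan mobility roam-track'
output as printed in this guide.  Added example, not H3C code; the sample
outputs below are constructed from the guide's own verification output.
"""
import re

CLIENT_BEFORE = """\
Total number of clients: 1
MAC address : 9cd3-6d9e-6778
IPv4 address : 10.1.1.114
AP name : ap1
BSSID : 000f-e200-4444
Security mode : PRE-RSNA
Roam status : N/A
FT status : Inactive
"""

CLIENT_AFTER = """\
Total number of clients: 1
MAC address : 9cd3-6d9e-6778
IPv4 address : 10.1.1.114
AP name : ap2
BSSID : 000f-e203-7777
Security mode : PRE-RSNA
Roam status : Intra-AC roam
FT status : Inactive
"""

ROAM_TRACK_AFTER = """\
Total entries : 2
Current entries: 2
BSSID Created at Online time AC IP address RID AP name
000f-e203-7777 2016-06-14 11:12:28 00hr 01min 02sec 127.0.0.1 1 ap2
000f-e200-4444 2016-06-14 11:12:04 00hr 03min 51sec 127.0.0.1 1 ap1
"""

# "Field name : value"; the key ends at the first colon.
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")
# One roam-track row: BSSID, timestamp, online time, AC IP, radio ID, AP name.
TRACK_ROW = re.compile(
    r"^(?P<bssid>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<online>\d+hr \d+min \d+sec)\s+"
    r"(?P<ac_ip>\S+)\s+(?P<rid>\d+)\s+(?P<ap>\S+)$")


def parse_client_verbose(text: str) -> dict:
    """Turn the 'Field : value' lines into a dict keyed by the printed field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_roam_track(text: str) -> list:
    """Return the roam-track rows as dicts, newest first as the CLI prints them."""
    rows = []
    for line in text.splitlines():
        m = TRACK_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def roam_summary(before: str, after: str, track: str) -> dict:
    """Compare two client snapshots and the roam-track table taken after the roam."""
    b, a = parse_client_verbose(before), parse_client_verbose(after)
    rows = parse_roam_track(track)
    return {
        "mac": a.get("MAC address"),
        "ip_kept": a.get("IPv4 address") == b.get("IPv4 address"),
        "moved": (b.get("AP name"), a.get("AP name")),
        "roam_status": a.get("Roam status"),
        "ft_used": a.get("FT status") == "Active",
        "track_aps": [r["ap"] for r in rows],
        "track_matches_client": bool(rows) and rows[0]["bssid"] == a.get("BSSID"),
    }


if __name__ == "__main__":
    for key, value in roam_summary(CLIENT_BEFORE, CLIENT_AFTER, ROAM_TRACK_AFTER).items():
        print(f"{key}: {value}")
```

On the guide's output the summary shows the IP address retained, the move from ap1 to ap2, Roam status Intra-AC roam, FT status still Inactive (this example uses open-system authentication, so 802.11r is not in play), and a roam-track table whose newest row carries the BSSID of ap2.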

Example: Configuring inter-AC roaming

Network configuration

As shown in Figure 5, configure inter-AC roaming to enable the client to roam from AP 2 to AP 3, which are managed by different ACs.

Figure 5 Network diagram

[Figure 5 shows AC 1 (HA) and AC 2 (FA) in mobility group office, connected by an IADTP tunnel; AC 1 manages AP 1 and AP 2, AC 2 manages AP 3 and AP 4, the client roams from AP 2 to AP 3, AC 2 sends a roaming request to AC 1, and AC 1 returns a roaming response.]

Procedure

1. Configure AC 1:
# Create a service template named service, set the SSID to office, and enable the service template.
<AC1> system-view
[AC1] wlan service-template service
[AC1-wlan-st-service] ssid office
[AC1-wlan-st-service] service-template enable
[AC1-wlan-st-service] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC1] wlan ap ap1 model WA4320i-ACN

[AC1-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Bind the service template to radio 1 of AP 1.

[AC1-wlan-ap-ap1] radio 1

[AC1-wlan-ap-ap1-radio-1] radio enable

[AC1-wlan-ap-ap1-radio-1] service-template service

[AC1-wlan-ap-ap1-radio-1] quit

[AC1-wlan-ap-ap1] quit

# Create a manual AP named ap2, and specify the AP model and serial ID.

[AC1] wlan ap ap2 model WA4320i-ACN

[AC1-wlan-ap-ap2] serial-id 219801A0CNC138011445

# Bind the service template to radio 1 of AP 2.

[AC1-wlan-ap-ap2] radio 1

[AC1-wlan-ap-ap2-radio-1] radio enable

[AC1-wlan-ap-ap2-radio-1] service-template service

[AC1-wlan-ap-ap2-radio-1] quit

[AC1-wlan-ap-ap2] quit

# Create a mobility group named office.

[AC1] wlan mobility group office

# Specify the IP address type for IADTP tunnels as IPv4.

[AC1-wlan-mg-office] tunnel-type ipv4

# Specify the source IP address for establishing IADTP tunnels as 10.1.4.22.

[AC1-wlan-mg-office] source ip 10.1.4.22

# Add AC 2 to the mobility group.

[AC1-wlan-mg-office] member ip 10.1.4.23

# Enable the mobility group.

[AC1-wlan-mg-office] group enable

[AC1-wlan-mg-office] quit

2. Configure AC 2:

# Create a service template named service, set the SSID to office, and enable the service template.

<AC2> system-view

[AC2] wlan service-template service

[AC2-wlan-st-service] ssid office

[AC2-wlan-st-service] service-template enable

[AC2-wlan-st-service] quit

# Create a manual AP named ap3, and specify the AP model and serial ID.

[AC2] wlan ap ap3 model WA4320i-ACN

[AC2-wlan-ap-ap3] serial-id 219801A0CNC138011439

# Bind the service template to radio 1 of AP 3.

[AC2-wlan-ap-ap3] radio 1

[AC2-wlan-ap-ap3-radio-1] radio enable

[AC2-wlan-ap-ap3-radio-1] service-template service

[AC2-wlan-ap-ap3-radio-1] quit

[AC2-wlan-ap-ap3] quit

# Create a manual AP named ap4, and specify the AP model and serial ID.

[AC2] wlan ap ap4 model WA4320i-ACN


[AC2-wlan-ap-ap4] serial-id 219801A0CNC138011448

# Bind the service template to radio 1 of AP 4.

[AC2-wlan-ap-ap4] radio 1

[AC2-wlan-ap-ap4-radio-1] radio enable

[AC2-wlan-ap-ap4-radio-1] service-template service

[AC2-wlan-ap-ap4-radio-1] quit

[AC2-wlan-ap-ap4] quit

# Create a mobility group named office.

[AC2] wlan mobility group office

# Specify the IP address type for IADTP tunnels as IPv4.

[AC2-wlan-mg-office] tunnel-type ipv4

# Specify the source IP address for establishing IADTP tunnels as 10.1.4.23.

[AC2-wlan-mg-office] source ip 10.1.4.23

# Add AC 1 to the mobility group.

[AC2-wlan-mg-office] member ip 10.1.4.22

# Enable the mobility group.

[AC2-wlan-mg-office] group enable

[AC2-wlan-mg-office] quit

Verifying the configuration

# Verify that a mobility group has been created on AC 1.

[AC1] display wlan mobility group

Mobility group name: office

Tunnel type: IPv4

Source IPv4: 10.1.4.22

Source IPv6: Not configured

Authentication method: Not configured

Mobility group status: Enabled

Member entries: 1

IP address State Online time

10.1.4.23 Up 00hr 00min 12sec

# Verify that a mobility group has been created on AC 2.

[AC2] display wlan mobility group

Mobility group name: office

Tunnel type: IPv4

Source IPv4: 10.1.4.23

Source IPv6: Not configured

Authentication method: Not configured

Mobility group status: Enabled

Member entries: 1

IP address State Online time

10.1.4.22 Up 00hr 00min 05sec

# Get the client online on AP 2 and then make the client roam to AP 3. (Details not shown.)

# Display client roaming information on AC 1 to verify that the client has come online from AP 2 and roamed to AP 3.

[AC1] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries : 2

Current entries: 2


BSSID Created at Online time AC IP address RID AP name

000f-e203-8889 2016-06-14 11:12:28 00hr 06min 56sec 10.1.4.23 1 ap3

000f-e203-7777 2016-06-14 11:11:28 00hr 03min 30sec 127.0.0.1 1 ap2

# On AC 1, verify that the client has roamed to AC 2.

<AC1> display wlan mobility roam-out

Total entries: 1

MAC address BSSID VLAN ID Online time FA IP address

9cd3-6d9e-6778 000f-e203-8889 1 00hr 01min 59sec 10.1.4.23

# On AC 2, verify that the client has associated with AP 3, and the roaming status is Inter-AC roam.

<AC2> display wlan client verbose

Total number of clients: 1

MAC address : 9cd3-6d9e-6778

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 3

AP name : ap3

Radio ID : 1

SSID : 1

BSSID : 000f-e203-8889

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM


Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : PRE-RSNA

AKM mode : Not configured

Cipher suite : N/A

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : Inter-AC roam

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 5minutes 13seconds

FT status : Inactive

# Verify that the client has roamed from AC 1 to AC 2.

<AC2> display wlan mobility roam-in

Total entries: 1

MAC address BSSID VLAN ID HA IP address

9cd3-6d9e-6778 000f-e203-8889 1 10.1.4.22
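The roam-track, roam-out and roam-in displays above describe the same roam as seen from AC 1 (the HA) and AC 2 (the FA), so their HA and FA addresses, BSSID and VLAN must agree. As an added example that is not part of this guide, the Python below parses constructed copies of that output and cross-checks them; the sample text, the regular expressions and the consistency rules are assumptions based on the displays shown here.

```python
import re

# Constructed copies of the three verification displays above (not captured from a device).
ROAM_TRACK_AC1 = """\
Total entries : 2
Current entries: 2
BSSID          Created at           Online time        AC IP address RID AP name
000f-e203-8889 2016-06-14 11:12:28  00hr 06min 56sec   10.1.4.23     1   ap3
000f-e203-7777 2016-06-14 11:11:28  00hr 03min 30sec   127.0.0.1     1   ap2
"""
ROAM_OUT_AC1 = """\
Total entries: 1
MAC address    BSSID          VLAN ID Online time       FA IP address
9cd3-6d9e-6778 000f-e203-8889 1       00hr 01min 59sec  10.1.4.23
"""
ROAM_IN_AC2 = """\
Total entries: 1
MAC address    BSSID          VLAN ID HA IP address
9cd3-6d9e-6778 000f-e203-8889 1       10.1.4.22
"""

MAC_RE = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
UPTIME_RE = r"\d{2}hr \d{2}min \d{2}sec"

# One pattern per display; header and "Total entries" lines do not match and are skipped.
TRACK_ROW = re.compile(
    rf"^(?P<bssid>{MAC_RE})\s+(?P<created>\d{{4}}-\d{{2}}-\d{{2}} \d{{2}}:\d{{2}}:\d{{2}})\s+"
    rf"(?P<online>{UPTIME_RE})\s+(?P<ac>{IP_RE})\s+(?P<rid>\d+)\s+(?P<ap>\S+)$"
)
OUT_ROW = re.compile(
    rf"^(?P<mac>{MAC_RE})\s+(?P<bssid>{MAC_RE})\s+(?P<vlan>\d+)\s+{UPTIME_RE}\s+(?P<fa>{IP_RE})$"
)
IN_ROW = re.compile(
    rf"^(?P<mac>{MAC_RE})\s+(?P<bssid>{MAC_RE})\s+(?P<vlan>\d+)\s+(?P<ha>{IP_RE})$"
)


def parse_rows(text, pattern):
    """Return one dict per data row of a display, in the order printed (newest first)."""
    rows = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def check_inter_ac_roam(track_text, out_text, in_text, local_ac_ip, peer_ac_ip):
    """Cross-check the HA-side (local AC) and FA-side (peer AC) views of one roam.

    Returns a list of findings; an empty list means the three displays agree.
    """
    track = parse_rows(track_text, TRACK_ROW)
    out = parse_rows(out_text, OUT_ROW)
    inn = parse_rows(in_text, IN_ROW)
    findings = []
    if not track:
        return ["roam-track is empty: client never came online on this AC"]
    # The newest roam-track entry is listed first and must sit on the peer AC;
    # the previous association is shown as 127.0.0.1, meaning the local AC.
    newest, *older = track
    if newest["ac"] != peer_ac_ip:
        findings.append(f"newest roam-track entry is on {newest['ac']}, expected FA {peer_ac_ip}")
    if older and older[0]["ac"] != "127.0.0.1":
        findings.append("previous association was not on the local AC (HA)")
    for row in out:
        if row["fa"] != peer_ac_ip:
            findings.append(f"roam-out FA {row['fa']} is not the peer AC {peer_ac_ip}")
        if row["bssid"] != newest["bssid"]:
            findings.append("roam-out BSSID differs from newest roam-track BSSID")
    for row in inn:
        if row["ha"] != local_ac_ip:
            findings.append(f"roam-in HA {row['ha']} is not the local AC {local_ac_ip}")
    if {r["mac"] for r in out} != {r["mac"] for r in inn}:
        findings.append("roam-out and roam-in list different clients")
    if {(r["bssid"], r["vlan"]) for r in out} != {(r["bssid"], r["vlan"]) for r in inn}:
        findings.append("BSSID/VLAN disagree between roam-out and roam-in")
    return findings


if __name__ == "__main__":
    # AC 1 is the local (HA) AC at 10.1.4.22, AC 2 the peer (FA) AC at 10.1.4.23.
    print(check_inter_ac_roam(ROAM_TRACK_AC1, ROAM_OUT_AC1, ROAM_IN_AC2, "10.1.4.22", "10.1.4.23"))
```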

Contents

Configuring the WLAN roaming center
    About the WLAN roaming center
        Operating mechanism
    Restrictions: Hardware compatibility with WLAN roaming center
    WLAN roaming center tasks at a glance
    Enabling the WLAN roaming center
    Specifying a port number for the WLAN roaming center
    Setting the wait timer for user offline notification responses
    Setting the maximum transmission attempts for user offline notification requests
    Specifying portal roaming centers permitted by the WLAN roaming center
    Display and maintenance commands for WLAN roaming center
    WLAN roaming center configuration examples
        Example: Configuring the WLAN roaming center


Configuring the WLAN roaming center

About the WLAN roaming center

A WLAN roaming center is an AC that manages information about wireless client authentication, authorization, and roaming to enable seamless inter-AC roaming. With the roaming center feature configured, clients can roam to another AC without being reauthenticated.

WLAN roaming center supports only portal authentication. For more information about inter-AC roaming for portal users, see portal in User Access and Authentication Configuration Guide.

Operating mechanism

As shown in Figure 1, a roaming center network must contain the following components:

• WLAN roaming center—An AC enabled with the WLAN roaming center feature. It manages client roaming and can also act as a portal roaming center to provide wireless services. Each network can have only one WLAN roaming center.

• Portal roaming centers—ACs enabled with the portal roaming center feature to provide access and roaming services to clients, AC 1 and AC 2 for example.

Figure 1 Network diagram

In a roaming center network, the WLAN roaming center feature operates as follows:

1. The AC with which a client attempts to associate sends a user query request to the WLAN roaming center. Upon receiving the request, the WLAN roaming center replies with a user query response.

2. When the client comes online, the AC sends a user online request to the WLAN roaming center. If it is the first time the client comes online, the WLAN roaming center creates a client entry and replies with a user online response. If the client has come online from another AC and roams to the AC, the WLAN roaming center updates the client entry and then replies with a user online response.

3. When the client goes offline, the AC sends a user offline request to the WLAN roaming center. Upon receiving the packet, the WLAN roaming center removes the AC from the access device list and replies with a user offline response. Then, the WLAN roaming center sends user offline notification requests to the other ACs in the access device list and removes the client entry after receiving responses from the ACs.

(Figure 1 components: WLAN roaming center, AC 1, AC 2, AAA server, switch, AP, client.)

Restrictions: Hardware compatibility with WLAN roaming center

Hardware series              Model             Product code             WLAN roaming center compatibility
WX1800H series               WX1804H           EWP-WX1804H-PWR-CN       No
WX2500H series               WX2508H-PWR-LTE   EWP-WX2508H-PWR-LTE      No
                             WX2510H           EWP-WX2510H-PWR          No
                             WX2510H-F         EWP-WX2510H-F-PWR        No
                             WX2540H           EWP-WX2540H              No
                             WX2540H-F         EWP-WX2540H-F            No
                             WX2560H           EWP-WX2560H              No
WX3000H series               WX3010H           EWP-WX3010H              No
                             WX3010H-X         EWP-WX3010H-X-PWR        No
                             WX3010H-L         EWP-WX3010H-L-PWR        No
                             WX3024H           EWP-WX3024H              No
                             WX3024H-L         EWP-WX3024H-L-PWR        No
                             WX3024H-F         EWP-WX3024H-F            No
WX3500H series               WX3508H           EWP-WX3508H              No
                             WX3510H           EWP-WX3510H              Yes
                             WX3520H           EWP-WX3520H              Yes
                             WX3520H-F         EWP-WX3520H-F            Yes
                             WX3540H           EWP-WX3540H              Yes
WX5500E series               WX5510E           EWP-WX5510E              Yes
                             WX5540E           EWP-WX5540E              Yes
WX5500H series               WX5540H           EWP-WX5540H              Yes
                             WX5560H           EWP-WX5560H              Yes
                             WX5580H           EWP-WX5580H              Yes
Access controller modules    LSUM1WCME0        LSUM1WCME0               Yes
                             EWPXM1WCME0       EWPXM1WCME0              Yes
                             LSQM1WCMX20       LSQM1WCMX20              No
                             LSUM1WCMX20RT     LSUM1WCMX20RT            No
                             LSQM1WCMX40       LSQM1WCMX40              Yes
                             LSUM1WCMX40RT     LSUM1WCMX40RT            Yes
                             EWPXM2WCMD0F      EWPXM2WCMD0F             No
                             EWPXM1MAC0F       EWPXM1MAC0F              Yes

Hardware series              Model             Product code             WLAN roaming center compatibility
WX1800H series               WX1804H           EWP-WX1804H-PWR          No
                             WX1810H           EWP-WX1810H-PWR          No
                             WX1820H           EWP-WX1820H              No
                             WX1840H           EWP-WX1840H-GL           No
WX3800H series               WX3820H           EWP-WX3820H-GL           Yes
                             WX3840H           EWP-WX3840H-GL           Yes
WX5800H series               WX5860H           EWP-WX5860H-GL           Yes

WLAN roaming center tasks at a glance

To configure the WLAN roaming center, perform the following tasks:

1. Enabling the WLAN roaming center
2. (Optional.) Specifying a port number for the WLAN roaming center
3. (Optional.) Setting the wait timer for user offline notification responses
4. (Optional.) Setting the maximum transmission attempts for user offline notification requests
5. (Optional.) Specifying portal roaming centers permitted by the WLAN roaming center

Enabling the WLAN roaming center

Restrictions and guidelines

You can enable the WLAN roaming center on only one AC in a network.

Disabling the WLAN roaming center feature deletes all portal client information.

Procedure

1. Enter system view.

system-view

2. Create a WLAN roaming center and enter its view.

wlan roaming-center

3. Enable the WLAN roaming center.

roaming-center enable

By default, the WLAN roaming center is disabled.

Specifying a port number for the WLAN roaming center

About this task

The WLAN roaming center uses the specified port number to communicate with portal roaming centers.

Restrictions and guidelines

Make sure the port specified for the WLAN roaming center is the same as the port specified for portal roaming centers.

Changing the port number when portal clients are online might cause information synchronization failure between the WLAN roaming center and portal roaming centers. Portal clients might fail to roam and must be reauthenticated.


As a best practice to avoid residual data, disable the WLAN roaming center before you change the port number.

Procedure

1. Enter system view.

system-view

2. Create a WLAN roaming center and enter its view.

wlan roaming-center

3. Specify a port number for the WLAN roaming center.

port port-number

By default, the WLAN roaming center uses port 1088.

Setting the wait timer for user offline notification responses

About this task

After sending a user offline notification request to an AC, the WLAN roaming center resends the request if it fails to receive a response before the wait timer expires. If it fails to receive any response after the maximum transmission attempt limit is reached, the WLAN roaming center deletes the timeout timer and removes the AC from the access device list of the client.

Procedure

1. Enter system view.

system-view

2. Create a WLAN roaming center and enter its view.

wlan roaming-center

3. Set the wait timer for user offline notification responses.

response-timeout timeout

By default, the wait timer for user offline notification responses is 3 seconds.

Setting the maximum transmission attempts for user offline notification requests

About this task

After sending a user offline notification request to an AC, the WLAN roaming center resends the request if it fails to receive a response before the wait timer expires. If it fails to receive any response after the maximum transmission attempt limit is reached, the WLAN roaming center deletes the timeout timer and removes the AC from the access device list of the client.

Procedure

1. Enter system view.

system-view

2. Create a WLAN roaming center and enter its view.

wlan roaming-center

3. Set the maximum transmission attempts for user offline notification requests.

retry retries

By default, the maximum number of transmission attempts for user offline notification requests is 5.

Specifying portal roaming centers permitted by the WLAN roaming center

About this task

This feature enables the WLAN roaming center to process packets only from the permitted portal roaming centers, enhancing network security. If no permitted portal roaming centers are specified, the WLAN roaming center processes packets from all portal roaming centers.

Procedure

1. Enter system view.

system-view

2. Create a WLAN roaming center and enter its view.

wlan roaming-center

3. Specify the IP address of a portal roaming center permitted by the WLAN roaming center.

control-access { bas-ip ipv4-address | bas-ipv6 ipv6-address }

By default, no permitted portal roaming center is specified.
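The operating mechanism, the response-timeout and retry settings, and the control-access list described above are all facets of one bookkeeping process on the WLAN roaming center. As an added example that is not H3C code, the Python below models that process: user query, online and offline handling of the client entry and its access device list, offline notifications to the remaining ACs with the configured retry count and wait timer, and the dropping of packets from portal roaming centers that are not permitted. The class names and BAS IPs are constructed, and two simplifications are assumed: the retry count is treated as the total number of transmissions, and notifications to different ACs run in parallel.

```python
from dataclasses import dataclass, field


@dataclass
class ClientEntry:
    mac: str
    # Portal roaming centers (BAS IPs) the client has come online through, in order.
    access_devices: list = field(default_factory=list)


class RoamingCenter:
    """Toy model of the WLAN roaming center's client-entry handling (added example, not H3C code).

    response_timeout and retries mirror the 'response-timeout' and 'retry' settings;
    permitted mirrors 'control-access bas-ip' (an empty set accepts every portal roaming center).
    """

    def __init__(self, response_timeout=3, retries=5, permitted=()):
        self.response_timeout = response_timeout
        self.retries = retries
        self.permitted = set(permitted)
        self.entries = {}          # MAC -> ClientEntry
        self.dropped = []          # (bas_ip, packet type) pairs rejected by control-access

    def _allowed(self, bas_ip):
        return not self.permitted or bas_ip in self.permitted

    def user_query(self, bas_ip, mac):
        """Step 1: the AC a client is associating with asks whether the client is known."""
        if not self._allowed(bas_ip):
            self.dropped.append((bas_ip, "query"))
            return None
        entry = self.entries.get(mac)
        return {"known": entry is not None,
                "access_devices": list(entry.access_devices) if entry else []}

    def user_online(self, bas_ip, mac):
        """Step 2: the first online creates the entry; a roam to another AC updates it."""
        if not self._allowed(bas_ip):
            self.dropped.append((bas_ip, "online"))
            return None
        entry = self.entries.setdefault(mac, ClientEntry(mac))
        if bas_ip not in entry.access_devices:
            entry.access_devices.append(bas_ip)
        return {"roamed": len(entry.access_devices) > 1}

    def user_offline(self, bas_ip, mac, responding_acs):
        """Step 3: remove the reporting AC, notify the remaining ACs, then drop the entry.

        responding_acs holds the ACs that answer the offline notification. Any other AC is
        sent the request 'retries' times, waiting response_timeout seconds each time, and is
        then removed anyway. Assumed here: 'retries' counts total transmissions and the
        notifications to different ACs run in parallel.
        Returns the attempts per AC and the worst-case seconds spent waiting.
        """
        if not self._allowed(bas_ip):
            self.dropped.append((bas_ip, "offline"))
            return None
        entry = self.entries.get(mac)
        if entry is None:
            return {"attempts": {}, "wait_seconds": 0}
        if bas_ip in entry.access_devices:
            entry.access_devices.remove(bas_ip)
        attempts, wait = {}, 0
        for ac in list(entry.access_devices):
            if ac in responding_acs:
                attempts[ac] = 1
            else:
                attempts[ac] = self.retries
                wait = max(wait, self.retries * self.response_timeout)
            entry.access_devices.remove(ac)
        del self.entries[mac]
        return {"attempts": attempts, "wait_seconds": wait}


if __name__ == "__main__":
    # Constructed scenario: client online through one portal roaming center, roams to a second,
    # goes offline there while the first never answers the offline notification.
    rc = RoamingCenter()
    mac = "000d-88f8-0eac"
    rc.user_online("192.168.0.10", mac)
    rc.user_online("192.168.0.11", mac)
    print(rc.user_offline("192.168.0.11", mac, responding_acs=set()))
    # -> {'attempts': {'192.168.0.10': 5}, 'wait_seconds': 15}
```

With the defaults, an unreachable portal roaming center therefore holds a stale client entry for 5 x 3 = 15 seconds before the WLAN roaming center gives up on it.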

Display and maintenance commands for WLAN roaming center

Execute display commands in any view and reset commands in user view.

Task Command

Display offline client history on the WLAN roaming center.

display wlan roaming-center history user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address }

Display packet statistics on the WLAN roaming center.

display wlan roaming-center statistics packet [ bas-ip ipv4-address | bas-ipv6 ipv6-address ]

Display client information on the WLAN roaming center.

display wlan roaming-center user { all | bas-ip ipv4-address | bas-ipv6 ipv6-address | ip ipv4-address | ipv6 ipv6-address | mac mac-address } [ verbose ]

Clear client history information on the WLAN roaming center.

reset wlan roaming-center history user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address }

Clear packet statistics on the WLAN roaming center.

reset wlan roaming-center statistics packet [ bas-ip ipv4-address | bas-ipv6 ipv6-address ]

Clear client information on the WLAN roaming center.

reset wlan roaming-center user { all | bas-ip ipv4-address | bas-ipv6 ipv6-address | ip ipv4-address | ipv6 ipv6-address | mac mac-address }

WLAN roaming center configuration examples

Example: Configuring the WLAN roaming center

Network configuration

As shown in Figure 2, configure AC 1 as the WLAN roaming center and AC 2 and AC 3 as portal roaming centers to enable the client to roam from AC 2 to AC 3 without being reauthenticated.

Figure 2 Network diagram

Configuring AC 1

# Create a WLAN roaming center and enter its view.

<AC1> system-view

[AC1] wlan roaming-center

# Specify the port used by the WLAN roaming center as port 40000.

[AC1-wlan-roaming-center] port 40000

# Enable the WLAN roaming center.

[AC1-wlan-roaming-center] roaming-center enable

[AC1-wlan-roaming-center] quit

Configuring AC 2

1. Assign IP addresses to interfaces and make sure the client, server, and AC can reach each other. (Details not shown.)

2. Configure a RADIUS scheme:

# Create RADIUS scheme rs1 and enter its view.

<AC2> system-view

[AC2] radius scheme rs1

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

[AC2-radius-rs1] primary authentication 192.168.0.112

[AC2-radius-rs1] primary accounting 192.168.0.112

(Figure 2 components: AC 1, AC 2, AC 3, AAA server, switch, AP, client.)

[AC2-radius-rs1] key authentication simple radius

[AC2-radius-rs1] key accounting simple radius

# Exclude the ISP domain name from the username sent to the RADIUS server.

[AC2-radius-rs1] user-name-format without-domain

[AC2-radius-rs1] quit

# Enable RADIUS session control.

[AC2] radius session-control enable

3. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[AC2] domain dm1

# Configure AAA methods for the ISP domain.

[AC2-isp-dm1] authentication portal radius-scheme rs1

[AC2-isp-dm1] authorization portal radius-scheme rs1

[AC2-isp-dm1] accounting portal radius-scheme rs1

[AC2-isp-dm1] quit

# Configure domain dm1 as the default ISP domain. If a user uses a username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

[AC2] domain default enable dm1

4. Configure portal authentication:

# Configure a portal authentication server.

[AC2] portal server newpt

[AC2-portal-server-newpt] ip 192.168.0.111 key simple portal

[AC2-portal-server-newpt] port 50100

[AC2-portal-server-newpt] quit

# Configure a portal Web server.

[AC2] portal web-server newpt

[AC2-portal-websvr-newpt] url http://192.168.0.111:8080/portal

[AC2-portal-websvr-newpt] quit

# Create AP ap2 and specify the AP model and serial ID.

[AC2] wlan ap ap2 model WA4320i-ACN

[AC2-wlan-ap-ap2] serial-id 210235A29G007C000020

[AC2-wlan-ap-ap2] quit

# Create service template newst and set the SSID to portal_1.

[AC2] wlan service-template newst

[AC2-wlan-st-newst] ssid portal_1

# Enable direct portal authentication.

[AC2-wlan-st-newst] portal enable method direct

# Apply portal Web server newpt.

[AC2-wlan-st-newst] portal apply web-server newpt

# Configure the BAS-IP as 192.168.0.110 for portal packets sent to the portal authentication server.

[AC2-wlan-st-newst] portal bas-ip 192.168.0.110

# Configure APs to forward client data traffic.

[AC2-wlan-st-newst] client forwarding-location ap

# Enable the service template.

[AC2-wlan-st-newst] service-template enable

[AC2-wlan-st-newst] quit

# Specify the working channel of radio 2 on AP ap2 as 11.

[AC2] wlan ap ap2

[AC2-wlan-ap-ap2] radio 2

[AC2-wlan-ap-ap2-radio-2] channel 11

# Enable radio 2. Apply service template newst and bind VLAN 2 to the radio.

[AC2-wlan-ap-ap2-radio-2] radio enable

[AC2-wlan-ap-ap2-radio-2] service-template newst vlan 2

[AC2-wlan-ap-ap2-radio-2] quit

[AC2-wlan-ap-ap2] quit

5. Configure the portal roaming center:

# Enter portal roaming center view.

[AC2] portal roaming-center

# Specify the IP address of the WLAN roaming center as 192.168.1.1.

[AC2-portal-roaming-center] ip 192.168.1.1

# Configure the portal roaming center to use port 40000 to communicate with the WLAN roaming center. The port must match the port configured on the WLAN roaming center.

[AC2-portal-roaming-center] port 40000

# Set the wait timer for user offline notification responses to 5 seconds.

[AC2-portal-roaming-center] response-timeout 5

# Set the maximum transmission attempts for packets sent to the WLAN roaming center to 3.

[AC2-portal-roaming-center] retry 3

# Enable the portal roaming center.

[AC2-portal-roaming-center] roaming-center enable

[AC2-portal-roaming-center] quit

Configuring AC 3

# Configure AC 3 in the same way AC 2 is configured.

Configuring the AAA server

1. Configure the RADIUS server correctly for the server to provide authentication and accounting functions. (Details not shown.)

2. Configure the portal authentication server:

NOTE: In this example, the portal server runs on IMC PLAT 7.1(E0303) and IMC EIA 7.1(E0304).

a. Log in to IMC and click the User tab.
b. Select User Access Policy > Portal Service > Server from the navigation pane, as shown in Figure 3.
c. Configure the portal server parameters as needed. This example uses the default settings.
d. Click OK.


Figure 3 Configuring the portal server

3. Configure the IP address group:

a. Select User Access Policy > Portal Service > IP Group from the navigation pane.
b. Click Add.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group.
e. Select a service group. This example uses the default group Ungrouped.
f. Select Normal from the Action list.
g. Click OK.

Figure 4 Adding an IP address group

4. Add a portal device:

a. Select User Access Policy > Portal Service > Device from the navigation pane.
b. Click Add.
c. Enter the device name NAS.
d. Enter the IP address of the interface that connects the router to the host.
e. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, No is selected for both Support Server Heartbeat and Support User Heartbeat.
f. Enter the key, which must be the same as that configured on the router.
g. Select Directly Connected as the Access Method.
h. Click OK.

Figure 5 Adding a portal device

5. Associate the portal device with the IP address group:

a. As shown in Figure 6, click the Port Group Information Management icon for device NAS.
b. Click Add.
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.

Figure 6 Device list


Figure 7 Adding a port group

6. Select User Access Policy > Service Parameters > Validate System Configuration from the navigation pane to validate the configurations.

Verifying the configuration

# Display client information on the WLAN roaming center.

[AC1] display wlan roaming-center user all

Total user: 1

MAC address IP address

000d-88f8-0eac 122.122.111.100

# Display detailed client roaming information on the WLAN roaming center.

[AC1] display wlan roaming-center user all verbose

MAC address: 000d-88f8-0eac

IP address: 122.122.111.100

Username: 1

Authorization information:

User profile: abc

ACL number/name: N/A

Inbound CAR: N/A

Outbound CAR: N/A

Session Timeout period: N/A

Idle cut: N/A

Roaming information:

Online BAS IP: 192.168.0.10

Online time: 12:01:12 01/02 2018 UTC

Roaming count: 3

BAS-IP Roam-in time

192.168.0.11 12:20:12 01/02 2018 UTC

192.168.0.10 12:18:12 01/02 2018 UTC

Contents

Configuring 802.11r
    About 802.11r
        802.11r operating mechanism
        Protocols and standards
    Restrictions and guidelines: 802.11r configuration
    Configuring 802.11r
    802.11r configuration examples (intra-AC)
        Example: Configuring over-the-DS FT and PSK authentication
        Example: Configuring over-the-air FT and PSK authentication
        Example: Configuring over-the-DS FT and 802.1X authentication
        Example: Configuring over-the-air FT and 802.1X authentication


Configuring 802.11r

About 802.11r

802.11r fast BSS transition (FT) minimizes the delay when a client roams from a BSS to another BSS within the same ESS. During 802.11r FT, a client needs to exchange messages with the target AP.

802.11r operating mechanism

FT provides the following message exchanging methods:

• Over-the-air—The client communicates directly with the target AP for pre-roaming authentication.

• Over-the-DS—The client communicates with the target AP through the current AP for pre-roaming authentication.

Intra-AC roaming through over-the-air FT

As shown in Figure 1, the client is associated with AP 1. Intra-AC roaming through over-the-air FT uses the following process:

1. The client sends an FT authentication request to AP 2.
2. AP 2 sends an FT authentication response to the client.
3. The client sends a reassociation request to AP 2.
4. AP 2 sends a reassociation response to the client.
5. The client roams to AP 2.

Figure 1 Intra-AC roaming through over-the-air FT

Inter-AC roaming through over-the-air FT

As shown in Figure 2, the client is associated with AP 1. Inter-AC roaming through over-the-air FT uses the following process:

1. After the client comes online, AC 1 sends roaming information for the client to AC 2. Roaming information includes the PMK and the client VLAN.
2. The client sends an FT authentication request to AP 2.
3. AP 2 sends an FT authentication response to the client.
4. The client sends a reassociation request to AP 2.
5. AP 2 sends a reassociation response to the client.
6. The client roams to AP 2.

Figure 2 Inter-AC roaming through over-the-air FT

Intra-AC roaming through over-the-DS FT

As shown in Figure 3, the client is associated with AP 1. Intra-AC roaming through over-the-DS FT uses the following process:

1. After the client comes online, the AC creates a roaming entry and saves it for the client.
2. The client sends an FT authentication request to AP 1.
3. AP 1 sends an FT authentication response to the client.
4. The client sends a reassociation request to AP 2.
5. AP 2 sends a reassociation response to the client.
6. The client roams to AP 2.

Figure 3 Intra-AC roaming through over-the-DS FT

Inter-AC roaming through over-the-DS FT

As shown in Figure 4, the client is associated with AP 1. Inter-AC roaming through over-the-DS FT uses the following process:

1. After the client comes online, AC 1 sends roaming information for the client to AC 2. Roaming information includes the PMK and the client VLAN.
2. The client sends an FT authentication request to AP 1.
3. AP 1 sends an FT authentication response to the client.
4. The client sends a reassociation request to AP 2.
5. AP 2 sends a reassociation response to the client.
6. The client roams to AP 2.

Figure 4 Inter-AC roaming through over-the-DS FT


Protocols and standards

802.11r, IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

Restrictions and guidelines: 802.11r configuration

When you configure 802.11r, follow these restrictions and guidelines:

• To enable a client that does not support FT to access the WLAN, create two service templates using the same SSID: one enabled with FT and the other not.

• To prevent a client from coming online every time the periodic re-authentication timer expires, do not enable FT and 802.1X periodic re-authentication for the same service template. For more information about 802.1X periodic re-authentication, see User Access and Authentication Configuration Guide.

• PTK updates are not supported for clients that have been associated with a WLAN through FT. For more information about PTK updates, see WLAN Security Configuration Guide.

Configuring 802.11r

1. Enter system view.

system-view

2. Enter service template view.

wlan service-template service-template-name

3. Enable FT.

ft enable

By default, FT is disabled.

4. (Optional.) Set the FT method.

ft method { over-the-air | over-the-ds }

By default, the FT method is over-the-air.

5. (Optional.) Set the reassociation timeout timer.

ft reassociation-timeout timeout

By default, the reassociation timeout timer is 20 seconds. The roaming process is terminated if a client does not send any reassociation requests before the timeout timer expires.
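The four FT flows above and the ft method and ft reassociation-timeout settings can be exercised together in a small model. As an added example that is not H3C code, the Python below assumes a simplified AC that answers an FT authentication request only on the configured path (directly at the target AP for over-the-air, through the current AP for over-the-DS), only when it already holds the client's PMK and VLAN (synchronized at step 1 of the inter-AC flows), and that terminates the roam when the reassociation request arrives after the timeout; the class names, AP names and timestamps are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AccessController:
    name: str
    aps: set                                   # names of the APs this AC manages
    ft_method: str = "over-the-air"            # 'ft method { over-the-air | over-the-ds }'
    reassociation_timeout: int = 20            # 'ft reassociation-timeout', 20 seconds by default
    roam_info: dict = field(default_factory=dict)   # MAC -> {"pmk", "vlan"}, own or synchronized
    pending_ft: dict = field(default_factory=dict)  # MAC -> (target AP, time of FT auth response)


class FTDomain:
    """Toy model of the 802.11r flows described above (added example, not H3C code).

    Simplifications assumed here: an AC answers an FT authentication request only on the
    configured path and only if it already holds the client's roaming information, and
    time is an integer number of seconds supplied by the caller.
    """

    def __init__(self, acs):
        self.acs = list(acs)

    def ac_for(self, ap):
        return next(ac for ac in self.acs if ap in ac.aps)

    def client_online(self, mac, ap, pmk, vlan, sync_peers=True):
        """Step 1: the home AC stores the roaming entry; for inter-AC roaming it also sends
        the PMK and client VLAN to the other ACs in advance (sync_peers=False skips that)."""
        home = self.ac_for(ap)
        home.roam_info[mac] = {"pmk": pmk, "vlan": vlan}
        if sync_peers:
            for ac in self.acs:
                if ac is not home:
                    ac.roam_info[mac] = dict(home.roam_info[mac])

    def ft_auth_request(self, mac, current_ap, target_ap, sent_to_ap, now):
        """FT authentication request. Over-the-air goes directly to the target AP; over-the-DS
        is carried as an action frame through the current AP. Returns the outcome as text."""
        target_ac = self.ac_for(target_ap)
        expected = target_ap if target_ac.ft_method == "over-the-air" else current_ap
        if sent_to_ap != expected:
            return "rejected: not the configured path for " + target_ac.ft_method
        if mac not in target_ac.roam_info:
            # Without the PMK the target AC cannot complete FT; the client needs a full authentication.
            return "rejected: no roaming entry on " + target_ac.name
        target_ac.pending_ft[mac] = (target_ap, now)
        return "FT authentication response"

    def reassociation_request(self, mac, target_ap, now):
        """The reassociation must follow the FT authentication within the reassociation
        timeout, otherwise the AC terminates the roaming process."""
        target_ac = self.ac_for(target_ap)
        pending = target_ac.pending_ft.pop(mac, None)
        if pending is None or pending[0] != target_ap:
            return "rejected: no pending FT authentication for this AP"
        if now - pending[1] > target_ac.reassociation_timeout:
            return "terminated: reassociation timeout expired"
        return f"roamed to {target_ap} (VLAN {target_ac.roam_info[mac]['vlan']})"


if __name__ == "__main__":
    # Constructed run of the intra-AC over-the-DS example below (timeout 50 s); the PMK is a placeholder.
    ac = AccessController("AC", {"AP 1", "AP 2"}, ft_method="over-the-ds", reassociation_timeout=50)
    net = FTDomain([ac])
    net.client_online("9cd3-6d9e-6778", "AP 1", "pmk-placeholder", 1)
    print(net.ft_auth_request("9cd3-6d9e-6778", "AP 1", "AP 2", sent_to_ap="AP 1", now=0))
    print(net.reassociation_request("9cd3-6d9e-6778", "AP 2", now=10))
```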

802.11r configuration examples (intra-AC)

The AP models and serial numbers in this document are used only as examples. Support for AP models and serial numbers depends on the AC model.

Example: Configuring over-the-DS FT and PSK authentication

Network configuration

As shown in Figure 5, configure intra-AC roaming through over-the-DS FT to enable the client to roam between AP 1 and AP 2. Configure PSK as the authentication and key management mode.


Figure 5 Network diagram

Procedure

# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the authentication and key management mode to PSK, and configure simple string 12345678 as the PSK.
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the reassociation timeout timer to 50 seconds.
[AC-wlan-st-acstname] ft reassociation-timeout 50
# Set the FT method to over-the-DS.
[AC-wlan-st-acstname] ft method over-the-ds
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit

(Figure 5 diagram labels: AC, AP 1, AP 2, Client.)


# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit

Verifying the configuration

# Verify that the service template is correctly configured.
[AC] display wlan service-template acstname verbose

Service template name : acstname

Description : Not configured

SSID : service

SSID-hide : Disabled

User-isolation : Disabled

Service template status : Enabled

Maximum clients per BSS : Not configured

Frame format : Dot3

Seamless-roam status : Disabled

Seamless-roam RSSI threshold : 50

Seamless-roam RSSI gap : 20

VLAN ID : 1

AKM mode : PSK

Security IE : RSN

Cipher suite : CCMP

TKIP countermeasure time : 0 sec

PTK lifetime : 43200 sec

GTK rekey : Enabled

GTK rekey method : Time-based

GTK rekey time : 86400 sec

GTK rekey client-offline : Disabled

User authentication mode : Bypass

Intrusion protection : Disabled

Intrusion protection mode : Temporary-block

Temporary block time : 180 sec

Temporary service stop time : 20 sec

Fail VLAN ID : Not configured

802.1X handshake : Disabled

802.1X handshake secure : Disabled

802.1X domain : Not configured

MAC-auth domain : Not configured

Max 802.1X users : 4096

Max MAC-auth users : 4096

802.1X re-authenticate : Disabled

Authorization fail mode : Online

Accounting fail mode : Online

Authorization : Permitted


Key derivation : SHA1

PMF status : Disabled

Hotspot policy number : Not configured

Forwarding policy status : Disabled

Forwarding policy name : Not configured

Forwarder : AC

FT Status : Enable

FT Method : over-the-ds

FT Reassociation Deadline : 50 sec

QoS trust : Port

QoS priority : 0

# Verify that the roaming status is N/A and the FT status is Active.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 1

AP name : 1

Radio ID : 1

SSID : service

BSSID : 000f-e266-7788

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23


Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : RSN

AKM mode : PSK

Encryption cipher : CCMP

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : N/A

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 1minutes 13seconds

FT status : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 2

AP name : 2

Radio ID : 1

SSID : service

BSSID : 000f-e211-2233

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported


MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : FT

Security mode : RSN

AKM mode : PSK

Encryption cipher : CCMP

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : Intra-AC roam

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 5minutes 13seconds

FT status : Active

Example: Configuring over-the-air FT and PSK authentication

Network configuration

As shown in Figure 5, configure intra-AC roaming through over-the-air FT to enable the client to roam between AP 1 and AP 2. Configure PSK as the authentication and key management mode.

Procedure

# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the authentication and key management mode to PSK, and configure simple string 12345678 as the PSK.
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp


[AC-wlan-st-acstname] security-ie rsn
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the reassociation timeout timer to 50 seconds.
[AC-wlan-st-acstname] ft reassociation-timeout 50
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit

Verifying the configuration

# Verify the following information:
• RSN IE is enabled.
• The AKM mode is PSK.
• The cipher suite is CCMP.
• The FT status is Active.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 1

AP name : 1

Radio ID : 1

SSID : service

BSSID : 000f-e266-7788

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac


Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : RSN

AKM mode : PSK

Encryption cipher : CCMP

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : N/A

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 1minutes 13seconds

FT status : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A


AID : 1

AP ID : 2

AP name : 2

Radio ID : 1

SSID : service

BSSID : 000f-e211-2233

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : FT

Security mode : RSN

AKM mode : PSK

Encryption cipher : CCMP

User authentication mode : Bypass

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : Intra-AC roam

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 5minutes 13seconds

FT status : Active


Example: Configuring over-the-DS FT and 802.1X authentication

Network configuration

As shown in Figure 5, configure intra-AC roaming through over-the-DS FT to enable the client to roam between AP 1 and AP 2. Configure 802.1X as the authentication and key management mode.

Procedure

# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the AKM mode to 802.1X.
[AC-wlan-st-acstname] akm mode dot1x
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Set the authentication mode to 802.1X for clients, and specify ISP domain imc for 802.1X authentication.
[AC-wlan-st-acstname] client-security authentication-mode dot1x
[AC-wlan-st-acstname] dot1x domain imc
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the FT method to over-the-DS.
[AC-wlan-st-acstname] ft method over-the-ds
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme imcc.
[AC] radius scheme imcc
# Set the IP address of the primary authentication and accounting servers to 10.1.1.3.
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] primary accounting 10.1.1.3
# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Configure the AC to remove the ISP domain name from usernames sent to the RADIUS server.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
# Create ISP domain imc, and configure the domain to use RADIUS scheme imcc for authentication, authorization, and accounting.
[AC] domain imc


[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit

Verifying the configuration

# Verify that the service template is correctly configured.
[AC] display wlan service-template acstname verbose

Service template name : acstname

Description : Not configured

SSID : service

SSID-hide : Disabled

User-isolation : Disabled

Service template status : Enabled

Maximum clients per BSS : Not configured

Frame format : Dot3

Seamless-roam status : Disabled

Seamless-roam RSSI threshold : 50

Seamless-roam RSSI gap : 20

VLAN ID : 1

AKM mode : 802.1X

Security IE : RSN

Cipher suite : CCMP

TKIP countermeasure time : 0 sec

PTK lifetime : 43200 sec

GTK rekey : Enabled

GTK rekey method : Time-based

GTK rekey time : 86400 sec

GTK rekey client-offline : Disabled

User authentication mode : 802.1X

Intrusion protection : Disabled

Intrusion protection mode : Temporary-block


Temporary block time : 180 sec

Temporary service stop time : 20 sec

Fail VLAN ID : Not configured

802.1X handshake : Disabled

802.1X handshake secure : Disabled

802.1X domain : imc

MAC-auth domain : Not configured

Max 802.1X users : 4096

Max MAC-auth users : 4096

802.1X re-authenticate : Disabled

Authorization fail mode : Online

Accounting fail mode : Online

Authorization : Permitted

Key derivation : SHA1

PMF status : Disabled

Hotspot policy number : Not configured

Forwarding policy status : Disabled

Forwarding policy name : Not configured

Forwarder : AC

FT Status : Enable

FT Method : over-the-ds

FT Reassociation Deadline : 20 sec

QoS trust : Port

QoS priority : 0

# Verify that the roaming status is N/A and the FT status is Active.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 1

AP name : 1

Radio ID : 1

SSID : service

BSSID : 000f-e266-7788

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported


STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : RSN

AKM mode : 802.1X

Encryption cipher : CCMP

User authentication mode : 802.1X

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : N/A

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 1minutes 13seconds

FT status : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 2

AP name : 2

Radio ID : 1

SSID : service

BSSID : 000f-e211-2233

VLAN ID : 1


Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : FT

Security mode : RSN

AKM mode : 802.1X

Encryption cipher : CCMP

User authentication mode : 802.1X

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : Intra-AC roam

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 5minutes 13seconds

FT status : Active

Example: Configuring over-the-air FT and 802.1X authentication

Network configuration

As shown in Figure 5, configure intra-AC roaming through over-the-air FT to enable the client to roam between AP 1 and AP 2. Configure 802.1X as the authentication and key management mode.


Procedure

# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the AKM mode to 802.1X.
[AC-wlan-st-acstname] akm mode dot1x
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Set the authentication mode to 802.1X for clients, and specify ISP domain imc for 802.1X authentication.
[AC-wlan-st-acstname] client-security authentication-mode dot1x
[AC-wlan-st-acstname] dot1x domain imc
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme imcc.
[AC] radius scheme imcc
# Set the IP address of the primary authentication and accounting servers to 10.1.1.3.
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] primary accounting 10.1.1.3
# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Configure the AC to remove the ISP domain name from usernames sent to the RADIUS server.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
# Create ISP domain imc, and configure the domain to use RADIUS scheme imcc for authentication, authorization, and accounting.
[AC] domain imc
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname


[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit

Verifying the configuration

# Verify the following information:
• RSN IE is enabled.
• The AKM mode is 802.1X.
• The cipher suite is CCMP.
• The FT status is Active.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 1

AP name : 1

Radio ID : 1

SSID : service

BSSID : 000f-e266-7788

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported

Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In


Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : Open system

Security mode : RSN

AKM mode : 802.1X

Encryption cipher : CCMP

User authentication mode : 802.1X

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : N/A

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 1minutes 13seconds

FT status : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose

Total number of clients: 1

MAC address : fc25-3f03-8361

IPv4 address : 10.1.1.114

IPv6 address : N/A

Username : N/A

AID : 1

AP ID : 2

AP name : 2

Radio ID : 1

SSID : service

BSSID : 000f-e211-2233

VLAN ID : 1

Sleep count : 242

Wireless mode : 802.11ac

Channel bandwidth : 80MHz

SM power save : Enabled

SM power save mode : Dynamic

Short GI for 20MHz : Supported

Short GI for 40MHz : Supported


Short GI for 80MHz : Supported

Short GI for 160/80+80MHz : Not supported

STBC RX capability : Not supported

STBC TX capability : Not supported

LDPC RX capability : Not supported

SU beamformee capability : Not supported

MU beamformee capability : Not supported

Beamformee STS capability : N/A

Block Ack : TID 0 In

Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,

8, 9, 10, 11, 12, 13, 14,

15, 16, 17, 18, 19, 20,

21, 22, 23

Supported rates : 6, 9, 12, 18, 24, 36,

48, 54 Mbps

QoS mode : WMM

Listen interval : 10

RSSI : 62

Rx/Tx rate : 130/11

Authentication method : FT

Security mode : RSN

AKM mode : 802.1X

Encryption cipher : CCMP

User authentication mode : 802.1X

Authorization ACL ID : 3001(Not effective)

Authorization user profile : N/A

Roam status : Intra-AC roam

Key derivation : SHA1

PMF status : Enabled

Forward policy name : Not configured

Online time : 0days 0hours 5minutes 13seconds

FT status : Active
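All four examples above (over-the-DS and over-the-air FT, each with PSK and with 802.1X) verify the roam the same way: a `display wlan client verbose` snapshot before the client moves shows Authentication method Open system, Roam status N/A and FT status Active; the snapshot after the move shows a different AP ID, Authentication method FT and Roam status Intra-AC roam, with the security mode and cipher unchanged. The following script is an added example, not H3C code: it parses two such snapshots and reports which of those expectations fail, so the check can be repeated for any AKM mode. The snapshots are constructed from the verification output in this guide, reduced to the fields the check reads.

```python
"""Compare two `display wlan client verbose` snapshots taken before and after
a client moves from AP 1 to AP 2, and report which FT roam expectations fail.
Added example, not H3C code; the snapshots are constructed from the
verification output shown in this guide."""

from typing import Dict, List

# Constructed snapshot while the client is associated with AP 1.
BEFORE_ROAM = """\
MAC address                   : fc25-3f03-8361
AP ID                         : 1
BSSID                         : 000f-e266-7788
Authentication method         : Open system
Security mode                 : RSN
AKM mode                      : PSK
Encryption cipher             : CCMP
Roam status                   : N/A
FT status                     : Active
"""

# Constructed snapshot after the client has moved into AP 2's coverage.
AFTER_ROAM = """\
MAC address                   : fc25-3f03-8361
AP ID                         : 2
BSSID                         : 000f-e211-2233
Authentication method         : FT
Security mode                 : RSN
AKM mode                      : PSK
Encryption cipher             : CCMP
Roam status                   : Intra-AC roam
FT status                     : Active
"""


def parse_display(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict keyed by the stripped field name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_ft_roam(before: Dict[str, str], after: Dict[str, str], akm: str) -> List[str]:
    """Return the expectations that fail; an empty list means the client moved
    to another AP over FT with the expected AKM and its security parameters intact.

    akm is the AKM mode the service template was configured with (PSK or 802.1X).
    """
    problems: List[str] = []
    if before.get("MAC address") != after.get("MAC address"):
        problems.append("snapshots describe different clients")
    # FT must be active in both snapshots; otherwise the AC did not keep the
    # FT state needed for the fast reassociation.
    for when, snap in (("before", before), ("after", after)):
        if snap.get("FT status") != "Active":
            problems.append("FT status not Active %s the roam" % when)
        if snap.get("AKM mode") != akm:
            problems.append("AKM mode %s the roam is %r, expected %r"
                            % (when, snap.get("AKM mode"), akm))
    # Security mode and cipher are negotiated at the first association and
    # must be the same after the roam.
    for field in ("Security mode", "Encryption cipher"):
        if before.get(field) != after.get(field):
            problems.append("%s changed during roam" % field)
    # The move itself: a new AP, a reassociation authenticated via FT, and the
    # AC recording it as an intra-AC roam.
    if before.get("AP ID") == after.get("AP ID"):
        problems.append("client did not change AP")
    if after.get("Authentication method") != "FT":
        problems.append("reassociation was not authenticated with FT")
    if after.get("Roam status") != "Intra-AC roam":
        problems.append("roam status is %r, expected Intra-AC roam" % after.get("Roam status"))
    return problems


if __name__ == "__main__":
    failures = check_ft_roam(parse_display(BEFORE_ROAM), parse_display(AFTER_ROAM), "PSK")
    print("FT roam verified" if not failures else "\n".join(failures))
```

For the 802.1X examples, pass `"802.1X"` as the `akm` argument; the script then reports any snapshot whose AKM mode still shows PSK, and an after-snapshot whose Authentication method reads Open system instead of FT is reported as a full reassociation rather than an FT roam.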