H3C Access Controllers WLAN Roaming Configuration Guide
New H3C Technologies Co., Ltd. http://www.h3c.com Document version: 6W104-20210413 Product version: R5426P02
Copyright © 2021, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Trademarks
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
Notice
The information in this document is subject to change without notice. All contents in this document, including statements, information, and recommendations, are believed to be accurate, but they are presented without warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions contained herein.
Preface
The access controllers documentation set describes the software features for the access controllers and guides you through the software configuration procedures. These guides also provide configuration examples to help you apply software features to different network scenarios.
The WLAN Roaming Configuration Guide describes WLAN roaming, WLAN roaming center, and 802.11r configurations.
This preface includes the following topics about the documentation:
• Audience.
• Conventions.
• Documentation feedback.
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the H3C access controllers.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.
GUI conventions
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.
Represents an access point.
Represents a wireless terminator unit.
Represents a wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.
Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Contents
Configuring WLAN roaming ... 1
  About WLAN roaming ... 1
    Terminology ... 1
    IADTP tunnel establishment ... 1
    WLAN roaming mechanism ... 2
  Restrictions and guidelines: WLAN roaming configuration ... 3
  WLAN roaming tasks at a glance ... 3
  Creating a mobility group ... 4
  Setting an authentication mode for IADTP control messages ... 4
  Specifying an IP address type for IADTP tunnels ... 5
  Specifying the source IP address for establishing IADTP tunnels ... 5
  Setting the DSCP value for IADTP keepalive packets ... 5
  Adding a mobility group member ... 6
    Manually adding a mobility group member ... 6
    Enabling automatic group member discovery ... 7
  Specifying the mobility group member role of a device ... 7
  Disabling IADTP data tunnels ... 8
  Enabling roaming relay ... 8
  Enabling a mobility group ... 9
  Enabling tunnel isolation for mobility groups ... 9
  Enabling SNMP notifications for WLAN roaming ... 9
  Display and maintenance commands for WLAN roaming ... 10
  WLAN roaming configuration examples ... 10
    Example: Configuring intra-AC roaming ... 10
    Example: Configuring inter-AC roaming ... 14
Configuring WLAN roaming
About WLAN roaming
WLAN roaming enables clients to seamlessly roam among APs in an ESS while retaining their IP address and authorization information during the roaming process.
Terminology
• Inter Access Device Tunneling Protocol—IADTP is an H3C-proprietary protocol that provides a generic packet encapsulation and transport mechanism for devices to securely communicate with each other. Devices that provide roaming services establish an IADTP tunnel with each other to exchange control messages and client information.
• Home AC—An HA is an AC that manages the AP with which a wireless client associates for the first time.
• Foreign AC—An FA is an AC with which a client associates after inter-AC roaming.
• Mobility group—A group that contains multiple member devices among which clients can roam.
IADTP tunnel establishment
A device in a mobility group can act as a client to initiate connection requests or act as a server to listen for and respond to the connection requests.
Figure 1 Establishing an IADTP tunnel
As shown in Figure 1, two devices establish an IADTP tunnel by using the following procedure:
1. Device A sends a join request to Device B.
2. Upon receiving the join request, Device B uses the local configuration and packet content to identify whether Device A is in the same mobility group.
   • If they are in the same mobility group, Device B returns a join response with a result code representing success.
   • If they are in different mobility groups, Device B returns a join response with a result code representing failure.
3. Upon receiving the join response, Device A examines the result code in the response.
   • If the result code represents failure, Device A does not return any packets.
   • If the result code represents success, Device A sends a join confirm to Device B.
4. Upon receiving the join confirm, Device B establishes an IADTP tunnel with Device A.
(Figure 1 shows Device A sending a Join Request to Device B, Device B returning a Join Response, Device A sending a Join Confirm, and the resulting IADTP Tunnel between the two devices.)
WLAN roaming mechanism
Clients can roam between devices in the same mobility group.
Intra-AC roaming
Intra-AC roaming enables clients to roam among APs that are managed by the same AC.
Figure 2 Intra-AC roaming
As shown in Figure 2, intra-AC roaming uses the following procedure:
1. The client comes online from AP 1, and the AC creates a roaming entry for the client.
2. The client roams to AP 2. The AC examines the roaming entry for the client and determines whether to perform fast roaming. If the client uses RSN + 802.1X authentication and carries the same PMKID as the AC, fast roaming is used, and the client can associate with AP 2 without reauthentication. Otherwise, the client must be reauthenticated before associating with AP 2.
Inter-AC roaming
Inter-AC roaming enables clients to roam among APs that are managed by different ACs. These ACs must be in the same mobility group and have established an IADTP tunnel with each other.
(Figure 2 shows one AC managing AP 1 and AP 2, with the client roaming from AP 1 to AP 2.)
Figure 3 Inter-AC roaming
As shown in Figure 3, inter-AC roaming uses the following procedure:
1. The client comes online from AP 2. AC 1 creates a roaming entry for the client and sends the information to AC 2 through the IADTP tunnel.
2. The client roams to AP 3. AC 2 examines the roaming entry for the client and determines whether to perform fast roaming. If the client uses RSN + 802.1X authentication and carries the same PMKID as the AC, fast roaming is used, and the client can associate with AP 3 without reauthentication. Otherwise, the client must be reauthenticated before associating with AP 3.
3. The client associates with AP 3. AC 2 sends a roaming request to AC 1.
4. AC 1 verifies the roaming request and performs either of the following operations:
   • Sends a roaming response that indicates roaming failure to AC 2 if the request is invalid. AC 2 logs off the client.
   • Saves the roaming trace and roam-out information and sends a roaming response that indicates roaming success to AC 2 if the request is valid. AC 2 saves roam-in information for the client.
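The inter-AC procedure above, modelled as an added example (not H3C code): an HA creates and synchronises the roaming entry, the FA decides between fast roaming and reauthentication from the PMKID, and the roaming request/response decides whether roam-out, roam-track and roam-in state is written or the client is logged off. The authentication labels, the PMKID value and the constructed helper build_mobility_group are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RoamEntry:
    mac: str
    ipv4: str
    auth: str               # "rsn-802.1x" or "open" (constructed labels)
    pmkid: Optional[str]    # PMKID the AC caches for an RSN + 802.1X client
    home_ac: str = ""       # name of the HA that created the entry


@dataclass
class AC:
    name: str
    peers: List["AC"] = field(default_factory=list)                 # IADTP tunnel peers
    entries: Dict[str, RoamEntry] = field(default_factory=dict)     # own and synchronised entries
    roam_track: Dict[str, List[str]] = field(default_factory=dict)  # roaming trace, kept on the HA
    roam_out: Dict[str, str] = field(default_factory=dict)          # mac -> FA name, kept on the HA
    roam_in: Dict[str, RoamEntry] = field(default_factory=dict)     # kept on the FA
    online: set = field(default_factory=set)                        # MACs currently associated here

    def client_online(self, entry: RoamEntry) -> None:
        """Step 1: the HA creates the roaming entry and pushes it over its IADTP tunnels."""
        entry.home_ac = self.name
        self.entries[entry.mac] = entry
        self.online.add(entry.mac)
        self.roam_track[entry.mac] = [self.name]
        for peer in self.peers:
            peer.entries[entry.mac] = entry

    def needs_reauth(self, mac: str, presented_pmkid: Optional[str]) -> bool:
        """Step 2: fast roaming only for an RSN + 802.1X client whose PMKID matches the cached one."""
        entry = self.entries.get(mac)
        if entry is None:
            return True
        fast = (entry.auth == "rsn-802.1x" and presented_pmkid is not None
                and presented_pmkid == entry.pmkid)
        return not fast

    def handle_roam_request(self, mac: str, fa: "AC") -> bool:
        """Step 4 on the HA: the request is valid only if this AC created the entry."""
        entry = self.entries.get(mac)
        if entry is None or entry.home_ac != self.name:
            return False                        # roaming response: failure
        self.roam_track[mac].append(fa.name)    # roaming trace
        self.roam_out[mac] = fa.name            # roam-out information
        self.online.discard(mac)
        return True                             # roaming response: success

    def client_roams_in(self, mac: str, presented_pmkid: Optional[str]) -> str:
        """Steps 2 to 4 on the FA; returns the outcome for the client."""
        entry = self.entries.get(mac)
        if entry is None:
            return "no roaming entry"           # nothing was synchronised for this client
        reauth = self.needs_reauth(mac, presented_pmkid)
        ha = next((p for p in self.peers if p.name == entry.home_ac), None)
        if ha is None or not ha.handle_roam_request(mac, self):
            return "logged off"                 # invalid request: the FA logs the client off
        self.roam_in[mac] = entry               # roam-in information
        self.online.add(mac)
        return "reauthenticated" if reauth else "fast roam"


def build_mobility_group(*names: str) -> List[AC]:
    """Constructed helper: full-mesh IADTP tunnels among the named ACs."""
    acs = [AC(n) for n in names]
    for ac in acs:
        ac.peers = [p for p in acs if p is not ac]
    return acs
```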
Restrictions and guidelines: WLAN roaming configuration
For a service template where an AP is configured as the client authenticator, WLAN roaming is not supported. For more information about client authentication, see User Access and Authentication Configuration Guide.
For RSN + 802.1X clients from different VLANs to roam between devices within a mobility group, make sure uplink interfaces of the member devices permit all client VLANs.
(Figure 3 shows AC 1 (HA) and AC 2 (FA) in mobility group office connected by an IADTP tunnel; AP 1 and AP 2 are managed by AC 1, AP 3 and AP 4 by AC 2; the client roams from AP 2 to AP 3, and AC 2 sends a roaming request to AC 1, which returns a roaming response.)
WLAN roaming tasks at a glance
To configure WLAN roaming, perform the following tasks:
1. Creating a mobility group
2. (Optional.) Setting an authentication mode for IADTP control messages
3. Specifying an IP address type for IADTP tunnels
4. Specifying the source IP address for establishing IADTP tunnels
5. (Optional.) Setting the DSCP value for IADTP keepalive packets
6. Adding a mobility group member
   Perform one of the following tasks:
   • Manually adding a mobility group member
   • Enabling automatic group member discovery
7. (Optional.) Specifying the mobility group member role of a device
8. (Optional.) Disabling IADTP data tunnels
9. (Optional.) Enabling roaming relay
10. Enabling a mobility group
11. (Optional.) Enabling tunnel isolation for mobility groups
12. (Optional.) Enabling SNMP notifications for WLAN roaming
Creating a mobility group
Restrictions and guidelines
For inter-device roaming to operate correctly, create the same mobility group and add members to each device in the mobility group.
You can create only one mobility group on a device.
Procedure
1. Enter system view.
   system-view
2. Create a mobility group and enter its view.
   wlan mobility group group-name
Setting an authentication mode for IADTP control messages
About this task
This feature enables the device to verify the integrity of control messages transmitted over IADTP tunnels. WLAN roaming supports only the MD5 algorithm.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Set an authentication mode for IADTP control messages.
   authentication-mode authentication-mode { cipher | simple } string
   By default, the device does not verify the integrity of IADTP control messages.
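The join request / join response / join confirm exchange of Figure 1 together with the control-message integrity check from this section, as an added example that is not H3C's implementation: the server accepts a join only from a peer in the same mobility group, and, when an authentication mode is configured, only when the keyed MD5 authenticator verifies. The message layout, the result codes and the use of HMAC-MD5 as the keyed construction are assumptions of this example; the guide says only that MD5 is used.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed result codes: the guide names only "success" and "failure".
RESULT_SUCCESS = 0
RESULT_FAILURE = 1


def md5_authenticator(key: str, payload: dict) -> str:
    """Keyed MD5 over the serialised control message (models authentication-mode)."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key.encode(), data, hashlib.md5).hexdigest()


@dataclass
class Device:
    name: str
    ip: str
    group: str
    auth_key: Optional[str] = None      # None models "authentication not configured"
    tunnels: set = field(default_factory=set)

    def build(self, msg_type: str, **fields) -> dict:
        """Control message carrying the mobility group name and, if configured, an authenticator."""
        msg = {"type": msg_type, "src": self.ip, "group": self.group, **fields}
        if self.auth_key is not None:
            msg["auth"] = md5_authenticator(self.auth_key, msg)
        return msg

    def verify(self, msg: dict) -> bool:
        """Integrity check, enforced only when an authentication mode is configured locally."""
        if self.auth_key is None:
            return True
        body = {k: v for k, v in msg.items() if k != "auth"}
        expected = md5_authenticator(self.auth_key, body)
        return hmac.compare_digest(expected, msg.get("auth", ""))

    def on_join_request(self, req: dict) -> dict:
        """Step 2: decide from local configuration and packet content whether the peer is in our group."""
        if self.verify(req) and req["group"] == self.group:
            return self.build("join_response", result=RESULT_SUCCESS)
        return self.build("join_response", result=RESULT_FAILURE)

    def on_join_confirm(self, conf: dict) -> None:
        """Step 4: the server side brings the tunnel up."""
        if self.verify(conf):
            self.tunnels.add(conf["src"])


def establish_tunnel(client: Device, server: Device) -> bool:
    """Run the three-message exchange; True only if both ends hold the tunnel."""
    request = client.build("join_request")
    response = server.on_join_request(request)
    # Step 3: the client examines the result code; on failure it stays silent.
    if not client.verify(response) or response["result"] != RESULT_SUCCESS:
        return False
    confirm = client.build("join_confirm")
    server.on_join_confirm(confirm)
    client.tunnels.add(server.ip)
    return server.ip in client.tunnels and client.ip in server.tunnels
```

A tunnel only comes up when both ends share the group name and the same authentication setting; a peer with no key, a wrong key, or a modified group field is refused.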
Specifying an IP address type for IADTP tunnels
About this task
You must specify an IP address type for IADTP tunnels after you create a mobility group.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Specify an IP address type for IADTP tunnels.
   tunnel-type { ipv4 | ipv6 }
   By default, the IP address type for IADTP tunnels is IPv4.
Specifying the source IP address for establishing IADTP tunnels
About this task
A device uses the specified source IP address to establish IADTP tunnels with other member devices within the same mobility group.
Restrictions and guidelines
You can specify one IPv4 address, one IPv6 address, or both, but only the IP address type that is the same as the IP address type for IADTP tunnels takes effect.
Make sure the mobility group is disabled before you specify the source IP address for establishing IADTP tunnels.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Specify the source IP address for establishing IADTP tunnels.
   source { ip ipv4-address | ipv6 ipv6-address }
   By default, no source IP address is specified for establishing IADTP tunnels.
Setting the DSCP value for IADTP keepalive packets
About this task
The DSCP value of an IP packet specifies the priority level of the packet and affects the transmission priority of the packet. A greater DSCP value means a higher packet priority.
In a scenario where a device establishes IADTP tunnels with other devices across NAT devices, the two devices use IPsec for tunnel encryption and establishment. To prevent IADTP tunnel disconnection because the device cannot receive any IADTP keepalive packets from the peer when the IADTP tunnel is busy, set the DSCP value by using this feature.
Restrictions and guidelines
As a best practice, set the DSCP value to 63 for IADTP keepalive packets.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Set the DSCP value for IADTP keepalive packets.
   tunnel-dscp dscp-value
   The default setting is 0.
Adding a mobility group member
Manually adding a mobility group member
About this task
Members in a mobility group are identified by their IP addresses used to establish IADTP tunnels.
You can add both IPv4 and IPv6 members to a mobility group. Only members whose IP address type is the same as the IP address type of IADTP tunnels take effect.
You can specify VLANs for a member, so that other members in the mobility group can directly forward client data of the member from the specified VLANs. If you do not specify VLANs for the member, its client data cannot be directly forwarded by another member in the mobility group unless the clients roam to that member.
Restrictions and guidelines
A device can belong to only one mobility group.
You can add a maximum of 31 IPv4 members and 31 IPv6 members to a mobility group.
When you specify VLANs for a mobility group member, follow these restrictions and guidelines:
• If a mobility group has multiple members, make sure no loops exist among IADTP tunnels between members within the mobility group.
• Make sure the VLANs have not been used by interfaces or services.
• Do not assign VLANs that have been specified for a member to interfaces or services.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Add a mobility group member.
   member { ip ipv4-address | ipv6 ipv6-address } [ vlan vlan-id-list ]
Enabling automatic group member discovery
About this task
Members in a mobility group are identified by their IP addresses used to establish IADTP tunnels. You can add both IPv4 and IPv6 members to a mobility group. Only members whose IP address type is the same as the IP address type of IADTP tunnels take effect.
This feature enables a device to automatically discover member devices in a mobility group by broadcasting its source IP address in the group. Member devices in the group that receive the IP address automatically establish IADTP tunnels with the device. The device joins the mobility group after it establishes IADTP tunnels with all the other members.
Restrictions and guidelines
A device can belong to only one mobility group.
You can add a maximum of 31 IPv4 members and 31 IPv6 members to a mobility group. When the maximum number is reached, the device stops establishing IADTP tunnels with newly discovered devices.
Prerequisites
Execute the source command to specify the source IP address used for establishing IADTP tunnels.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Enable automatic group member discovery.
   member auto-discovery [ interval interval ]
   By default, automatic group member discovery is disabled.
Specifying the mobility group member role of a device
About this task
This feature applies to a scenario where a device establishes an IADTP tunnel with another device in the same mobility group across a NAT device. In this scenario, the device with a lower IP address acts as the client to initiate a connection request to the device with a higher IP address. If the device with a lower IP address resides in the public network, the IADTP tunnel cannot be established. To ensure successful establishment of the IADTP tunnel in this case, specify the device in the private network as the client to initiate the connection request.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Specify the mobility group member role of the device.
   role { client | server }
   By default, a member device with a higher IP address acts as the server, and a member device with a lower IP address acts as the client.
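An added planning check (not an H3C tool) for the role rules in this section and the address-type rule of the tunnel-type and member sections: it drops members whose address family does not match tunnel-type, flags the 31-member limit, derives the default client/server role from the IP address comparison, and reports the case where the lower address sits on the public side of a NAT device, which the guide says needs role client on the private-side device. The private flag and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_MEMBERS_PER_FAMILY = 31   # limit stated in the guide for IPv4 and for IPv6 members


@dataclass
class Member:
    ip: str
    private: bool = False       # constructed attribute: device is in a private network behind NAT
    role: Optional[str] = None  # explicit "role { client | server }"; None keeps the default


def effective_members(tunnel_type: str, members: List[Member]) -> List[Member]:
    """Only members whose address family matches tunnel-type take effect."""
    want = 4 if tunnel_type == "ipv4" else 6
    return [m for m in members if ipaddress.ip_address(m.ip).version == want]


def initiator(a: Member, b: Member) -> Member:
    """Who sends the join request: an explicit role wins, otherwise the lower IP address."""
    if a.role == "client" or b.role == "server":
        return a
    if b.role == "client" or a.role == "server":
        return b
    return a if ipaddress.ip_address(a.ip) < ipaddress.ip_address(b.ip) else b


def tunnel_can_establish(a: Member, b: Member) -> bool:
    """Across NAT, a public-side initiator cannot reach a private-side listener."""
    init = initiator(a, b)
    listener = b if init is a else a
    return not (listener.private and not init.private)


def plan(local: Member, tunnel_type: str, members: List[Member]) -> dict:
    """Per-peer role of the local device, plus the change the guide prescribes when NAT blocks the tunnel."""
    want = 4 if tunnel_type == "ipv4" else 6
    peers = effective_members(tunnel_type, members)
    report = {
        "ignored": [m.ip for m in members if ipaddress.ip_address(m.ip).version != want],
        "limit_exceeded": len(peers) > MAX_MEMBERS_PER_FAMILY,
        "peers": {},
    }
    for peer in peers:
        role = "client" if initiator(local, peer) is local else "server"
        ok = tunnel_can_establish(local, peer)
        fix = None
        if not ok:
            # The device in the private network must be made the client.
            private_side = peer.ip if peer.private else local.ip
            fix = f"configure 'role client' on {private_side}"
        report["peers"][peer.ip] = {"role": role, "establishable": ok, "fix": fix}
    return report
```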
Disabling IADTP data tunnels
About this task
CAUTION: To avoid data loss, do not disable IADTP data tunnels if no service ports are specified on the device for client VLANs.
This feature enables a device to forward client traffic directly out of client VLANs' service ports, instead of through the IADTP data tunnel. This reduces the device's workload caused by processing broadcast packets received from IADTP data tunnels and saves resources for maintaining these tunnels.
Restrictions and guidelines
You must enable or disable IADTP tunnels on all devices in a mobility group.
You can configure this feature only when the mobility group is disabled.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Disable IADTP data tunnels.
   data-tunnel disable
   By default, IADTP data tunnels are enabled.
Enabling roaming relay
About this task
In a WLAN, client roaming will gradually turn the WLAN into a fully meshed network, because any two devices must establish a tunnel with each other to exchange roaming entries. In a large network, establishing and maintaining such tunnels can consume a lot of bandwidth resources, increasing network complexity and reducing availability. Roaming relay is introduced to resolve this issue.
With this feature configured, the device enabled with roaming relay acts as a relay device to establish an IADTP tunnel with each non-relay device, forming a star topology. Non-relay devices do not need to establish tunnels with each other. These non-relay devices synchronize roaming entries to the relay device and, upon a client roaming, request the client entry from the relay device.
Restrictions and guidelines
Make sure the mobility group is disabled before you configure this feature.
To use roaming relay, you must enable roaming relay on a device and configure the device as the only mobility group member for the other devices in the same mobility group.
You can enable roaming relay on only one device in a mobility group.
If clients belong to different VLANs, make sure the tunnel interfaces on the relay device permit packets from all client VLANs.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Enable roaming relay.
   roam-relay enable
   By default, roaming relay is disabled.
Enabling a mobility group
About this task
This feature enables the device to establish IADTP tunnels and synchronize roaming entries with member devices.
Procedure
1. Enter system view.
   system-view
2. Enter mobility group view.
   wlan mobility group group-name
3. Enable the mobility group.
   group enable
   By default, a mobility group is disabled.
Enabling tunnel isolation for mobility groups
About this task
Tunnel isolation prevents devices from forwarding packets between tunnels in a mobility group and avoids broadcast storms when loops exist among devices in the mobility group.
Procedure
1. Enter system view.
   system-view
2. Enable tunnel isolation for mobility groups.
   wlan mobility-group-isolation enable
   By default, tunnel isolation is enabled for mobility groups.
Enabling SNMP notifications for WLAN roaming
About this task
To report critical WLAN roaming events to an NMS, enable SNMP notifications for WLAN roaming. For WLAN roaming event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
   system-view
2. Enable SNMP notifications for WLAN roaming.
   snmp-agent trap enable wlan mobility
   By default, SNMP notifications for WLAN roaming are disabled.
Display and maintenance commands for WLAN roaming
Execute display commands in any view.
Task: Display information about clients that have roamed to or from the device.
Command: display wlan mobility { roam-in | roam-out } [ member { ip ipv4-address | ipv6 ipv6-address } ]
Task: Display mobility group information.
Command: display wlan mobility group
Task: Display roam-track information for a client on the HA.
Command: display wlan mobility roam-track mac-address mac-address
WLAN roaming configuration examples
The AP models and serial numbers in this document are used only as examples. Support for AP models and serial numbers depends on the AC model.
Example: Configuring intra-AC roaming
Network configuration
As shown in Figure 4, configure intra-AC roaming to enable the client to roam from AP 1 to AP 2. The two APs are managed by the same AC.
Figure 4 Network diagram
(Figure 4 shows one AC managing AP 1 and AP 2, with the client roaming from AP 1 to AP 2.)
Procedure
# Create a service template named service, set the SSID to 1, and enable the service template.
<AC> system-view
[AC] wlan service-template service
[AC-wlan-st-service] ssid 1
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC13C004126
# Bind the service template to radio 1 of AP 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] service-template service
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create a manual AP named ap2, and specify the AP model and serial ID.
[AC] wlan ap ap2 model WA4320i-ACN
[AC-wlan-ap-ap2] serial-id 219801A0CNC125002216
# Bind the service template to radio 1 of AP 2.
[AC-wlan-ap-ap2] radio 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] service-template service
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
Verifying the configuration
# Enable the client to come online from AP 1. (Details not shown.)
# Verify that the client has associated with AP 1, and the roaming status is N/A, which indicates that the client has not performed any roaming.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 9cd3-6d9e-6778
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : ap1
Radio ID : 1
SSID : 1
BSSID : 000f-e200-4444
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : Not configured
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Inactive
# Verify that the AC has a roaming entry for the client.
[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778
Total entries : 1
Current entries: 1
BSSID Created at Online time AC IP address RID AP name
000f-e200-4444 2016-06-14 11:12:28 00hr 01min 16sec 127.0.0.1 1 ap1
# Enable the client to roam to AP 2. (Details not shown.)
# Verify that the client has associated with AP 2, and the roaming status is Intra-AC roam.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 9cd3-6d9e-6778
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : ap2
Radio ID : 1
SSID : 1
BSSID : 000f-e203-7777
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : Not configured
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Inactive
# Verify that the AC has updated the roaming entry for the client.
[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778
Total entries : 2
Current entries: 2
BSSID Created at Online time AC IP address RID AP name
000f-e203-7777 2016-06-14 11:12:28 00hr 01min 02sec 127.0.0.1 1 ap2
000f-e200-4444 2016-06-14 11:12:04 00hr 03min 51sec 127.0.0.1 1 ap1
Example: Configuring inter-AC roaming
Network configuration
As shown in Figure 5, configure inter-AC roaming to enable the client to roam from AP 2 to AP 3, which are managed by different ACs.
Figure 5 Network diagram
(Figure 5 shows AC 1 (HA) and AC 2 (FA) in mobility group office connected by an IADTP tunnel; AP 1 and AP 2 are managed by AC 1, AP 3 and AP 4 by AC 2; the client roams from AP 2 to AP 3, and AC 2 exchanges a roaming request and roaming response with AC 1.)
Procedure
1. Configure AC 1:
# Create a service template named service, set the SSID to office, and enable the service template.
<AC1> system-view
[AC1] wlan service-template service
[AC1-wlan-st-service] ssid office
[AC1-wlan-st-service] service-template enable
[AC1-wlan-st-service] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC1] wlan ap ap1 model WA4320i-ACN
[AC1-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Bind the service template to radio 1 of AP 1.
[AC1-wlan-ap-ap1] radio 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] service-template service
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Create a manual AP named ap2, and specify the AP model and serial ID.
[AC1] wlan ap ap2 model WA4320i-ACN
[AC1-wlan-ap-ap2] serial-id 219801A0CNC138011445
# Bind the service template to radio 1 of AP 2.
[AC1-wlan-ap-ap2] radio 1
[AC1-wlan-ap-ap2-radio-1] radio enable
[AC1-wlan-ap-ap2-radio-1] service-template service
[AC1-wlan-ap-ap2-radio-1] quit
[AC1-wlan-ap-ap2] quit
# Create a mobility group named office.
[AC1] wlan mobility group office
# Specify the IP address type for IADTP tunnels as IPv4.
[AC1-wlan-mg-office] tunnel-type ipv4
# Specify the source IP address for establishing IADTP tunnels as 10.1.4.22.
[AC1-wlan-mg-office] source ip 10.1.4.22
# Add AC 2 to the mobility group.
[AC1-wlan-mg-office] member ip 10.1.4.23
# Enable the mobility group.
[AC1-wlan-mg-office] group enable
[AC1-wlan-mg-office] quit
2. Configure AC 2: # Create a service template named service, specify the SSID as office, and enable the service template. <AC2> system-view
[AC2] wlan service-template service
[AC2-wlan-st-service] ssid office
[AC2-wlan-st-service] service-template enable
[AC2-wlan-st-service] quit
# Create a manual AP named ap3, and specify the AP model and serial ID.
[AC2] wlan ap ap3 model WA4320i-ACN
[AC2-wlan-ap-ap3] serial-id 219801A0CNC138011439
# Bind the service template to radio 1 of AP 3.
[AC2-wlan-ap-ap3] radio 1
[AC2-wlan-ap-ap3-radio-1] radio enable
[AC2-wlan-ap-ap3-radio-1] service-template service
[AC2-wlan-ap-ap3-radio-1] quit
[AC2-wlan-ap-ap3] quit
# Create a manual AP named ap4, and specify the AP model and serial ID.
[AC2] wlan ap ap4 model WA4320i-ACN
[AC2-wlan-ap-ap4] serial-id 219801A0CNC138011448
# Bind the service template to radio 1 of AP 4.
[AC2-wlan-ap-ap4] radio 1
[AC2-wlan-ap-ap4-radio-1] radio enable
[AC2-wlan-ap-ap4-radio-1] service-template service
[AC2-wlan-ap-ap4-radio-1] quit
[AC2-wlan-ap-ap4] quit
# Create a mobility group named office.
[AC2] wlan mobility group office
# Specify the IP address type for IADTP tunnels as IPv4.
[AC2-wlan-mg-office] tunnel-type ipv4
# Specify the source IP address for establishing IADTP tunnels as 10.1.4.23.
[AC2-wlan-mg-office] source ip 10.1.4.23
# Add AC 1 to the mobility group.
[AC2-wlan-mg-office] member ip 10.1.4.22
# Enable the mobility group.
[AC2-wlan-mg-office] group enable
[AC2-wlan-mg-office] quit
Verifying the configuration
# Verify that a mobility group has been created on AC 1.
[AC1] display wlan mobility group
Mobility group name: office
Tunnel type: IPv4
Source IPv4: 10.1.4.22
Source IPv6: Not configured
Authentication method: Not configured
Mobility group status: Enabled
Member entries: 1
IP address State Online time
10.1.4.23 Up 00hr 00min 12sec
# Verify that a mobility group has been created on AC 2.
[AC2] display wlan mobility group
Mobility group name: office
Tunnel type: IPv4
Source IPv4: 10.1.4.23
Source IPv6: Not configured
Authentication method: Not configured
Mobility group status: Enabled
Member entries: 1
IP address State Online time
10.1.4.22 Up 00hr 00min 05sec
# Get the client online on AP 2 and then make the client roam to AP 3. (Details not shown.)
# Display client roaming information on AC 1 to verify that the client has come online from AP 2 and roamed to AP 3.
[AC1] display wlan mobility roam-track mac-address 9cd3-6d9e-6778
Total entries : 2
Current entries: 2
BSSID Created at Online time AC IP address RID AP name
000f-e203-8889 2016-06-14 11:12:28 00hr 06min 56sec 10.1.4.23 1 ap3
000f-e203-7777 2016-06-14 11:11:28 00hr 03min 30sec 127.0.0.1 1 ap2
# On AC 1, verify that the client has roamed to AC 2.
<AC1> display wlan mobility roam-out
Total entries: 1
MAC address BSSID VLAN ID Online time FA IP address
9cd3-6d9e-6778 000f-e203-8889 1 00hr 01min 59sec 10.1.4.23
# On AC 2, verify that the client has associated with AP 3, and the roaming status is Inter-AC roam.
<AC2> display wlan client verbose
Total number of clients: 1
MAC address : 9cd3-6d9e-6778
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 3
AP name : ap3
Radio ID : 1
SSID : 1
BSSID : 000f-e203-8889
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : Not configured
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Inter-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Inactive
# Verify that the client has roamed from AC 1 to AC 2.
<AC2> display wlan mobility roam-in
Total entries: 1
MAC address BSSID VLAN ID HA IP address
9cd3-6d9e-6778 000f-e203-8889 1 10.1.4.22
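As an added check that is not part of the H3C guide, the following Python script parses the two display wlan mobility group outputs from the verification above (reconstructed inline) and confirms that each AC lists the other as a member with the IADTP tunnel up; the parser, the check function and the warning about an unconfigured authentication method are my additions, not an H3C tool.

```python
"""Consistency check for a two-AC mobility group, built on the
'display wlan mobility group' output shown above for AC 1 and AC 2.

Added example, not part of the H3C guide: the parser and the checks are
hypothetical tooling, and the two outputs below are constructed from the
values in this example (10.1.4.22 on AC 1, 10.1.4.23 on AC 2)."""

AC1_OUTPUT = """\
Mobility group name: office
Tunnel type: IPv4
Source IPv4: 10.1.4.22
Source IPv6: Not configured
Authentication method: Not configured
Mobility group status: Enabled
Member entries: 1
IP address State Online time
10.1.4.23 Up 00hr 00min 12sec
"""

AC2_OUTPUT = """\
Mobility group name: office
Tunnel type: IPv4
Source IPv4: 10.1.4.23
Source IPv6: Not configured
Authentication method: Not configured
Mobility group status: Enabled
Member entries: 1
IP address State Online time
10.1.4.22 Up 00hr 00min 05sec
"""


def parse_mobility_group(text):
    """Turn the display output into a dict; member rows go under 'members'."""
    info = {"members": {}}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("IP address"):        # header row of the member table
            in_table = True
            continue
        if in_table:
            ip, state, online = line.split(None, 2)
            info["members"][ip] = {"state": state, "online": online}
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def check_mobility_pair(local, peer):
    """Errors break inter-AC roaming; warnings are settings worth an operator's review."""
    errors, warnings = [], []
    if local["Mobility group name"] != peer["Mobility group name"]:
        errors.append("mobility group names differ")
    if local["Tunnel type"] != peer["Tunnel type"]:
        errors.append("tunnel types differ")
    for ac, other in ((local, peer), (peer, local)):
        src = ac["Source IPv4"]
        if ac["Mobility group status"] != "Enabled":
            errors.append(f"{src}: mobility group not enabled")
        if int(ac["Member entries"]) != len(ac["members"]):
            errors.append(f"{src}: member count does not match the member table")
        member = other["members"].get(src)
        if member is None:
            errors.append(f"{src}: not a member on peer {other['Source IPv4']}")
        elif member["state"] != "Up":
            errors.append(f"{src}: tunnel is {member['state']} on peer {other['Source IPv4']}")
        if ac["Authentication method"] == "Not configured":
            # Peers are accepted into the group without authentication; review this.
            warnings.append(f"{src}: no authentication method configured for the mobility group")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_mobility_pair(parse_mobility_group(AC1_OUTPUT),
                                 parse_mobility_group(AC2_OUTPUT))
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
```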
Contents
Configuring the WLAN roaming center ... 1
  About the WLAN roaming center ... 1
    Operating mechanism ... 1
  Restrictions: Hardware compatibility with WLAN roaming center ... 2
  WLAN roaming center tasks at a glance ... 3
  Enabling the WLAN roaming center ... 3
  Specifying a port number for the WLAN roaming center ... 3
  Setting the wait timer for user offline notification responses ... 4
  Setting the maximum transmission attempts for user offline notification requests ... 4
  Specifying portal roaming centers permitted by the WLAN roaming center ... 5
  Display and maintenance commands for WLAN roaming center ... 5
  WLAN roaming center configuration examples ... 6
    Example: Configuring the WLAN roaming center ... 6
Configuring the WLAN roaming center
About the WLAN roaming center
A WLAN roaming center is an AC that manages information about wireless client authentication, authorization, and roaming to enable seamless inter-AC roaming. With the roaming center feature configured, clients can roam to another AC without being reauthenticated.
WLAN roaming center supports only portal authentication. For more information about inter-AC roaming for portal users, see portal in User Access and Authentication Configuration Guide.
Operating mechanism
As shown in Figure 1, a roaming center network must contain the following components:
• WLAN roaming center—An AC enabled with the WLAN roaming center feature. It manages client roaming and can also act as a portal roaming center to provide wireless services. Each network can have only one WLAN roaming center.
• Portal roaming centers—ACs enabled with the portal roaming center feature to provide access and roaming services to clients, for example, AC 1 and AC 2.
Figure 1 Network diagram (WLAN roaming center; portal roaming centers AC 1 and AC 2; AAA server; switch; AP and client)
In a roaming center network, the WLAN roaming center feature operates as follows:
1. The AC with which a client attempts to associate sends a user query request to the WLAN roaming center. Upon receiving the request, the WLAN roaming center replies with a user query response.
2. When the client comes online, the AC sends a user online request to the WLAN roaming center. If it is the first time the client comes online, the WLAN roaming center creates a client entry and replies with a user online response. If the client has come online from another AC and roams to the AC, the WLAN roaming center updates the client entry and then replies with a user online response.
3. When the client goes offline, the AC sends a user offline request to the WLAN roaming center. Upon receiving the packet, the WLAN roaming center removes the AC from the access device list and replies with a user offline response. Then, the WLAN roaming center sends user offline notification requests to the other ACs in the access device list and removes the client entry after receiving responses from the ACs.
Restrictions: Hardware compatibility with WLAN roaming center
Hardware series | Model | Product code | WLAN roaming center compatibility
WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | No
WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | No
WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | No
WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes: WX3510H, WX3520H, WX3540H, WX3520H-F. No: WX3508H
WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes
WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes
Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes: LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM1MAC0F. No: LSQM1WCMX20, LSUM1WCMX20RT, EWPXM2WCMD0F

Hardware series | Model | Product code | WLAN roaming center compatibility
WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No
WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | Yes
WX5800H series | WX5860H | EWP-WX5860H-GL | Yes
WLAN roaming center tasks at a glance
To configure the WLAN roaming center, perform the following tasks:
1. Enabling the WLAN roaming center
2. (Optional.) Specifying a port number for the WLAN roaming center
3. (Optional.) Setting the wait timer for user offline notification responses
4. (Optional.) Setting the maximum transmission attempts for user offline notification requests
5. (Optional.) Specifying portal roaming centers permitted by the WLAN roaming center
Enabling the WLAN roaming center
Restrictions and guidelines
You can enable the WLAN roaming center on only one AC in a network.
Disabling the WLAN roaming center feature deletes all portal client information.
Procedure
1. Enter system view.
system-view
2. Create a WLAN roaming center and enter its view.
wlan roaming-center
3. Enable the WLAN roaming center.
roaming-center enable
By default, the WLAN roaming center is disabled.
Specifying a port number for the WLAN roaming center
About this task
The WLAN roaming center uses the specified port number to communicate with portal roaming centers.
Restrictions and guidelines
Make sure the port specified for the WLAN roaming center is the same as the port specified for portal roaming centers.
Changing the port number when portal clients are online might cause information synchronization failure between the WLAN roaming center and portal roaming centers. Portal clients might fail to roam and must be reauthenticated.
As a best practice to avoid residual data, disable the WLAN roaming center before you change the port number.
Procedure
1. Enter system view.
system-view
2. Create a WLAN roaming center and enter its view.
wlan roaming-center
3. Specify a port number for the WLAN roaming center.
port port-number
By default, the WLAN roaming center uses port 1088.
Setting the wait timer for user offline notification responses
About this task
After sending a user offline notification request to an AC, the WLAN roaming center resends the request if it fails to receive a response before the wait timer expires. If it fails to receive any response after the maximum transmission attempt limit is reached, the WLAN roaming center deletes the timeout timer and removes the AC from the access device list of the client.
Procedure
1. Enter system view.
system-view
2. Create a WLAN roaming center and enter its view.
wlan roaming-center
3. Set the wait timer for user offline notification responses.
response-timeout timeout
By default, the wait timer for user offline notification responses is 3 seconds.
Setting the maximum transmission attempts for user offline notification requests
About this task
After sending a user offline notification request to an AC, the WLAN roaming center resends the request if it fails to receive a response before the wait timer expires. If it fails to receive any response after the maximum transmission attempt limit is reached, the WLAN roaming center deletes the timeout timer and removes the AC from the access device list of the client.
Procedure
1. Enter system view.
system-view
2. Create a WLAN roaming center and enter its view.
wlan roaming-center
3. Set the maximum transmission attempts for user offline notification requests.
retry retries
By default, the maximum number of transmission attempts for user offline notification requests is 5.
Specifying portal roaming centers permitted by the WLAN roaming center
About this task
This feature enables the WLAN roaming center to process packets only from the permitted portal roaming centers, enhancing network security. If no permitted portal roaming centers are specified, the WLAN roaming center processes packets from all portal roaming centers.
Procedure
1. Enter system view.
system-view
2. Create a WLAN roaming center and enter its view.
wlan roaming-center
3. Specify the IP address of a portal roaming center permitted by the WLAN roaming center.
control-access { bas-ip ipv4-address | bas-ipv6 ipv6-address }
By default, no permitted portal roaming center is specified.
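The following Python model, added here and not part of the H3C guide, walks through the three operating-mechanism steps above (user query, user online, user offline) together with the offline-notification retry behaviour from the response-timeout and retry tasks and the control-access filter; the class, the method names and the notify() callback are hypothetical, and the BAS-IPs and client MAC are taken from this chapter's verification output.

```python
"""Model of how the WLAN roaming center handles a client entry, following
the 'Operating mechanism' steps above: user query, user online (create or
update), user offline with offline notifications to the other ACs, retried
up to the configured maximum, and the control-access filter that drops
packets from portal roaming centers that are not permitted.

Added example, not H3C code: the class, method names and the notify()
callback are hypothetical; the guide describes the packet flow, not the
wire format, so only the center's decisions are modelled."""

from dataclasses import dataclass, field


@dataclass
class ClientEntry:
    mac: str
    access_devices: list = field(default_factory=list)  # BAS-IPs of ACs the client is online on


class WlanRoamingCenter:
    def __init__(self, permitted=(), response_timeout=3, retry=5):
        self.permitted = set(permitted)           # empty: accept every portal roaming center
        self.response_timeout = response_timeout  # seconds to wait for each notification response
        self.retry = retry                        # maximum transmission attempts per AC
        self.entries = {}                         # client MAC -> ClientEntry
        self.dropped = 0                          # packets refused by control-access

    def _accept(self, bas_ip):
        if self.permitted and bas_ip not in self.permitted:
            self.dropped += 1
            return False
        return True

    def user_query(self, bas_ip, mac):
        """Step 1: the AC the client associates with asks whether the client is known."""
        if not self._accept(bas_ip):
            return None
        entry = self.entries.get(mac)
        return {"known": entry is not None,
                "access_devices": list(entry.access_devices) if entry else []}

    def user_online(self, bas_ip, mac):
        """Step 2: create the entry on first login, update it on a roam-in."""
        if not self._accept(bas_ip):
            return None
        entry = self.entries.get(mac)
        if entry is None:
            entry = self.entries[mac] = ClientEntry(mac)
            result = "created"
        else:
            result = "updated"
        if bas_ip not in entry.access_devices:
            entry.access_devices.append(bas_ip)
        return {"result": result, "access_devices": list(entry.access_devices)}

    def user_offline(self, bas_ip, mac, notify):
        """Step 3: remove the reporting AC, notify the remaining ACs, delete the entry.

        notify(bas_ip, mac) stands for one user offline notification request and
        returns True if a response arrives within response_timeout seconds."""
        if not self._accept(bas_ip):
            return None
        entry = self.entries.get(mac)
        if entry is None:
            return {"result": "unknown client"}
        if bas_ip in entry.access_devices:
            entry.access_devices.remove(bas_ip)
        attempts, unanswered = {}, []
        for other in list(entry.access_devices):
            attempts[other] = 0
            answered = False
            while not answered and attempts[other] < self.retry:
                attempts[other] += 1
                answered = notify(other, mac)
            if not answered:
                unanswered.append(other)   # timer deleted, AC removed regardless
            entry.access_devices.remove(other)
        del self.entries[mac]
        return {"result": "removed", "attempts": attempts, "unanswered": unanswered}
```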
Display and maintenance commands for WLAN roaming center
Execute display commands in any view and reset commands in user view.
Task Command
Display offline client history on the WLAN roaming center.
display wlan roaming-center history user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address }
Display packet statistics on the WLAN roaming center.
display wlan roaming-center statistics packet [ bas-ip ipv4-address | bas-ipv6 ipv6-address ]
Display client information on the WLAN roaming center.
display wlan roaming-center user { all | bas-ip ipv4-address | bas-ipv6 ipv6-address | ip ipv4-address | ipv6 ipv6-address | mac mac-address } [ verbose ]
Clear client history information on the WLAN roaming center.
reset wlan roaming-center history user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address }
Clear packet statistics on the WLAN roaming center.
reset wlan roaming-center statistics packet [ bas-ip ipv4-address | bas-ipv6 ipv6-address ]
Clear client information on the WLAN roaming center.
reset wlan roaming-center user { all | bas-ip ipv4-address | bas-ipv6 ipv6-address | ip ipv4-address | ipv6 ipv6-address | mac mac-address }
WLAN roaming center configuration examples
Example: Configuring the WLAN roaming center
Network configuration
As shown in Figure 2, configure AC 1 as the WLAN roaming center and AC 2 and AC 3 as portal roaming centers to enable the client to roam from AC 2 to AC 3 without being authenticated.
Figure 2 Network diagram (AC 1 as the WLAN roaming center; AC 2 and AC 3 as portal roaming centers; AAA server; switch; AP and client)
Configuring AC 1
# Create a WLAN roaming center and enter its view.
<AC1> system-view
[AC1] wlan roaming-center
# Specify the port used by the WLAN roaming center as port 40000.
[AC1-wlan-roaming-center] port 40000
# Enable the WLAN roaming center.
[AC1-wlan-roaming-center] roaming-center enable
[AC1-wlan-roaming-center] quit
Configuring AC 2
1. Assign IP addresses to interfaces and make sure the client, server, and AC can reach each other. (Details not shown.)
2. Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
<AC2> system-view
[AC2] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[AC2-radius-rs1] primary authentication 192.168.0.112
[AC2-radius-rs1] primary accounting 192.168.0.112
[AC2-radius-rs1] key authentication simple radius
[AC2-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
[AC2-radius-rs1] user-name-format without-domain
[AC2-radius-rs1] quit
# Enable RADIUS session control.
[AC2] radius session-control enable
3. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[AC2] domain dm1
# Configure AAA methods for the ISP domain.
[AC2-isp-dm1] authentication portal radius-scheme rs1
[AC2-isp-dm1] authorization portal radius-scheme rs1
[AC2-isp-dm1] accounting portal radius-scheme rs1
[AC2-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user uses a username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[AC2] domain default enable dm1
4. Configure portal authentication:
# Configure a portal authentication server.
[AC2] portal server newpt
[AC2-portal-server-newpt] ip 192.168.0.111 key simple portal
[AC2-portal-server-newpt] port 50100
[AC2-portal-server-newpt] quit
# Configure a portal Web server.
[AC2] portal web-server newpt
[AC2-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[AC2-portal-websvr-newpt] quit
# Create AP ap2 and specify the AP model and serial ID.
[AC2] wlan ap ap2 model WA4320i-ACN
[AC2-wlan-ap-ap2] serial-id 210235A29G007C000020
[AC2-wlan-ap-ap2] quit
# Create service template newst and set the SSID to portal_1.
[AC2] wlan service-template newst
[AC2-wlan-st-newst] ssid portal_1
# Enable direct portal authentication.
[AC2-wlan-st-newst] portal enable method direct
# Apply portal Web server newpt.
[AC2-wlan-st-newst] portal apply web-server newpt
# Configure the BAS-IP as 192.168.0.110 for portal packets sent to the portal authentication server.
[AC2-wlan-st-newst] portal bas-ip 192.168.0.110
# Configure APs to forward client data traffic.
[AC2-wlan-st-newst] client forwarding-location ap
# Enable the service template.
[AC2-wlan-st-newst] service-template enable
[AC2-wlan-st-newst] quit
# Specify the working channel of radio 2 on AP ap2 as 11.
[AC2] wlan ap ap2
[AC2-wlan-ap-ap2] radio 2
[AC2-wlan-ap-ap2-radio-2] channel 11
# Enable radio 2. Apply service template newst and bind VLAN 2 to the radio.
[AC2-wlan-ap-ap2-radio-2] radio enable
[AC2-wlan-ap-ap2-radio-2] service-template newst vlan 2
[AC2-wlan-ap-ap2-radio-2] quit
[AC2-wlan-ap-ap2] quit
5. Configure the portal roaming center:
# Enter portal roaming center view.
[AC2] portal roaming-center
# Specify the IP address of the WLAN roaming center as 192.168.1.1.
[AC2-portal-roaming-center] ip 192.168.1.1
# Configure the portal roaming center to use port 40000 to communicate with the WLAN roaming center.
[AC2-portal-roaming-center] port 40000
# Set the wait timer for user offline notification responses to 5 seconds.
[AC2-portal-roaming-center] response-timeout 5
# Set the maximum transmission attempts for packets sent to the WLAN roaming center to 3.
[AC2-portal-roaming-center] retry 3
# Enable the portal roaming center.
[AC2-portal-roaming-center] roaming-center enable
[AC2-portal-roaming-center] quit
Configuring AC 3
# Configure AC 3 in the same way AC 2 is configured.
Configuring the AAA server
1. Configure the RADIUS server correctly for the server to provide authentication and accounting functions. (Details not shown.)
2. Configure the portal authentication server:
NOTE: In this example, the portal server runs on IMC PLAT 7.1(E0303) and IMC EIA 7.1(E0304).
a. Log in to IMC and click the User tab.
b. Select User Access Policy > Portal Service > Server from the navigation pane, as shown in Figure 3.
c. Configure the portal server parameters as needed. This example uses the default settings.
d. Click OK.
Figure 3 Configuring the portal server
3. Configure the IP address group:
a. Select User Access Policy > Portal Service > IP Group from the navigation pane.
b. Click Add.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group.
e. Select a service group. This example uses the default group Ungrouped.
f. Select Normal from the Action list.
g. Click OK.
Figure 4 Adding an IP address group
4. Add a portal device:
a. Select User Access Policy > Portal Service > Device from the navigation pane.
b. Click Add.
c. Enter the device name NAS.
d. Enter the IP address of the interface that connects the router to the host.
e. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, No is selected for both Support Server Heartbeat and Support User Heartbeat.
f. Enter the key, which must be the same as that configured on the router.
g. Select Directly Connected as the Access Method.
h. Click OK.
Figure 5 Adding a portal device
5. Associate the portal device with the IP address group:
a. As shown in Figure 6, click the Port Group Information Management icon for device NAS.
b. Click Add.
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
e. Use the default settings for other parameters.
f. Click OK.
Figure 6 Device list
Figure 7 Adding a port group
6. Select User Access Policy > Service Parameters > Validate System Configuration from the navigation pane to validate the configurations.
Verifying the configuration
# Display client information on the WLAN roaming center.
[AC1] display wlan roaming-center user all
Total user: 1
MAC address IP address
000d-88f8-0eac 122.122.111.100
# Display detailed client roaming information on the WLAN roaming center.
[AC1] display wlan roaming-center user all verbose
MAC address: 000d-88f8-0eac
IP address: 122.122.111.100
Username: 1
Authorization information:
User profile: abc
ACL number/name: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Session Timeout period: N/A
Idle cut: N/A
Roaming information:
Online BAS IP: 192.168.0.10
Online time: 12:01:12 01/02 2018 UTC
Roaming count: 3
BAS-IP Roam-in time
192.168.0.11 12:20:12 01/02 2018 UTC
192.168.0.10 12:18:12 01/02 2018 UTC
Contents
Configuring 802.11r ... 1
  About 802.11r ... 1
    802.11r operating mechanism ... 1
    Protocols and standards ... 4
  Restrictions and guidelines: 802.11r configuration ... 4
  Configuring 802.11r ... 4
  802.11r configuration examples (intra-AC) ... 4
    Example: Configuring over-the-DS FT and PSK authentication ... 4
    Example: Configuring over-the-air FT and PSK authentication ... 9
    Example: Configuring over-the-DS FT and 802.1X authentication ... 13
    Example: Configuring over-the-air FT and 802.1X authentication ... 17
Configuring 802.11r
About 802.11r
802.11r fast BSS transition (FT) minimizes the delay when a client roams from a BSS to another BSS within the same ESS. During 802.11r FT, a client needs to exchange messages with the target AP.
802.11r operating mechanism
FT provides the following message exchange methods:
• Over-the-air—The client communicates directly with the target AP for pre-roaming authentication.
• Over-the-DS—The client communicates with the target AP through the current AP for pre-roaming authentication.
Intra-AC roaming through over-the-air FT
As shown in Figure 1, the client is associated with AP 1. Intra-AC roaming through over-the-air FT uses the following process:
1. The client sends an FT authentication request to AP 2.
2. AP 2 sends an FT authentication response to the client.
3. The client sends a reassociation request to AP 2.
4. AP 2 sends a reassociation response to the client.
5. The client roams to AP 2.
Figure 1 Intra-AC roaming through over-the-air FT
Inter-AC roaming through over-the-air FT As shown in Figure 2, the client is associated with AP 1. Inter-AC roaming through over-the-air FT uses the following process:
1. After the client comes online, AC 1 sends roaming information for the client to AC 2. Roaming information includes the PMK and the client VLAN.
2. The client sends an FT authentication request to AP 2.
3. AP 2 sends an FT authentication response to the client.
4. The client sends a reassociation request to AP 2.
5. AP 2 sends a reassociation response to the client.
6. The client roams to AP 2.
Figure 2 Inter-AC roaming through over-the-air FT
Intra-AC roaming through over-the-DS FT
As shown in Figure 3, the client is associated with AP 1. Intra-AC roaming through over-the-DS FT uses the following process:
1. After the client comes online, the AC creates a roaming entry and saves it for the client.
2. The client sends an FT authentication request to AP 1.
3. AP 1 sends an FT authentication response to the client.
4. The client sends a reassociation request to AP 2.
5. AP 2 sends a reassociation response to the client.
6. The client roams to AP 2.
Figure 3 Intra-AC roaming through over-the-DS FT
Inter-AC roaming through over-the-DS FT
As shown in Figure 4, the client is associated with AP 1. Inter-AC roaming through over-the-DS FT uses the following process:
1. After the client comes online, AC 1 sends roaming information for the client to AC 2. Roaming information includes the PMK and the client VLAN.
2. The client sends an FT authentication request to AP 1.
3. AP 1 sends an FT authentication response to the client.
4. The client sends a reassociation request to AP 2.
5. AP 2 sends a reassociation response to the client.
6. The client roams to AP 2.
Figure 4 Inter-AC roaming through over-the-DS FT
Protocols and standards
802.11r IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
Restrictions and guidelines: 802.11r configuration
When you configure 802.11r, follow these restrictions and guidelines:
• To enable a client that does not support FT to access the WLAN, create two service templates using the same SSID: one enabled with FT and the other not.
• To prevent a client from coming online every time the periodic re-authentication timer expires, do not enable FT and 802.1X periodic re-authentication for the same service template. For more information about 802.1X periodic re-authentication, see User Access and Authentication Configuration Guide.
• PTK updates are not supported for clients that have been associated with a WLAN through FT. For more information about PTK updates, see WLAN Security Configuration Guide.
Configuring 802.11r
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable FT.
ft enable
By default, FT is disabled.
4. (Optional.) Set the FT method.
ft method { over-the-air | over-the-ds }
By default, the FT method is over-the-air.
5. (Optional.) Set the reassociation timeout timer.
ft reassociation-timeout timeout
By default, the reassociation timeout timer is 20 seconds. The roaming process is terminated if the client does not send a reassociation request before the timer expires.
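The following Python simulation, added here and not part of the H3C guide, plays through the four FT flows from the operating mechanism above (over-the-air and over-the-DS, intra-AC and inter-AC) and enforces the two conditions the text states: a target AC can only answer FT authentication once it holds the client's synchronised roaming information, and a roam is terminated when the reassociation request arrives after ft reassociation-timeout; the AC and AP classes, function names and return strings are hypothetical, and the PMK is a constructed placeholder.

```python
"""Simulation of the 802.11r FT flows described above (over-the-air vs
over-the-DS, intra-AC vs inter-AC). It enforces the two conditions the guide
states: on inter-AC roaming the target AC must already hold the client's
roaming information (PMK and VLAN) sent by the old AC, and the roam is
terminated if no reassociation request arrives before ft
reassociation-timeout (20 s by default) expires.

Added example, not H3C or IEEE code: AC, AP, the functions and the return
strings are hypothetical, and the PMK value is a constructed placeholder."""


class AC:
    def __init__(self, name, reassoc_timeout=20):
        self.name = name
        self.reassoc_timeout = reassoc_timeout  # seconds, ft reassociation-timeout
        self.roaming_entries = {}               # client MAC -> {"pmk": ..., "vlan": ...}
        self.pending = {}                       # client MAC -> (target AP, time of FT auth)

    def sync_to(self, peer, mac):
        """Inter-AC step 1: send the client's roaming information to another AC."""
        peer.roaming_entries[mac] = dict(self.roaming_entries[mac])


class AP:
    def __init__(self, name, ac):
        self.name = name
        self.ac = ac


def client_online(client, ap, pmk, vlan):
    """The client comes online; its AC creates and saves the roaming entry."""
    ap.ac.roaming_entries[client["mac"]] = {"pmk": pmk, "vlan": vlan}
    client["ap"] = ap


def ft_authenticate(client, target_ap, method, now):
    """FT authentication request and response.

    over-the-air: the request goes straight to the target AP.
    over-the-ds: it goes to the current AP as an FT action frame and is
    relayed to the target AP through the controller side."""
    if method not in ("over-the-air", "over-the-ds"):
        raise ValueError(f"unknown FT method {method!r}")
    relay = client["ap"] if method == "over-the-ds" else target_ap
    if client["mac"] not in target_ap.ac.roaming_entries:
        # Without the synchronised PMK the target AC cannot complete FT.
        return "ft-auth-rejected: target AC has no roaming entry for the client"
    target_ap.ac.pending[client["mac"]] = (target_ap, now)
    return f"ft-auth-ok via {relay.name}"


def reassociate(client, target_ap, now):
    """Reassociation request and response; completes the roam or terminates it."""
    ac = target_ap.ac
    pend = ac.pending.pop(client["mac"], None)
    if pend is None or pend[0] is not target_ap:
        return "reassoc-rejected: no preceding FT authentication"
    _, t_auth = pend
    if now - t_auth > ac.reassoc_timeout:
        return "roam-terminated: reassociation timeout"
    client["ap"] = target_ap
    return f"roamed to {target_ap.name}"


if __name__ == "__main__":
    ac1, ac2 = AC("AC 1"), AC("AC 2")
    ap1, ap2 = AP("AP 1", ac1), AP("AP 2", ac2)
    client = {"mac": "fc25-3f03-8361"}
    client_online(client, ap1, "PMK-PLACEHOLDER", 1)
    print(ft_authenticate(client, ap2, "over-the-ds", 0))   # rejected: PMK not synced yet
    ac1.sync_to(ac2, client["mac"])
    print(ft_authenticate(client, ap2, "over-the-ds", 0))   # ok via AP 1
    print(reassociate(client, ap2, 5))                       # roamed to AP 2
```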
802.11r configuration examples (intra-AC)
The AP models and serial numbers in this document are used only as examples. Support for AP models and serial numbers depends on the AC model.
Example: Configuring over-the-DS FT and PSK authentication
Network configuration
As shown in Figure 5, configure intra-AC roaming through over-the-DS FT to enable the client to roam between AP 1 and AP 2. Configure PSK as the authentication and key management mode.
Figure 5 Network diagram
Procedure
# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the authentication and key management mode to PSK, and configure simple string 12345678 as the PSK.
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the reassociation timeout timer to 50 seconds.
[AC-wlan-st-acstname] ft reassociation-timeout 50
# Set the FT method to over-the-DS.
[AC-wlan-st-acstname] ft method over-the-ds
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
Verifying the configuration
# Verify that the service template is correctly configured.
[AC] display wlan service-template acstname verbose
Service template name : acstname
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless-roam status : Disabled
Seamless-roam RSSI threshold : 50
Seamless-roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0 sec
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Disabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users : 4096
Max MAC-auth users : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT Status : Enable
FT Method : over-the-ds
FT Reassociation Deadline : 50 sec
QoS trust : Port
QoS priority : 0
# Verify that the roaming status is N/A and the FT status is Active.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# Move the client to the coverage of AP 2. (Details not shown.)
# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
Example: Configuring over-the-air FT and PSK authentication
Network configuration
As shown in Figure 5, configure intra-AC roaming through over-the-air FT to enable the client to roam between AP 1 and AP 2. Configure PSK as the authentication and key management mode.
Procedure
# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the authentication and key management mode to PSK, and configure simple string 12345678 as the PSK.
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the reassociation timeout timer to 50 seconds.
[AC-wlan-st-acstname] ft reassociation-timeout 50
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
Verifying the configuration
# Verify the following information:
• RSN IE is enabled.
• The AKM mode is PSK.
• The cipher suite is CCMP.
• The FT status is Active.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# Move the client to the coverage of AP 2. (Details not shown.)
# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
Example: Configuring over-the-DS FT and 802.1X authentication
Network configuration
As shown in Figure 5, configure intra-AC roaming through over-the-DS FT to enable the client to roam between AP 1 and AP 2. Configure 802.1X as the authentication and key management mode.
Procedure
# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the AKM mode to 802.1X.
[AC-wlan-st-acstname] akm mode dot1x
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Set the authentication mode to 802.1X for clients, and specify ISP domain imc for 802.1X users.
[AC-wlan-st-acstname] client-security authentication-mode dot1x
[AC-wlan-st-acstname] dot1x domain imc
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Set the FT method to over-the-DS.
[AC-wlan-st-acstname] ft method over-the-ds
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme imcc.
[AC] radius scheme imcc
# Set the IP address of the primary authentication and accounting servers to 10.1.1.3.
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] primary accounting 10.1.1.3
# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Configure the AC to remove the ISP domain name from usernames sent to the RADIUS server.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
# Create ISP domain imc, and configure the domain to use RADIUS scheme imcc for authentication, authorization, and accounting.
[AC] domain imc
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
Verifying the configuration
# Verify that the service template is correctly configured.
[AC] display wlan service-template acstname verbose
Service template name : acstname
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless-roam status : Disabled
Seamless-roam RSSI threshold : 50
Seamless-roam RSSI gap : 20
VLAN ID : 1
AKM mode : 802.1X
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0 sec
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Disabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : imc
MAC-auth domain : Not configured
Max 802.1X users : 4096
Max MAC-auth users : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT Status : Enable
FT Method : over-the-ds
FT Reassociation Deadline : 20 sec
QoS trust : Port
QoS priority : 0
# Verify that the roaming status is N/A and the FT status is Active.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# Move the client to the coverage of AP 2. (Details not shown.)
# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
Example: Configuring over-the-air FT and 802.1X authentication
Network configuration
As shown in Figure 5, configure intra-AC roaming through over-the-air FT to enable the client to roam between AP 1 and AP 2. Configure 802.1X as the authentication and key management mode.
Procedure
# Create service template acstname.
<AC> system-view
[AC] wlan service-template acstname
# Set the SSID to service.
[AC-wlan-st-acstname] ssid service
# Set the AKM mode to 802.1X.
[AC-wlan-st-acstname] akm mode dot1x
# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.
[AC-wlan-st-acstname] cipher-suite ccmp
[AC-wlan-st-acstname] security-ie rsn
# Set the authentication mode to 802.1X for clients, and specify ISP domain imc for 802.1X users.
[AC-wlan-st-acstname] client-security authentication-mode dot1x
[AC-wlan-st-acstname] dot1x domain imc
# Enable FT.
[AC-wlan-st-acstname] ft enable
# Enable the service template.
[AC-wlan-st-acstname] service-template enable
[AC-wlan-st-acstname] quit
# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme imcc.
[AC] radius scheme imcc
# Set the IP address of the primary authentication and accounting servers to 10.1.1.3.
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] primary accounting 10.1.1.3
# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Configure the AC to remove the ISP domain name from usernames sent to the RADIUS server.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
# Create ISP domain imc, and configure the domain to use RADIUS scheme imcc for authentication, authorization, and accounting.
[AC] domain imc
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
# Create AP 1, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 1 model WA4320i-ACN
[AC-wlan-ap-1] serial-id 210235A1BSC123000050
[AC-wlan-ap-1] radio 1
[AC-wlan-ap-1-radio-1] service-template acstname
[AC-wlan-ap-1-radio-1] radio enable
[AC-wlan-ap-1-radio-1] quit
[AC-wlan-ap-1] quit
# Create AP 2, and bind service template acstname to radio 1 of the AP.
[AC] wlan ap 2 model WA4320i-ACN
[AC-wlan-ap-2] serial-id 210235A1BSC123000055
[AC-wlan-ap-2] radio 1
[AC-wlan-ap-2-radio-1] service-template acstname
[AC-wlan-ap-2-radio-1] radio enable
[AC-wlan-ap-2-radio-1] quit
[AC-wlan-ap-2] quit
Verifying the configuration
# Verify the following information:
• RSN IE is enabled.
• The AKM mode is 802.1X.
• The cipher suite is CCMP.
• The FT status is Active.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : 1
Radio ID : 1
SSID : service
BSSID : 000f-e266-7788
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Active
# Move the client to the coverage of AP 2. (Details not shown.)
# Verify that the authentication method is FT and the roaming status is Intra-AC roam.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : 2
Radio ID : 1
SSID : service
BSSID : 000f-e211-2233
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : FT
Security mode : RSN
AKM mode : 802.1X
Encryption cipher : CCMP
User authentication mode : 802.1X
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Active
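The four verification procedures above all read the same fields out of display wlan client verbose by eye. The following script, an added example that is not H3C's code, parses that key : value listing (including the wrapped MCS and rate lines) and checks the before-roam and after-roam states the verification steps describe; the sample outputs are constructed, abridged excerpts of the outputs shown above with the column spacing shortened.

```python
"""Check `display wlan client verbose` output for the FT and roaming state that
the verification steps expect.  Added example, not H3C's code."""
import re

# A field line is "Key : Value"; a line without a colon (the wrapped MCS and
# rate lists) continues the previous field.  The non-greedy key keeps IPv6
# addresses, which contain colons, in the value.
_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")

def parse_client_verbose(text):
    """Return {key: value} for one client entry, joining wrapped lines."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FIELD.match(line)
        if m:
            last = m.group("key")
            fields[last] = m.group("value")
        elif last is not None:
            fields[last] += " " + line
    return fields

def check_ft_state(fields, akm, roamed):
    """Return mismatches against the verification step's expectations: FT is
    Active in both states; after the move the method is FT and Intra-AC roam."""
    expected = {"Security mode": "RSN", "Encryption cipher": "CCMP",
                "AKM mode": akm, "FT status": "Active",
                "Authentication method": "FT" if roamed else "Open system",
                "Roam status": "Intra-AC roam" if roamed else "N/A"}
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}"
            for k, v in expected.items() if fields.get(k) != v]

def roam_kept_session(before, after):
    """True if the same client kept its IPv4 address while changing BSS."""
    return (before["MAC address"] == after["MAC address"]
            and before["IPv4 address"] == after["IPv4 address"]
            and before["BSSID"] != after["BSSID"])

# Constructed, abridged excerpts of the verification outputs above (column
# spacing shortened); the HT MCS line keeps its wrapped continuation lines.
BEFORE_ROAM = """\
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
AP ID : 1
BSSID : 000f-e266-7788
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
                       8, 9, 10, 11, 12, 13, 14,
                       15, 16, 17, 18, 19, 20, 21, 22, 23
Authentication method : Open system
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
Roam status : N/A
FT status : Active
"""
AFTER_ROAM = """\
MAC address : fc25-3f03-8361
IPv4 address : 10.1.1.114
AP ID : 2
BSSID : 000f-e211-2233
Authentication method : FT
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
Roam status : Intra-AC roam
FT status : Active
"""
```

Run check_ft_state on the capture taken before the move with roamed=False and on the capture taken after the move with roamed=True (akm is "PSK" or "802.1X" to match the example); a non-empty list names each field that differs from what the verification step expects.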