Purpose
This guide shows how to configure a Huawei device with the following AP models running firmware FitAP_Model_V200R006C10SPC800:
- AP6010SN-GN
- AP6010DN-AGN
- AP6310SN-GN
- AP6510DN-AGN
- AP6610DN-AGN
- AP7110SN-GN
- AP7110DN-AGN
- AP5010SN-GN
- AP5010DN-AGN
- AP3010DN-AGN
- AP6510DN-AGN-US
- AP6610DN-AGN-US
- AP5030DN
- AP5130DN
- AP7030DE
- AP2010DN
- AP8130DN
- AP8030DN
- AP9330DN
- AP4030DN
- AP4130DN
- AP3030DN
- AP2030DN
- AP9131DN
- AP9132DN
- AP5030DN-S
- AP3010DN-V2
Please note that the images contained in this article may have outdated configuration data. Please check the data in the article "Parameters for the Solution" at the bottom of the page, as that information is up to date.
Prerequisites
The configuration procedure has been performed and tested on Huawei Access Controller AC6005-8-PWR running firmware VRP (R) software, Version 5.130 (AC6005 V200R006C10) and Access Point AP5030DN running firmware FitAP5X30XN_V200R006C10SPC800.
Before integrating the Access Controller with Cloud4Wi, make sure it is connected to the Internet, reachable on the network, and has UDP port 2000 open.
This guide will refer to the Access Controller AC6005 and the network architecture in the picture below.
In this case:
- Network 1 includes the Access Controller
- Network 2 includes the Access Points, any switch or any client
For all other network topologies, please contact Huawei support or read through the Huawei documentation available on their site: http://support.huawei.com/.
Accessing the device
By default, the Access Controller has the following IP address: 169.254.1.1. You can manage and configure the AC by Telnet, or by opening a web browser, visiting the URL http://169.254.1.1 and logging in as the admin user with the default password admin@huawei.com. This guide performs the configuration from the CLI.
Network 1 (AC)
Ethernet interfaces and VLANs
- Configure a Service VLAN and the CapWap source IP address (in this example, the IP address configured in Vlan150) on the GigabitEthernet interface attached to your default gateway (GigabitEthernet0/0/1).
- Configure a management VLAN (management of APs - Vlan30).
- Set the CapWap source to the public IP address of the AC 6005.
- Configure a tagged VLAN (service for the STAs - Vlan200).
In a Telnet session, start by configuring the VLAN interfaces and GigabitEthernet 0/0/1 as follows:
<AC-6005>system-view
Enter system view, return user view with Ctrl+Z.
# Change the system name to the public IP address of the AC 6005. This is a mandatory step: the name of the controller must be its public IP address. If the AC uses a private IP address, provide the public IP address it is NATted to.
[AC-6005]sysname 151.0.208.150
# VLAN / Capwap source (public IP address of the AC 6005)
[151.0.208.150]interface vlanif 150
[151.0.208.150-Vlanif150]description public-ip-AC
[151.0.208.150-Vlanif150]ip address 151.0.208.150 29
[151.0.208.150-Vlanif150]quit
# Service VLAN with the address pool of the STAs (Client devices will connect to AP)
[151.0.208.150]interface vlanif 200
[151.0.208.150-Vlanif200]description service-VLAN
[151.0.208.150-Vlanif200]ip address 192.168.50.1 24
[151.0.208.150-Vlanif200]quit
# Management VLAN (IP pool for APs)
[151.0.208.150]interface vlanif 30
[151.0.208.150-Vlanif30]description Management-VLAN
[151.0.208.150-Vlanif30]ip address 192.168.30.1 24
[151.0.208.150-Vlanif30]quit
# Associate the VLAN created to interface GigabitEthernet 0/0/1
[151.0.208.150]interface GigabitEthernet0/0/1
[151.0.208.150-GigabitEthernet0/0/1]port hybrid pvid vlan 150
[151.0.208.150-GigabitEthernet0/0/1]port hybrid tagged vlan 200
[151.0.208.150-GigabitEthernet0/0/1]port hybrid untagged vlan 30 150
[151.0.208.150-GigabitEthernet0/0/1]quit
[151.0.208.150]vlan batch 30 150 200
# Capwap source is the public IP address of the AC
[151.0.208.150]capwap source ip-address 151.0.208.150
# Add the default gateway of the AC. In this case 151.0.208.145
[151.0.208.150]ip route-static 0.0.0.0 0.0.0.0 151.0.208.145
[151.0.208.150]quit
<151.0.208.150>save
# Verify the portal version of the AC
The Portal version on the AC should be set to Ver 1. If the AC is running a different version, you can execute the following command.
[151.0.208.150]undo web-auth-server version
Configuring ACL and free-rules (Walled garden)
Security consideration. To permit connections between the Portal Server and the Access Controller, the AC must be reachable from the Internet and have UDP port 2000 open (check your firewall configuration guide).
# Free domains
[151.0.208.150]passthrough-domain name *.cloud4wi.com id 1
# Example to configure free domains for facebook login
[151.0.208.150]passthrough-domain name *.facebook.com id 2
[151.0.208.150]passthrough-domain name *.facebook.net id 3
[151.0.208.150]passthrough-domain name *.akamaihd.net id 4
[151.0.208.150]passthrough-domain name *.fbcdn.net id 5
# ACL
[151.0.208.150]acl number 6000
[151.0.208.150]rule 4 permit ip destination 8.8.8.8 0
[151.0.208.150]rule 5 permit udp source 0.0.0.0 0 destination-port eq dns
# RADIUS server
[151.0.208.150]rule 6 permit ip destination 54.247.117.188 0
[151.0.208.150]rule 39 permit tcp destination passthrough-domain *.cloud4wi.com
[151.0.208.150]rule 40 permit tcp destination passthrough-domain *.facebook.com
[151.0.208.150]rule 41 permit tcp destination passthrough-domain *.facebook.net
[151.0.208.150]rule 42 permit tcp destination passthrough-domain *.fbcdn.net
# Create a free rule template
[151.0.208.150]free-rule-template name free1
[151.0.208.150-free-rule-free1]free-rule acl 6000
To configure the walled garden, please check the following articles:
- Walled garden for the Social Login (websites/domains to open)
- Walled garden for PayPal feature (websites/domains to open)
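The following check is an added example, not part of the original guide or of Cloud4Wi's or Huawei's tooling: it cross-checks a saved copy of the walled-garden commands so that every passthrough-domain named in an ACL rule is actually defined and every RADIUS server address is permitted by the ACL. The sample input is constructed in the style of the commands in this guide, with one domain deliberately mistyped; the function name audit_walled_garden is hypothetical.

```python
import re

# Constructed sample in the style of the AC commands in this guide; one domain
# is deliberately mistyped so the audit has something to report.
SAMPLE = """\
[151.0.208.150]passthrough-domain name *.cloud4wi.com id 1
[151.0.208.150]passthrough-domain name *.facebook.com id 2
[151.0.208.150]passthrough-domain name *.akamaihd.net id 4
[151.0.208.150]passthrough-domain name *.fcbn.net id 5
[151.0.208.150]acl number 6000
[151.0.208.150]rule 6 permit ip destination 54.247.117.188 0
[151.0.208.150]rule 39 permit tcp destination passthrough-domain *.cloud4wi.com
[151.0.208.150]rule 40 permit tcp destination passthrough-domain *.facebook.com
[151.0.208.150]rule 42 permit tcp destination passthrough-domain *.fbcdn.net
[151.0.208.150-radius]radius-server authentication 54.247.117.188 1812
[151.0.208.150-radius]radius-server accounting 79.125.111.180 1813
"""

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # leading [view] or <view> prompt

def audit_walled_garden(text):
    """Cross-check passthrough-domains, ACL rules and RADIUS server addresses."""
    defined, used, permitted_ips, radius_ips = set(), set(), set(), set()
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[:2] == ["passthrough-domain", "name"] and len(tok) >= 3:
            defined.add(tok[2].lower())
        elif tok[0] == "rule" and "permit" in tok and "destination" in tok:
            dest = tok[tok.index("destination") + 1:]
            if dest[:1] == ["passthrough-domain"] and len(dest) >= 2:
                used.add(dest[1].lower())
            elif len(dest) >= 2 and dest[1] == "0":  # wildcard 0 = single host
                permitted_ips.add(dest[0])
        elif tok[0] == "radius-server" and len(tok) >= 3 \
                and tok[1] in ("authentication", "accounting"):
            radius_ips.add(tok[2])
    return {
        "undefined_in_acl": sorted(used - defined),       # rule names a domain never defined
        "defined_but_unused": sorted(defined - used),     # domain defined, no rule opens it
        "radius_not_permitted": sorted(radius_ips - permitted_ips),
    }

if __name__ == "__main__":
    print(audit_walled_garden(SAMPLE))
```

A domain reported under defined_but_unused is also worth reviewing from a least-privilege angle: each wildcard entry widens what unauthenticated clients can reach.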
Configuring RADIUS server template
[151.0.208.150]radius-server template radius
# Cloud4Wi RADIUS server IP: 54.247.117.188, authentication port: 1812, accounting port: 1813
# Replace <secret-provided-by-Cloud4Wi> with the shared secret provided by Cloud4Wi
[151.0.208.150-radius]radius-server shared-key cipher <secret-provided-by-Cloud4Wi>
[151.0.208.150-radius]radius-server authentication 54.247.117.188 1812
[151.0.208.150-radius]radius-server accounting 54.247.117.188 1813
[151.0.208.150-radius]radius-server user-name domain-included
[151.0.208.150-radius]quit
[151.0.208.150]aaa
[151.0.208.150-aaa]authentication-scheme radius
[151.0.208.150-aaa-authen-radius]authentication-mode radius
[151.0.208.150-aaa-authen-radius]quit
[151.0.208.150-aaa]authorization-scheme radius
[151.0.208.150-aaa-author-radius]authorization-mode if-authenticated
[151.0.208.150-aaa-author-radius]quit
[151.0.208.150-aaa]accounting-scheme radius
[151.0.208.150-aaa-accounting-radius]accounting-mode radius
[151.0.208.150-aaa-accounting-radius]accounting realtime 900
[151.0.208.150-aaa-accounting-radius]quit
[151.0.208.150-aaa]domain d1
[151.0.208.150-aaa-domain-d1]authentication-scheme radius
[151.0.208.150-aaa-domain-d1]authorization-scheme radius
[151.0.208.150-aaa-domain-d1]accounting-scheme radius
[151.0.208.150-aaa-domain-d1]radius-server radius
Configuring URL template and authentication profile
[151.0.208.150]url-template name u1
[151.0.208.150-url-template-u1]url https://splashportal.cloud4wi.com
# Uam parameters
[151.0.208.150-url-template-u1]url-parameter user-ipaddress wlanuserip ac-ip wlanacip ac-mac wlanacmac ap-ip wlanapip ap-mac wlanapmac redirect-url wlanuserfirsturl ssid ssid sysname wlanacname user-mac wlanusermac
[151.0.208.150-url-template-u1]quit
[151.0.208.150]web-auth-server web
# Cloud4Wi splash portal IP
[151.0.208.150-web-auth-server-web]server-ip 54.247.117.188
# Default port for communication between the AC and the Portal
[151.0.208.150-web-auth-server-web]port 50100
[151.0.208.150-web-auth-server-web]url-template u1
[151.0.208.150-web-auth-server-web]source-ip 151.0.208.150
[151.0.208.150-web-auth-server-web]quit
[151.0.208.150]portal-access-profile name portal
[151.0.208.150-portal-access-profile-portal]web-auth-server web direct
[151.0.208.150-portal-access-profile-portal]quit
[151.0.208.150]authentication-profile name portal
[151.0.208.150-authentication-profile-portal]portal-access-profile portal
[151.0.208.150-authentication-profile-portal]free-rule-template free1
[151.0.208.150-authentication-profile-portal]access-domain d1
[151.0.208.150-authentication-profile-portal]authentication roam-accounting
[151.0.208.150-authentication-profile-portal]update-session-mode
[151.0.208.150-authentication-profile-portal]authentication-scheme radius
[151.0.208.150-authentication-profile-portal]accounting-scheme radius
[151.0.208.150-authentication-profile-portal]authorization-scheme radius
[151.0.208.150-authentication-profile-portal]radius-server radius
Configuring WLAN, SSID profile, and VAP profile
# Create SSID Profile
[151.0.208.150]wlan
[151.0.208.150-wlan-view]ssid-profile name C4W-huawei
[151.0.208.150-C4W-huawei]ssid name_of_ssid
[151.0.208.150-C4W-huawei]quit
# Create VAP Profile and associate it with authentication profile
[151.0.208.150-wlan-view]vap-profile name C4W-huawei
[151.0.208.150-wlan-vap-prof-C4W-huawei]service-vlan vlan-id 200
[151.0.208.150-wlan-vap-prof-C4W-huawei]ssid-profile C4W-huawei
[151.0.208.150-wlan-vap-prof-C4W-huawei]security-profile C4W-huawei
[151.0.208.150-wlan-vap-prof-C4W-huawei]authentication-profile portal
Configuring AP group and setting the radio profile to vap-profile
The following schema defines the functional priorities of the operations necessary to configure AP groups, radio profile, and vap-profile.
# Create a new ap-group
[151.0.208.150-wlan-view]ap-group name default
[151.0.208.150-wlan-ap-group-default]vap-profile C4W-huawei wlan id_wlan radio all
# Change the AP update mode to ac-mode
[151.0.208.150-wlan-view]ap update mode ac-mode
[151.0.208.150-wlan-view]ap auth-mode no-auth
Creating a QoS profile and associating it with a user group
For example, we'll configure a QoS profile to limit the uplink and downlink bandwidth to 1 Mb/s for a specific user group (group-1M).
The user-group name represents the Filter-Id (in this case group-1M) to configure on Cloud4Wi. For further details, check the link: https://cloud4wi.zendesk.com/hc/en-us/articles/208554056-Setting-QoS-parameters-on-Internet-plans.
# Create a new QoS profile (example limiting uplink and downlink bandwidth to 1 Mb/s)
[151.0.208.150]qos-profile name limit-1M
[151.0.208.150-qosprofile-limit-1M]car inbound cir 1024
[151.0.208.150-qosprofile-limit-1M]car outbound cir 1024
[151.0.208.150-qosprofile-limit-1M]quit
# Create a new User-Group and associate it with qos-profile
[151.0.208.150]user-group group-1M
[151.0.208.150]qos-profile limit-1M
Entering the device details into the Admin Panel
For Huawei devices, the Cloud4Wi platform requires only the MAC address. The Identifier field is not required.
Network 2 (APs and STAs)
It’s mandatory to configure the following VLANs on a local switch:
- The service VLAN, with the same ID as the one previously configured on the AC (Vlan200), with a DHCP server for the STAs (customer devices) that will connect through the SSID. In this case, the address pool will be 192.168.50.1/24.
- The management VLAN for the APs, with the same ID and pool as the one previously configured on the AC (Vlan30), with a DHCP server for the APs. In this case, the pool will be 192.168.30.1/24.
There are 2 ways to configure the CapWap source IP address on the APs:
- Recommended for a small number of APs
Log in to each AP via telnet or ssh with the default credentials admin/admin@huawei.com.
In this example AC_ip_address = 151.0.208.150 (Capwap source IP address)
[fce3-3ca3-c820]ap-address static ac-list AC_ip_address
Info: The configuration takes effect after the AP is restarted.
[fce3-3ca3-c820]reboot
- Recommended for a large number of APs
On the DHCP server for the AP management VLAN, configure option 43 with sub-option 2 ip-address AC_ip_address. In this specific example, we have option 43 sub-option 2 ip-address 151.0.208.150
Parameters for the Solution
Network 1 (Access Controller)
- The system name of the AC has to be set to a public IP address.
- Configure a service VLAN in tagged mode (Vlan200).
- Configure a management VLAN (to manage the APs) (Vlan30).
- Capwap source IP address has to be set to AC IP address.
- Configure ACL to permit navigation to *.cloud4wi.com domain and Cloud4Wi RADIUS IP address.
- RADIUS server primary (Authentication) → 54.247.117.188 on port 1812, secret provided by Cloud4Wi.
- RADIUS server primary (Accounting) → 54.247.117.188 on port 1813, secret provided by Cloud4Wi.
- RADIUS server secondary (Authentication) → 79.125.111.180 on port 1812, secret provided by Cloud4Wi.
- RADIUS server secondary (Accounting) → 79.125.111.180 on port 1813, secret provided by Cloud4Wi.
- Configure the RADIUS server template:
radius-server shared-key cipher <secret-provided-by-Cloud4Wi>
radius-server authentication 54.247.117.188 1812
radius-server accounting 54.247.117.188 1813
- Set URL to Cloud4Wi Splash portal
url https://splashportal.cloud4wi.com
url-parameter user-ipaddress wlanuserip user-mac wlanusermac ac-ip wlanapip sysname wlanacname ap-mac wlanapmac ssid redirect-url wlanuserfirsturl
- Set the web-auth-server to the IP address of the Splash Portal:
server-ip 54.247.117.188 (Cloud4wi splash portal ip)
port 50100 (default port communication between AC and Portal)
url-template u1
source-ip 151.0.208.150 (ip address of the AC)
- Configure an authentication profile
authentication-profile name portal
- Configure a VAP profile and associate it with WLAN and SSID profile.
vap-profile name C4W-huawei
service-vlan vlan-id 200
ssid-profile C4W-huawei
security-profile C4W-huawei
authentication-profile portal
- Create an AP group and associate it with the VAP profile previously created.
Network 2 (Switch, APs, and STAs)
- On the switch, create one service VLAN in tagged mode with the same ID configured on the AC (Vlan200), and one VLAN for AP management with the same ID and pool configured on the AC (Vlan30).
- Create one DHCP server for the STAs and one for the APs (optionally with option 43 sub-option 2, recommended for large networks).