WLAN Configuration Guide (AC): 04-WLAN access configuration
Configuring WLAN access
About WLAN access
Wireless access is provided by APs deployed at the edge of a wired network. The APs connect to the uplink through wired connections and provide wireless access services to downlink clients.
WLAN access process
A wireless client can access a WLAN only when it completes the scanning, link layer authentication, association, and WLAN authentication processes.
For more information about data link layer authentication, see "Configuring WLAN security."
Figure 1 WLAN access process
Scanning
Active scanning
A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from received probe responses. Based on whether a probe request carries an SSID, active scanning can be divided into the following types:
· Active scanning of all wireless networks.
As shown in Figure 2, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response that carries the available wireless network information. The client associates with the optimal AP.
Figure 2 Scanning all wireless networks
· Active scanning of a specific wireless network.
As shown in Figure 3, the client periodically sends a probe request carrying the specified SSID or the SSID of the wireless network it has been associated with. When an AP that can provide wireless services with the specified SSID receives the probe request, it sends a probe response.
Figure 3 Scanning a specific wireless network
Passive scanning
As shown in Figure 4, the clients periodically listen for beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Then the clients select an AP for association. Passive scanning is used when clients want to save power.
Association
A client sends an association request to the AP after passing data link layer authentication. Upon receiving the request, the AP determines the capabilities supported by the wireless client and sends an association response to the client. The client is then associated with the AP.
Client access control
The following client access control methods are available:
· AP group-based access control—Allows clients associated with APs in the specified AP group to access the WLAN.
· SSID-based access control—Allows clients associated with the specified SSID to access the WLAN.
· Whitelist- and blacklist-based access control—Uses the whitelist and blacklists to control client access.
· ACL-based access control—Uses ACL rules bound to APs or service templates to control client access.
AP group-based access control
As shown in Figure 5, for AP group-based access control, configure AP group 1 as the permitted AP group for Client 1 and Client 2, and configure AP group 2 as the permitted AP group for Client 3.
When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the AP with which the client associates is in the permitted AP group. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.
Figure 5 AP group-based access control
SSID-based access control
As shown in Figure 6, for SSID-based access control, configure ssida as the permitted SSID for Client 1 and Client 2, and configure ssidb as the permitted SSID for Client 3.
When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the associated SSID of the client is the permitted SSID. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.
Figure 6 SSID-based access control
Whitelist- and blacklist-based access control
You can configure the whitelist or blacklists to filter frames from clients for client access control.
Whitelist-based access control
The whitelist contains the MAC addresses of all clients allowed to access the WLAN. Frames from clients not in the whitelist are discarded. This list is manually configured.
Blacklist-based access control
The following blacklists are available for access control:
· Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
· Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. An AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients. The entries in the list are removed when the aging time expires. The dynamic blacklist can take effect on the AC or on APs, depending on the configuration. For more information about WIPS, see "Configuring WIPS." For more information about WLAN MAC authentication, see "Configuring WLAN authentication."
Working mechanism
When an AP receives an association request and sends an Add Mobile message to the AC, the AC performs the following operations to determine whether to permit the client:
1. Searches the whitelist:
¡ If the client MAC address does not match any entry in the whitelist, the client is rejected.
¡ If a match is found, the client is permitted.
2. Searches the static and dynamic blacklists if no whitelist entries exist:
¡ If the client MAC address matches an entry in either blacklist, the client is rejected.
¡ If no match is found, or no blacklist entries exist, the client is permitted.
Figure 7 Whitelist- and blacklist-based access control
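The decision sequence described under "Working mechanism" is easy to get wrong in one respect: as soon as the whitelist has any entry, the blacklists are never consulted, so a MAC address that appears in both a blacklist and the whitelist is admitted. The following Python model is an added illustration written for this page, not H3C code. It assumes an explicit clock argument so that dynamic blacklist aging can be exercised deterministically, and it normalizes the MAC notations an operator is likely to type (colon, hyphen and H3C `aabb-ccdd-eeff` forms).

```python
"""Whitelist/blacklist admission decision.

Added illustration of the "Working mechanism" above; not H3C code.
Assumption: time is passed in explicitly so that dynamic-entry aging
can be tested without sleeping.
"""
from dataclasses import dataclass, field
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize common MAC notations (aa:bb:cc:dd:ee:ff, AA-BB-..., aabb-ccdd-eeff)."""
    raw = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


@dataclass
class ClientLists:
    whitelist: set = field(default_factory=set)          # manually configured
    static_blacklist: set = field(default_factory=set)   # manually configured
    # Dynamic entries carry an expiry time (aging); the manual lists do not.
    dynamic_blacklist: dict = field(default_factory=dict)

    def add_whitelist(self, mac: str) -> None:
        self.whitelist.add(normalize_mac(mac))

    def add_static_blacklist(self, mac: str) -> None:
        self.static_blacklist.add(normalize_mac(mac))

    def add_dynamic_blacklist(self, mac: str, aging_time: float, now: float) -> None:
        self.dynamic_blacklist[normalize_mac(mac)] = now + aging_time

    def expire_dynamic(self, now: float) -> None:
        """Drop dynamic entries whose aging time has elapsed."""
        for mac in [m for m, exp in self.dynamic_blacklist.items() if exp <= now]:
            del self.dynamic_blacklist[mac]


def admit(lists: ClientLists, mac: str, now: float) -> tuple:
    """Return (permitted, reason) for an association request from `mac`."""
    m = normalize_mac(mac)
    # Step 1: if any whitelist entry exists, the whitelist alone decides.
    if lists.whitelist:
        if m in lists.whitelist:
            return True, "whitelist match"
        return False, "not in whitelist"
    # Step 2: no whitelist entries, so the static and dynamic blacklists are searched.
    lists.expire_dynamic(now)
    if m in lists.static_blacklist:
        return False, "static blacklist match"
    if m in lists.dynamic_blacklist:
        return False, "dynamic blacklist match"
    return True, "no blacklist match"
```

The practical consequence to keep in mind when combining the lists: adding a single whitelist entry silently turns both blacklists off for every client, so a whitelisted network must be maintained as a complete allow list rather than as a supplement to the blacklists.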
ACL-based access control
This feature controls client access by using ACL rules bound to an AP or a service template.
Upon receiving an association request from a client, the device performs the following actions:
· Allows the client to access the WLAN if a match is found and the rule action is permit.
· Denies the client's access to the WLAN if no match is found or the matched rule has a deny statement.
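Two properties of the ACL decision above matter operationally: a client that matches no rule is denied (implicit deny), and only the first matching rule counts, so rule order decides whether a specific deny is honored or shadowed by a broader permit. The following Python model is an added example for this page, not H3C code. It assumes Layer 2 rules that match the client's source MAC against a 48-bit mask in which set bits must match, and that rules are evaluated in the order listed; the real device orders rules according to its ACL configuration, which this model does not reproduce.

```python
"""ACL-based client access control, modelled as first-match MAC rules.

Added example; not H3C code.  Assumptions: source-MAC/mask matching with
set mask bits compared, and first-match evaluation in list order.
"""
from dataclasses import dataclass


def mac_int(mac: str) -> int:
    """Convert a MAC in colon, hyphen or dotted notation to a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacRule:
    action: str                      # "permit" or "deny"
    source_mac: str
    mask: str = "ff:ff:ff:ff:ff:ff"  # all ones = exact match of the whole MAC

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"rule action must be permit or deny: {self.action!r}")

    def matches(self, client_mac: str) -> bool:
        m = mac_int(self.mask)
        return (mac_int(client_mac) & m) == (mac_int(self.source_mac) & m)


def acl_permits(rules: list, client_mac: str) -> bool:
    """Association is allowed only on a permit match; no match is an implicit deny."""
    for rule in rules:
        if rule.matches(client_mac):
            return rule.action == "permit"
    return False


# Constructed sample: block one specific device, then permit the rest of a
# corporate OUI (first three octets).  The OUI and MACs are placeholders.
CORP_ACL = [
    MacRule("deny", "00:11:22:33:44:55"),
    MacRule("permit", "00:11:22:00:00:00", mask="ff:ff:ff:00:00:00"),
]
```

Reversing the two rules in `CORP_ACL` makes the OUI permit match first and the specific deny is never reached; when you bind an ACL to an AP or service template, put the narrow deny rules ahead of the broad permit rules, and remember that leaving a client unmatched is a deny, not a pass-through.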
Restrictions and guidelines: WLAN access configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.
WLAN access tasks at a glance
To configure WLAN access, perform the following tasks:
1. Configuring wireless services
¡ Configuring a service template
¡ (Optional.) Configuring a description for a service template
¡ (Optional.) Setting the maximum number of associated clients on a radio for a service template
¡ Binding a service template to a radio
2. (Optional.) Configuring client data forwarding
¡ Specifying the client traffic forwarder
¡ Setting the encapsulation format for client data frames
¡ Specifying the method for APs to process traffic from unknown clients
3. (Optional.) Configuring client management
¡ Enabling client association at the AC or APs
¡ Setting the VLAN allocation method for clients
¡ Configuring clients to prefer the authorization VLAN after roaming
¡ Enabling immediate client association upon successful local authentication
¡ Setting the idle period before client reauthentication
¡ Configuring differentiated accounting of client traffic
4. (Optional.) Configuring client maintenance
¡ Setting the client idle timeout
¡ Configuring client keepalive
¡ Performing a wireless link quality test
¡ Configuring client statistics reporting
¡ Enabling client O&M statistics reporting
¡ Enabling beacon frames and probe responses to carry BSS Load IEs
5. (Optional.) Configuring VIP clients
¡ Configuring the VIP client group
¡ Configuring VIP client rate limit
¡ Configuring non-VIP client rate limit
6. (Optional.) Configuring policy-based forwarding
7. (Optional.) Configuring client access control
¡ Specifying a permitted AP group for client association
¡ Specifying a permitted SSID for client association
¡ Adding a client to the whitelist
¡ Adding a client to the static blacklist
¡ Configuring the dynamic blacklist
¡ Configuring ACL-based access control
8. (Optional.) Enabling an AP to respond to specific broadcast probe requests
9. (Optional.) Enabling SNMP notifications for WLAN access
Configuring wireless services
Configuring a service template
About service templates
A service template defines a set of wireless service attributes, such as SSID and authentication method.
Procedure
1. Enter system view.
system-view
2. Create a service template.
wlan service-template service-template-name
By default, no service template exists.
3. (Optional.) Assign clients coming online through the service template to the specified VLAN.
vlan vlan-id
By default, clients are assigned VLAN 1 after coming online through a service template.
Configuring a description for a service template
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Configure a description for the service template.
description text
By default, no description is configured for a service template.
Setting an SSID
About this task
APs broadcast SSIDs in beacon frames for clients to discover them. When a BSS is unavailable or when you do not want clients to discover the BSS, you can enable SSID-hidden. With SSID-hidden enabled, the BSS hides its SSID in beacon frames and does not respond to broadcast probe requests. A client must send probe requests with the specified SSID to access the WLAN. Hiding the SSID reduces casual discovery of the BSS, but it is not an access control: the SSID is still sent in clear text in the probe requests and association requests of legitimate clients, so it can be recovered by anyone listening on the channel. Use authentication and encryption, not SSID hiding, to protect the WLAN.
When the number of clients associated with an AP reaches the upper limit, the AP automatically hides its SSIDs in beacon frames, and other clients cannot discover and associate with the AP. For these clients to discover the AP, you can configure the SSID broadcast feature. However, these clients still cannot associate with the AP.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set an SSID for the service template.
ssid ssid-name
By default, no SSID is set for a service template.
4. (Optional.) Enable SSID-hidden in beacon frames.
beacon ssid-hide
By default, beacon frames carry SSIDs.
5. (Optional.) Enable SSID broadcast in beacon frames.
beacon ssid-advertise
By default, an AP hides SSIDs in beacon frames when the maximum number of associated clients is reached.
Setting the maximum number of associated clients on a radio for a service template
About this task
Perform this task to limit the associated client quantity on a radio to avoid overload. With this feature configured, new clients cannot access the WLAN and the SSID is hidden when the maximum number is reached on a radio.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set the maximum number of associated clients on a radio for the service template.
client max-count max-number
By default, the number of associated clients on a radio for a service template is not limited.
Enabling a service template
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable the service template.
service-template enable
By default, a service template is disabled.
Binding a service template to a radio
About service template binding
If you bind a service template to a radio, the AP creates a BSS that can provide wireless services defined in the service template.
You can perform the following tasks when binding a service template to a radio:
· Bind a VLAN group to the radio so that clients associated with the BSS will be assigned evenly to all VLANs in the VLAN group.
· Bind the NAS port ID or the NAS ID to the radio to identify the network access server.
· Enable the AP to hide SSIDs in beacon frames.
Restrictions and guidelines
You can bind a maximum of 16 service templates to a radio.
Procedure
1. Enter system view.
system-view
2. Enter AP view/an AP group's AP model view/virtual AP view/virtual AP group's AP model view.
¡ Enter AP view.
wlan ap ap-name
¡ Execute the following commands in sequence to enter an AP group's AP model view:
wlan ap-group group-name
ap-model ap-model
¡ Enter virtual AP view.
wlan virtual-ap ap-name
¡ Execute the following commands in sequence to enter a virtual AP group's AP model view:
wlan virtual-ap-group group-name
ap-model ap-model
3. Enter radio view.
radio radio-id
4. Bind a service template to the radio.
service-template service-template-name [ vlan vlan-id | vlan-group vlan-group-name ] [ ssid-hide ] [ nas-port-id nas-port-id ] [ nas-id nas-id ]
By default:
¡ In radio view, the configuration in an AP group's radio view is used.
¡ In an AP group's radio view, no service template is bound to a radio.
¡ In a virtual AP's radio view, the configuration in a virtual AP group's radio view is used.
¡ In a virtual AP group's radio view, no service template is bound to a radio.
Configuring client data forwarding
Specifying the client traffic forwarder
About this task
The AC (centralized forwarding) or APs (local forwarding) can forward client traffic. Using APs to forward client traffic relieves the forwarding burden on the AC.
You can configure VLAN-based client traffic forwarding so that the AC or APs forward only traffic from the specified VLANs. Traffic from the other VLANs is forwarded by the APs or the AC, respectively.
Restrictions and guidelines
Before specifying the traffic forwarder, make sure the service template is disabled.
For the configuration of using the AC to forward client traffic to take effect, make sure client traffic forwarding has been enabled.
If you specify the AC as the traffic forwarder, make sure client association is enabled at the AC.
If you execute this command multiple times, the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Specify the client traffic forwarder.
client forwarding-location { ac | ap | hybrid { ac-vlan | ap-vlan } vlan [ to end-vlan ] }
For information about the default setting, see the command reference for the device.
Setting the encapsulation format for client data frames
About this task
In a centralized forwarding infrastructure, an AP sends data frames from clients to the AC over the CAPWAP tunnel. You can set the encapsulation format for the client data frames to 802.3 or 802.11. As a best practice, set the format to 802.3 so the AC does not need to perform frame format conversion.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set the encapsulation format for client data frames.
client frame-format { dot3 | dot11 }
By default, client data frames are encapsulated in the 802.3 format.
Specifying the method for APs to process traffic from unknown clients
About this task
Perform this task to configure APs using the specified service template to drop data packets from unknown clients and deauthenticate these clients or to drop the packets only.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Specify the method for APs to process traffic from unknown clients.
unknown-client [ deauthenticate | drop ]
By default, APs drop packets from unknown clients and deauthenticate these clients.
Configuring client management
Enabling client association at the AC or APs
About this task
If you enable client association at the AC, management frames are sent to the AC over the CAPWAP tunnel, which centralizes control of client association on the AC and facilitates management. As a best practice, enable client association at the APs when the network between the AC and APs is complex.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable client association at the AC or APs.
client association-location { ac | ap }
By default, client association is performed at the AC.
Setting the VLAN allocation method for clients
About this task
When a client comes online for the first time, the associated AP assigns a random VLAN to it. When the client comes online again, the VLAN assigned to the client depends on the allocation method.
· Static allocation—The client inherits the VLAN that has been assigned to it. If the IP address lease has not expired, the client will use the same IP address. This method helps save IP addresses.
· Dynamic allocation—The AP re-assigns a VLAN to the client. This method balances clients in all VLANs.
· Compatible static allocation—The client inherits the VLAN that has been assigned to it when roaming between Comware 5 and Comware 7 ACs.
Restrictions and guidelines
After a client goes offline and comes online again, its VLAN might change in the following situations:
· In static or compatible static allocation mode, the AP will assign a new VLAN to the client if its original VLAN has been removed from the VLAN group.
· If you change the VLAN allocation method from dynamic to static or compatible static, the AP might assign the clients a different VLAN after they come online again.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set the VLAN allocation method for clients.
client vlan-alloc { dynamic | static | static-compatible }
By default, the VLAN allocation method for clients is dynamic.
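The difference between the allocation methods shows up only when a client comes online a second time, and the restrictions above add one more case: a static-mode client whose inherited VLAN has been removed from the VLAN group gets a fresh allocation. The following Python model is an added example for this page, not H3C code. It assumes that "random" first-time allocation and dynamic re-balancing are both modelled as picking the least-loaded VLAN in the group, with the lowest VLAN ID breaking ties, so that the behaviour is deterministic and checkable.

```python
"""VLAN allocation on (re)association for a VLAN group.

Added model of the allocation methods described above; not H3C code.
Assumption: "random"/"balanced" allocation is modelled as least-loaded
VLAN, lowest VLAN ID breaking ties.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class VlanGroupState:
    vlans: list                                    # VLAN IDs currently in the VLAN group
    online: dict = field(default_factory=dict)     # MAC -> VLAN of each online client
    last_vlan: dict = field(default_factory=dict)  # MAC -> VLAN assigned last time

    def least_loaded(self) -> int:
        """Balancing step: the VLAN with the fewest online clients."""
        load = Counter(self.online.values())
        return min(self.vlans, key=lambda v: (load[v], v))

    def client_online(self, mac: str, method: str) -> int:
        if method not in ("dynamic", "static", "static-compatible"):
            raise ValueError(f"unknown allocation method: {method!r}")
        prev = self.last_vlan.get(mac)
        if method != "dynamic" and prev in self.vlans:
            # Static modes inherit the previous VLAN, so an unexpired DHCP lease stays usable.
            vlan = prev
        else:
            # First time online, dynamic mode, or the inherited VLAN left the group.
            vlan = self.least_loaded()
        self.online[mac] = vlan
        self.last_vlan[mac] = vlan
        return vlan

    def client_offline(self, mac: str) -> None:
        self.online.pop(mac, None)
```

The last assertion in the accompanying checks is the case from the restrictions: after VLAN 10 is removed from the group, a static-compatible client that previously lived in VLAN 10 is re-allocated, and its IP address changes with it.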
Configuring clients to prefer the authorization VLAN after roaming
About this task
Typically, the VLAN of a client remains unchanged after client roaming. However, if the client triggers a security alert configured on IMC after it roams to another AP, the authorization VLAN issued for user isolation takes effect.
Restrictions and guidelines
As a best practice, configure this feature on all ACs in a mobility group.
This feature takes effect only on 802.1X and MAC authentication clients.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Configure clients to prefer the authorization VLAN after roaming.
client preferred-vlan authorized
By default, clients prefer the authorization VLAN after roaming.
Enabling immediate client association upon successful local authentication
About this task
By default, an AP reports information about locally authenticated clients that pass authentication to the AC, and the AC creates client entries and informs the AP to get the clients online. If the CAPWAP tunnel between the AC and the AP operates incorrectly, clients might fail to come online and are reauthenticated repeatedly.
To avoid this problem, you can allow clients to come online immediately after successful local authentication so that the AP can forward client traffic when the AC cannot be reached. The AP synchronizes client information to the AC when the tunnel recovers.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable clients to come online immediately upon successful local authentication.
undo client report-mandatory
By default, locally authenticated clients come online after successful client information reporting.
Setting the idle period before client reauthentication
About this task
When URL redirection for WLAN MAC authentication is enabled, an AP redirects clients whose information is not recorded on the RADIUS server to the specified URL for Web authentication. Clients passing Web authentication are logged off and must perform MAC reauthentication to come online. However, MAC reauthentication fails if the IP addresses assigned to the clients have not expired.
Perform this task to add these clients to the dynamic blacklist for the specified idle period after they pass Web authentication to reduce reauthentication failures.
Procedure
1. Enter system view.
system-view
2. Set the idle period before client reauthentication.
wlan client reauthentication-period [ period-value ]
By default, the idle period is 10 seconds.
Configuring differentiated accounting of client traffic
About this task
This feature enables APs to perform differentiated accounting of client traffic based on the accounting policy applied to each user profile.
Upon client association, the authentication server deploys the user profile bound to the client account to the client authenticator (AC or AP). If the AC is the authenticator, it deploys the user profile to the AP.
If no accounting policy is applied to a user profile, the system performs AAA accounting.
Restrictions and guidelines
You can specify multiple traffic levels for an accounting policy. The number of accounting policies that can be created varies by device model.
Accounting policy changes, including deletion, for a user profile do not affect online clients.
The traffic level change takes effect only on clients coming online afterwards. Clients that have come online are not affected.
Prerequisites
On the authentication server, bind user profiles to clients.
Procedure
1. Enter system view.
system-view
2. Create an accounting policy and enter its view or enter the view of an existing accounting policy.
wlan accounting-policy policy-name
3. Specify a traffic level for ACL-based accounting.
accounting-level level acl { acl-number | ipv6 ipv6-acl-number }
By default, no traffic levels are specified for ACL-based accounting.
4. Return to system view.
quit
5. Enter user profile view.
user-profile profile-name
6. Apply an accounting policy to the user profile.
wlan apply accounting-policy policy-name
By default, no accounting policy is applied.
Configuring client maintenance
Setting the client idle timeout
About the client idle timeout
If an online client does not send any frames to the associated AP before the client idle timeout timer expires, the AP logs off the client.
Procedure
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Set the client idle timeout.
client idle-timeout timeout
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the client idle timeout is 300 seconds.
Configuring client keepalive
About this task
This feature enables an AP to send keepalive packets to clients at the specified interval to determine whether the clients are online. If the AP does not receive any replies from a client within three keepalive intervals, it logs off the client.
Procedure
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Enable client keepalive.
client keep-alive enable
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, client keepalive is disabled.
4. (Optional.) Set the client keepalive interval.
client keep-alive interval interval
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, the client keepalive interval is 300 seconds.
Performing a wireless link quality test
About this task
This feature enables an AP to test the quality of the link to a wireless client. The AP sends empty data frames to the client at each supported rate. Then it calculates link quality information such as RSSI, packet retransmissions, and RTT based on the responses from the client.
The timeout for a wireless link quality test is 10 seconds. If the wireless link test is not completed before the timeout expires, test results cannot be obtained.
Procedure
To perform a wireless link quality test, execute the wlan link-test mac-address command in user view.
Configuring client statistics reporting
About client statistics reporting
This feature enables an AP to report client statistics to the AC at the specified intervals for client entry update. The AC informs the AP to log off a client if the client's information does not exist in the saved entries.
To avoid frequent client re-association, disable this feature when the network is in a bad condition.
Procedure
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Configure client statistics reporting.
client-statistics-report { disable | enable [ interval interval ] }
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, client statistics reporting is enabled.
Enabling client O&M statistics reporting
About this task
This feature enables an AP to report client O&M statistics to the AC at the interval specified by the client-statistics-report command. Then, the AC will report the statistics to the cloud platform.
As a best practice, disable this feature when the network is in a bad condition.
Procedure
1. Enter system view.
system-view
2. Enter AP view.
wlan ap ap-name
3. Enable client O&M statistics reporting.
client-statistics-report smart-maintenance enable
By default, client O&M statistics reporting is enabled.
Setting the NAS ID
About this task
A network access server identifier (NAS ID) and network access server port identifier (NAS port ID) identify the network access server of a client and differentiate the source of client traffic.
Restrictions and guidelines
If you specify a NAS ID or NAS port ID when binding a service template to a radio, the radio uses the NAS ID or NAS port ID specified for the service template.
You can specify a NAS-ID by using the following methods:
· Specify a NAS-ID when you bind a service template.
· Specify a NAS-ID in AP view.
· Specify a NAS-ID in AP group view.
· Specify a NAS-ID in global configuration view.
· Specify a NAS-ID in multi-instance backup view.
· Specify a NAS-ID in the NAS-ID profile bound to the user access VLAN.
· Specify a NAS-ID in ISP domain view.
The priorities of the NAS-IDs mentioned above are in descending order.
If no NAS-ID configuration exists, the device uses the device name configured by using the sysname command as the NAS-ID.
Procedure
1. Enter system view.
system-view
2. Set the format of NAS port IDs for clients.
wlan nas-port-id format { 2 | 4 }
By default, clients use format 2 to generate NAS port IDs.
3. Set the NAS ID.
nas-id nas-id
By default:
¡ In AP view, an AP uses the configuration in AP group view. If no NAS ID is set in AP group view, the AP uses the configuration in global configuration view.
¡ In AP group view, an AP uses the configuration in global configuration view.
¡ In global configuration view, no NAS ID is set.
Setting the NAS port type
About this task
RADIUS requests carry the NAS port type attribute to indicate the type of the access port for 802.1X and MAC authentication clients.
Restrictions and guidelines
Make sure the service template has been disabled before you perform this task.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Set the NAS port type.
nas-port-type value
By default, the NAS port type is WLAN-IEEE 802.11 with a code value of 19.
Enabling beacon frames and probe responses to carry BSS Load IEs
About this task
This feature enables beacon frames and probe responses to carry BSS Load IEs. A BSS Load IE contains information such as associated client quantity, channel usage, and remaining available media time.
Restrictions and guidelines
As a best practice, enable this feature in Hotspot 2.0 networks or networks where client roaming is required. This helps clients identify the optimal WLAN.
Procedure
1. Enter system view.
system-view
2. Enable beacon frames and probe responses to carry BSS Load IEs.
wlan client bss-load-ie enable [ update-interval interval ]
By default, beacon frames and probe responses do not carry BSS Load IEs.
Configuring VIP clients
Configuring the VIP client group
About this task
The VIP client group contains a group of VIP clients associated with the same radio. You can view information about online VIP clients in the VIP client group from the cloud platform.
Restrictions and guidelines
The maximum number of clients that can be added to the VIP client group is the maximum number of clients supported by the device.
The VIP client feature takes effect only on clients associated with the AC.
Procedure
1. Enter system view.
system-view
2. Create the VIP client group and enter its view.
wlan vip-client-group
3. Add a client to the VIP client group.
client-mac mac-address [ level level ]
By default, no clients exist in the VIP client group.
4. (Optional.) Set the interval at which an AP reports VIP client statistics to the AC.
report-interval interval
By default, an AP reports VIP client statistics to the AC at intervals of 20 seconds.
Configuring VIP client rate limit
About this task
If a large number of VIP clients are online, you can perform this task to rate limit VIP clients to guarantee bandwidth for each client and ensure good user experience.
Restrictions and guidelines
You can configure VIP client rate limit in both the inbound and outbound directions.
If you configure both VIP client rate limit and radio-based client rate limit, the configuration that takes effect depends on the rate limit modes (static or dynamic):
· If different rate limit modes are configured, VIP client rate limit takes effect.
· If the static mode is configured, the smaller CIR takes effect.
· If the dynamic mode is configured, VIP client rate limit takes effect.
Procedure
1. Enter system view.
system-view
2. Enter VIP client group view.
wlan vip-client-group
3. Configure VIP client rate limit.
vip limit rate level level { inbound | outbound } mode { dynamic [ min min-cir ] [ max max-cir ] | static } cir cir
By default, VIP client rate limit is disabled.
Configuring non-VIP client rate limit
About this task
With non-VIP client rate limit configured, all non-VIP clients associated with a radio are rate limited when the radio has associated VIP clients. When all VIP clients associated with the radio go offline or if the radio does not have associated VIP clients, non-VIP clients are not rate limited.
Restrictions and guidelines
You can rate limit both inbound and outbound traffic.
If you configure both radio-based client rate limit and non-VIP client rate limit, only non-VIP clients are rate limited and the VIP clients are not rate limited.
Procedure
1. Enter system view.
system-view
2. Create the VIP client group and enter its view.
wlan vip-client-group
3. Configure non-VIP client rate limit.
non-vip limit rate { inbound | outbound } [ mode { dynamic [ min min-cir ] [ max max-cir ] | static } ] cir cir
By default, non-VIP client rate limit is configured.
Configuring policy-based forwarding
Restrictions and guidelines for policy-based forwarding
Make sure the AC and its associated APs are in different network segments.
You can apply a forwarding policy to a service template or user profile. The AC preferentially uses the forwarding policy applied to a user profile to direct client traffic forwarding. If the user profile of a client does not have a forwarding policy, the AC uses the forwarding policy applied to the service template.
Prerequisites for policy-based forwarding
Before configuring policy-based forwarding, you must specify the AC to perform authentication for clients. For more information about specifying the authentication location, see "Configuring WLAN authentication."
Configuring a forwarding policy
About this task
A forwarding policy contains one or multiple forwarding rules. Each forwarding rule specifies a traffic match criterion and the forwarding mode for matching traffic. The traffic match criterion can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The forwarding mode can be local forwarding or centralized forwarding.
Actions defined in ACL rules do not take effect in wireless packet forwarding. All matched packets are forwarded based on the forwarding mode.
For more information about ACLs, see ACL and QoS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a forwarding policy and enter its view.
wlan forwarding-policy policy-name
3. Configure a forwarding rule.
classifier acl { acl-number | ipv6 ipv6-acl-number } behavior { local | remote }
Repeat this command to configure more forwarding rules.
Enabling traffic forwarding to the external network in local forwarding mode
About this task
When local forwarding is enabled, APs drop client packets destined to the external network. This feature enables an AP to replace the destination MAC address of a client packet destined to the external network with the AP's MAC address. Through NAT, the packet's source IP address is converted to an IP address in the same network segment as the AP. This enables APs to forward client traffic to an external network correctly.
Restrictions and guidelines
This feature is supported only on APs that support NAT.
Procedure
1. Enter system view.
system-view
2. Enter WLAN forwarding policy view.
wlan forwarding-policy policy-name
3. Enable traffic forwarding to the external network when local forwarding is enabled.
client behavior-local network-flow-forwarding enable
By default, APs drop client packets destined to the external network when local forwarding is enabled.
Applying a forwarding policy to a service template
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Apply a forwarding policy to the service template.
client forwarding-policy-name policy-name
By default, no forwarding policy is applied to a service template.
For the forwarding policy to take effect, you must enable policy-based forwarding for the service template.
4. Enable policy-based forwarding.
client forwarding-policy enable
By default, policy-based forwarding is disabled for a service template.
Applying a forwarding policy to a user profile
About this task
For the AC to perform policy-based forwarding for clients that use a user profile, apply a forwarding policy to the user profile. After a client passes authentication, the authentication server sends the user profile name specified for the client to the AC. The AC will forward traffic of the client based on the forwarding policy applied to the user profile.
Restrictions and guidelines
If you modify or delete the applied forwarding policy, the change takes effect when the client comes online again.
Procedure
1. Enter system view.
system-view
2. Enter user profile view.
user-profile profile-name
3. Apply a forwarding policy to the user profile.
wlan client forwarding-policy-name policy-name
By default, no forwarding policy is applied to a user profile.
For the forwarding policy applied to the user profile to take effect, you must enable policy-based forwarding for the service template that the user profile uses.
4. Return to system view.
quit
5. Enter service template view.
wlan service-template service-template-name
6. Enable policy-based forwarding.
client forwarding-policy enable
By default, policy-based forwarding is disabled for a service template.
Configuring client access control
Specifying a permitted AP group for client association
About this task
Perform this task to enable clients to associate with APs in the specified AP group.
Procedure
1. Enter system view.
system-view
2. Enter user profile view.
user-profile profile-name
3. Specify a permitted AP group for client association.
wlan permit-ap-group ap-group-name
By default, no permitted AP group is specified for client association.
Specifying a permitted SSID for client association
About this task
Perform this task to allow clients to associate with a WLAN through the specified SSID.
Procedure
1. Enter system view.
system-view
2. Enter user profile view.
user-profile profile-name
3. Specify a permitted SSID for client association.
wlan permit-ssid ssid-name
By default, no permitted SSID is specified for client association.
Adding a client to the whitelist
Restrictions and guidelines
When you add the first client to the whitelist, the system asks you whether to disconnect all online clients. Enter Y at the prompt to configure the whitelist.
Procedure
1. Enter system view.
system-view
2. Add a client to the whitelist.
wlan whitelist mac-address mac-address
Adding a client to the static blacklist
Restrictions and guidelines
You cannot add a client to both the whitelist and the static blacklist.
If the whitelist and blacklists are configured, only the whitelist takes effect.
Procedure
1. Enter system view.
system-view
2. Add a client to the static blacklist.
wlan static-blacklist mac-address mac-address
Configuring the dynamic blacklist
About this task
You can configure the dynamic blacklist to take effect on the AC or on APs.
If you configure the dynamic blacklist to take effect on the AC, all APs connected to the AC will reject the clients in the dynamic blacklist. If you configure the dynamic blacklist to take effect on APs, the AP associated with the clients in the dynamic blacklist will reject the clients, but the clients can still associate with other APs connected to the AC.
Entries in the dynamic blacklist are removed when the aging timer expires.
Restrictions and guidelines
As a best practice, configure the dynamic blacklist to take effect on the AC in high-density environments.
The configured aging timer takes effect only on entries newly added to the dynamic blacklist.
If the whitelist and blacklists are configured, only the whitelist takes effect.
Procedure
1. Enter system view.
system-view
2. Choose one option as needed:
¡ Configure the dynamic blacklist to take effect on APs.
wlan dynamic-blacklist active-on-ap
¡ Configure the dynamic blacklist to take effect on the AC.
undo wlan dynamic-blacklist active-on-ap
By default, the dynamic blacklist takes effect on APs.
3. (Optional.) Set the aging timer for dynamic blacklist entries.
wlan dynamic-blacklist lifetime lifetime
By default, the aging timer is 300 seconds.
Configuring ACL-based access control
Restrictions and guidelines
The ACL-based access control configuration takes precedence over the whitelist and blacklist configuration. As a best practice, do not configure both ACL-based access control and whitelist- and blacklist-based access control on the same device.
If the specified ACL contains a deny statement, configure a permit statement for the ACL to permit all clients. If you do not do so, no clients can come online.
The configuration in AP view takes precedence over the configuration in service template view.
This feature supports only Layer 2 ACLs and can only use source MAC address as the match criterion. If you specify an ACL of another type, the configuration does not take effect.
If you specify the permit-remote-ap keyword and enable the remote AP feature, the AC will synchronize the cached client entries that match the permit rule to APs. The APs allow only clients in the cached entries to associate with them after they enter remote AP mode.
Procedure
1. Enter system view.
system-view
2. Enter service template view or AP view.
¡ Enter service template view.
wlan service-template service-template-name
¡ Enter AP view.
wlan ap ap-name
3. Specify an ACL.
access-control acl acl-number [ permit-remote-ap ]
The permit-remote-ap keyword is available only in service template view.
By default, no ACL is specified.
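The interaction between the access-control mechanisms above (ACL-based control overriding the lists, the whitelist overriding the blacklists, the dynamic blacklist scope on APs versus the AC, and per-entry aging) is modelled in the added Python example below. This is example code written for this page, not H3C software; the rule that a client matching no ACL rule is denied, and the recording of the AP that added a dynamic blacklist entry, are assumptions.

```python
"""Added example (not H3C code): a model of the client access-control
checks described above. Assumptions are marked in the comments."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def parse_mac(text: str) -> int:
    """Parse an H3C-style MAC address such as 0000-000f-1121 into an int."""
    return int(text.replace("-", ""), 16)


@dataclass
class MacAclRule:
    """One Layer 2 ACL rule: rule <n> { permit | deny } source-mac <mac> <mask>."""
    permit: bool
    source_mac: str
    mask: str  # e.g. ffff-ff00-0000 matches only the OUI

    def matches(self, mac: str) -> bool:
        m = parse_mac(self.mask)
        return parse_mac(mac) & m == parse_mac(self.source_mac) & m


@dataclass
class DynamicEntry:
    ap: str          # assumption: the AP that added the entry is recorded
    added_at: float
    lifetime: int    # captured at insertion, so a later timer change has no effect


@dataclass
class AccessControl:
    acl: Optional[List[MacAclRule]] = None      # access-control acl <n>
    whitelist: Set[str] = field(default_factory=set)
    static_blacklist: Set[str] = field(default_factory=set)
    dynamic: Dict[str, DynamicEntry] = field(default_factory=dict)
    dynamic_active_on_ap: bool = True           # default: takes effect on APs
    dynamic_lifetime: int = 300                 # default aging timer in seconds

    def add_whitelist(self, mac: str) -> None:
        if mac in self.static_blacklist:
            raise ValueError("client cannot be in both whitelist and static blacklist")
        self.whitelist.add(mac)

    def add_static_blacklist(self, mac: str) -> None:
        if mac in self.whitelist:
            raise ValueError("client cannot be in both whitelist and static blacklist")
        self.static_blacklist.add(mac)

    def add_dynamic(self, mac: str, ap: str, now: float) -> None:
        self.dynamic[mac] = DynamicEntry(ap, now, self.dynamic_lifetime)

    def expire(self, now: float) -> None:
        """Remove dynamic entries whose own aging timer has expired."""
        self.dynamic = {m: e for m, e in self.dynamic.items()
                        if now - e.added_at < e.lifetime}

    def permits(self, mac: str, ap: str, now: float) -> bool:
        """Decide whether a client may associate with the given AP."""
        self.expire(now)
        if self.acl is not None:  # ACL-based control takes precedence over the lists
            for rule in self.acl:
                if rule.matches(mac):
                    return rule.permit
            return False          # assumption: no matching rule means deny
        if self.whitelist:        # a configured whitelist is the only list that counts
            return mac in self.whitelist
        if mac in self.static_blacklist:
            return False
        entry = self.dynamic.get(mac)
        if entry is None:
            return True
        if not self.dynamic_active_on_ap:   # active on the AC: every AP rejects
            return False
        return entry.ap != ap               # active on APs: only that AP rejects
```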
Enabling an AP to respond to specific broadcast probe requests
About this task
Broadcast probe requests do not carry any SSIDs. Upon receiving a broadcast probe request, an AP responds with a probe response that carries service information for the AP.
By default, an AP responds to all broadcast probe requests, which might threaten network security and decrease AP performance. However, disabling responses to broadcast probe requests might prevent clients from roaming to the optimal AP in time, affecting client access.
You can perform this task to enable an AP to respond to broadcast requests from a specific frequency band with strong signal strength.
Procedure
1. Enter system view.
system-view
2. Enter AP view or AP group view.
¡ Enter AP view.
wlan ap ap-name
¡ Enter AP group view.
wlan ap-group group-name
3. Enable the AP to respond to specific broadcast probe requests.
broadcast-probe reply { disable | enable [ rssi-threshold rssi-value ] } [ frequency-band { 2.4 | 5 } ]
By default:
¡ In AP view, an AP uses the configuration in AP group view.
¡ In AP group view, an AP responds to all broadcast probe requests.
Enabling SNMP notifications for WLAN access
About this task
To report critical WLAN access events to an NMS, enable SNMP notifications for WLAN access. For WLAN access event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for client access.
snmp-agent trap enable wlan client
By default, SNMP notifications are disabled.
Verifying and maintaining WLAN access
Verifying WLAN access running status
Perform display tasks in any view.
· Display uplink client rate limit settings.
display uplink client-rate-limit
· Display the number of online clients at both 2.4 GHz and 5 GHz bands.
display wlan ap all client-number
· Display the number of online clients and channel information for each radio.
display wlan ap all radio client-number
· Display the number of online clients in each AP group.
display wlan ap-group all client-number
· Display blacklist entries.
display wlan blacklist { dynamic | static }
· Display basic service set (BSS) information.
display wlan bss { all | ap ap-name | bssid bssid } [ verbose ]
display wlan bss { all | ap ap-name | bssid bssid } [ slot slot-number ] [ verbose ]
· Display client information.
display wlan client [ ap ap-name [ radio radio-id ] | mac-address mac-address | service-template service-template-name | frequency-band { 2.4 | 5 } | vlan vlan-id ] [ verbose ]
· Display client IPv6 information.
display wlan client ipv6
· Display client online duration.
display wlan client online-duration [ ap ap-name ] [ verbose ]
· Display client status information.
display wlan client status [ mac-address mac-address ] [ verbose ]
· Display forwarding policy information.
display wlan forwarding-policy [ policy-name ]
· Display the status of the lite control mode.
display wlan lite-control-mode status
· Display service template information.
display wlan service-template [ service-template-name ] [ verbose ]
· Display client statistics.
display wlan statistics client [ mac-address mac-address ]
· Display client connection history.
display wlan statistics connect-history service-template service-template-name
· Display service template statistics.
display wlan statistics service-template service-template-name
· Display VIP client statistics that an AP reports to the AC.
display wlan statistics vip-client
· Display the number of online clients in each virtual AP group.
display wlan virtual-ap-group all client-number
Logging off clients and clearing WLAN access statistics
Perform removal, logoff, and clear tasks in any view.
· Remove the specified client or all clients from the dynamic blacklist.
reset wlan dynamic-blacklist [ mac-address mac-address ]
· Log off the specified client or all clients.
reset wlan client { all | mac-address mac-address }
· Clear client statistics.
reset wlan statistics client { all | mac-address mac-address }
· Clear service template statistics.
reset wlan statistics service-template service-template-name
WLAN access configuration examples
Example: Configuring WLAN access
Network configuration
As shown in Figure 8, the switch acts as the DHCP server to assign IP addresses to the AP and the client. The AP provides wireless services with the SSID trade-off.
Procedure
1. Create VLAN 100, and assign an IP address to VLAN-interface 100.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 10.1.9.58 16
2. Create the manual AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
3. Configure a service template and bind it to the AP radio:
# Create the service template service1, set the SSID to trade-off, assign clients coming online through the service template to VLAN 100, and enable the service template.
[AC-wlan-ap-ap1] quit
[AC] wlan service-template service1
[AC-wlan-st-service1] ssid trade-off
[AC-wlan-st-service1] vlan 100
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
# Bind the service template service1 to radio 1.
[AC] wlan ap ap1
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] service-template service1
Verifying the configuration
# Verify that the SSID is trade-off, and the service template is enabled.
[AC] display wlan service-template verbose
Service template name : service1
Description : Not configured
SSID : trade-off
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 100
AKM mode : Not configured
Security IE : Not configured
Cipher suite : Not configured
TKIP countermeasure time : 0 sec
PTK life time : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Disabled
WPA3 status : Disabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : 1
Critical VLAN ID : Not configured
802.1X handshake : Enabled
802.1X handshake secure : Disabled
802.1X domain : my-domain
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Enabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
BTM status : Disabled
# Associate the client with the AP. (Details not shown.)
# Verify that the client can access the WLAN.
[AC] display wlan client service-template service1
Total number of clients: 1
MAC address     Username   AP name   RID   IP address   VLAN
0023-8933-223b  N/A        ap1       1     3.0.0.3      100
Example: Configuring whitelist-based access control
Network configuration
As shown in Figure 9, configure the whitelist to permit only the client whose MAC address is 0000-000f-1211 to access the WLAN.
Procedure
# Add the MAC address 0000-000f-1211 to the whitelist.
<AC> system-view
[AC] wlan whitelist mac-address 0000-000f-1211
Verifying the configuration
# Verify that the MAC address 0000-000f-1211 is in the whitelist.
[AC] display wlan whitelist
Total number of clients: 1
MAC addresses:
0000-000f-1211
Example: Configuring static blacklist-based access control
Network configuration
As shown in Figure 10, configure the static blacklist to forbid the client whose MAC address is 0000-000f-1211 to access the WLAN.
Procedure
# Add the MAC address 0000-000f-1211 to the static blacklist.
<AC> system-view
[AC] wlan static-blacklist mac-address 0000-000f-1211
Verifying the configuration
# Verify that the MAC address 0000-000f-1211 is in the static blacklist.
[AC] display wlan blacklist static
Total number of clients: 1
MAC addresses:
0000-000f-1211
Example: Configuring ACL-based access control
Network configuration
As shown in Figure 11, configure ACL-based access control to allow Client 1 and clients with the same OUI as Client 2 to access the WLAN.
Procedure
# Create Layer 2 ACL 4000, and create ACL rules to permit Client 1 and clients with the same OUI as Client 2.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000] rule 0 permit source-mac 0000-000f-1121 ffff-ffff-ffff
[Sysname-acl-mac-4000] rule 1 permit source-mac 000e-35b2-000e ffff-ff00-0000
[Sysname-acl-mac-4000] quit
# Bind ACL 4000 to service template service1.
[Sysname] wlan service service1
[Sysname-wlan-st-service1] access-control acl 4000
Verifying the configuration
# Execute the display wlan client command to verify that only Client 1 and clients with the same OUI as Client 2 (including Client 2) can access the WLAN.
[AC] display wlan client
Total number of clients: 2
MAC address     Username   AP name   RID   IPv4 address     VLAN
0000-000f-1121  N/A        ap        1     192.168.100.12   1
000e-35b2-000e  N/A        ap        1     192.168.100.13   1