Aruba Quick Operations Guide
1. Controller Initial Configuration
2. AP Boot Process
3. AP Deployment Modes
4. AP Login Methods
5. Manually Setting AP Properties
6. Captive Portal Authentication
7. MAC Address Authentication
8. 802.1x Authentication
9. PSK Encryption and Authentication
10. WEP Encryption
11. Traffic Control
12. Mesh Networking
13. Mesh Networking Special Mode (Ethernet Attached Below a Point Node)
14. RF Management
15. Layer 3 Roaming
16. AC Port Channel Configuration
17. AC and RADIUS Server Integration
18. NAT Settings
20. Other Common Commands
21. MAC + Portal Authentication
22. DOT1X + PORTAL Authentication
1. Controller Initial Configuration

Step 1: Using a serial cable (the same type of serial cable as Cisco's), connect to the SERIAL port and log in to the controller

. User: admin
. Password: *****
. (Aruba200) >
. (Aruba200) >enable
. Password:*****
. (Aruba200) #

Step 2: Erase the old configuration and reboot

. (Aruba200) #write erase

(Note: do not use "write erase all"; that also erases the license.)

. All the configuration will be deleted. Press 'y' to proceed :
. Write Erase successful
. (Aruba200) #reload
. Do you really want to reset the system(y/n): y
. System will now restart!
. Shutdown processing started

Step 3: Enter the initial configuration and reboot

. Enter System name [Aruba200]:

. Enter VLAN 1 interface IP address [172.16.0.254]: 192.168.0.123

(Enter an unused IP address on the internal network; the one here is only an example.)

. Enter VLAN 1 interface subnet mask [255.255.255.0]:
. Enter IP Default gateway [none]:
. Enter Switch Role, (master|local) [master]:

(When there is only one controller, it is normally set as master.)

. Enter Country code (ISO-3166), for supported list: cn

(cn stands for China)

. You have chosen Country code CN for China (yes|no)?: y
. Enter Time Zone [PST-8:0]:
. Enter Time in GMT [02:31:57]:
. Enter Date (MM/DD/YYYY) [4/11/2010]:
. Enter Password for admin login (up to 32 chars): *****

(Set the admin password)

. Re-type Password for admin login: *****
. Enter Password for enable mode (up to 15 chars): *****

(Set the enable-mode password)

. Re-type Password for enable mode: *****
. Do you wish to shutdown all the ports (yes|no)? [no]:
. Current choices are:
. System name: Aruba200
. VLAN 1 interface IP address: 192.168.0.123

. VLAN 1 interface subnet mask: 255.255.255.0
. IP Default gateway: none
. Switch Role: master
. Country code: cn
. Time Zone: PST-8:0
. Ports shutdown: no
. If you accept the changes the switch will restart!
. Type to go back and change answer for any question
. Do you wish to accept the changes (yes|no)y
. System restarted!

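2. AP Boot Process

For an AP to provide a wireless signal to users, it must first come up itself. The AP boot process has the following steps:
Acquire IP Address
1. "Discover" a controller
2. Update code if necessary
3. Obtain configuration information
4. Build a GRE tunnel with the controller
5. Enable radio (transmit the wireless signal)

The steps after step 2 are carried out only once the AP has found the controller. The steps for finding the wireless controller are:
1. Static: the controller address can be statically specified in the AP
2. DHCP vendor option 43: via the DHCP option 43 attribute
3. ADP Multicast (group address 224.0.82.11): via the ADP multicast protocol
4. ADP L2 Broadcast: via ADP Layer 2 broadcast packets
5. DNS default (aruba-master.yourdomain): by resolving the aruba-master domain name to obtain the controller address
6. DNS other: an alternative host name can be statically provisioned in an AP environment variable and resolved through DNS to obtain the controller address

Thin-AP architecture: AP workflow

1. The AP is connected to a switch port. The AP powers on and obtains an IP address via DHCP (or static configuration).
2. The AP looks up the wireless switch address (DHCP option 43, DNS, or static setting).
3. The AP downloads the image from the switch (TFTP) and establishes a PAPI (UDP 8211) connection to the wireless switch (control protocol). After the AP is authenticated, a GRE tunnel is built between the AP and the switch.
4. Clients communicate with the AP, and the AP carries the user data to the switch through the GRE tunnel.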

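3. AP Deployment Modes

Method 1: connect to the internal network in a bus topology (the AP needs an external power supply or power from another PoE switch), as shown in Figure 3-1.

Figure 3-1 Bus deployment

Method 2: connect to the internal network in series (the AP can be powered from the PoE ports on the controller), as shown in Figure 3-2.

Figure 3-2 Series deployment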

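4. AP Login Methods

Method 1: connect with the Aruba dual-head cable
(An Aruba-specific cable with two RJ45 ends and one COM end. Connect the COM end to the PC, the 4-wire RJ45 end to the AP, and the 8-wire RJ45 end to the controller.)

Method 2: log in to the AP via Telnet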

. A800:
. login as: admin
. [email protected]'s password:
. (Aruba-master) >enable
. Password:******
. (Aruba-master) #configure terminal
. Enter Configuration commands, one per line. End with CNTL/Z
. (Aruba-master) (config) #telnet soe /* enable the SOE feature on the controller */
. Once SOE is enabled, you can connect to the AP serial port with the
following procedure:

. Telnet to the Aruba mobility controller using port 2300
. Log in using the admin account
. Connect to the Ethernet port that the AP is attached to
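. PC: telnet 172.16.0.254 2300 /* on the PC, telnet to the controller address; the port number is 2300 */
. User: admin /* enter the controller login name */
. Password: ***** /* enter the controller login password */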
. Available commands:
. connect
. exit (no args)
. soe> connect 2/0 /* the controller port that the AP is connected to */
. Connecting to 2/0 at 9600 baud 8N1
. Type "~." to disconnect

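You can now enter the AP and configure it. If the # prompt appears, power-cycle the AP and log in once more through SOE to reach the AP configuration mode (>).

. Within 2 seconds of entering the AP, press Enter to interrupt the AP boot
. Main commands on the AP:
. > printenv /* view the existing configuration */
. > purgeenv /* clear the old configuration */
. > save /* save */
. > boot /* reboot */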

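5. Manually Setting AP Properties

The following commands set the controller's IP address on the AP; both must be set:

. setenv master x.x.x.x
. setenv serverip x.x.x.x

The following commands set a fixed IP address on the AP:

. setenv ipaddr x.x.x.x
. setenv netmask x.x.x.x
. setenv gatewayip x.x.x.x

Under normal circumstances, configuring the AP this way is not recommended; configure APs from the controller instead.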

6. Captive Portal Authentication

(Aruba3600) (config) #wlan ssid-profile portal-ssid /* set the SSID profile name */

(Aruba3600) (SSID Profile "portal-ssid") #essid portal-auth-ssid /* set the SSID name */

(Aruba3600) (SSID Profile "portal-ssid") #exit

(Aruba3600) (config) #wlan virtual-ap portal-virtual-ap /* create a new virtual-ap */

(Aruba3600) (Virtual AP profile "portal-virtual-ap") #ssid-profile portal-ssid /* reference the ssid-profile */

(Aruba3600) (Virtual AP profile "portal-virtual-ap") #exit

(Aruba3600) (config) #ap-group default /* enter the system default AP group */
Note: a new group with a different name can be created here instead; once created, APs must be added to the new group for it to take effect.

(Aruba3600) (AP group "default") #virtual-ap portal-virtual-ap /* reference the virtual-ap created above */

(Aruba3600) (AP group "default") #exit

(Aruba3600) (config) #aaa server-group captive-portal-server-group
/* create an AAA portal authentication server group, which tells AAA where to look up the user database */

(Aruba3600) (Server Group "captive-portal-server-group") #auth-server Internal
/* set the authentication server to the local default database; to use a RADIUS server, create a new aaa auth-server and reference it here */

(Aruba3600) (Server Group "captive-portal-server-group") #set role condition role value-of
/* set the role after login to the role assigned to the user name */

(Aruba3600) (Server Group "captive-portal-server-group") #exit

(Aruba3600) (config) #aaa authentication captive-portal aaa-auth-portal
/* create a new captive portal authentication profile */

(Aruba3600) (Captive Portal Authentication Profile "aaa-auth-portal") #server-group captive-portal-server-group
/* reference the newly created aaa server-group in the AAA authentication */

(Aruba3600) (config) #user-role initialize-captive-portal-role
/* create an initial user role, associate it with the captive portal, and grant the user permission to get the portal page before login */

(Aruba3600) (config-role) #session-acl logon-control

(Aruba3600) (config-role) #session-acl captiveportal

(Aruba3600) (config-role) #session-acl ***logon

(Aruba3600) (config-role) #captive-portal aaa-auth-portal
/* associate the initial role with portal authentication */

(Aruba3600) (config) #aaa profile portal-profile

(Aruba3600) (AAA Profile "portal-profile") #initial-role initialize-captive-portal-role
/* reference the initial role, i.e. the permissions the user has before login; here that is permission to get the portal page */

(Aruba3600) (AAA Profile "portal-profile") #exit

(Aruba3600) (config) #wlan virtual-ap portal-virtual-ap

(Aruba3600) (Virtual AP profile "portal-virtual-ap") #aaa-profile portal-profile
/* reference the aaa profile in the virtual AP */

(Aruba3600) (Virtual AP profile "portal-virtual-ap") #end

(Aruba3600) #local-userdb add username admin password password role wangjianguo
/* create a user name and password for portal authentication and grant the role used after login */

7. MAC Address Authentication

(Aruba3600) (config) #wlan ssid-profile mac-ssid /* create a new SSID profile named mac-ssid */

(Aruba3600) (SSID Profile "mac-ssid") #essid mac-auth-ssid /* set the SSID name */

(Aruba3600) (SSID Profile "mac-ssid") #exit

(Aruba3600) (config) #wlan virtual-ap mac-virtual-ap /* create a new virtual-ap */

(Aruba3600) (Virtual AP profile "mac-virtual-ap") #ssid-profile mac-ssid
/* reference the new ssid profile in the virtual-ap */

(Aruba3600) (Virtual AP profile "mac-virtual-ap") #exit

(Aruba3600) (config) #ap-group default /* enter the system default AP group */

(Aruba3600) (AP group "default") #virtual-ap mac-virtual-ap /* reference the new virtual AP in the system default group */

MAC authentication policy configuration

(Aruba3600) #configure terminal

(Aruba3600) (config) #aaa authentication mac aaa-auth-mac /* create a new MAC authentication profile */

(Aruba3600) (MAC Authentication Profile "aaa-auth-mac") #case upper
/* MAC addresses used for authentication are upper case */

(Aruba3600) (MAC Authentication Profile "aaa-auth-mac") #delimiter dash
/* format of the MAC addresses used for authentication; the dash format is XX-XX-XX-XX-XX-XX */

(Aruba3600) (MAC Authentication Profile "aaa-auth-mac") #exit

(Aruba3600) (config) #aaa server-group aaa-auth-group
/* create a server group, which tells the controller which database to authenticate against and sets the user's role after login */

(Aruba3600) (Server Group "aaa-auth-group") #auth-server Internal /* set the authentication server to local authentication */

(Aruba3600) (Server Group "aaa-auth-group") #set role condition role value-of
/* the role after authentication equals the role granted when the user was created */

(Aruba3600) (config) #aaa profile mac-auth-profile
/* create a new aaa profile and set the authentication method */

(Aruba3600) (AAA Profile "mac-auth-profile") #authentication-mac aaa-auth-mac
/* reference the MAC authentication profile created above */

(Aruba3600) (AAA Profile "mac-auth-profile") #mac-server-group aaa-auth-group
/* reference the server-group created above */

(Aruba3600) (config) #wlan virtual-ap mac-virtual-ap
/* enter the virtual-ap created above */

(Aruba3600) (Virtual AP profile "mac-virtual-ap") #aaa-profile mac-auth-profile
/* reference the aaa profile created above */

(Aruba3600) (config) #user-role wangjianguo
/* create a new role */

(Aruba3600) (config-role) #session-acl allowall
/* apply the allowall policy (maximum permissions) */

(Aruba3600) (config-role) #end

(Aruba3600) #local-userdb add username 00-26-C7-16-F1-30 password 00-26-C7-16-F1-30 role wangjianguo

/* Create a user whose user name and password are the MAC address. The format written here must match the format required in the aaa authentication mac configuration, otherwise
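
As an added example (not part of the original guide), the helper below normalises client MAC addresses to the format set by `case upper` and `delimiter dash`, builds the matching `local-userdb add` lines, and reports existing MAC-style user names that would not match. The function names are hypothetical, and the `lower`, `colon` and `none` options are assumptions beyond what this guide shows.

```python
import re

# "upper" and "dash" are the settings shown in this guide; the other values
# are assumed here to generalise the helper.
DELIMITERS = {"dash": "-", "colon": ":", "none": ""}


def format_mac(raw, case="upper", delimiter="dash"):
    """Normalise a MAC written in any common notation to the profile's format."""
    digits = re.sub(r"[-:.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper() if case == "upper" else digits.lower()
    return DELIMITERS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))


def userdb_commands(macs, role, case="upper", delimiter="dash"):
    """Build one local-userdb line per distinct MAC; invalid input is reported."""
    lines, rejected, seen = [], [], set()
    for raw in macs:
        try:
            mac = format_mac(raw, case, delimiter)
        except ValueError:
            rejected.append(raw)
            continue
        if mac not in seen:
            seen.add(mac)
            lines.append(f"local-userdb add username {mac} password {mac} role {role}")
    return lines, rejected


def mismatched(usernames, case="upper", delimiter="dash"):
    """Return existing user names that are MACs but not in the profile's format."""
    bad = []
    for name in usernames:
        try:
            if format_mac(name, case, delimiter) != name:
                bad.append(name)
        except ValueError:
            pass  # not a MAC-style user name, ignore it
    return bad


if __name__ == "__main__":
    # Constructed inventory: two notations of the same address and one bad entry.
    cmds, bad_input = userdb_commands(
        ["00:26:c7:16:f1:30", "0026.C716.F130", "00-26-C7-16-F1"], "wangjianguo")
    print("\n".join(cmds))
    print("rejected:", bad_input)
```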

8. 802.1x Authentication

Basic configuration

(Aruba3600) (config) #wlan ssid-profile dot1x-ssid /* create a new SSID profile named dot1x-ssid */

(Aruba3600) (SSID Profile "dot1x-ssid") #essid dot1x-auth /* set the SSID name */

(Aruba3600) (SSID Profile "dot1x-ssid") #exit

(Aruba3600) (config) #wlan virtual-ap 802.1x-virtual-ap /* create a new virtual-ap */

(Aruba3600) (Virtual AP profile "802.1x-virtual-ap") #ssid-profile dot1x-ssid /* reference the new ssid profile */

(Aruba3600) (Virtual AP profile "802.1x-virtual-ap") #exit

(Aruba3600) (config) #ap-group default /* enter the system default AP group */

(Aruba3600) (AP group "default") #virtual-ap 802.1x-virtual-ap /* reference the new virtual ap */

(Aruba3600) (AP group "default") #exit

802.1x authentication configuration

(Aruba3600) (config) #aaa authentication dot1x dot1x-auth /* create a new dot1x authentication profile */

(Aruba3600) (802.1X Authentication Profile "dot1x-auth") #termination enable
/* enable 802.1x termination on the controller */

(Aruba3600) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
/* enable the EAP-PEAP authentication protocol */

(Aruba3600) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-tls
/* enable the EAP-TLS authentication protocol */

(Aruba3600) (802.1X Authentication Profile "dot1x-auth") #exit

(Aruba3600) (config) #aaa server-group dot1x-server-group /* create a new server-group */

(Aruba3600) (Server Group "dot1x-server-group") #auth-server internal
/* use the local Internal database */

(Aruba3600) (Server Group "dot1x-server-group") #set role condition role value-of
/* the role after login equals the role the user carries at login */

(Aruba3600) (Server Group "dot1x-server-group") #exit

(Aruba3600) (config) #aaa profile dot1x-profile /* create a new aaa profile */

(Aruba3600) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
/* reference the new dot1x authentication profile */

(Aruba3600) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server-group
/* reference the new server-group */

(Aruba3600) (AAA Profile "dot1x-profile") #exit

(Aruba3600) (config) #wlan virtual-ap 802.1x-virtual-ap /* enter the virtual ap created at the start */

(Aruba3600) (Virtual AP profile "802.1x-virtual-ap") #aaa-profile dot1x-profile
/* reference the aaa profile */

(Aruba3600) (config) #wlan ssid-profile dot1x-ssid /* enter the ssid-profile created at the start */

(Aruba3600) (SSID Profile "dot1x-ssid") #opmode wpa-tkip /* set the encryption mode */

(Aruba3600) (SSID Profile "dot1x-ssid") #exit

9. PSK Encryption and Authentication

Basic configuration

(Aruba3600) (config) #wlan ssid-profile psk-ssid /* create a new ssid-profile */

(Aruba3600) (SSID Profile "psk-ssid") #essid psk-auth /* set the essid name */

(Aruba3600) (SSID Profile "psk-ssid") #exit

(Aruba3600) (config) #wlan virtual-ap psk-virtual-ap /* create a new virtual ap */

(Aruba3600) (Virtual AP profile "psk-virtual-ap") #ssid-profile psk-ssid /* reference the ssid-profile created above */

(Aruba3600) (Virtual AP profile "psk-virtual-ap") #exit

(Aruba3600) (config) #ap-group default /* enter the system default ap-group */

(Aruba3600) (AP group "default") #virtual-ap psk-virtual-ap /* reference the new virtual ap */

(Aruba3600) (AP group "default") #exit

PSK encryption and authentication configuration

(Aruba3600) (config) #aaa authentication dot1x psk-auth /* PSK authentication requires dot1x to be enabled */

(Aruba3600) (802.1X Authentication Profile "psk-auth") #exit

(Aruba3600) (config) #aaa profile psk-profile /* create a new aaa profile */

(Aruba3600) (AAA Profile "psk-profile") #authentication-dot1x psk-auth /* reference the dot1x auth profile */

(Aruba3600) (AAA Profile "psk-profile") #exit

(Aruba3600) (config) #wlan virtual-ap psk-virtual-ap /* enter the virtual ap created above */

(Aruba3600) (Virtual AP profile "psk-virtual-ap") #aaa-profile psk-profile /* reference the aaa profile */

(Aruba3600) (Virtual AP profile "psk-virtual-ap") #exit

(Aruba3600) (SSID Profile "psk-ssid") #wpa-passphrase password /* set the PSK key */

(Aruba3600) (SSID Profile "psk-ssid") #opmode wpa-psk-tkip /* set the encryption mode */

(Aruba3600) (SSID Profile "psk-ssid") #exit

10. WEP Encryption

Basic configuration

(Aruba3600) (config) #wlan ssid-profile wep-ssid

(Aruba3600) (SSID Profile "wep-ssid") #essid wep-auth

(Aruba3600) (SSID Profile "wep-ssid") #wepkey1 abcde12345 /* set the WEP key */

(Aruba3600) (SSID Profile "wep-ssid") #opmode static-wep /* enable WEP encryption */

(Aruba3600) (SSID Profile "wep-ssid") #exit

(Aruba3600) (config) #wlan virtual-ap wep-virtual-ap

(Aruba3600) (Virtual AP profile "wep-virtual-ap") #ssid-profile wep-ssid

(Aruba3600) (Virtual AP profile "wep-virtual-ap") #exit

(Aruba3600) (config) #ap-group default

(Aruba3600) (AP group "default") #virtual-ap wep-virtual-ap

(Aruba3600) (AP group "default") #exit
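
The SSID profiles in sections 8 to 10 use `opmode wpa-tkip`, `wpa-psk-tkip` and `static-wep`, and both WEP and TKIP are deprecated in the IEEE 802.11 standard. The following added example (not part of the original guide; the sample lines are constructed and the function names are hypothetical) scans configuration text in the prompt form used here, flags profiles with those opmodes, and follows the ssid-profile, virtual-ap, ap-group chain to show which AP groups broadcast them.

```python
import re

# Constructed sample in the prompt form used in this guide (not a device export).
SAMPLE = """\
(Aruba3600) (config) #wlan ssid-profile wep-ssid
(Aruba3600) (SSID Profile "wep-ssid") #essid wep-auth
(Aruba3600) (SSID Profile "wep-ssid") #opmode static-wep /* enable WEP */
(Aruba3600) (config) #wlan virtual-ap wep-virtual-ap
(Aruba3600) (Virtual AP profile "wep-virtual-ap") #ssid-profile wep-ssid
(Aruba3600) (config) #ap-group default
(Aruba3600) (AP group "default") #virtual-ap wep-virtual-ap
(Aruba3600) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
(Aruba3600) (SSID Profile "psk-ssid") #opmode
wpa-psk-tkip
(Aruba3600) (Mesh Cluster profile "default") #opmode wpa2-psk-aes
"""

PROMPT = re.compile(r'^\([^)]*\)\s*(?:\((?P<ctx>[^)]*)\))?\s*#\s*(?P<cmd>.*)$')
CONTEXT = re.compile(r'^(?P<kind>.+?)\s+"(?P<name>[^"]+)"$')
COMMENT = re.compile(r'/\*.*?\*/', re.S)
# Substring of the opmode value -> reason it is flagged.
WEAK = (("wep", "WEP is deprecated"), ("tkip", "TKIP is deprecated"))


def commands(text):
    """Yield (context kind, context name, words) for each prompt line."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if PROMPT.match(line):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line  # wrapped command continues on the next line
    for line in joined:
        m = PROMPT.match(line)
        words = COMMENT.sub(" ", m.group("cmd")).split()
        ctx = CONTEXT.match(m.group("ctx") or "")
        kind, name = (ctx.group("kind").lower(), ctx.group("name")) if ctx else ("config", None)
        if words:
            yield kind, name, words


def audit(text):
    """Return one finding per profile whose opmode is WEP or TKIP based."""
    opmode, vap_ssid, group_vaps = {}, {}, {}
    for kind, name, w in commands(text):
        if len(w) < 2:
            continue
        if w[0] == "opmode":
            opmode[(kind, name)] = w[1]
        elif kind == "virtual ap profile" and w[0] == "ssid-profile":
            vap_ssid[name] = w[1]
        elif kind == "ap group" and w[0] == "virtual-ap":
            group_vaps.setdefault(name, set()).add(w[1])
    findings = []
    for (kind, name), mode in sorted(opmode.items()):
        reason = next((why for key, why in WEAK if key in mode), None)
        if reason is None:
            continue
        # Only SSID profiles are referenced by virtual APs.
        vaps = sorted(v for v, s in vap_ssid.items() if s == name) if kind == "ssid profile" else []
        groups = sorted(g for g, vs in group_vaps.items() if vs & set(vaps))
        findings.append({"profile": name, "opmode": mode, "reason": reason,
                         "virtual_aps": vaps, "ap_groups": groups})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```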

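11. Traffic Control

Basic configuration

(Aruba3600) (config) #aaa bandwidth-contract bc mbits 1 /* create a new aaa bandwidth-contract */

(Aruba3600) (config) #user-role wangjianguo /* create a new role */

(Aruba3600) (config-role) #bw-contract bc downstream /* set the download bandwidth */

(Aruba3600) (config-role) #bw-contract bc upstream /* set the upload bandwidth */
Once this is set, the role takes effect when it is associated with the relevant users.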

12. Mesh Networking

Set the ap mesh-radio-profile properties
(Aruba3600) (config) #ap mesh-radio-profile default /* enter ap mesh-radio-profile default */
(Aruba3600) (Mesh Radio profile "default") #hop-count 8 /* maximum number of nodes counted from the portal node is 8; the default is 8 */
(Aruba3600) (Mesh Radio profile "default") #max-retries 4 /* maximum number of packet send retries (default 4) */
Set the ap mesh-cluster-profile properties
(Aruba3600) (config) #ap mesh-cluster-profile default /* create the ap mesh-cluster-profile named default (it does not exist by default) */
(Aruba3600) (Mesh Cluster profile "default") #wpa-passphrase meshpassword /* set the mesh key */

(Aruba3600) (Mesh Cluster profile "default") #opmode wpa2-psk-aes /* enable encryption for the mesh; the default is open */

(Aruba3600) (Mesh Cluster profile "default") #rf-band a /* function unknown; it should set the RF transmission band to a */
Set the AP mode
(Aruba3600) (config) #provision-ap /* enter provision-ap mode */
(Aruba3600) (AP provisioning) #mesh-role mesh-portal /* set the AP as a portal node */
Note: an AP with a wired connection is normally set as portal
(Aruba3600) (AP provisioning) #mesh-role mesh-point /* an individual AP that joins through the mesh is normally set as point */
(Aruba3600) (config) #ap-group default
(Aruba3600) (AP group "default") #mesh-radio-profile default
(Aruba3600) (AP group "default") #mesh-cluster-profile default priority 10

13. Mesh Networking Special Mode (Ethernet Attached Below a Point Node)

(Aruba3600) (config) #ap wired-ap-profile default /* enter ap wired-ap-profile default */
(Aruba3600) (Wired AP profile "default") #wired-ap-enable /* enable wired-ap-enable mode */
(Aruba3600) (Wired AP profile "default") #forward-mode tunnel /* set the forwarding mode to tunnel */
tunnel: the default; all wired-user traffic goes back to the controller.
bridge: wired-user traffic is forwarded locally.
split-tunnel: traffic to internal resources goes back to the controller; Internet traffic is sent directly through NAT on the AP.

[Note] switchport mode ( access | trunk )

switchport access vlan ()
switchport trunk allowed vlan ()
switchport trunk native vlan
[no] trusted /* use no trusted if authentication is required */
After this is done, by default there are no permissions, only the default logon permission; do the following in order:
(Aruba3600) (config) #user-role wangjianguo /* create a new role */
(Aruba3600) (config-role) #session-acl allowall /* apply the maximum-permission policy */
(Aruba3600) (config-role) #exit
(Aruba3600) (config) #aaa profile default /* enter the aaa profile */
(Aruba3600) (AAA Profile "default") #initial-role wangjianguo /* set the initial-role */
(Aruba3600) (AAA Profile "default") #exit
(Aruba3600) (config) #aaa authentication wired /* enter the aaa authentication wired settings */
(Aruba3600) (Wired Authentication Profile) #profile default /* reference the aaa profile, which gives wired users their permissions after login */

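14. RF Management

Configure terminal
rf arm-profile default /* enter rf arm-profile default. "default" ships with the system; users can create a profile with a new name and reference it in the virtual ap or in rf dot11g-radio-profile */

assignment (disable: disable RF management; maintain: keep; multiband: dual band; single-band: single band)

Min-tx-power 20 /* set the minimum power to 20 milliwatts */
Max-tx-power 30 /* set the maximum power to 30 milliwatts */
Rf dot11g-radio-profile default
Tx-power 20
Radio-enable /* turn on the AP's radio signal; no radio-enable turns it off */
Channel 6 /* select the channel manually */
Arm-profile /* the arm profile can be referenced here */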

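15. Layer 3 Roaming

With the same SSID on different APs, PCs obtain different IP addresses; when a PC moves to another AP, the address it obtained does not change. The command: under the virtual-ap, type vlan-mobility and press Enter.

16. AC Port Channel Configuration

Interface port-channel 1 /* create a new channel-group */
Add gigabitethernet 1/0 /* add port 1/0 to this group */
Add gigabitethernet 1/1 /* add port 1/1 to this group */
Trusted /* set as a trusted port */
Switchport mode trunk /* set to trunk */
Switchport trunk allowed vlan 11,21,100 /* VLANs allowed through */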

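17. AC and RADIUS Server Integration

Aaa authentication-server radius newradius /* create a new aaa authentication-server; once configured, reference it in the aaa server-group with the auth-server command */
Host 192.168.1.1 /* set the RADIUS server address */
Key keyString /* set the key string used to communicate with the RADIUS server */
Show aaa authentication-server radius newradius /* view the settings just made */
Aaa server-group new-sg /* create a new aaa server-group */
Auth-server newradius /* reference the newradius server created above */
Set role condition role value-of
After configuration, use the following command to test whether the setup works:
Aaa test-server pap newradius admin admin /* user name and password */
Once the test succeeds, reference it directly in the relevant place when configuring captive portal, dot1x, or other authentication.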

18. NAT Settings

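20. Other Common Commands

1. Set user role permissions (requires PEF)
(Aruba200) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba200) (config) #aaa derivation-rules user /* enter the settings for users' initial network permissions */

(Aruba200) (user-rule) #set role condition essid equals aruba-ap set-value pre-employee
[Note] Now reconnect to the aruba-ap SSID (if already connected, disconnect and connect again). At this point the wireless user has been admitted to the internal network.
(Aruba200) #show user /* view user status; the user has obtained pre-employee, the highest permission */
2. Adjust the power of all APs
(Aruba200) (config) #ap location 0.0.0 /* select all APs; 0.0.0 stands for all APs */
(Aruba200) (sap-config location 0.0.0) #arm min-tx-power 4 /* set the minimum power to 4 */
3. Common commands

. Show ip route /* view the routing table */
. Show user /* view user status */
. Show wlan ap table /* view the status of each AP */
. Show wlan client table /* view wireless client status */
. Show ap database /* view AP status and history */
. clear gap-db ap-name /* clear the data in the ap database */
. show ap active /* view the APs currently working normally */
. show ap essid /* view the essids currently broadcast by the APs */
. aaa user delete all /* delete the records of currently logged-in users */
. show rights /* view role permissions */

. local-userdb add username admin password admin role userrole /* add a new user to the local database and set the user's role */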

21. MAC + Portal Authentication

(Aruba200) (config) #wlan ssid-profile macandportal
(Aruba200) (SSID Profile "macandportal") #essid test-mac-and-portal
(Aruba200) (config) #wlan virtual-ap test-mp-vp
(Aruba200) (Virtual AP profile "test-mp-vp") #ssid-profile macandportal
(Aruba200) (Virtual AP profile "test-mp-vp") #vlan 2
(Aruba200) (config) #ap-group default
(Aruba200) (AP group "default") #virtual-ap test-mp-vp
(Aruba200) (config) #aaa authentication mac test-auth-mp
(Aruba200) (MAC Authentication Profile "test-auth-mp") #case upper
(Aruba200) (MAC Authentication Profile "test-auth-mp") #delimiter dash
(Aruba200) (config) #aaa server-group test-sg
(Aruba200) (Server Group "test-sg") #auth-server internal
(Aruba200) (Server Group "test-sg") #set role condition role value-of

(Aruba200) (config) #aaa profile test-mp-profile
(Aruba200) (AAA Profile "test-mp-profile") #mac-server-group test-sg
(Aruba200) (AAA Profile "test-mp-profile") #authentication-mac test-auth-mp
(Aruba200) (config) #wlan virtual-ap test-mp-vp
(Aruba200) (Virtual AP profile "test-mp-vp") #aaa-profile test-mp-profile
(Aruba200) (config) #aaa server-group test-sg
(Aruba200) (Server Group "test-sg") #auth-server internal
(Aruba200) (Server Group "test-sg") #set role condition role value-of
(Aruba200) (config) #aaa authentication captive-portal test-auth-mp
(Aruba200) (Captive Portal Authentication Profile "test-auth-mp") #server-group test-sg
(Aruba200) (config) #user-role test-mac-and-portal
(Aruba200) (config-role) #captive-portal test-auth-mp
(Aruba200) (config-role) #session-acl logon-control
(Aruba200) (config-role) #session-acl captiveportal
(Aruba200) (config-role) #session-acl ***logon

(Aruba200) (config) #aaa profile test-mp-profile
(Aruba200) (AAA Profile "test-mp-profile") #initial-role test-mac-and-portal

22. DOT1X + PORTAL Authentication

(Aruba200) (config) #wlan ssid-profile test-dot1x-portal-ssid
(Aruba200) (SSID Profile "test-dot1x-portal-ssid") #essid test-dot1xandportal
(Aruba200) (SSID Profile "test-dot1x-portal-ssid") #exit
(Aruba200) (config) #wlan virtual-ap test-dot1xandportal-vp
(Aruba200) (Virtual AP profile "test-dot1xandportal-vp") #vlan 2
(Aruba200) (Virtual AP profile "test-dot1xandportal-vp") #ssid-profile test-dot1x-portal-ssid
(Aruba200) (config) #ap-group default
(Aruba200) (AP group "default") #virtual-ap test-dot1xandportal-vp
(Aruba200) (config) #aaa authentication dot1x test-dot1x-portal
(Aruba200) (802.1X Authentication Profile "test-dot1x-portal") #termination enable

(Aruba200) (802.1X Authentication Profile "test-dot1x-portal") #termination eap-type eap-tls

(Aruba200) (802.1X Authentication Profile "test-dot1x-portal") #termination eap-type eap-peap
(Aruba200) (config) #aaa server-group test-sg-dot1x-portal
(Aruba200) (Server Group "test-sg-dot1x-portal") #auth-server internal
(Aruba200) (config) #aaa profile test-dot1x-portal-profile
(Aruba200) (AAA Profile "test-dot1x-portal-profile") #dot1x-server-group test-sg-dot1x-portal
(Aruba200) (AAA Profile "test-dot1x-portal-profile") #authentication-dot1x test-dot1x-portal
(Aruba200) (config) #wlan virtual-ap test-dot1xandportal-vp
(Aruba200) (Virtual AP profile "test-dot1xandportal-vp") #aaa-profile test-dot1x-portal-profile
(Aruba200) (Virtual AP profile "test-dot1xandportal-vp") #exit
(Aruba200) (config) #wlan ssid-profile test-dot1x-portal-ssid
(Aruba200) (SSID Profile "test-dot1x-portal-ssid") #opmode wpa-tkip
(Aruba200) (config) #aaa server-group test-dot1x-portal-sg

(Aruba200) (Server Group "test-dot1x-portal-sg") #auth-server internal
(Aruba200) (Server Group "test-dot1x-portal-sg") #set role condition role value-of
(Aruba200) (config) #aaa authentication captive-portal test-dot1x-portal-cp
(Aruba200) (Captive Portal Authentication Profile "test-dot1x-portal-cp") #server-group test-dot1x-portal-sg
(Aruba200) (config) #user-role test-dot1x-portal
(Aruba200) (config-role) #captive-portal test-dot1x-portal-cp
(Aruba200) (config-role) #session-acl logon-control
(Aruba200) (config-role) #session-acl captiveportal
(Aruba200) (config-role) #session-acl ***logon
(Aruba200) (config) #aaa profile test-dot1x-portal-profile
(Aruba200) (AAA Profile "test-dot1x-portal-profile") #dot1x-default-role test-dot1x-portal
(Aruba200) (config) #aaa profile test-dot1x-portal-profile