
CISCO无线AP配置手册.ppt (Cisco Wireless AP Configuration Manual)
109 pages. © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential.

Slide 1: Wireless Controller Configuration Basics
Xiaogang Wu, 2008.10

Slide 2: Basic configuration tasks and workflow
Preparation:
1. Initial controller setup and upgrading the controller software
2. Getting familiar with the controller configuration interfaces
3. Joining APs to the controller
Configuration tasks:
1. Installing and doing a simple configuration of the Cisco CSSC wireless client
2. Building an OPEN and a WEP wireless network
3. Building a wireless network with simple web authentication
4. Building a wireless network with local EAP authentication
5. Building a wireless network that uses ACS for AAA authentication

Slide 3: Preparation (section divider)

Slide 4: Basic equipment
- Controller: 4400 or 2100 series
- AP: 1130 or 1240 series
- Switch: preferably a 3560 PoE switch

Slide 5: 2100 series wireless controller
- Supports 802.11a/b/g/n
- Supports PCI compliance
- WLC2100 hardware: 8 FE ports (2 uplink, 6 downlink), 2 of which supply Power over Ethernet
- Unused ports: 2 USB ports and one expansion slot, reserved for future use
- The 2106 and 2006 cannot act as the anchor controller for guest access
- No Link Aggregation support
- AP capacity cannot be raised by a software upgrade
- AIR-WLC2125-K9: 2100 Series WLAN Controller for up to 25 Lightweight APs, $18,890
- AIR-WLC2112-K9: 2100 Series WLAN Controller for up to 12 Lightweight APs, $10,070
- AIR-WLC2106-K9: 2100 Series WLAN Controller for up to 6 Lightweight APs, $4,875

Slide 6: 4400 series wireless controller
- 1 RU high, 2- or 4-port gigabit uplink
- Supports 12, 25, 50 or 100 APs
- 5000-entry MAC address forwarding table
- 10/100Base-TX Ethernet service port
- 9-pin serial console port
- 2 expansion slots and 1 utility port, currently unused
- 2 hot-swappable power supply slots
- 44xx WLAN Controller models: the 4402 supports 12, 25 and 50 APs; the 4404 supports 100 APs
- AP capacity cannot be raised by a software upgrade
- The 4400 series uses SFP fiber modules
- The 4400 series supports 50 APs per port

Slide 7: Preparation
- Network cable and console cable.
  For a 4400 you need a DB9-to-DB9 cable; for a 2106 or an ISR you need a DB9-to-RJ45 cable.
- For a 4400 you also need a GLC fiber module and fiber.
- Check whether the controller software needs an upgrade (use show sysinfo to see the running version).
- Check whether autonomous ("fat") APs must be converted to lightweight ("thin") APs: the 1200/1100/1300 need the upgrade tool; the 1250 needs no tool and is converted directly from its GUI.

Slide 8: Example lab topology
- Switch port fa0/1, a trunk carrying VLAN 1/20/30/40, connects to WLC port 1.
- VLAN1 connects the controller, the APs and ACS.
- VLAN20 is used for WPA/WPA2 authentication with ACS as the authentication server (SSID: VLAN20).
- VLAN30 is used for OPEN/WEP/GUEST client access (SSID: VLAN30).
- VLAN40 is used for WPA/WPA2 authentication with local EAP.
- The PC and the AAA server sit in VLAN1.
- All Layer 3 gateways are on the Layer 3 switch, at address .254 in each VLAN.

Slide 9: Boot options
The controller boot sequence always offers these options, because they are set in PROM to guarantee controller recovery options. Press 5 to clear the configuration.

Slide 10: System startup screen and initial configuration (OS 5.1)
The values below are the lab values. The administrator name and password "cisco" are lab values only and must be replaced by a strong password on any real deployment. The virtual gateway address must be one that is not routed anywhere in your network; 1.1.1.1 was the customary choice in 2008 but has since become a publicly routed address, so pick an unused one.
Would you like to terminate autoinstall? [yes]:
System Name [Cisco_51:2b:60] (31 characters max): 2106-demo
AUTO-INSTALL: process terminated -- no configuration loaded
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (24 characters max): cisco
Re-enter Administrative Password : cisco
Management Interface IP Address: 192.168.10.1
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 192.168.10.254
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 8]: 1
Management Interface DHCP Server IP Address: 192.168.10.254
AP Manager Interface IP Address: 192.168.10.2
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (192.168.10.254):
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: demo

Slide 11: System startup screen (continued)
Enable Symmetric Mobility Tunneling [yes][NO]: yes
Network Name (SSID): open
Allow Static IP Addresses [YES][no]:
Configure a RADIUS Server now? [YES][no]: no
Warning!
The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]: CN
Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]:
Enter the date in MM/DD/YY format: 09/28/08
Enter the time in HH:MM:SS format: 17:11:00
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...
Very important: the controller's wireless regulatory domain (country code) must match the APs', or they will not join.
Slide 12: Configuring the Layer 3 switch
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.2
!
ip dhcp pool AP
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
……
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.254 255.255.255.0
……
line vty 0 4
 privilege level 15
 password cisco
 login
The excluded addresses keep the pool from handing out the controller's management address (.1), its AP-manager address (.2) and the gateway (.254). The vty block grants privilege level 15 on a plain line password; that is a lab shortcut, not a production setting.

Slide 13: Configuring web access
1. Use a straight-through cable to connect the switch trunk port to controller port 1.
2. Give the PC the address 192.168.10.100/24 (or use DHCP), with gateway 192.168.10.254.
3. Check that the PC can ping the controller's address 192.168.10.1.
4. Browse to the controller to manage it (the URL on the original slide did not survive extraction); if HTTP access is wanted, it must first be enabled in the system settings.
Slide 14: Web access with the IE browser (screenshot)

Slide 15: If the controller system software needs upgrading
- Recommended TFTP server: t… (the name is truncated on the original slide)
- It must support transferring files larger than 64 MB

Slide 16: Downloading a new version from CCO
- A mesh version, supporting indoor and outdoor mesh
- A regular version, supporting 802.11n and other new features

Slide 17: Upgrade path to controller software release 5.0.148.0 or above
Current software release | Upgrade path to 5.0.148.0
3.2.78.0 or later 3.2 release | Upgrade to a 4.1 release before upgrading to 5.0.148.0.
4.0.155.5 or later 4.0 release | Upgrade to a 4.1 or 4.2 release before upgrading to 5.0.148.0.
4.1.171.0 or later 4.1 release | You can upgrade directly to 5.0.148.0.
4.2.61.0 or later 4.2 release | You can upgrade directly to 5.0.148.0.
Note: because the configuration storage format changed, part of the existing configuration may be lost when upgrading from 3.x or 4.x to 5.x. Back up the configuration before upgrading.

Slide 18: Upgrade path to controller software release 4.1.171.0
Current software release | Upgrade path to 4.1.171.0
3.2.78.0 | Upgrade to 4.0.206.0 or a later 4.0 release before upgrading to 4.1.171.0.
3.2.116.21, 3.2.150.10, 3.2.171.6, 3.2.193.5 | If your controller is configured with the new J3 country code, upgrade to 3.2.195.10 or a later 3.2 release. If it is not configured for the new J3 country code, you can upgrade to 3.2.195.10 or a later 3.2 release, or to 4.0.206.0 or a later 4.0 release.
3.2.195.10 or later 3.2 release | You can upgrade directly to 4.1.171.0.
4.0.155.5, 4.0.179.11 | Upgrade to 4.0.206.0 or a later 4.0 release before upgrading to 4.1.171.0.
4.0.206.0 or later 4.0 release | You can upgrade directly to 4.1.171.0.

Slide 19: Controller software upgrade from the command line
Step 1. ping <server-ip-address>: check connectivity between the controller and the TFTP server.
Step 2. transfer download mode tftp: set the transfer protocol to TFTP.
Step 3. transfer download datatype code: set the data type to a software image.
Step 4. transfer download serverip <server-ip-address>: set the TFTP server's IP address.
Step 5. transfer download filename <image-file>: set the image file name.
Step 6. transfer download start: start the transfer; if you answer No at the confirmation prompt, the TFTP settings are displayed instead.
Step 7. reset system: reboot the WLC.
Note: the recommended TFTP server software (name truncated on the slide) is a free download and supports files larger than 64 MB.

Slide 20: Controller software upgrade from the GUI
Set up the TFTP software on the PC; enter the TFTP server address and the file name, then click the Download button on the right to start. When it completes, reboot as prompted.

Slide 21: Getting familiar with the controller configuration interface (section divider)
Slides 22 to 28: CLI basics, with screenshots of the "clear", "config", "debug", "help", "show" and "transfer" command families (the CLI login shown uses the lab account cisco)
Slide 29: Web access with the IE browser (screenshot)
Slide 30: Viewing and setting wireless network SSIDs on the controller
Slide 31: Controller configuration page: configure interfaces, configure the controller as a DHCP server, define mobility groups, view and configure ports
Slide 32: Interface configuration page
Slide 33: Setting the controller up as a DHCP server
Slide 34: Defining a mobility group
Slide 35: Port settings page
Slide 36: With several controllers, setting the primary controller
Slide 37: Click WIRELESS / All APs
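The upgrade notes on slides 15 and 19 insist on a TFTP server that can move files larger than 64 MB. The reason is TFTP's 16-bit block counter: at the default 512-byte block size it runs out after 65535 blocks (32 MiB), so a sender must wrap the counter back to 0 (or negotiate a larger block size with the RFC 2348 blksize option) and the receiver must expect the wrap, otherwise a controller image never finishes downloading. The Python below is an added example, not code from the deck or from Cisco: it frames TFTP DATA packets with wrapping block numbers and reassembles them while checking the sequence. Function names are mine.

```python
"""TFTP DATA block numbering with 16-bit rollover (RFC 1350 framing).

Added example for the upgrade notes on slides 15 and 19; it is not code
from the deck or from Cisco. Function names are mine.
"""
import struct

OPCODE_DATA = 3
OPCODE_ACK = 4
DEFAULT_BLKSIZE = 512          # RFC 1350 block size; RFC 2348 can raise it


def max_bytes_without_rollover(blksize=DEFAULT_BLKSIZE):
    """Largest file deliverable if the block counter never wraps:
    block numbers 1..65535, each carrying blksize bytes."""
    return 65535 * blksize     # 33 553 920 bytes (32 MiB) at 512


def data_packets(image, blksize=DEFAULT_BLKSIZE):
    """Yield DATA packets for `image`: opcode 3, a 16-bit block number
    starting at 1 and wrapping modulo 65536, then up to blksize bytes.
    The transfer ends with the first block shorter than blksize, which
    is an empty block when the file is an exact multiple of blksize."""
    block = 1
    offset = 0
    while True:
        chunk = image[offset:offset + blksize]
        yield struct.pack("!HH", OPCODE_DATA, block) + chunk
        if len(chunk) < blksize:
            return
        offset += blksize
        block = (block + 1) & 0xFFFF   # 65535 -> 0 -> 1 ...


def receive(packets, blksize=DEFAULT_BLKSIZE):
    """Reassemble a transfer, insisting on the exact (wrapped) block
    number a rollover-aware client expects. Returns (data, acks_sent).
    A receiver comparing against an unwrapped counter would reject
    block 0 after 65535 and the image would never finish downloading."""
    expected = 1
    data = bytearray()
    acks = []
    for pkt in packets:
        opcode, block = struct.unpack("!HH", pkt[:4])
        if opcode != OPCODE_DATA:
            raise ValueError(f"unexpected opcode {opcode}")
        if block != expected:
            raise ValueError(f"got block {block}, expected {expected}")
        payload = pkt[4:]
        data += payload
        acks.append(struct.pack("!HH", OPCODE_ACK, block))
        if len(payload) < blksize:
            break                      # short block: end of transfer
        expected = (expected + 1) & 0xFFFF
    return bytes(data), len(acks)
```

Running `receive(data_packets(image, 8), 8)` with an image of more than 65535 blocks exercises the wrap; a server or client that stops at block 65535 fails exactly at the 32 MiB boundary of a real 512-byte-block transfer.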
Slide 38: Security page: RADIUS server configuration, local user database, MAC address filtering, web authentication settings, local EAP
Slide 39: Management page: defines the management users allowed to administer the controller
Slide 40: Controller maintenance page: upload and download of the system image and configuration files; soft restart of the controller
Slide 41: AP radio configuration page

Slide 42: AP transmit power adjustment (AP1131)
Tx Power
 Num Of Supported Power Levels ............. 6
 Tx Power Level 1 .......................... 14 dBm
 Tx Power Level 2 .......................... 11 dBm
 Tx Power Level 3 .......................... 8 dBm
 Tx Power Level 4 .......................... 5 dBm
 Tx Power Level 5 .......................... 2 dBm
 Tx Power Level 6 .......................... -1 dBm
On the AP1242, level 1 is 17 dBm.

Slide 43: HA enhancements in release 5.1: failover priority levels and a global HA configuration

Slide 44: Connecting APs to the controller (section divider)

Slide 45: How controller ports, VLANs and interfaces relate
Interfaces the controller must have:
- In-band management interface: "Management Interface"
- LWAPP tunnel termination interface: "AP Manager Interface"
- Interfaces that bridge wireless clients onto VLANs: "Dynamic Interfaces"
- A virtual interface used for Layer 2 and Layer 3 roaming: "Virtual Interface"
Optional interface:
- Service interface: out-of-band management
The 2100 series and the WLCM have no service port.

Slide 46: Confirm that the controller's country (regulatory) version matches the APs. The current release supports several countries at the same time.
Slide 47: Confirm that the time configuration is correct.
Slide 48: Setting up DHCP on the router or Layer 3 switch
When the APs and the controller are not on the same subnet, create a pool from which the APs obtain their IP addresses and add option 43:
WLC-router(config)#ip dhcp pool L
WLC-router(dhcp-config)#network 192.168.10.0 255.255.255.0
WLC-router(dhcp-config)#default-router 192.168.10.254
WLC-router(dhcp-config)#option 43 ascii "192.168.10.1"
WLC-router(dhcp-config)#exit
WLC-router(config)#ip dhcp excluded-address 192.168.10.254
Very important: option 43 is how an AP that obtains an address in a different subnet from the controller learns where the controller is. If the AP and the controller are in the same subnet and broadcast domain, option 43 is not needed.

Slide 49: Configuring option 43 on IOS devices
- For the 1000/1500 series, write the controller list directly as ASCII: option 43 ascii "192.168.10.5,192.168.10.20"
- For the 1100 and 1200 series, both option 60 and option 43 are needed.
- Example for a 1240 joining controllers 192.168.10.5 and 192.168.10.20:
ip dhcp pool AP
 network 192.168.10.0 /24
 default-router 192.168.10.254
 dns-server 192.168.10.100
 option 60 ascii "Cisco AP c1240"
 option 43 hex f108c0a80a05c0a80a14
How the option 43 value is built (the VCI string for an 1130 is "Cisco AP c1130"):
- type = f1
- length = 2 addresses x 4 bytes = 08
- c0a80a05 = 192.168.10.5
- c0a80a14 = 192.168.10.20

Slide 50: Enable a debug on the console to watch the AP join
(Cisco Controller) >debug lwapp events enable
*Oct 04 19:20:19.154: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:60 on port '8'
*Oct 04 19:20:19.154: Received a packet which is a (type = DISCOVERY_REQUEST) with session id 0
*Oct 04 19:20:19.154: Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6,joined Aps =0
*Oct 04 19:20:19.155: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to ff:ff:ff:ff:ff:ff on port '8'
*Oct 04 19:20:19.156: Received a packet which is a (type = DISCOVERY_REQUEST) with session id 0
*Oct 04 19:20:19.156: Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6,joined Aps =0
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:31.162: 00:1a:e3:d0:19:50 Received LWAPP JOIN REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67 on port '8'
*Oct 04 19:20:31.162: Received a packet which is a (type = JOIN_REQUEST) with session id 0
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 AP AP001b.5302.28f8: txNonce 00:1E:13:51:2B:60 rxNonce 00:1A:E3:D0:19:50
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 LWAPP Join Request MTU path from AP 00:1a:e3:d0:19:50 is 1500, remote debug mode is 0
*Oct 04 19:20:31.177: DTL Adding AP 1 - 192.168.10.10
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 Successfully added NPU Entry for AP 00:1a:e3:d0:19:50 (index 1)
Switch IP: 192.168.10.2, Switch Port: 12223, intIfNum 8, vlanId 0
AP IP: 192.168.10.10, AP Port: 8847, nex
*Oct 04 19:20:31.911: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Join Reply to AP 00:1a:e3:d0:19:50
*Oct 04 19:20:31.912: 00:1a:e3:d0:19:50 spam_lrad.c:1589 - Operation State 0 ===> 4
*Oct 04 19:20:31.913: 00:1a:e3:d0:19:50 Register LWAPP event for AP 00:1a:e3:d0:19:50 slot 0
*Oct 04 19:20:31.914: 00:1a:e3:d0:19:50 Register LWAPP event for AP 00:1a:e3:d0:19:50 slot 1
*Oct 04 19:20:33.192: 00:1a:e3:d0:19:50 Received LWAPP CONFIGURE REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67
*Oct 04 19:20:33.194: 00:1a:e3:d0:19:50 Updating IP info for AP 00:1a:e3:d0:19:50 -- static 0, 192.168.10.10/255.255.255.0, gtw 192.168.10.254
*Oct 04 19:20:33.194: 00:1a:e3:d0:19:50 Updating IP 192.168.10.10 ===> 192.168.10.10 for AP 00:1a:e3:d0:19:50
*Oct 04 19:20:33.194: 00:1b:53:02:28:f8 Building Config Response Msg for 00:1b:53:02:28:f8
The sequence to look for is DISCOVERY REQUEST, Discovery Response, JOIN REQUEST, Join Reply, CONFIGURE REQUEST. The "MaxLrads = 6, joined Aps = 0" line shows the controller's AP capacity (6 on a 2106) against the number already joined; once they are equal, further APs are refused. "Switch IP: 192.168.10.2, Switch Port: 12223" is the AP-manager address and the LWAPP control port the AP is talking to.

Slide 51: Confirm that the AP has joined the controller (GUI and CLI screenshots)

Slide 52: CSSC wireless client (section divider)

Slide 53: 802.11 wireless client overview
WLAN feature | CSSC | Microsoft | Cisco ACU/ADU
Multiple WLAN profiles (different SSIDs, different security policies) | Yes | Yes | Yes
Active probe (hidden SSID support) | Yes | No | Yes
Deployment tool | Yes | No | Yes
WPA/WPA2 | Yes | Yes | Partial
WPA2 PMK caching | Yes | Yes | Partial
EAP-FAST | Yes | No | Partial
WPA-PSK | Yes | Yes | Partial
Static WEP (40/128 bit) | Yes | Yes | Yes
NAC/CTA (network admission control support) | Yes | No | No
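The option 43 value on slide 49 is a small TLV: type f1, a one-byte length of 4 bytes per controller, then the packed IPv4 addresses. The Python below is an added example, not code from the deck or from Cisco; it builds that value for any controller list, decodes one back while rejecting a length byte that does not fit, and renders the IOS pool from the slide. Helper names are mine. Keep in mind that nothing in this exchange is authenticated: whichever DHCP server answers first decides which controller list the AP tries, so DHCP snooping on the AP ports (trusting only the real server) belongs alongside this configuration.

```python
"""Encode and check the DHCP option 60 / option 43 values from slide 49.

Added example, not code from the deck or from Cisco. It rebuilds the
TLV the slide shows for a 1240 pointed at controllers 192.168.10.5 and
192.168.10.20. Function names are mine.
"""
import ipaddress

# Vendor Class Identifier strings given on slide 49 for the AP models
# that need option 60 before they will honour option 43.
VCI = {"c1240": "Cisco AP c1240", "c1130": "Cisco AP c1130"}
WLC_LIST_TYPE = 0xF1   # sub-option type "f1": list of controller IPv4 addresses


def option43_hex(controllers):
    """Build the value for `option 43 hex`: type f1, one length byte
    (4 bytes per controller), then the packed IPv4 addresses."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not 4 <= len(packed) <= 252:          # length must fit in one byte
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([WLC_LIST_TYPE, len(packed)]).hex() + packed.hex()


def option43_ascii(controllers):
    """Form used by the 1000/1500 series: `option 43 ascii "a,b"`."""
    return ",".join(str(ipaddress.IPv4Address(c)) for c in controllers)


def parse_option43_hex(text):
    """Decode an `option 43 hex` string into the controller list. Dots are
    stripped so a value written in IOS's dotted-hex form also parses. A
    length byte that overruns the data or is not a multiple of 4 is rejected."""
    data = bytes.fromhex(text.replace(".", ""))
    controllers, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("length byte runs past the end of the option")
        if sub_type == WLC_LIST_TYPE:
            if length % 4:
                raise ValueError("f1 length must be a multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[k:k + 4]))
                            for k in range(0, length, 4)]
        i += 2 + length
    return controllers


def ios_dhcp_pool(name, network, gateway, ap_model, controllers, dns=None):
    """Render the IOS pool from slide 49 for a given AP model."""
    net = ipaddress.IPv4Network(network)
    lines = [f"ip dhcp pool {name}",
             f" network {net.network_address} {net.netmask}",
             f" default-router {gateway}"]
    if dns:
        lines.append(f" dns-server {dns}")
    lines.append(f' option 60 ascii "{VCI[ap_model]}"')
    lines.append(f" option 43 hex {option43_hex(controllers)}")
    return "\n".join(lines)
```

`ios_dhcp_pool("AP", "192.168.10.0/24", "192.168.10.254", "c1240", ["192.168.10.5", "192.168.10.20"], dns="192.168.10.100")` reproduces the slide's pool line for line; paste a captured option 43 value into `parse_option43_hex` to confirm the APs are being told about the controllers you expect.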
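Reading `debug lwapp events` output by eye works for one AP in a lab; for a site with dozens of APs it helps to reduce the log to one line per AP saying how far the join got. The Python below is an added example, not code from the deck or from Cisco: it walks the debug lines from slide 50, records the discovery, join and configure stages per AP MAC, captures the AP's address and the controller's capacity line, and classifies each AP. SAMPLE_LOG is a constructed excerpt: the first AP's lines follow slide 50, the second AP (ending aa:bb) is invented to show an AP that is discovered but never sends a join request. Function names are mine.

```python
"""Track AP join progress in `debug lwapp events enable` output (slide 50).

Added example, not code from the deck or from Cisco. SAMPLE_LOG is a
constructed excerpt modelled on slide 50; the AP ending aa:bb is invented.
Function names are mine.
"""
import re
from collections import defaultdict

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"

# The stages of a successful LWAPP join as the controller logs them, in order.
STAGES = [
    ("DISCOVERY_REQUEST", re.compile(r"Received LWAPP DISCOVERY REQUEST from AP " + MAC)),
    ("DISCOVERY_RESPONSE", re.compile(r"LWAPP Discovery Response to AP " + MAC)),
    ("JOIN_REQUEST", re.compile(r"Received LWAPP JOIN REQUEST from AP " + MAC)),
    ("JOIN_REPLY", re.compile(r"LWAPP Join Reply to AP " + MAC)),
    ("CONFIGURE_REQUEST", re.compile(r"Received LWAPP CONFIGURE REQUEST from AP " + MAC)),
]
FULL_JOIN = [name for name, _ in STAGES]
CAPACITY = re.compile(r"MaxLrads\s*=\s*(\d+),\s*joined Aps\s*=\s*(\d+)")
AP_IP = re.compile(r"Updating IP info for AP " + MAC + r" -- static (\d), (\d+(?:\.\d+){3})/")
TIMESTAMP = re.compile(r"^\*(\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):")

SAMPLE_LOG = """\
*Oct 04 19:20:19.154: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:60 on port '8'
*Oct 04 19:20:19.154: Received a packet which is a (type = DISCOVERY_REQUEST) with session id 0
*Oct 04 19:20:19.154: Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6,joined Aps =0
*Oct 04 19:20:19.155: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:19:50 to ff:ff:ff:ff:ff:ff on port '8'
*Oct 04 19:20:19.156: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:19:50 on port 8
*Oct 04 19:20:31.162: 00:1a:e3:d0:19:50 Received LWAPP JOIN REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67 on port '8'
*Oct 04 19:20:31.177: 00:1a:e3:d0:19:50 LWAPP Join Request MTU path from AP 00:1a:e3:d0:19:50 is 1500, remote debug mode is 0
*Oct 04 19:20:31.911: 00:1a:e3:d0:19:50 Successful transmission of LWAPP Join Reply to AP 00:1a:e3:d0:19:50
*Oct 04 19:20:33.192: 00:1a:e3:d0:19:50 Received LWAPP CONFIGURE REQUEST from AP 00:1a:e3:d0:19:50 to 00:1e:13:51:2b:67
*Oct 04 19:20:33.194: 00:1a:e3:d0:19:50 Updating IP info for AP 00:1a:e3:d0:19:50 -- static 0, 192.168.10.10/255.255.255.0, gtw 192.168.10.254
*Oct 04 19:25:00.001: 00:1a:e3:d0:aa:bb Received LWAPP DISCOVERY REQUEST from AP 00:1a:e3:d0:aa:bb to ff:ff:ff:ff:ff:ff on port '8'
*Oct 04 19:25:00.001: Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6,joined Aps =1
*Oct 04 19:25:00.002: 00:1a:e3:d0:aa:bb Successful transmission of LWAPP Discovery Response to AP 00:1a:e3:d0:aa:bb on port 8
""".splitlines()


def parse_join_log(lines):
    """Return {ap_mac: record}. Repeated discoveries (the AP sends one
    unicast and one broadcast) count once so the stage list stays ordered."""
    def new():
        return {"stages": [], "ip": None, "static_ip": None, "max_aps": None,
                "joined_aps": None, "first_seen": None, "last_seen": None}
    aps = defaultdict(new)
    current = None                       # AP the last MAC-bearing line belonged to
    for line in lines:
        ts = TIMESTAMP.match(line)
        for name, rx in STAGES:
            m = rx.search(line)
            if m:
                current = m.group(1)
                rec = aps[current]
                if name not in rec["stages"]:
                    rec["stages"].append(name)
                if ts:
                    rec["first_seen"] = rec["first_seen"] or ts.group(1)
                    rec["last_seen"] = ts.group(1)
                break
        m = CAPACITY.search(line)        # capacity line carries no MAC; attribute to current AP
        if m and current:
            aps[current]["max_aps"], aps[current]["joined_aps"] = int(m.group(1)), int(m.group(2))
        m = AP_IP.search(line)
        if m:
            rec = aps[m.group(1)]
            rec["static_ip"] = m.group(2) == "1"
            rec["ip"] = m.group(3)
    return dict(aps)


def join_status(rec):
    """Classify how far an AP got; the first missing stage says whether to
    look at DHCP/option 43 (no discovery), the join (no reply) or config."""
    seen = rec["stages"]
    if seen == FULL_JOIN:
        return "joined"
    if "JOIN_REQUEST" in seen and "JOIN_REPLY" not in seen:
        return "join-not-answered"
    if "DISCOVERY_REQUEST" in seen and "JOIN_REQUEST" not in seen:
        return "discovered-not-joining"
    return "incomplete"


def capacity_exhausted(rec):
    """True when the controller already holds as many APs as it is licensed for."""
    return rec["max_aps"] is not None and rec["joined_aps"] >= rec["max_aps"]
```

Feed it the captured console output (`parse_join_log(open("wlc-debug.log").readlines())`) and print `join_status` per MAC; an AP that reaches "join-not-answered" is usually a certificate, time or regulatory-domain mismatch (slides 46 and 47), while "discovered-not-joining" on a controller where `capacity_exhausted` is true is the AP license limit from slide 5.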
Slide 54: Wireless client recommendations
Because an enterprise has laptops of many brands, the Cisco CSSC client software is recommended. Its advantages:
1. One platform for all company laptops, which makes management and policy distribution easy.
2. CSSC comes with a deployment tool, so once a policy has been defined it is easy to roll out (on the Windows platform the relevant parameters still have to be configured).
3. CSSC supports Cisco NAC network admission control.
4. Newly purchased laptops should be of one brand (easier to manage); older laptops without a wireless card should all use the Cisco CB21AG (supports AES strong encryption). Cisco also offers a wireless card for desktops, the AIR-PI21AG.
5. Cisco started the CCX program (compatibility testing between vendors' laptops and Cisco APs); the link below (missing from the slide) lists which laptop models are CCX members.

Slide 55: Installing the Cisco SSC client software (screenshots)
Slide 56: Simple CSSC connection settings (screenshots)

Slide 57: Building an OPEN and a WEP wireless network (section divider)

Slide 58: Basic steps for configuring a wireless service
- Configure a DHCP server for the wireless clients
- Configure a wireless network interface (dynamic interface)
- Configure a wireless service (WLAN)

Slide 60: 1. Create a DHCP server for the clients
Slide 61: 2. Create a wireless interface for the clients; click APPLY
Slide 62: 2. Create the guest wireless interface: VLAN20
Slide 63: Viewing the interfaces created: click an interface to change the VLAN20 interface parameters; click NEW to add more interfaces; click the delete link to remove one
Slides 64 to 66: 3. Create an open guest WLAN. Very important and easily forgotten: the setting marked on the screenshot. Choose None as the security setting: no encryption and no restriction on the wireless network.
Slide 67: WLAN advanced feature configuration
Slide 68: Wireless client connection test
Slide 69: Change the WLAN just created to WEP encryption
- 40-bit WEP needs a 5-character ASCII key
- 104-bit WEP needs a 13-character ASCII key
- The Cisco Aironet 1100/1200/1300 do not support 128-bit WEP
WEP is broken and appears here only as a lab exercise; it should not be deployed as a security measure.
Slide 70: Verifying the wireless connection

Slide 71: Building a wireless access network with simple web authentication (section divider)

Slide 72: Building a simple web-authenticated wireless network
1. Add a new address pool
2. Add a new interface
3. Configure the local page used for web authentication
4. Add the web-authentication WLAN
5. Create the local user authentication database

Slide 73: 1. Create an address pool for web-authenticated users
Slide 74: 2. Add a VLAN30 interface on the controller
Slide 75: 3. Configure the local web authentication page
Slides 76 and 77: 4. Create a new WLAN
Slide 78: 5. Define the internal authentication user database
Slide 79: Verifying web authentication: as before, in CSSC's Manage Networks, select and activate web-auth
Slide 80: Verifying web authentication: enter an address of the form shown on the slide in the browser (there is no DNS, so a host name cannot be used)
Slide 81: Web authentication verification (screenshot)

Slide 82: Building a wireless access network with local EAP authentication (section divider)
Slide 83: Building a WPA-authenticated network
1. Add a new address pool
2. Add a new dynamic interface
3. Add local EAP support or an AAA server (RADIUS server)
4. Create a new WLAN SSID
5. Configure WPA/WPA2 authentication
6. Set up the CSSC client software

Slide 84: 1. Create an address pool
Slide 85: 2. Add a VLAN40 interface on the controller
Slide 86: 3. Add local EAP support
Slide 87: 3. Local EAP profile configuration
Slides 88 and 89: 4. Create a new WLAN
Slide 90: 5. Configure WPA/WPA2
Slide 91: 5. Configure local EAP authentication support
Slide 92: 6. Set up the CSSC software and add the SSID

Slide 93: Building a wireless access network that uses ACS for AAA authentication (section divider)

Slide 94: ACS configuration terminology
- Posture
- ACS: Access Control Server
- NAP: Network Access Profile
- NAF: Network Access Filter
- NAD: Network Access Device
- NDG: Network Device Group
- PA: Posture Agent
- PV: Posture Validation
- RAC: RADIUS Authorization Component
- DACL: Dynamic Access Control List
- ADF: Attribute Definition File
Slide 95: Logical relationship between the ACS components (diagram)
Nodes in the diagram: NAP; Authentication, with its Authentication DB (Global Auth Setup, Internal DB, External DB); Authorization, with Rule 1 ... Rule N and Policy 1 ... Policy N; Posture Validation (Internal Posture Validation, External Posture Validation, External Posture Validation Audit); RAC, DACL and NAF; NAD + AAA; NDG (switches, routers, VPN GW, FW). Edge labels: "posture is checked after authentication", "after the posture check the device is told how to configure the session", "associates", "composes", "downloaded to the device", "references".

Slide 96: Adding a RADIUS server: Security > AAA > RADIUS > Authentication
Slide 97: EAP authentication: Cisco's adaptive WPA or WPA2
Slide 98: EAP authentication: configuring RADIUS
Slide 99: ACS configuration: adding an AAA client
Slide 100: ACS configuration: adding an AAA server
Slide 101: ACS configuration: the AAA client and server as displayed
Slide 102: ACS configuration: generating a certificate
Slide 103: ACS configuration: the parameters AAA must return
Slide 104: ACS configuration: selecting the EAP types
Slide 105: ACS configuration: EAP-FAST settings ("do not select this", pointing at an option in the screenshot)
Slide 106: ACS configuration: adding a group
Slide 107: ACS configuration: adding a user and putting it in the group
Slide 108: EAP authentication with Funk software on the PC: PEAP, PC-side configuration ("do not select", pointing at an option in the screenshot)
Slide 109: Configuring CSSC (screenshot)
Slide 110: end of deck