1. Network Topology Diagram



Networking requirements: as shown in the figure, the AP connects to the AC, and the AC connects to the authentication server.

The CA certificate (EccCA.cer) and the AE certificate (EccAP.cer) can be imported into the AC via TFTP.

After the WAPI security mode is enabled, WAPI-capable client devices can associate correctly.

2. Server and Certificate Preparation

2.1 Start asu.exe on the server

After startup, the interface is shown below.

2.2 Upload the AE and CA certificates (EccAP.cer and EccCA.cer) to the AC's flash:/data directory

Ruijie#run-system-shell

~ #cd data

/data # tftp 192.168.1.2 -r EccAP.cer -g 192.168.1.2

/data # tftp 192.168.1.2 -r EccCA.cer -g 192.168.1.2

3. Configure and Enable WAPI

# Configure the VLAN, WLAN, and IP address.

Ruijie# configure terminal

Ruijie(config)#vlan 1

Ruijie(config-vlan)#exit

Ruijie(config)#ip dhcp pool pool

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0

Ruijie(dhcp-config)#exit

Ruijie(config)#wlan-config 1 wapitest

Ruijie(config-wlan)#exit

Ruijie(config)#

Ruijie(config)#ap-group test

Ruijie(config-group)#interface-mapping 1 1

Ruijie(config-group)#exit

Ruijie(config)#

Ruijie(config)#ap-config 5869.6cc4.98e2

You are going to config AP(5869.6cc4.98e2), which is online now.

Ruijie(config-ap)#ap-group test

Ruijie(config-ap)#end

Ruijie#


Configure the wireless security mode of this WLAN and enable WAPI.

# Enter the wireless security mode of WLAN 1

Ruijie# configure terminal

Ruijie(config)# wlansec 1

# Enable the WAPI security mode

Ruijie(wlansec)# security wapi enable


Configure WAPI two-certificate authentication (the certificate issuer and the authentication server are the same entity).

# Enable two-certificate mode

Ruijie(wlansec)# security wapi 2-cert enable

# Configure the ASU address

Ruijie(wlansec)# security wapi asu address 192.168.1.2

# Configure the CA certificate

Ruijie(wlansec)# security wapi ca cert EccCA.cer

# Configure the AE certificate

Ruijie(wlansec)# security wapi ae cert EccAP.cer


Run show running-config to check the configuration result.

Ruijie#sh run

Building configuration...

Current configuration: 1686 bytes

version AC_RGOS 11.1(5)B80P3, Release(04131821)

!

wlan-config 1 wapitest

!

ap-group default

!

ap-group test

interface-mapping 1 1 ap-wlan-id 1

!

ap-config all

!

ac-controller

capwap ctrl-ip 192.168.1.1

country CN

802.11g network rate 1 disabled

802.11g network rate 2 disabled

802.11g network rate 5 disabled

802.11g network rate 6 supported

802.11g network rate 9 supported

802.11g network rate 11 mandatory

802.11g network rate 12 supported

802.11g network rate 18 supported

802.11g network rate 24 supported

802.11g network rate 36 supported

802.11g network rate 48 supported

802.11g network rate 54 supported

802.11b network rate 1 disabled

802.11b network rate 2 disabled

802.11b network rate 5 disabled

802.11b network rate 11 mandatory

802.11a network rate 6 mandatory

802.11a network rate 9 supported

802.11a network rate 12 mandatory

802.11a network rate 18 supported

802.11a network rate 24 mandatory

802.11a network rate 36 supported

802.11a network rate 48 supported

802.11a network rate 54 supported

!

cwmp

!

service dhcp

!

ip dhcp pool pool

network 192.168.1.0 255.255.255.0

!

no service password-encryption

!

tftp-server enable

!

link-check disable

!

nfpp

!

wids

!

vlan 1

!

interface GigabitEthernet 0/1

!

interface GigabitEthernet 0/2

!

interface Loopback 1

ip address 1.1.1.1 255.255.255.255

!

interface VLAN 1

ip address 192.168.1.1 255.255.255.0

!

wlansec 1

security wapi enable

security wapi asu address 192.168.1.2

security wapi ca cert EccCA.cer

security wapi ae cert EccAP.cer

security wapi 2-cert enable

!

line console 0

line vty 0 4

login

!

end
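The check above can be scripted instead of read by eye. The following Python script is an added example, not part of the original guide: it parses a running-config excerpt in the format shown (sections delimited by lines containing only "!") and reports which WAPI two-certificate settings are missing from the wlansec block. The embedded excerpt is a constructed sample, not output captured from a device.

```python
import re

# Constructed excerpt in the format of the AC's "show running-config" output
# (sections delimited by lines containing only "!"); not captured from a device.
SAMPLE_RUNNING_CONFIG = """\
wlan-config 1 wapitest
!
wlansec 1
 security wapi enable
 security wapi asu address 192.168.1.2
 security wapi ca cert EccCA.cer
 security wapi ae cert EccAP.cer
 security wapi 2-cert enable
!
end
"""

def parse_sections(config_text):
    """Map each section header (first line after a "!") to its body lines."""
    sections = {}
    header = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines such as those in pasted output
        if line == "!":
            header = None  # separator: the current section ends here
            continue
        if header is None:
            header = line
            sections.setdefault(header, [])
        else:
            sections[header].append(line)
    return sections

def check_wapi_2cert(config_text, wlan_id, asu_address):
    """Return the patterns of WAPI two-certificate settings missing from
    "wlansec <wlan_id>"; an empty list means every setting the guide applies is there."""
    required = [
        r"^security wapi enable$",
        r"^security wapi 2-cert enable$",
        rf"^security wapi asu address {re.escape(asu_address)}$",
        r"^security wapi ca cert \S+$",  # any CA certificate file name
        r"^security wapi ae cert \S+$",  # any AE certificate file name
    ]
    body = parse_sections(config_text).get(f"wlansec {wlan_id}")
    if body is None:
        return [f"wlansec {wlan_id} block not found"]
    return [pat for pat in required if not any(re.match(pat, line) for line in body)]
```

Feed it the full text of show running-config; a non-empty result names the setting that was not applied, which is usually a typo in the certificate file name or an ASU address that does not match the server.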

4. Import and Install the Certificates on the Client

Send the following two certificates to the phone.

Tap EccCA.cer and EccUsr.cer in turn to install each certificate. During installation, select WLAN as the credential use.

Then, on the Wi-Fi association screen, select the certificates just installed: for AS authentication, choose the name given to EccCA.cer at installation; for the user certificate, choose the name given to EccUsr.cer at installation. After that, the Wi-Fi connection is established normally.

During authentication, the server window prints the authentication information.