Cisco Cisco 5760 Wireless LAN Controller 故障排查指南
service-policy type control subscriber WEBAUTH
ip dhcp snooping trust
end
Configure the radius and the parameter map.
policy-map type control subscriber WEBAUTH
event session-started match-all
1 class always do-until-failure
2 activate service-template SERV-TEMP3-WEBAUTH
3 authorize
interface po1
switchport trunk allowed vlan 19,137
switchport mode trunk
ip arp inspection trust
access-session port-control auto
service-policy type control subscriber WEBAUTH
ip dhcp snooping trust
end
4.
The WEBAUTH policy is referred to sequentially, which in this case points to a service. The
template named SERV-TEMP3 WEBAUTH as defined here.
template named SERV-TEMP3 WEBAUTH as defined here.
service-template SERV-TEMP3-
WEBAUTH
tunnel type capwap name GUEST_LAN_WEBAUTH
5.
The service template contains a reference to the tunnel type and name. Client VLAN 75 only
needs to exist on the guest anchor since it is responsible for handling client traffic.
needs to exist on the guest anchor since it is responsible for handling client traffic.
guest-lan
GUEST_LAN_WEBAUTH
3
client vlan 75
mobility anchor 9.7.104.62
security web-auth authentication-list default
security web-auth parameter-map webparalocal
no shutdown
6.
The tunnel request is initiated from the foreign to the guest anchor for the wired client and a
‘tunneladdsuccess’ indicates that the tunnel build up process completed. On the ACCESS-
SWITCH1 a Wired client connects to the Ethernet port that is set to access mode by the
network administrator. It is port GigabitEthernet1/0/11 in this example.
‘tunneladdsuccess’ indicates that the tunnel build up process completed. On the ACCESS-
SWITCH1 a Wired client connects to the Ethernet port that is set to access mode by the
network administrator. It is port GigabitEthernet1/0/11 in this example.
guest-lan
GUEST_LAN_WEBAUTH
3
client vlan 75
mobility anchor 9.7.104.62
security web-auth authentication-list default
security web-auth parameter-map webparalocal
no shutdown
7.
Configure OPENAUTH and WEBAUTH in Parallel
In order to have two guest LANS and assign them to different clients, you have to base them on
the VLANs on which the clients are learned.
the VLANs on which the clients are learned.
Guest Anchor Configuration
Enable IPDT and DHCP snooping on the client VLAN(s), in this case VLAN 75. The client
VLAN needs to be created on the guest anchor.
VLAN needs to be created on the guest anchor.
guest-lan GUEST_LAN_WEBAUTH 3
client vlan 75
mobility anchor 9.7.104.62
security web-auth authentication-list default
security web-auth parameter-map webparalocal
no shutdown
1.
Create VLAN 75 and the L3 VLAN interface.
guest-lan GUEST_LAN_WEBAUTH 3
client vlan 75
2.