[Case study] Bridging a physical AP to an H3C vAC in EVE-NG for wireless portal testing
<p>1. Network topology</p><p>This experiment has quite a few prerequisites that you need to prepare in advance.</p>
<p>(1) The vAC runs R5482 (the latest image has it); was4300.ipe is available in group 5. If you can't find it, ask the moderator.</p>
<p><img src="data/attachment/forum/202504/25/002506oj9a9xhjapqgeg9r.png" alt="图片.png" title="图片.png" /></p>
<p>(2) SW02 here is a physical S5320, because this model supports PoE. If you have a power adapter for the AP, this bridging is not needed.</p>
<p>(3) I also planned to do a local-forwarding experiment, but found that the local NIC does not pass through frames <strong>carrying a VLAN tag</strong>, so the final version uses centralised forwarding. If anyone can solve this problem, I can publish another version.</p>
<p><img src="data/attachment/forum/202504/25/001001rm8nfb1gmbgmnllm.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/070837h8nb3fta8unec8th.png" alt="图片.png" title="图片.png" /></p>
<p>2. Device configuration</p>
<p>(1) PE01</p>
<pre><code>#
sysname PE01
#
ip unreachables enable
ip ttl-expires enable
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
#
interface GigabitEthernet1/0
port link-mode route
ip address 172.16.0.1 255.255.255.252
#
interface GigabitEthernet2/0
port link-mode route
ip address dhcp-alloc
nat outbound 2000
#
ip route-static 192.168.1.0 24 172.16.0.2
</code></pre>
<p>(2) AC01</p>
<pre><code>#
sysname AC01
#
wlan global-configuration
region-code CN
y
#
ip unreachables enable
ip ttl-expires enable
#
dhcp enable
#
vlan 10 100
#
dhcp server ip-pool ap
gateway-list 172.16.100.254
network 172.16.100.0 mask 255.255.255.0
forbidden-ip 172.16.100.254
#
dhcp server ip-pool user
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
dns-list 218.85.152.99
forbidden-ip 192.168.1.254
#
radius session-control enable
#
radius scheme h3c
primary authentication 10.1.5.100 key cipher pass@800
primary accounting 10.1.5.100 key cipher pass@800
timer realtime-accounting 1
user-name-format without-domain
nas-ip 172.16.100.254
#
domain h3c
authorization-attribute idle-cut 2 1024
authentication portal radius-scheme h3c
authorization portal radius-scheme h3c
accounting portal radius-scheme h3c
#
portal free-rule 0 destination ip 10.1.5.100 255.255.255.255
portal free-rule 1 destination ip 218.85.152.99 255.255.255.255
#
portal web-server h3c
url http://10.1.5.100:8080/portal
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal server h3c
ip 10.1.5.100 key cipher pass@800
service-type imc
#
wlan service-template h3c
ssid h3c-wifi
vlan 10
portal enable method direct
portal domain h3c
portal bas-ip 172.16.100.254
portal apply web-server h3c
service-template enable
#
wlan ap ap01 model WA4320-ACN-SI
mac-address 741f-4a36-c540
map-configuration flash:/apcfg.txt
vlan 1
radio 1
radio enable
service-template h3c
radio 2
radio enable
service-template h3c
#
interface Vlan-interface10
ip address 192.168.1.254 255.255.255.0
#
interface Vlan-interface100
ip address 172.16.100.254 255.255.255.0
#
interface GigabitEthernet1/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
interface GigabitEthernet2/0
port link-mode route
ip address 192.168.11.1 255.255.255.0
#
ip route-static 0.0.0.0 0 172.16.100.253
#
local-user admin class manage
password simple h3c@123456
service-type ssh telnet http https
authorization-attribute user-role network-admin
</code></pre>
<p>(3) SW01</p>
<pre><code>#
sysname SW01
#
interface Vlan-interface100
description thg
ip address 172.16.100.253 255.255.255.0
#
interface GigabitEthernet1/0
port link-mode route
ip address 172.16.0.2 255.255.255.252
#
interface GigabitEthernet2/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
interface GigabitEthernet3/0
port link-mode route
ip address 10.1.5.254 255.255.255.0
#
interface GigabitEthernet4/0
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 100
port trunk pvid vlan 100
#
ip route-static 0.0.0.0 0 172.16.0.1
ip route-static 192.168.1.0 24 172.16.100.254
</code></pre>
<p>(4) SW02</p>
<pre><code>#
sysname SW02
#
vlan 4001
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 4001
stp edged-port enable
#
interface GigabitEthernet0/0/20
port link-type access
port default vlan 4001
stp edged-port enable
</code></pre>
<p>3. Agile Controller configuration (omitted)</p>
<p><img src="data/attachment/forum/202504/25/002912iccknm8kcx2mo2p1.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/002927nd2o2byyahfq2z57.png" alt="图片.png" title="图片.png" /></p>
<p>=============================================</p>
<p>Authentication rule</p>
<p><img src="data/attachment/forum/202504/25/002954a55dv4e30d3wdd1n.png" alt="图片.png" title="图片.png" /></p>
<p>Authorization result</p>
<p><img src="data/attachment/forum/202504/25/003018xilyrhl4s04rllyy.png" alt="图片.png" title="图片.png" /></p>
<p>Authorization rule</p>
<p><img src="data/attachment/forum/202504/25/003106nuubu8bbafb58cc8.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/003121mbmwby9zm0xjp4wd.png" alt="图片.png" title="图片.png" /></p>
<p>4. Experiment results</p>
<p>(1) The AP comes online normally.</p>
<p><img src="data/attachment/forum/202504/25/001437k9o4ao4x9loyqfo6.png" alt="图片.png" title="图片.png" /></p>
<p>(2) The PC obtains the correct address, and both the portal port and DNS are reachable</p>
<p><img src="data/attachment/forum/202504/25/001542up1p3vz5p6r6b32w.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/001654r0t8gtg8tqcet45e.png" alt="图片.png" title="图片.png" /></p>
<p>(3) The portal page is pushed normally and authentication succeeds.</p>
<p><img src="data/attachment/forum/202504/25/001724wpopogocad7oludc.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/001752css8bk7vtzrqmvks.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/001850y8k8mzevo9powo8v.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/25/001956glo2w8ia5ae87c64.png" alt="图片.png" title="图片.png" /></p>
<p>5. Video demo: after the first portal login, if the NIC disconnects abnormally, can the client come back online directly without re-authenticating?</p>
<video controls="controls" src="forum.php?mod=attachment&aid=2647"></video>
<p><img src="data/attachment/forum/202504/25/050444wa3crhzr99rrh55h.png" alt="image.png" title="image.png" /><br />
The fix for a VMware environment in which a bridged physical NIC cannot pass through VLAN-tagged frames is in section 9.5.2 of the official EVE cookbook, but it requires the physical NIC to be an Intel NIC and the corresponding registry entry to be modified; see the following link for details:<br />
<a href="https://www.intel.com/content/www/us/en/support/articles/000005498/ethernet-products.html">https://www.intel.com/content/www/us/en/support/articles/000005498/ethernet-products.html</a></p>
<p>A rough translation follows:</p>
<h3>My sniffer cannot detect VLAN, 802.1q or QoS tagged frames</h3>
<p>2025-02-11 00:00:00</p>
<p>My sniffer cannot detect VLAN or QoS tagged frames.</p>
<h3>How do I resolve it?</h3>
<p><strong>Note</strong>: After changing an adapter's registry settings on Windows*, Windows must be restarted for the new registry settings to take effect.</p>
<p>Tagged frames are stripped by the driver; however, the tags can be detected by changing the registry. In some drivers the registry change cannot pass a particular type of tag. Most current drivers have this capability, and we recommend using the latest driver version.</p>
<h4>On Windows</h4>
<p>To let tagged frames pass to the packet-capture software, a registry DWORD value and its data must be added, or the value of an existing registry entry changed. The registry change required depends on the driver in use:</p>
<table>
<thead>
<tr>
<th>Adapter driver</th>
<th>Registry key</th>
</tr>
</thead>
<tbody>
<tr>
<td>e1g, e1e, e1y</td>
<td>MonitorModeEnabled</td>
</tr>
<tr>
<td>e1c, e1d, e1k, e1q, e1r, ixe, ixn, ixt</td>
<td>MonitorMode</td>
</tr>
</tbody>
</table>
<p><strong>Note</strong>: To find out which driver is in use, see "How do I identify my wired Ethernet adapter and driver version?". Drivers that ship with Windows may not support promiscuous mode. This registry key is supported only in Intel drivers.</p>
<p>Place the new key (DWORD) under:</p>
<p>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00nn</p>
<p>where nn is the physical instance number of the network port on which you want to capture VLAN tags. ControlSet001 may need to be the Current Control Set or another 00x number.</p>
<p><strong>Note</strong>: Changes to the registry can render the system unusable. Registry changes should be made by skilled personnel, and this change is intended only for promiscuous-mode/sniffing use.</p>
<p>When creating or changing the MonitorModeEnabled DWORD, set it to one of the following:</p>
<ul>
<li>0 - Disabled (do not store bad packets, do not store the cyclic redundancy check (CRC), strip 802.1Q VLAN tags)</li>
<li>1 - Enabled (store bad packets, store the CRC, do not strip 802.1Q VLAN tags)</li>
</ul>
<p>When creating or changing the MonitorMode DWORD, set it to one of the following:</p>
<ul>
<li>0 - Disabled (do not store bad packets, do not store the CRC, strip 802.1Q VLAN tags)</li>
<li>1 - Enabled (receive bad/runt/invalid-CRC packets, keep the CRC on the packet, do not strip VLAN tags, and ignore packets sent to other VLANs as in normal operation)</li>
</ul>
<p><strong>Note</strong>: Windows must be restarted for the registry change to take effect.</p>
<h4>On Linux</h4>
<p>By default, a driver in promiscuous mode does not strip VLAN tags.</p>
<ul>
<li>To strip VLAN tags: load the 802.1q module supplied with the kernel. This step automatically enables the Intel network hardware offload that strips and inserts VLAN tags. For support and information on loading the 802.1q module, contact your distribution vendor.</li>
<li>Your capture software is responsible for enabling promiscuous mode in the driver. If the driver is not in promiscuous mode, packets are dropped or ignored because their type/length field is wrong.</li>
</ul>
<h3>Summary</h3>
<p>The page deals with a sniffer failing to detect VLAN, 802.1q or QoS tagged frames and how to fix it. On Windows, depending on the adapter driver, a specific DWORD must be added or changed in the registry under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00nn, followed by a Windows restart. On Linux, the default driver does not strip VLAN tags in promiscuous mode; the 802.1q module must be loaded if stripping is wanted, and the capture software is responsible for enabling promiscuous mode in the driver.</p>
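The AC01 configuration in section 2 above relies on a few pieces fitting together before a client can even see the portal page: the DHCP pool hands out 218.85.152.99 as DNS, and free-rule 1 permits that address before login; free-rule 0 permits the portal/RADIUS server 10.1.5.100; and the `portal bas-ip` and RADIUS `nas-ip` are both addresses the AC itself owns. The script below is an added example for this thread, not the author's or H3C's code. It pastes the relevant part of the posted AC01 config as sample input, parses it block by block (the parser is line-based and only knows the commands that appear in the post), and reports any pre-login destination without a free-rule, any bas-ip/nas-ip that is not a local interface address, and any `password simple` local user.

```python
"""Portal pre-authentication consistency checks for an H3C Comware AC config.

Added example for this thread, not the author's or H3C's code. AC01_EXCERPT is the
DHCP, RADIUS, portal, interface and local-user part of the AC01 config from the first
post, copied as posted; the parser only knows the commands that appear in the post.
"""
import ipaddress
import re
from urllib.parse import urlparse

AC01_EXCERPT = """\
#
dhcp server ip-pool user
dns-list 218.85.152.99
#
radius scheme h3c
primary authentication 10.1.5.100 key cipher pass@800
nas-ip 172.16.100.254
#
portal free-rule 0 destination ip 10.1.5.100 255.255.255.255
portal free-rule 1 destination ip 218.85.152.99 255.255.255.255
#
portal web-server h3c
url http://10.1.5.100:8080/portal
#
portal server h3c
ip 10.1.5.100 key cipher pass@800
#
wlan service-template h3c
portal bas-ip 172.16.100.254
#
interface Vlan-interface100
ip address 172.16.100.254 255.255.255.0
#
local-user admin class manage
password simple h3c@123456
"""


def parse_ac_config(text):
    """Split on '#' separators; the first line of each block is the context the rest belongs to."""
    cfg = {"free_rules": [], "dns": [], "nas_ip": None, "web_hosts": [],
           "portal_servers": [], "bas_ips": [], "local_ips": [], "plain_users": []}
    for block in text.split("\n#\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip() and ln.strip() != "#"]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        for line in lines:  # free-rules are top-level commands: destination ip + dotted mask
            m = re.match(r"portal free-rule \d+ destination ip (\S+) (\S+)", line)
            if m:
                cfg["free_rules"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        for line in body:
            if head.startswith("dhcp server ip-pool") and line.startswith("dns-list "):
                cfg["dns"] += line.split()[1:]
            elif head.startswith("radius scheme") and line.startswith("nas-ip "):
                cfg["nas_ip"] = line.split()[1]
            elif head.startswith("portal web-server") and line.startswith("url "):
                cfg["web_hosts"].append(urlparse(line.split()[1]).hostname)
            elif head.startswith("portal server") and line.startswith("ip "):
                cfg["portal_servers"].append(line.split()[1])
            elif head.startswith("wlan service-template") and line.startswith("portal bas-ip "):
                cfg["bas_ips"].append(line.split()[2])
            elif head.startswith("interface") and re.match(r"ip address \d", line):
                cfg["local_ips"].append(line.split()[2])
            elif head.startswith("local-user") and line.startswith("password simple "):
                cfg["plain_users"].append(head.split()[1])
    return cfg


def check_portal_config(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    # The post opens DNS, the portal web server and the authentication server with
    # free-rules; report any of those pre-login destinations that lacks one.
    needed = ([("DNS server", d) for d in cfg["dns"]]
              + [("portal web server", h) for h in cfg["web_hosts"]]
              + [("portal authentication server", p) for p in cfg["portal_servers"]])
    for role, dst in needed:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            findings.append(f"{role} {dst} is a hostname; add a free-rule for the address it resolves to")
            continue
        if not any(addr in net for net in cfg["free_rules"]):
            findings.append(f"{role} {dst} has no portal free-rule; clients cannot reach it before login")
    # bas-ip and nas-ip are source addresses the AC writes into its own packets, so they must be local.
    sources = [("portal bas-ip", b) for b in cfg["bas_ips"]]
    if cfg["nas_ip"]:
        sources.append(("radius nas-ip", cfg["nas_ip"]))
    for role, ip in sources:
        if ip not in cfg["local_ips"]:
            findings.append(f"{role} {ip} is not configured on any interface of this device")
    for user in cfg["plain_users"]:
        findings.append(f"local-user {user}: 'password simple' keeps the password readable in the config")
    return findings


if __name__ == "__main__":
    print("\n".join(check_portal_config(parse_ac_config(AC01_EXCERPT)) or ["all checks passed"]))
```

Run against the posted config, the only finding is the `password simple` admin account; deleting free-rule 1 makes the DNS dependency show up immediately, which is the failure mode a client would otherwise only reveal by never being redirected to the portal. To reuse the script on the local-forwarding or local-portal variants later in the thread, paste their AC01 config into `AC01_EXCERPT`; the commands it reads are the same.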
Hello, is there a usable image for Agile Controller?
luohb posted on 2025-4-26 08:47
Hello, is there a usable image for Agile Controller?
No, I used someone else's account. The only usable option in the group is probably FreeRADIUS + local portal, and I haven't tested that.
This post was last edited by cfplzjc on 2025-4-30 11:13
<p>A local-forwarding model question was left open last time. Since it is closer to how real projects are done, it is supplemented below.</p>
<p><strong>1. Network topology</strong></p>
<p>To make the topology look better, the core switch was changed from the original VSR1000 to an S9850</p>
<p><img src="data/attachment/forum/202504/30/104825p9bd99bpakli2mtt.png" alt="图片.png" title="图片.png" /></p>
<p>Note: by default the NIC does not pass through VLAN-tagged frames; the registry must be modified and the machine rebooted, see the link below</p>
<p>https://blog.csdn.net/weixin_41666796/article/details/134974459</p>
<p><strong>2. Device configuration</strong></p>
<p>(1) AC. Changes: the vlan is removed from the wlan service template (it is only used for centralised forwarding), and the radios under wlan ap bind the template with vlan 10</p>
<pre><code>#
sysname AC01
#
wlan global-configuration
region-code CN
y
#
vlan 10
#
vlan 100
#
ip unreachables enable
ip ttl-expires enable
#
dhcp enable
#
lldp global enable
#
dhcp server ip-pool ap
gateway-list 172.16.100.254
network 172.16.100.0 mask 255.255.255.0
forbidden-ip 172.16.100.254
#
radius session-control enable
#
radius scheme h3c
primary authentication 10.1.5.100 key cipher pass@800
primary accounting 10.1.5.100 key cipher pass@800
timer realtime-accounting 1
user-name-format without-domain
nas-ip 172.16.100.254
#
domain h3c
authorization-attribute idle-cut 2 1024
authentication portal radius-scheme h3c
authorization portal radius-scheme h3c
accounting portal radius-scheme h3c
#
portal free-rule 0 destination ip 10.1.5.100 255.255.255.255
portal free-rule 1 destination ip 218.85.152.99 255.255.255.255
#
portal web-server h3c
url http://10.1.5.100:8080/portal
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal server h3c
ip 10.1.5.100 key cipher pass@800
#
wlan service-template h3c
ssid h3c-wifi
client forwarding-location ap
undo bss transition-management enable
portal enable method direct
portal domain h3c
portal bas-ip 172.16.100.254
portal apply web-server h3c
service-template enable
#
wlan ap ap01 model WA4320-ACN-SI
mac-address 741f-4a36-c540
map-configuration flash:/apcfg.txt
vlan 1
radio 1
radio enable
service-template h3c vlan 10
radio 2
radio enable
service-template h3c vlan 10
#
interface Vlan-interface100
ip address 172.16.100.254 255.255.255.0
#
interface GigabitEthernet2/0
port link-mode route
ip address 192.168.11.1 255.255.255.0
#
interface GigabitEthernet1/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
ip route-static 0.0.0.0 0 172.16.100.253
</code></pre>
<p>(2) S9850; the user address pool is placed on the core switch.</p>
<pre><code>#
sysname SW01
#
dhcp enable
#
lldp global enable
#
vlan 10
#
vlan 100
#
dhcp server ip-pool user
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
dns-list 218.85.152.99
forbidden-ip 192.168.1.254
#
interface Vlan-interface10
ip address 192.168.1.254 255.255.255.0
#
interface Vlan-interface100
description thg
ip address 172.16.100.253 255.255.255.0
#
interface Hge1/0/1
port link-mode route
ip address 172.16.0.2 255.255.255.252
#
interface Hge1/0/2
port link-mode bridge
y
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
interface Hge1/0/3
port link-mode route
ip address 10.1.5.254 255.255.255.0
#
interface Hge1/0/4
port link-mode bridge
y
port link-type trunk
port trunk permit vlan 1 10 100
#
ip route-static 0.0.0.0 0 172.16.0.1
</code></pre>
<p>(3) S5320; the uplink and downlink ports allow vlan 10 and 100 to pass</p>
<pre><code>#
sysname Mgmt-S5320
#
interface GigabitEthernet0/0/19
port link-type trunk
port trunk allow-pass vlan 10 100
stp edged-port enable
#
interface GigabitEthernet0/0/20
port hybrid pvid vlan 100
port hybrid tagged vlan 10
port hybrid untagged vlan 100
stp edged-port enable
</code></pre>
<p><strong>3. Experiment results</strong></p>
<p>(1) The PC obtains an address normally and portal authentication is triggered</p>
<p><img src="data/attachment/forum/202504/30/110437me1g11o1eechz88y.png" alt="图片.png" title="图片.png" /></p>
<p>(2) The tracert path is as expected</p>
<p><img src="data/attachment/forum/202504/30/110646l78no14ennze5qz1.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202504/30/110757u2q2233ffq6wfoze.png" alt="图片.png" title="图片.png" /></p>
<p>(3) A capture on HGE1/0/4 shows only a single user VLAN tag, as expected</p>
<p><img src="data/attachment/forum/202504/30/110932e94sxjccxjjzxjjl.png" alt="图片.png" title="图片.png" /></p>
<p>1. Some folks don't have an external RADIUS such as Agile Controller, so here is how to run the experiment with H3C CloudLab Server as RADIUS and the portal built into the H3C vAC 1000. Only a few commands are needed to enable web management</p>
<pre><code>#
local-user admin class manage
password simple h3c@123456
service-type ssh telnet http https
authorization-attribute user-role network-admin
</code></pre>
<p><img src="data/attachment/forum/202505/01/235841yqib2qnzmz6k6mik.png" alt="图片.png" title="图片.png" /></p>
<p>2. Experiment topology</p>
<p><img src="data/attachment/forum/202505/01/235930gpp6w6dz1c2wllhl.png" alt="图片.png" title="图片.png" /></p>
<p>3. Device configuration</p>
<p>(1) AC01</p>
<pre><code>#
sysname AC01
#
wlan global-configuration
region-code CN
y
#
ip unreachables enable
ip ttl-expires enable
#
dhcp enable
#
vlan 10
#
vlan 100
#
dhcp server ip-pool ap
gateway-list 172.16.100.254
network 172.16.100.0 mask 255.255.255.0
forbidden-ip 172.16.100.254
#
radius session-control enable
#
radius scheme h3c
primary authentication 192.168.11.200 key cipher pass@800
primary accounting 192.168.11.200 key cipher pass@800
timer realtime-accounting 1
user-name-format without-domain
nas-ip 172.16.100.254
#
domain h3c
authorization-attribute idle-cut 2 1024
authentication portal radius-scheme h3c
authorization portal radius-scheme h3c
accounting portal radius-scheme h3c
#
portal free-rule 0 destination ip 192.168.11.200 255.255.255.255
portal free-rule 1 destination ip 218.85.152.99 255.255.255.255
#
portal web-server h3c
url http://172.16.100.254/portal
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal local-web-server http
default-logon-page defaultfile.zip
#
wlan service-template h3c
ssid h3c-wifi
client forwarding-location ap
undo bss transition-management enable
portal enable method direct
portal domain h3c
portal bas-ip 172.16.100.254
portal apply web-server h3c
service-template enable
#
interface Vlan-interface100
ip address 172.16.100.254 255.255.255.0
#
interface GigabitEthernet1/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
ip route-static 0.0.0.0 0 172.16.100.253
#
wlan ap ap01 model WA4320-ACN-SI
mac-address 741f-4a36-c540
map-configuration flash:/apcfg.txt
vlan 1
radio 1
radio enable
service-template h3c vlan 10
radio 2
radio enable
service-template h3c vlan 10
</code></pre>
<p>(2) SW01</p>
<pre><code>#
sysname SW01
#
ip unreachables enable
ip ttl-expires enable
#
dhcp enable
#
vlan 10
#
vlan 100
#
dhcp server ip-pool user
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
dns-list 218.85.152.99
forbidden-ip 192.168.1.254
#
interface Vlan-interface10
ip address 192.168.1.254 255.255.255.0
#
interface Vlan-interface100
description thg
ip address 172.16.100.253 255.255.255.0
#
interface HundredGigE1/0/1
port link-mode route
ip address 172.16.0.2 255.255.255.252
#
interface HundredGigE1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
interface HundredGigE1/0/3
port link-mode route
ip address 192.168.11.1 255.255.255.0
#
interface HundredGigE1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 100
#
ip route-static 0.0.0.0 0 172.16.0.1
</code></pre>
<p>(3) HCL Server: enter the IP address 192.168.11.200 directly; entering anything else may fail to redirect. Username: root, password: 123456. If the management address is inconvenient, it is best to change it in the web UI, otherwise association errors are likely.</p>
<p><img src="data/attachment/forum/202505/02/001706fgq3g2wagaat52if.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202505/02/001901x21n2oo2dz2rnnix.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202505/02/001929j949hi8z08rpr8ha.png" alt="图片.png" title="图片.png" /></p>
<p>4. Experiment results</p>
<p>(1) The PC pops up the login page and can authenticate successfully</p>
<p><img src="data/attachment/forum/202505/02/002029qq6bckvp6r2twzq6.png" alt="图片.png" title="图片.png" /></p>
<p><img src="data/attachment/forum/202505/02/002053qxllqagghiww8sqq.png" alt="图片.png" title="图片.png" /></p>
<p>(2) Portal user information can be viewed on the AC</p>
<p><img src="data/attachment/forum/202505/02/002137oljzl9tx4514xz5s.png" alt="图片.png" title="图片.png" /></p>
<p>(3) HCL Server does not seem to show the RADIUS user authentication and online interaction; anyone who knows is welcome to fill this in~~</p>