...
Создаем белый список URL, он будет содержать URL и RegExp, доступ к этим адресам будет разрешён
Блок кода object-group url white_url url eltex-co.ru regexp '(.+\.)eltex-co\.com' exit
Создаем белый список IP адресов, доступ к этим адресам будет разрешён
Блок кода object-group network white_ip ip prefix 192.168.0.0/24 ip prefix 192.168.1.0/24 ip prefix 100.110.0.0/23 exit
Создаем portal-profile
Описание параметров:
redirect-url – aдрес портала;
age-timeout – временной интервал в течении которого точка доступа "помнит" клиента;
verification-mode – режим работы портала;
white-list – белый список URL;
white_ip – белый список IP адресов.Блок кода wlc portal-profile portal-pr redirect-url https://eltex-co.ru age-timeout 10 verification-mode external-portal white-list domain white_url white-list address white_ip exit exit
Создаем radius-profile
Блок кода wlc radius-profile portal_radius auth-address 192.168.4.5 auth-password ascii-text encrypted 92BB3C7EB50C5AFE80 auth-acct-id-send acct-enable acct-address 192.168.4.5 acct-password ascii-text encrypted 92BB3C7EB50C5AFE80 acct-periodic acct-interval 300 exit exit
Создаем ssid-profile
Блок кода wlc ssid-profile portal_test ssid portal_test portal-enable portal-profile portal-pr vlan-id 3 band 5g enable exit exit
Добавляем ssid-profile в ap-location
Блок кода wlc ap-location default-location description default-location mode tunnel ap-profile default-ap ssid-profile portal_test exit exit
Конфигурация устройства
| Блок кода | ||||
|---|---|---|---|---|
| ||||
#!/usr/bin/clish
#260
#1.26.1
#02/07/2024
#21:56:21
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service web
port-range 443
exit
object-group network white_ip
ip prefix 192.168.0.0/24
ip prefix 192.168.1.0/24
ip prefix 100.110.0.0/23
exit
object-group url white_url
url eltex-co.ru
regexp '(.+\.)eltex-co\.com'
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$mxcmBjMFhD3le5vZ$3qVKBN4Y6Uh126nuH/9VWOiH5m1pMWI1KvRTrrie5ZgmKaYxxZgeinS6Y210.3P2n.ZhlVHbaCcLKlfbOJzEG.
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 1
security-zone trusted
ip address 192.168.1.1/24
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.1/24
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
rule 120
action permit
match protocol tcp
match destination-port object-group web
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.2-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.2-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
softgre-controller
nas-ip-address 127.0.0.1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
ssid-profile default-ssid
ssid-profile portal_test
exit
airtune-profile default_airtune
description default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ssid-profile portal_test
ssid portal_test
portal-enable
portal-profile portal-pr
vlan-id 3
band 5g
enable
exit
radio-2g-profile default_2g
description default_2g
exit
radio-5g-profile default_5g
description default_5g
exit
ap-profile default-ap
description default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
portal-profile portal-pr
redirect-url https://eltex-co.ru
age-timeout 10
verification-mode external-portal
white-list domain white_url
white-list address white_ip
exit
radius-profile default-radius
description default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
radius-profile portal_radius
auth-address 192.168.4.5
auth-password ascii-text encrypted 92BB3C7EB50C5AFE80
auth-acct-id-send
acct-enable
acct-address 192.168.4.5
acct-password ascii-text encrypted 92BB3C7EB50C5AFE80
acct-periodic
acct-interval 300
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit
wlc-journal all
limit days 365
exit
ip ssh server
ntp enable
ntp broadcast-client enable
ip https server |
Диаграмма подключения
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...