Начиная с версии 1.4.1345 система WNAM поддерживает взаимодействие со шлюзами унифицированного доступа Zyxel UAG. Шлюз является интернет-маршрутизатором и контроллером точек доступа и содержит встроенный хотспот (портал перехвата), с которым и взаимодействует система WNAM.

Настройка шлюза в целом повторяет настройку контроллера NXC. Настройка системы WNAM такая же (выберите Zyxel NXC в качестве типа сервера доступа).

В приведенном ниже примере используются следующие начальные данные:

  • сервер WNAM имеет адрес 10.8.8.189;
  • контроллер имеет адрес 10.8.8.11;
  • беспроводные абоненты имеют адреса в сети 172.16.0.0/16.

Настройку контроллера необходимо произвести в соответствии с рисунками, представленными ниже.

Конфигурационный файл контроллера будет выглядеть следующим образом (пример лабораторный: в нём глобально отключена политика безопасности — `no secure-policy activate`, SSID открыт без шифрования — `mode none`, портал входа указан по незащищённому `http://`, а правило walled garden должно открывать неавторизованным клиентам только хост сервера WNAM (/32), а не всю его подсеть; перед использованием в продуктивной сети эти параметры следует пересмотреть):

! saved at 2017-09-18 12:12:41
! model: UAG5100
! firmware version: 4.18(AAPN.0)
!
! NOTE(review): this dump is from a 2017 firmware build; check the vendor's
! current advisories and firmware before reusing the configuration as-is.
interface-name ge1 wan1
interface-name ge2 wan2
interface-name ge3 lan1
interface-name ge4 lan2
interface-name ge5 dmz
!
! RADIUS server group used for hotspot (web-auth) authentication and accounting.
! Authentication and accounting are sent to the WNAM host 10.8.8.189 over plain
! UDP 1812/1813; RADIUS only obfuscates the User-Password attribute, so the
! shared secrets (redacted below) and network isolation of 10.8.8.0/24 from
! hotspot clients are the only protections. Use long, random secrets, and note
! that the auth key (encrypted-key) and the accounting secret (acct-secret) are
! configured separately here.
aaa group server radius wnam
server encrypted-key $4$...
! Interim accounting updates (presumably minutes - confirm against WNAM's
! expected interval); interim records let WNAM see session volume/time.
server acct-interim-interval 5
server acct-retry-count 3
! NOTE(review): attribute 11 is Filter-Id; presumably used to map RADIUS users
! to a local group - confirm against the attributes WNAM actually returns.
server group-attribute 11
server timeout 5
! NAS-IP-Address sent to WNAM; must match the access-server entry in WNAM
! (10.8.8.11 is the wan1 address, see the interface wan1 section).
server nas-ip 10.8.8.11
case-sensitive
server acct-secret ...
server acct-interim activate
server host 10.8.8.189 auth-port 1812
server acct-address 10.8.8.189 acct-port 1813
!
! Built-in administrator account (password redacted). The default admin name is
! kept; change its password from the factory value before exposing management.
username admin encrypted-password $4... user-type admin
! Users authenticated externally (via RADIUS) are mapped to the non-admin
! ext-user type, so a portal account cannot obtain administrator rights.
username radius-users user-type ext-user
! Re-authentication interval for external users (units not shown - presumably
! minutes; confirm).
username radius-users logon-re-auth-time 10
username radius-users logon-time-setting default
!
! Authentication method list "WNAM": local user database first, then the RADIUS
! group above. This same list is bound to the management web server
! ("ip http authentication WNAM" further below), so any account known to the
! WNAM RADIUS server can at least attempt a management login; the ext-user type
! limits what it can do - verify that this is acceptable.
aaa authentication WNAM local group wnam
!
port-grouping lan1
port 3
!
port-grouping lan2
port 4
!
port-grouping dmz
port 5
!
! PPPoE accounts are defined but no credentials are shown; unused in this lab.
account pppoe WAN1_PPPoE_ACCOUNT
!
account pppoe WAN2_PPPoE_ACCOUNT
!
! DHCP pool for hotspot clients (172.16.0.0/16, matches the prose above).
! The gateway itself is the clients' DNS server (first-dns-server Device).
ip dhcp pool Network_Pool_LAN1
network 172.16.0.0 255.255.0.0
default-router 172.16.0.1
first-dns-server Device
starting-address 172.16.0.20 pool-size 4096
lease 1 0 0
!
ip dhcp pool Network_Pool_LAN2
network 172.17.0.0 255.255.0.0
default-router 172.17.0.1
first-dns-server Device
starting-address 172.17.1.1 pool-size 4096
lease 1
!
ip dhcp pool Network_Pool_DMZ
network 172.18.0.0 255.255.0.0
default-router 172.18.0.1
first-dns-server Device
starting-address 172.18.1.1 pool-size 4096
lease 1
!
! wan1 carries the 10.8.8.0/24 network where the WNAM server (10.8.8.189) lives,
! so RADIUS and portal traffic leaves through the WAN zone. In this lab that
! network is presumably a management LAN; in production, RADIUS should not
! cross an untrusted network unprotected (an IPSec_VPN zone exists below).
interface wan1
ip address 10.8.8.11 255.255.255.0
type external
ip gateway 10.8.8.254 metric 0
upstream 1048576
downstream 1048576
mtu 1500
!
interface wan2
ip address dhcp
type external
shutdown
!
! Hotspot client interface (the only internal interface that is not shut down).
interface lan1
ip address 172.16.0.1 255.255.0.0
ip dhcp-pool Network_Pool_LAN1
type internal
!
interface lan2
ip address 172.17.0.1 255.255.0.0
ip dhcp-pool Network_Pool_LAN2
type internal
shutdown
!
interface dmz
ip address 172.18.0.1 255.255.0.0
ip dhcp-pool Network_Pool_DMZ
type internal
shutdown
!
interface wan1_ppp
account WAN1_PPPoE_ACCOUNT
!
interface wan2_ppp
account WAN2_PPPoE_ACCOUNT
!
address-object LAN1_SUBNET interface-subnet lan1
address-object LAN2_SUBNET interface-subnet lan2
address-object DMZ_SUBNET interface-subnet dmz
! Host object for the WNAM server; used by web-auth policy 2 below.
address-object wnam 10.8.8.189
! NOTE(review): misleading name - "Wan_subnet" is actually the lan1 hotspot
! client subnet (172.16.0.0/16), i.e. the same range as LAN1_SUBNET. It is the
! source of web-auth policy 1; consider renaming so firewall rules are not
! misread.
address-object Wan_subnet 172.16.0.0/16
!
object-group address WNAM_Group
address-object wnam
address-object Wan_subnet
! Service objects; these look like the factory defaults and are used by the
! secure-policy and web-auth rules below.
service-object Any_UDP udp range 1 65535
service-object Any_TCP tcp range 1 65535
service-object AH protocol 51
service-object AIM tcp eq 5190
service-object NEW_ICQ tcp eq 5190
service-object AUTH tcp eq 113
service-object BGP tcp eq 179
service-object BOOTP_CLIENT udp eq 68
service-object BOOTP_SERVER udp eq 67
service-object CAPWAP-CONTROL udp eq 5246
service-object CAPWAP-DATA udp eq 5247
service-object CU_SEEME_TCP1 tcp eq 7648
service-object CU_SEEME_TCP2 tcp eq 24032
service-object CU_SEEME_UDP1 udp eq 7648
service-object CU_SEEME_UDP2 udp eq 24032
service-object DNS_TCP tcp eq 53
service-object DNS_UDP udp eq 53
service-object ESP protocol 50
service-object FINGER tcp eq 79
service-object FTP tcp range 20 21
service-object GRE protocol 47
service-object H323 tcp eq 1720
service-object HTTP tcp eq 80
service-object HTTPS tcp eq 443
service-object ICQ udp eq 4000
service-object IKE udp eq 500
service-object IMAP4 tcp eq 143
service-object IMAP4S tcp eq 993
service-object IP6to4 protocol 41
service-object IRC_TCP tcp eq 6667
service-object IRC_UDP udp eq 6667
service-object MSN tcp eq 1863
service-object MULTICAST protocol 2
service-object NEWS tcp eq 144
service-object NetBIOS_TCP1 tcp range 137 139
service-object NetBIOS_TCP2 tcp eq 445
service-object NetBIOS_UDP1 udp range 137 139
service-object NetBIOS_UDP2 udp eq 445
service-object NFS udp eq 2049
service-object NNTP tcp eq 119
service-object NTP udp eq 123
service-object PING icmp echo
service-object POP3 tcp eq 110
service-object POP3S tcp eq 995
service-object PPTP tcp eq 1723
service-object PPTP_TUNNEL protocol 47
service-object RCMD tcp eq 512
service-object RDP tcp eq 3389
service-object REAL-AUDIO tcp eq 7070
service-object REXEC tcp eq 514
service-object RLOGIN tcp eq 513
service-object ROADRUNNER_TCP tcp eq 1026
service-object ROADRUNNER_UDP udp eq 1026
service-object RTELNET tcp eq 107
service-object RTSP_TCP tcp eq 554
service-object RTSP_UDP udp eq 554
! NOTE(review): "SFTP" here is TCP/115 (the old Simple File Transfer Protocol),
! NOT SSH-based SFTP, which rides on SSH_TCP (22). Do not use this object to
! permit SSH file transfers.
service-object SFTP tcp eq 115
service-object SMTP tcp eq 25
service-object SMTPS tcp eq 465
service-object SNMP_TCP tcp eq 161
service-object SNMP_UDP udp eq 161
service-object SNMP-TRAPS_TCP tcp eq 162
service-object SNMP-TRAPS_UDP udp eq 162
service-object SQL-NET tcp eq 1521
service-object SSDP udp eq 1900
service-object SSH_TCP tcp eq 22
service-object SSH_UDP udp eq 22
service-object STRMWORKS udp eq 1558
service-object SYSLOG udp eq 514
service-object TACACS udp eq 49
service-object TELNET tcp eq 23
service-object TFTP udp eq 69
service-object VDOLIVE tcp eq 7000
service-object VRRP protocol 112
service-object NATT udp eq 4500
service-object RIP udp eq 520
service-object OSPF protocol 89
service-object SIP udp eq 5060
service-object Kerberos-TCP tcp eq 88
service-object MS-RPC tcp eq 135
service-object LDAP-TCP tcp eq 389
service-object LPR tcp eq 515
service-object LDAPS-TCP tcp eq 636
service-object VNC5800 tcp eq 5800
service-object VNC5900 tcp eq 5900
service-object Kerberos-UDP udp eq 88
service-object LDAP-UDP udp eq 389
service-object LDAPS-UDP udp eq 636
service-object L2TP-UDP udp eq 1701
service-object RADIUS-AUTH udp eq 1812
service-object RADIUS-ACCT udp eq 1813
service-object BONJOUR udp eq 5353
service-object PRINTER_DISCOVER udp eq 8000
!
object-group service CU-SEEME
service-object CU_SEEME_TCP1
service-object CU_SEEME_TCP2
service-object CU_SEEME_UDP1
service-object CU_SEEME_UDP2
!
object-group service DNS
service-object DNS_TCP
service-object DNS_UDP
!
object-group service IRC
service-object IRC_TCP
service-object IRC_UDP
!
object-group service NetBIOS
service-object NetBIOS_TCP1
service-object NetBIOS_TCP2
service-object NetBIOS_UDP1
service-object NetBIOS_UDP2
!
object-group service ROADRUNNER
service-object ROADRUNNER_TCP
service-object ROADRUNNER_UDP
!
object-group service RTSP
service-object RTSP_TCP
service-object RTSP_UDP
!
object-group service SNMP
service-object SNMP_TCP
service-object SNMP_UDP
!
object-group service SNMP-TRAPS
service-object SNMP-TRAPS_TCP
service-object SNMP-TRAPS_UDP
!
object-group service SSH
service-object SSH_TCP
service-object SSH_UDP
!
! Services the WAN zone may send to the device itself (used by secure-policy 9).
! HTTPS is included, so the management GUI is reachable from the WAN-zone
! interface wan1 when the security policy is active; SSH/FTP/SNMP are not.
object-group service Default_Allow_WAN_To_Device
description System Default Allow From WAN To Device
service-object AH
service-object ESP
service-object HTTPS
service-object IKE
service-object NATT
service-object GRE
service-object VRRP
!
object-group service Default_Allow_DMZ_To_Device
description System Default Allow From DMZ To Device
object-group DNS
object-group NetBIOS
service-object PRINTER_DISCOVER
! Security profile for the hotspot SSID. "mode none" = open network: there is
! no over-the-air encryption, so everything a client sends before and after
! portal login (including the HTTP portal form, see the web-auth profile
! below) is readable by anyone in radio range. Access control comes only from
! the captive portal, not from the WLAN layer.
wlan-security-profile default
mode none
eap internal default
! 802.1X/MAC-auth RADIUS settings below are presumably not used while the mode
! is "none"; the secret is redacted. Confirm before relying on them.
server-auth 1 activate
server-auth 1 ip address 10.8.8.189 port 1812 secret f...
mac-auth auth-method default
! Leftover PSK; unused with mode none.
wpa-psk-encrypted $4$...
!
! SSID "WNAM" bound to the open security profile above.
wlan-ssid-profile default
ssid WNAM
qos wmm
security default
bandselect mode disable
bandselect drop-probe-request 8
bandselect drop-authentication 3
bandselect time-out-period 120
bandselect check-sta-interval 600
bandselect min-sort-interval 300
!
wlan-monitor-profile default
activate
scan-method auto
scan-dwell 100
!
! Radio profiles below are RF tuning only (channels, aggregation, DCS,
! RSSI-based client steering); nothing here affects access control.
! Note that only this profile carries an explicit "activate" line.
wlan-radio-profile default
role ap
band 2.4G band-mode bgn
2g-channel 6
ch-width 20/40
dtim-period 2
beacon-interval 100
ampdu
limit-ampdu 50000
rssi-dbm -76
rssi-kickout -105
rssi-interval 2
rssi-optype 3
rssi-retrycount 6
rssi-verifytime 10
rssi-privilegetime 300
subframe-ampdu 32
amsdu
limit-amsdu 4096
block-ack
guard-interval short
tx-mask 7
rx-mask 7
dcs time-interval 720
dcs sensitivity-level high
dcs client-aware enable
dcs dcs-2g-method auto
dcs channel-deployment 3-channel
dcs dcs-5g-method auto
dcs dfs-aware enable
activate
dcs activate
!
! 5 GHz profile for slot2 of the "default" and "wnam" AP groups.
! NOTE(review): unlike "default" above, this profile has no "activate" line -
! verify the 5 GHz radio is actually enabled if that is intended.
wlan-radio-profile default2
role ap
band 5G band-mode an
2g-channel 6
ch-width 20/40
dtim-period 2
beacon-interval 100
ampdu
limit-ampdu 50000
rssi-dbm -76
rssi-kickout -105
rssi-interval 2
rssi-optype 3
rssi-retrycount 6
rssi-verifytime 10
rssi-privilegetime 300
subframe-ampdu 32
amsdu
limit-amsdu 4096
block-ack
guard-interval short
tx-mask 7
rx-mask 7
dcs time-interval 720
dcs sensitivity-level high
dcs client-aware enable
dcs dcs-2g-method auto
dcs channel-deployment 3-channel
dcs dcs-5g-method auto
dcs dfs-aware enable
!
! Profiles used by the "Unclassified" AP group (no "activate"): APs that have
! not been assigned to a group keep their radios off, which is a sensible
! default - an unexpectedly joining AP does not start serving the open SSID.
wlan-radio-profile Disabled-2G
role ap
band 2.4G band-mode bgn
2g-channel 6
ch-width 20
dtim-period 2
beacon-interval 100
ampdu
limit-ampdu 50000
rssi-dbm -76
rssi-kickout -105
rssi-interval 2
rssi-optype 3
rssi-retrycount 6
rssi-verifytime 10
rssi-privilegetime 300
subframe-ampdu 32
amsdu
limit-amsdu 4096
block-ack
guard-interval short
tx-mask 7
rx-mask 7
dcs time-interval 720
dcs sensitivity-level high
dcs client-aware enable
dcs dcs-2g-method auto
dcs channel-deployment 3-channel
dcs dcs-5g-method auto
dcs dfs-aware enable
!
wlan-radio-profile Disabled-5G
role ap
band 5G band-mode an
2g-channel 6
ch-width 20/40
dtim-period 2
beacon-interval 100
ampdu
limit-ampdu 50000
rssi-dbm -76
rssi-kickout -105
rssi-interval 2
rssi-optype 3
rssi-retrycount 6
rssi-verifytime 10
rssi-privilegetime 300
subframe-ampdu 32
amsdu
limit-amsdu 4096
block-ack
guard-interval short
tx-mask 7
rx-mask 7
dcs time-interval 720
dcs sensitivity-level high
dcs client-aware enable
dcs dcs-2g-method auto
dcs channel-deployment 3-channel
dcs dcs-5g-method auto
dcs dfs-aware enable
! AP group profiles. The lan-provision lines put every managed AP's wired
! LAN port(s) untagged into VLAN 1 - on models with extra client-facing ports
! (e.g. the nwa5301-nj with lan1..lan3) this gives anyone plugging into the AP
! the same VLAN as the AP uplink, with no portal in between. Presumably fine
! in a lab; review before deploying wall-plate APs in public areas.
ap-group-profile default
lan-provision model nwa5301-nj lan1 activate pvid 1
lan-provision model nwa5301-nj lan2 activate pvid 1
lan-provision model nwa5301-nj lan3 activate pvid 1
lan-provision model nwa5301-nj vlan0 activate vid 1 join lan1 untag lan2 untag lan3 untag
lan-provision model wac6502d-e lan1 activate pvid 1
lan-provision model wac6502d-e vlan0 activate vid 1 join lan1 untag
lan-provision model wac6502d-s lan1 activate pvid 1
lan-provision model wac6502d-s vlan0 activate vid 1 join lan1 untag
lan-provision model wac6503d-s lan1 activate pvid 1
lan-provision model wac6503d-s vlan0 activate vid 1 join lan1 untag
lan-provision model wac6553d-e lan1 activate pvid 1
lan-provision model wac6553d-e vlan0 activate vid 1 join lan1 untag
lan-provision model wac6103d-i lan1 activate pvid 1
lan-provision model wac6103d-i vlan0 activate vid 1 join lan1 untag
slot1 ap-profile default
slot1 ssid-profile 1 default
slot2 ap-profile default2
slot2 ssid-profile 1 default
load-balancing mode station
load-balancing max sta 10
load-balancing traffic level high
load-balancing alpha 5
load-balancing beta 10
load-balancing sigma 60
load-balancing timeout 20
load-balancing liInterval 10
load-balancing kickInterval 20
!
! Group for APs not yet classified: radios use the Disabled-* profiles and no
! SSID is assigned, so such APs do not broadcast anything.
ap-group-profile Unclassified
lan-provision model nwa5301-nj lan1 activate pvid 1
lan-provision model nwa5301-nj lan2 activate pvid 1
lan-provision model nwa5301-nj lan3 activate pvid 1
lan-provision model nwa5301-nj vlan0 activate vid 1 join lan1 untag lan2 untag lan3 untag
lan-provision model wac6502d-e lan1 activate pvid 1
lan-provision model wac6502d-e vlan0 activate vid 1 join lan1 untag
lan-provision model wac6502d-s lan1 activate pvid 1
lan-provision model wac6502d-s vlan0 activate vid 1 join lan1 untag
lan-provision model wac6503d-s lan1 activate pvid 1
lan-provision model wac6503d-s vlan0 activate vid 1 join lan1 untag
lan-provision model wac6553d-e lan1 activate pvid 1
lan-provision model wac6553d-e vlan0 activate vid 1 join lan1 untag
lan-provision model wac6103d-i lan1 activate pvid 1
lan-provision model wac6103d-i vlan0 activate vid 1 join lan1 untag
slot1 ap-profile Disabled-2G
slot2 ap-profile Disabled-5G
load-balancing mode station
load-balancing max sta 10
load-balancing traffic level high
load-balancing alpha 5
load-balancing beta 10
load-balancing sigma 60
load-balancing timeout 20
load-balancing liInterval 10
load-balancing kickInterval 20
!
ap-group-profile wnam
lan-provision model nwa5301-nj lan1 activate pvid 1
lan-provision model nwa5301-nj lan2 activate pvid 1
lan-provision model nwa5301-nj lan3 activate pvid 1
lan-provision model nwa5301-nj vlan0 activate vid 1 join lan1 untag lan2 untag lan3 untag
lan-provision model wac6502d-e lan1 activate pvid 1
lan-provision model wac6502d-e vlan0 activate vid 1 join lan1 untag
lan-provision model wac6502d-s lan1 activate pvid 1
lan-provision model wac6502d-s vlan0 activate vid 1 join lan1 untag
lan-provision model wac6503d-s lan1 activate pvid 1
lan-provision model wac6503d-s vlan0 activate vid 1 join lan1 untag
lan-provision model wac6553d-e lan1 activate pvid 1
lan-provision model wac6553d-e vlan0 activate vid 1 join lan1 untag
lan-provision model wac6103d-i lan1 activate pvid 1
lan-provision model wac6103d-i vlan0 activate vid 1 join lan1 untag
slot2 ap-profile default2
! Transmit power forced to the maximum on both radios; make sure this is
! within the local regulatory limit (not a security setting).
slot1 output-power 30dBm
slot2 output-power 30dBm
slot1 ssid-profile 1 default
slot2 ssid-profile 1 default
slot1 ap-profile default
!
ap-group first-priority wnam
!
! Rogue AP detection is on; containment (active de-authentication of rogue
! APs) is off. Keep containment off unless it is legally permitted where the
! system is deployed.
rogue-ap detection
activate
!
rogue-ap containment
no activate
!
no auto-healing activate
auto-healing healing-interval 10
auto-healing power-threshold -70
auto-healing healing-threshold -85
auto-healing margin 2
auto-healing healing-margin 10
!
! The single managed AP, identified by MAC.
capwap ap add EC:43:F6:FD:29:1C
!
! NOTE(review): the AP is placed in group "default", while "ap-group
! first-priority wnam" is set above; confirm which group the AP actually ends
! up in (both groups serve the same SSID, so this is mostly about the
! output-power settings).
ap-group-member default member EC:43:F6:FD:29:1C
!
! Manual add enabled: only explicitly listed APs are managed, which keeps an
! unauthorised AP on the wire from joining the controller automatically.
capwap manual-add enable
capwap ap fallback disable
capwap ap fallback interval 30
!
capwap ap EC:43:F6:FD:29:1C
! Zone layout: hotspot clients are in LAN1; the WNAM server sits behind wan1,
! i.e. in the WAN zone.
zone LAN1
interface lan1
!
zone LAN2
interface lan2
!
zone WAN
interface wan1
interface wan1_ppp
interface wan2
interface wan2_ppp
!
zone DMZ
interface dmz
!
zone IPSec_VPN
!
ip dns security-options 1
name Customize
address-object-group any
!
ip dns security-options default
name Default
address-object-group any
!
! Management web server. Plain HTTP is enabled alongside HTTPS, and the
! management login uses the "WNAM" method list (local, then RADIUS). With the
! security policy disabled (see "no secure-policy activate" at the end of this
! section) this GUI is reachable from every zone, including hotspot clients.
ip http server
ip http authentication WNAM
!
! HTTPS uses the factory "default" certificate (self-signed): browsers warn,
! and users learn to click through, which also defeats MITM protection. Install
! a certificate issued for the device's management name.
ip http secure-server cert default
!
hostname uag5100
!
ip ssh server cert default
ip ssh server
!
console baud 115200
!
! FTP server (used by the vendor for config/firmware transfer) sends
! credentials and the configuration - which contains hashed secrets - in
! cleartext. Disable it unless it is actively needed, and never expose it to
! the hotspot or WAN zones.
ip ftp server cert default
ip ftp server
!
ntp
!
! SNMP agent enabled; the community/version is not shown in this dump. Prefer
! SNMPv3 and restrict access to the management network only.
snmp-server
!
package site official
!
! Per-host session cap; also limits how much a single misbehaving client can
! consume.
session-limit activate
session-limit limit 256
!
auth-server authentication WNAM
!
idp signature update auto
!
idp signature update weekly sun 0
!
no bwm activate
!
! NOTE(review): the security policy (firewall) is globally DISABLED here. Every
! secure-policy rule that follows, including "default-rule action deny log",
! is inert: all zones can reach each other and the device's management
! services (HTTP, SSH, FTP, SNMP) without filtering. Acceptable for a lab
! only; enable it ("secure-policy activate") before production use.
no secure-policy activate
!
! Firewall rules (only effective once "secure-policy activate" is set; the
! dump above has it disabled). Rules with a "from" zone and no "to" zone
! allow traffic to any destination zone.
!
! Hotspot clients (LAN1) may reach every zone, including the WAN-side
! 10.8.8.0/24 network where the WNAM server and the upstream gateway live.
! Consider restricting LAN1 to the Internet plus the WNAM host only.
secure-policy 1
from LAN1
action allow
name LAN1_Outgoing
!
! Hotspot clients may reach every service on the gateway itself (including
! the management GUI, SSH, FTP and SNMP enabled above). Limit this to what the
! portal needs - DNS/DHCP and the web-auth redirect ports - TODO confirm the
! exact set for this firmware.
secure-policy 2
from LAN1
to Device
action allow
name LAN1_to_Device
!
secure-policy 3
from LAN2
action allow
name LAN2_Outgoing
!
secure-policy 4
from LAN2
to Device
action allow
name LAN2_to_Device
!
secure-policy 5
from IPSec_VPN
action allow
name IPSec_VPN_Outgoing
!
secure-policy 6
from IPSec_VPN
to Device
action allow
name IPSec_VPN_to_Device
!
secure-policy 7
from DMZ
to Device
action allow
service Default_Allow_DMZ_To_Device
name DMZ_to_Device
!
secure-policy 8
from DMZ
to WAN
action allow
name DMZ_to_WAN
!
! WAN -> device: only the Default_Allow_WAN_To_Device services (VPN protocols
! and HTTPS). RADIUS replies from WNAM are return traffic of sessions the
! gateway initiated, so they are not affected. If WNAM ever has to initiate a
! connection to the gateway (e.g. RADIUS disconnect/CoA), a dedicated rule
! would be needed here - presumably not the case in this setup; confirm.
secure-policy 9
service Default_Allow_WAN_To_Device
action allow
from WAN
to Device
name WAN_to_Device
!
! Deny-and-log everything else; the right default once the policy is active.
secure-policy default-rule action deny log
!
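bwm 1
no activate
type per-user
incoming-interface interface lan2
outgoing-interface trunk SYSTEM_DEFAULT_WAN_TRUNK
inbound guarantee-bandwidth 512 priority 4
outbound guarantee-bandwidth 512 priority 4
!
alg ftp
alg ftp transformation
!
! Login brute-force protection: 5 failed attempts lock the account for 30
! (presumably minutes - confirm); scope (management vs portal logins) is not
! shown here.
users retry-limit
users retry-count 5
users lockout-period 30
!
users update-lease automation
!
app-watch-dog activate
!
app-watch-dog interval 300
!
htm phase 1 add all
!
! Address that authenticated users browse to in order to log out. 1.1.1.1 is
! the factory default; it is now also a public DNS resolver, so clients that
! use it as DNS may be served the logout page instead. Pick an address that is
! unused on the Internet and in the client network.
web-auth login setting
logout-ip 1.1.1.1
!
web-auth type default-web-portal
!
web-auth type default-user-agreement
!
! External captive portal hosted by WNAM. The login URL is plain http://, so
! the portal session (and whatever the user types into it) crosses the open
! SSID and the 10.8.8.0/24 network in cleartext. Use https:// with a trusted
! certificate if the WNAM deployment supports it.
web-auth type profile WNAM
type web-portal external
web-portal login-url http://10.8.8.189/cp/zyxel
web-portal welcome-url http://ya.ru
web-portal session-url http://ya.ru
!
web-auth activate
!
! DNS is allowed before authentication (required for the redirect to work);
! this also means DNS tunnelling can bypass the portal. Standard captive-portal
! trade-off - mitigate by forcing clients to the gateway's own resolver.
web-auth exceptional-service DNS
!
! Policy 1: every hotspot client (Wan_subnet = 172.16.0.0/16, the lan1 range)
! must authenticate through the WNAM portal.
web-auth policy 1
activate
authentication force
authentication-type WNAM
source Wan_subnet
!
! Policy 2: traffic to the WNAM host itself. No "authentication force" here,
! so presumably this lets unauthenticated clients reach the portal - confirm
! the semantics on this firmware.
web-auth policy 2
activate
authentication-type WNAM
destination wnam
!
! Default rule does not log; consider enabling logging here for audit purposes
! if log volume permits.
web-auth default-rule authentication required no log
!
ip ipnp activate
!
ip ipnp config
interface lan2
!
walled-garden activate
!
! Pre-authentication allow-list. Changed from 10.8.8.189/24 to /32: the /24
! opened the entire 10.8.8.0/24 network (the gateway's own wan1 address
! 10.8.8.11, the upstream router 10.8.8.254 and any other host there) to
! unauthenticated clients. Only the WNAM portal host needs to be reachable.
walled-garden domain-ip rule 1
activate
type ip
name wnam
ip-address 10.8.8.189/32
!
! Built-in billing / printer / payment / SMS features of the UAG; not used by
! the WNAM integration (left at defaults).
billing wlan-ssid-profile default
!
billing profile billing_30mins
price 0
time-period minute 30
!
printer-manager button a billing_30mins
printer-manager button b billing_30mins
printer-manager button c billing_30mins
!
! UPnP IGD lets clients open port mappings on the gateway; it listens on lan2
! only (which is shut down above). Keep it off any hotspot-facing interface.
ip upnp
upnp-igd activate
listen-interface lan2
!
payment-service account-delivery onscreen activate
!
sms-service provider-select vianett
!
! Layer-2 client isolation is enabled but applied only to lan2, which is shut
! down; the hotspot clients on lan1 are NOT isolated from each other. On an
! open SSID, add "interface lan1" here so clients cannot reach one another.
l2-isolation activate
!
l2-isolation
interface lan2
!
free-time reset-register 00:00
free-time time-period 30
!
wtp-logging system-log suppression
!
! Mail log targets; the mail servers themselves are not shown in this dump.
wtp-logging mail 1 category all level all
wtp-logging mail 2 category all level all
!
! USB storage disabled: no config/diag/log copies can be pulled via a USB stick.
no usb-storage activate
no diag-info copy usb-storage
!
no logging usb-storage
!
logging system-log suppression
!
logging mail 1 category all level all
!
logging mail 2 category all level all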

