张德锋 (Zhang Defeng), ID: deflag
    Cisco 2950G: RADIUS Authentication with 802.1X + AD + CA + IAS

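    802.1X Authentication

    Requirements:

    1. The switch supports the 802.1X protocol.
    2. A RADIUS server.
    3. A client machine.

    Network topology:

    Authentication method:

    PEAP authentication: certificate + integrated AD user authentication.

    Environment:

    Operating System: Windows 2003 Enterprise Edition

    RADIUS Server: Windows IAS (Internet Authentication Service, installed from Windows Components)

    CA Server: Windows CA Certificate Services (installed from Windows Components)

    RADIUS Client: built into Windows (Network Connections -> Properties -> Authentication). If there is no "Authentication" tab, the related service is not enabled (Start -> Run -> services.msc -> start the "Wireless Zero Configuration" service).

    Configuration:

    1. Install the domain. The domain name is provisionally test.com. The process is omitted here; see the relevant documentation.

    2. Install IIS (Internet Information Services), IAS and the CA: Control Panel -> Add/Remove Programs -> Add/Remove Windows Components, as shown in the figure:

    Note: install in the order IIS -> CA -> IAS; the order must not be changed.

    3. Configure the CA: the process is omitted here; refer to the relevant material.

    4. CISCO 2950G-48-EI switch configuration: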

    Building configuration...

    Current configuration : 4944 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Layer_4_2
    !
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    ip subnet-zero
    !
    !
    !
    spanning-tree mode mst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    !
    !
    !
    !
    interface FastEthernet0/1
     switchport access vlan 6
    !
    interface FastEthernet0/1.1
    !
    interface FastEthernet0/2
     switchport access vlan 6
    !
    interface FastEthernet0/3
     switchport access vlan 6
    !
    interface FastEthernet0/4
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/5
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/6
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/7
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/8
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/9
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/10
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/11
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/12
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/13
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/14
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/15
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/16
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/17
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/18
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/19
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/20
     switchport access vlan 6
    !
    interface FastEthernet0/21
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/22
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/23
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/24
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/25
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/26
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/27
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/28
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/29
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/30
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/31
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/32
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/33
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/34
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/35
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/36
     switchport mode access
     dot1x port-control auto
     dot1x guest-vlan 21
     spanning-tree portfast
    !
    interface FastEthernet0/37
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/38
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/39
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/40
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/41
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/42
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/43
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/44
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/45
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/46
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/47
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/48
     switchport access vlan 7
     spanning-tree portfast
    !
    interface GigabitEthernet0/1
     switchport mode trunk
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
     ip address 192.168.0.1 255.255.255.0
     no ip route-cache
    !
    interface Vlan6
     ip address 192.168.1.1 255.255.255.0
     no ip route-cache
     shutdown
    !
    interface Vlan7
     ip address 192.168.2.1 255.255.255.0
     no ip route-cache
     shutdown
    !
    ip http server
    radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
    radius-server retransmit 3
    radius-server vsa send authentication
    !
    line con 0
    line vty 0 4
    !
    !
    !
    monitor session 1 source interface Fa0/1
    monitor session 1 destination interface Fa0/43
    end

    Layer_4_2#

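    5. Configure IAS:

    a) Open IAS:

    b) Create a new "RADIUS client":

    c) Create a new access policy

    d) Modify the policy properties

    6. Client settings:

    a) Configure the network connection

    b) Set it to obtain an IP address automatically

    7. The setup is now essentially complete. After a user joins the domain, the certificate is downloaded automatically at domain logon.

    a) If the certificate is present, the client obtains an IP address in the corresponding VLAN.

    b) If it has no such IP, it obtains a guest-vlan IP address instead.

    8. Some configuration steps have been left out; for people who do networking, those steps should not be a problem. Haha. If you have questions, get in touch when you have time.

    My email: define.chang@gmail.com

    MSN: fandy-zhang@hotmail.com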
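The following is an added example, not part of the original post: a Python audit for a configuration like the one in step 4, where only FastEthernet0/36 carries `dot1x port-control auto` and every other access port sits in a static VLAN with no 802.1X. It checks the global prerequisites the posted config uses, lists which access ports enforce authentication, and notes when `no service password-encryption` leaves the RADIUS key readable; the excerpt is constructed from that config, and the names `parse` and `audit` are illustrative.

```python
# Constructed excerpt that mirrors the posted running-config (three ports only).
SAMPLE = """\
no service password-encryption
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface FastEthernet0/35
 switchport access vlan 7
!
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
!
interface GigabitEthernet0/1
 switchport mode trunk
!
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
"""

REQUIRED = ("aaa new-model", "aaa authentication dot1x",
            "dot1x system-auth-control", "radius-server host")

def parse(cfg):
    """Split running-config text into global lines and per-interface commands."""
    globals_, ifaces, current = [], {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "!":                      # '!' closes the current interface block
            current = None
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], [])
        elif line and current is not None:
            current.append(line)
        elif line:
            globals_.append(line)
    return globals_, ifaces

def audit(cfg):
    """Return missing 802.1X prerequisites and which access ports enforce it."""
    g, ifaces = parse(cfg)
    rep = {"missing": [r for r in REQUIRED if not any(x.startswith(r) for x in g)],
           "enforced": [], "open": [],
           "cleartext_key": "no service password-encryption" in g}
    for name, cmds in ifaces.items():
        physical = name.startswith(("FastEthernet", "GigabitEthernet")) and "." not in name
        if not physical or "switchport mode trunk" in cmds:
            continue  # skip SVIs, subinterfaces and trunks
        rep["enforced" if "dot1x port-control auto" in cmds else "open"].append(name)
    return rep
```

Because the parser strips each line and ignores blank ones, the double-spaced, indented form in which configs are often pasted is accepted as well.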

    Posted @ 2007-10-12 15:08:00
