Contents
1. Windows configuration
1.1 NPS configuration
1.2 CA configuration and certificate auto-enrollment
1.3 802.1X domain (Group Policy) configuration
Configure this part as needed.
2. Switch configuration
2.1 Huawei
------ Traditional mode ------
--- RADIUS server template
[SwitchA] radius-server template dot1x
[SwitchA-radius-dot1x] radius-server authentication 10.130.16.42 1812
[SwitchA-radius-dot1x] radius-server shared-key cipher admin@123
[SwitchA-radius-dot1x] undo radius-server user-name domain-included
--- Create the AAA authentication scheme "dot1x" and set its authentication mode to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme dot1x
[SwitchA-aaa-authen-dot1x] authentication-mode radius
[SwitchA-aaa-authen-dot1x] quit
--- Authentication domain "dot1x"
[SwitchA-aaa] domain dot1x
[SwitchA-aaa-domain-dot1x] authentication-scheme dot1x
[SwitchA-aaa-domain-dot1x] radius-server dot1x
[SwitchA-aaa-domain-dot1x] quit
[SwitchA-aaa] quit
--- Set the NAC mode to traditional (non-unified) mode
[SwitchA] undo authentication unified-mode
--- Enable 802.1X globally and use EAP relay as the authentication method
[SwitchA] dot1x enable
[SwitchA] dot1x authentication-method eap
--- Downlink (access) interface configuration
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dot1x enable
[SwitchA-GigabitEthernet0/0/1] dot1x domain dot1x
------ Unified mode ------
--- RADIUS server template
[SwitchA] radius-server template dot1x
[SwitchA-radius-dot1x] radius-server authentication 10.130.16.42 1812
[SwitchA-radius-dot1x] radius-server shared-key cipher admin@123
[SwitchA-radius-dot1x] undo radius-server user-name domain-included
--- Configure automatic server probing (test user)
[SwitchA-radius-dot1x] radius-server testuser username admin password cipher admin@123
[SwitchA-radius-dot1x] quit
--- Create the AAA authentication scheme "dot1x" and set its authentication mode to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme dot1x
[SwitchA-aaa-authen-dot1x] authentication-mode radius
[SwitchA-aaa-authen-dot1x] quit
--- Authentication domain configuration
[SwitchA-aaa] domain dot1x
[SwitchA-aaa-domain-dot1x] authentication-scheme dot1x
[SwitchA-aaa-domain-dot1x] radius-server dot1x
[SwitchA-aaa-domain-dot1x] quit
[SwitchA-aaa] quit
--- Disable pre-connection (pre-authentication access)
[SwitchA] undo authentication pre-authen-access enable
--- Access profile: trigger 802.1X authentication on DHCP, authentication method, authentication timeout
[SwitchA] dot1x-access-profile name dot1x
[SwitchA-dot1x-access-profile-dot1x] authentication trigger-condition dhcp
[SwitchA-dot1x-access-profile-dot1x] dot1x authentication-method eap
[SwitchA-dot1x-access-profile-dot1x] quit
--- Authentication profile
[SwitchA] authentication-profile name dot1x
[SwitchA-authen-profile-dot1x] dot1x-access-profile dot1x
[SwitchA-authen-profile-dot1x] access-domain dot1x force
[SwitchA-authen-profile-dot1x] quit
--- Access port configuration (access-type port in VLAN 10)
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] authentication-profile dot1x
// View online user information
display access-user
2.2 H3C
#
radius scheme dot1x
primary authentication 10.130.16.42
key authentication simple admin@123
user-name-format without-domain
#
domain dot1x
authentication lan-access radius-scheme dot1x
authorization lan-access none
accounting lan-access none
#
dot1x
dot1x authentication-method eap
// Configuration on the access port
#
interface GigabitEthernet1/0/2
port access vlan 10
dot1x
undo dot1x handshake
dot1x mandatory-domain dot1x
// View online user information
display dot1x connection
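The `radius-server shared-key` (Huawei) and `key authentication` (H3C) value configured above is what lets the switch tell a genuine reply from the RADIUS server apart from a forged one. As an added example (not part of the original page and not vendor code), the Python below implements the two checks a NAS applies to an Access-Accept before it opens the port: the Response Authenticator of RFC 2865 (MD5 over the reply plus the shared key) and the Message-Authenticator attribute of RFC 3579 (HMAC-MD5 under the shared key, mandatory for EAP, and computed for replies over the request's authenticator). The shared key `admin@123` is the one from the page; the packets, the NAS address 10.130.16.1 and the user name are constructed for the example.

```python
"""RADIUS reply integrity checks a NAS performs (RFC 2865 s.3, RFC 3579 s.3.2).
Added example; not vendor code. Packets below are constructed in-line."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 4, 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then a 16-byte Authenticator
SECRET = b"admin@123"            # shared key from the switch configuration on this page


def attr(attr_type, value):
    """TLV encoding of one attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def iter_attrs(attrs):
    """Yield (type, offset, value) for each attribute; reject truncated TLVs."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        yield t, i, attrs[i + 2:i + length]
        i += length


def with_message_authenticator(code, ident, header_auth, attrs, secret):
    """Append Message-Authenticator (attr 80): HMAC-MD5 over the whole packet with the
    attribute value zeroed. For replies, header_auth is the *request* authenticator."""
    zeroed = packet(code, ident, header_auth, attrs + attr(ATTR_MSG_AUTH, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return attrs + attr(ATTR_MSG_AUTH, mac)


def verify_message_authenticator(pkt, header_auth, secret):
    """True iff attr 80 is present and verifies under the shared key."""
    code, ident, length = HEADER.unpack_from(pkt)
    if length != len(pkt) or length < 20:
        return False
    attrs = bytearray(pkt[20:])
    for t, off, value in iter_attrs(bytes(attrs)):
        if t == ATTR_MSG_AUTH and len(value) == 16:
            attrs[off + 2:off + 18] = bytes(16)   # zero the value in a working copy
            expected = hmac.new(secret, packet(code, ident, header_auth, bytes(attrs)),
                                hashlib.md5).digest()
            return hmac.compare_digest(bytes(value), expected)
    return False   # attribute absent: an EAP reply without it must be discarded


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 s.3."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth
                       + attrs + secret).digest()


def verify_response_authenticator(resp, request_auth, secret):
    code, ident, length = HEADER.unpack_from(resp)
    if length != len(resp) or length < 20:
        return False
    expected = response_authenticator(code, ident, request_auth, resp[20:], secret)
    return hmac.compare_digest(expected, resp[4:20])


def build_exchange(secret, ident=7, request_auth=None):
    """Constructed Access-Request from the switch and matching Access-Accept from the server."""
    request_auth = request_auth or os.urandom(16)   # NAS picks a fresh random nonce
    req_attrs = (attr(ATTR_USER_NAME, b"pc01")      # constructed user name
                 + attr(ATTR_NAS_IP, bytes([10, 130, 16, 1])))   # constructed NAS address
    req_attrs = with_message_authenticator(ACCESS_REQUEST, ident, request_auth, req_attrs, secret)
    request = packet(ACCESS_REQUEST, ident, request_auth, req_attrs)

    acc_attrs = with_message_authenticator(ACCESS_ACCEPT, ident, request_auth, b"", secret)
    accept = packet(ACCESS_ACCEPT, ident,
                    response_authenticator(ACCESS_ACCEPT, ident, request_auth, acc_attrs, secret),
                    acc_attrs)
    return request, accept


def nas_accepts(request, response, secret):
    """Everything the switch must check before it opens the port on an Access-Accept."""
    request_auth = request[4:20]
    return (response[1] == request[1]   # Identifier matches the outstanding request
            and verify_response_authenticator(response, request_auth, secret)
            and verify_message_authenticator(response, request_auth, secret))


if __name__ == "__main__":
    req, acc = build_exchange(SECRET)
    print("genuine reply accepted:", nas_accepts(req, acc, SECRET))
    forged = bytearray(acc)
    forged[-1] ^= 0x01   # one-bit tamper on the reply
    print("tampered reply accepted:", nas_accepts(req, bytes(forged), SECRET))
    print("reply under a different key accepted:", nas_accepts(req, acc, b"other-key"))
```

Both checks depend only on the shared key and the per-request random authenticator, which is why the key must differ per NAS and be kept out of plaintext configs and backups; a server-side key mismatch shows up on the switch as every reply failing verification, which is the failure the unified-mode `radius-server testuser` probe above is meant to surface early.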