通过Windows NPS，配置有线802.1x认证

目录

1. Windows配置

1.1 NSP配置

1.2 CA配置及证书自动注册

1.3 802.1x域策略配置

2. 交换机配置 

2.1 华为

2.2 华三

---

1. Windows配置

1.1 NSP配置

 

 

1.2 CA配置及证书自动注册

见CA配置证书自动注册_夜邢的博客-CSDN博客

1.3 802.1x域策略配置

这部分按需配置

 

 

 

 

 

2. 交换机配置 

2.1 华为

------传统模式------
---radius模板配置
[SwitchA] radius-server template dot1x
[SwitchA-radius-dot1x] radius-server authentication 10.130.16.42 1812
[SwitchA-radius-dot1x] radius-server shared-key cipher admin@123
[SwitchA-radius-dot1x] undo radius-server user-name domain-included

---创建AAA认证方案“dot1x”,并配置认证方式为RADIUS。
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme dot1x
[SwitchA-aaa-authen-dot1x] authentication-mode radius
[SwitchA-aaa-authen-dot1x] quit

---创建AAA认证方案“abc”并配置认证方式为RADIUS。
[SwitchA-aaa] authentication-scheme dot1x
[SwitchA-aaa-authen-dot1x] authentication-mode radius
[SwitchA-aaa-authen-dot1x] quit

---认证域"dot1x"配置
[SwitchA-aaa] domain dot1x
[SwitchA-aaa-domain-dot1x] authentication-scheme dot1x
[SwitchA-aaa-domain-dot1x] radius-server dot1x
[SwitchA-aaa-domain-dot1x] quit
[SwitchA-aaa] quit

---NAC配置模式为传统模式
[SwitchA] undo authentication unified-mode

---全局开启
[SwitchA] dot1x enable
[SwitchA] dot1x authentication-method eap

---下接接口配置
[SwitchA-GigabitEthernet0/0/1] dot1x enable
[SwitchA-GigabitEthernet0/0/1] dot1x domain dot1x

------统一模式------
---radius模板配置
[SwitchA] radius-server template dot1x
[SwitchA-radius-dot1x] radius-server authentication 10.130.16.42 1812
[SwitchA-radius-dot1x] radius-server shared-key cipher admin@123
[SwitchA-radius-dot1x] undo radius-server user-name domain-included

---配置自动探测功能
[SwitchA-radius-dot1x] radius-server testuser username admin password cipher admin@123
[SwitchA-radius-dot1x] quit

---创建AAA认证方案“abc”并配置认证方式为RADIUS。
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme dot1x
[SwitchA-aaa-authen-dot1x] authentication-mode radius
[SwitchA-aaa-authen-dot1x] quit

---认证域配置
[SwitchA-aaa] domain dot1x
[SwitchA-aaa-domain-dot1x] authentication-scheme dot1x
[SwitchA-aaa-domain-dot1x] radius-server dot1x
[SwitchA-aaa-domain-dot1x] quit
[SwitchA-aaa] quit

---去使能预连接
[SwitchA] undo authentication pre-authen-access enable

---接入模板配置,DHCP触发802.1X认证、认证模式、认证超时
[SwitchA] dot1x-access-profile name dot1x
[SwitchA-dot1x-access-profile-dot1x] authentication trigger-condition dhcp
[SwitchA-dot1x-access-profile-dot1x] dot1x authentication-method eap
[SwitchA-dot1x-access-profile-dot1x] quit

---认证模板配置
[SwitchA] authentication-profile name dot1x
[SwitchA-authen-profile- dot1x] dot1x-access-profile dot1x
[SwitchA-authen-profile- dot1x] access-domain dot1x force 
[SwitchA-authen-profile- dot1x] quit


---接入口配置
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] authentication-profile dot1x

//查看用户上线信息

display access-user 

2.2 华三

#
radius scheme dot1x
 primary authentication 10.130.16.42
 key authentication simple admin@123
 user-name-format without-domain
#
domain dot1x
 authentication lan-access radius-scheme dot1x
 authorization lan-access none
 accounting lan-access none
#
 dot1x
 dot1x authentication-method eap


//接入端口上配置
#
interface GigabitEthernet1/0/2
 port access vlan 10
 dot1x
 undo dot1x handshake
 dot1x mandatory-domain dot1x

//查看用户上线信息
display dot1x connection