A few days ago I wrote up the 802.1X implementation for both H3C and Cisco switches, but someone contacted me to say that the CA had not been configured correctly and authentication was failing. Due to time constraints I am not writing up my own configuration document here; instead I have a reference configuration document on hand that I hope will be useful to everyone. The electronic version can be downloaded from the resources in my space at: http://download.csdn.net/user/deflag
Implementing 802.1X with EAP-TLS (smart cards and certificates): authentication server and switch configuration
For this configuration, complete the following steps:
1. Configure Active Directory for accounts and groups.
2. Configure the primary IAS server on a computer.
3. Configure the secondary IAS server on another computer.
netsh aaaa show config > c:\IAS.txt   (run on the primary IAS server: exports its configuration)
netsh exec c:\IAS.txt                  (run on the secondary IAS server: imports that configuration)
4. Deploy and configure your authenticating switches.
6. Configure a certificate infrastructure for EAP-TLS.
7. Install computer certificates on wired client computers (EAP-TLS).
8. Install user certificates on wired client computers (EAP-TLS).
9. Configure wired client computers for EAP-TLS.
10. Configure wired client computers for EAP-MD5 CHAP.
11. Verify wired connections.
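Steps 6 to 9 are where the reported failure ("CA not configured properly, authentication fails") usually originates: the IAS server certificate or the client certificate does not meet what EAP-TLS requires. The following PowerShell script is an added example, not part of the original post or the referenced document. It walks the local machine's personal certificate store and reports, for each certificate, whether it carries the Enhanced Key Usage the role needs (Server Authentication for the IAS server, Client Authentication for wired clients), has a private key, is unexpired, chains to a trusted root, and (for clients) carries a Subject Alternative Name. The function name Test-EapTlsCertificate and the OID constants are this example's own; the OIDs are the standard PKIX values.

```powershell
# Added example (not from the original post): check certificates in the local machine
# store against the EAP-TLS requirements IAS and the 802.1X client enforce.
# Assumption: run on the IAS server with -Role Server, or on a wired client with -Role Client.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$SanOid        = '2.5.29.17'           # subjectAltName extension

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet('Server', 'Client')]
        [string]$Role = 'Server'
    )
    $problems = @()
    $requiredOid = if ($Role -eq 'Server') { $ServerAuthOid } else { $ClientAuthOid }

    # Collect every EKU OID present on the certificate.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekus.Count -eq 0) {
        $problems += 'no Enhanced Key Usage extension'
    } elseif ($ekus -notcontains $requiredOid) {
        $problems += "EKU does not include $requiredOid ($Role Authentication)"
    }

    # The authenticating side must hold the private key for the TLS handshake.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    if ([string]::IsNullOrEmpty($Cert.Subject)) { $problems += 'empty Subject' }

    # The peer must be able to build a chain to a trusted root; check it locally first.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build to a trusted root ($status)"
    }

    # Client certificates need a SAN (UPN for user certs, DNS name for computer certs).
    if ($Role -eq 'Client') {
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if (-not $san) { $problems += 'no Subject Alternative Name (UPN or DNS name expected)' }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Role       = $Role
        OK         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Usage: on the IAS server report every certificate in the machine store as a server certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsCertificate -Cert $_ -Role Server } |
    Format-Table -AutoSize
```

Run it with `-Role Client` on a wired client after steps 7 and 8 to confirm the computer or user certificate was enrolled with the right purposes; a certificate that shows `OK = False` here will also be rejected by IAS, so fixing the template or the trusted root before testing the switch saves a round of debugging.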
MD5:
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (REG_DWORD data type)
2. Enable storage of a reversibly encrypted form of the account's password in your domains.
3. Force a reset of the account passwords so that the new passwords are stored in a reversibly encrypted form.
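Reversible password encryption is what makes EAP-MD5 CHAP work, and it is also the reason EAP-MD5 is weaker than EAP-TLS: every account it is enabled for has a recoverable cleartext password in the directory. The following PowerShell script is an added example, not part of the original post, that audits the three prerequisites listed above: it reads the Netlogon MaximumPasswordAge value, lists the accounts in the domain that have reversible encryption enabled, and shows when each of those passwords was last set so you can tell whether the reset in step 3 has actually happened. It assumes the ActiveDirectory PowerShell module is available and the caller can read user objects.

```powershell
# Added example (not from the original post): audit the EAP-MD5 CHAP prerequisites.
# Assumption: ActiveDirectory module installed and read access to user objects.
Import-Module ActiveDirectory

# 1. Netlogon MaximumPasswordAge (days); absent means the default applies.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge = (Get-ItemProperty -Path $NetlogonKey -Name MaximumPasswordAge -ErrorAction SilentlyContinue).MaximumPasswordAge
if ($null -eq $maxAge) {
    Write-Output 'Netlogon MaximumPasswordAge: not set (default applies)'
} else {
    Write-Output "Netlogon MaximumPasswordAge: $maxAge days"
}

# 2. and 3. Accounts with reversible encryption enabled, and when their password was last set.
#    A PasswordLastSet earlier than the date the flag was turned on means the password has
#    not been re-stored in reversible form yet and EAP-MD5 will still fail for that account.
function Get-ReversibleEncryptionAccounts {
    param([datetime]$EnabledSince = [datetime]::MinValue)
    Get-ADUser -Filter * -Properties AllowReversiblePasswordEncryption, PasswordLastSet |
        Where-Object { $_.AllowReversiblePasswordEncryption } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                ResetAfterFlag  = ($_.PasswordLastSet -ne $null -and $_.PasswordLastSet -gt $EnabledSince)
            }
        }
}

# Usage: replace the date with the day reversible encryption was enabled in your domain.
Get-ReversibleEncryptionAccounts -EnabledSince (Get-Date '2000-01-01') | Format-Table -AutoSize
```

Accounts that appear in the list with `ResetAfterFlag = False` still need the password reset from step 3; accounts that appear but are not supposed to use EAP-MD5 should have the flag cleared, since reversible storage is a liability for anything that does not strictly need it.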
The system used is Windows 2003; AD, DNS, IAS, and CA must be installed.
------------------------------------
The table below lists the certificates required by each authentication type:
Authentication Type | Certificates on Wired client |