1. dot1x authentication only
-
Global configuration
dot1x
dot1x authentication-method eap
dot1x timer tx-period 10
-
Create the RADIUS scheme
radius scheme 1x-test
primary authentication 10.10.10.10 key simple 123456
primary accounting 10.10.10.10 key simple 123456
secondary authentication 10.10.10.11 key simple 123456
secondary accounting 10.10.10.11 key simple 123456
user-name-format without-domain
accounting-on enable
-
Create the ISP domain
domain 1x-domain
authentication lan-access radius-scheme 1x-test
authorization lan-access radius-scheme 1x-test
accounting lan-access radius-scheme 1x-test
access-limit disable
state active
idle-cut disable
-
Enable 802.1X authentication on the interface
interface g0/0/1
port link-type hybrid
port hybrid vlan 100,110,120 untagged
port hybrid pvid vlan 10
mac-vlan enable
dot1x guest-vlan 100 //guest VLAN
dot1x auth-fail vlan 110 //authentication-failure VLAN
dot1x critical vlan 120 //critical (escape) VLAN
undo dot1x handshake
dot1x mandatory-domain 1x-domain
undo dot1x multicast-trigger
dot1x
dot1x unicast-trigger
-
CoA configuration (force a device offline)
radius dynamic-author server
client ip 10.10.10.10 key simple 123456
2. 1x + MAC combined authentication
-
Global configuration
dot1x authentication-method eap
dot1x timer tx-period 10
mac-authentication domain 1x-domain
port-security enable
-
Create the RADIUS scheme
radius scheme 1x-test
primary authentication 10.10.10.10 key simple 123456
primary accounting 10.10.10.10 key simple 123456
secondary authentication 10.10.10.11 key simple 123456
secondary accounting 10.10.10.11 key simple 123456
user-name-format without-domain
accounting-on enable
-
Create the ISP domain
domain 1x-domain
authentication lan-access radius-scheme 1x-test
authorization lan-access radius-scheme 1x-test
accounting lan-access radius-scheme 1x-test
access-limit disable
state active
idle-cut disable
-
Enable MAC authentication and 802.1X authentication on the interface
interface g0/0/1
port link-type hybrid
port hybrid vlan 100,110,120 untagged
port hybrid pvid vlan 10
mac-vlan enable
dot1x guest-vlan 100 //guest VLAN
dot1x auth-fail vlan 110 //authentication-failure VLAN
dot1x critical vlan 120 //critical (escape) VLAN
port-security port-mode userlogin-secure-or-mac-ext //802.1X first, then MAC authentication (choose one of the two port modes)
port-security port-mode mac-else-userlogin-secure-ext //MAC authentication first, 802.1X if MAC fails; MAC-first is the usual choice for ports with dumb terminals
mac-authentication parallel-with-dot1x //run MAC authentication and 802.1X in parallel
undo dot1x handshake
dot1x mandatory-domain 1x-domain
undo dot1x multicast-trigger
dot1x
dot1x unicast-trigger
//If 802.1X-first-then-MAC is configured, the following command can delay MAC authentication by 15~30 seconds
mac-authentication timer auth-delay 15
//When a port has both MAC authentication and 802.1X enabled, some networks want the device to try 802.1X on a user's packets first. Some clients send other traffic, such as DHCP, before they send their 802.1X request, which triggers an unwanted MAC authentication. The MAC authentication delay covers this case: instead of starting MAC authentication as soon as a user packet arrives, the port waits for the delay period; if the user has not attempted 802.1X, or has not passed it, by the time the delay expires, the port then runs MAC authentication on the packets it received earlier.
//This way the client obtains its DHCP IP address more quickly.
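The two sections above share one dependency chain: the RADIUS scheme is referenced by the ISP domain, the domain is referenced by `dot1x mandatory-domain` and `mac-authentication domain`, and the guest/auth-fail/critical VLANs must actually be untagged on the hybrid port. The following lint is an added example written for these notes (not a vendor tool): it parses flat Comware-style config text and reports broken references, a port with more than one mutually exclusive `port-security port-mode`, a port mode without the global `port-security enable`, and RADIUS shared secrets shorter than a locally chosen 16-character threshold. The sample input is constructed here from the combined section of the notes; the threshold and the finding wording are this example's own.

```python
import re
from collections import defaultdict

# Constructed test input (not copied from a live device): the combined
# 802.1X + MAC section of these notes, re-typed without comments and
# deliberately keeping both port-security port-mode lines.
SAMPLE_CONFIG = """
dot1x authentication-method eap
mac-authentication domain 1x-domain
port-security enable
radius scheme 1x-test
primary authentication 10.10.10.10 key simple 123456
primary accounting 10.10.10.10 key simple 123456
user-name-format without-domain
domain 1x-domain
authentication lan-access radius-scheme 1x-test
authorization lan-access radius-scheme 1x-test
accounting lan-access radius-scheme 1x-test
interface g0/0/1
port link-type hybrid
port hybrid vlan 100,110,120 untagged
port hybrid pvid vlan 10
dot1x guest-vlan 100
dot1x auth-fail vlan 110
dot1x critical vlan 120
port-security port-mode userlogin-secure-or-mac-ext
port-security port-mode mac-else-userlogin-secure-ext
dot1x mandatory-domain 1x-domain
mac-authentication timer auth-delay 15
"""

BLOCK_OPENERS = ("radius scheme ", "domain ", "interface ")
MIN_SECRET_LEN = 16   # local policy threshold chosen for this example, not a Comware limit


def parse_config(text):
    """Group flat Comware-style lines into {"global" | opener line: [lines]}."""
    blocks = defaultdict(list)
    current = "global"
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()        # drop // comments
        if not line or line.startswith(("-", "#")):  # separators / view ends
            continue
        if line.startswith(BLOCK_OPENERS):           # a new view begins
            current = line
            blocks[current]                          # create even if empty
            continue
        blocks[current].append(line)
    return blocks


def expand_vlans(spec):
    """'100,110,120' or Comware-style '100 110 to 112' -> {100, 110, 111, 112}."""
    tokens = spec.replace(",", " ").split()
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def lint(blocks):
    """Return findings about the radius scheme -> domain -> interface chain
    plus a few weak-setting checks."""
    findings = []
    schemes = {k.split(" ", 2)[2] for k in blocks if k.startswith("radius scheme ")}
    domains = {k.split(" ", 1)[1] for k in blocks if k.startswith("domain ")}
    port_security_on = "port-security enable" in blocks["global"]

    for name, lines in blocks.items():
        for line in lines:
            m = re.search(r"radius-scheme (\S+)$", line)
            if m and m.group(1) not in schemes:
                findings.append(f"{name}: undefined radius scheme {m.group(1)}")
            m = re.match(r"(?:dot1x mandatory-domain|mac-authentication domain) (\S+)", line)
            if m and m.group(1) not in domains:
                findings.append(f"{name}: undefined domain {m.group(1)}")
            m = re.search(r"key simple (\S+)", line)
            if m and len(m.group(1)) < MIN_SECRET_LEN:
                findings.append(f"{name}: short RADIUS shared secret in '{line.split(' key')[0]}'")

        if name.startswith("interface "):
            untagged = set()
            for line in lines:
                m = re.match(r"port hybrid vlan (.+) untagged$", line)
                if m:
                    untagged |= expand_vlans(m.group(1))
            for line in lines:
                m = re.match(r"dot1x (guest-vlan|auth-fail vlan|critical vlan) (\d+)", line)
                if m and int(m.group(2)) not in untagged:
                    findings.append(f"{name}: {m.group(1)} {m.group(2)} is not untagged on the port")
            modes = [l.split()[-1] for l in lines if l.startswith("port-security port-mode ")]
            if len(modes) > 1:
                findings.append(f"{name}: {len(modes)} port-security port-mode lines "
                                f"({', '.join(modes)}); the modes are mutually exclusive, keep one")
            if modes and not port_security_on:
                findings.append(f"{name}: port-security port-mode without global 'port-security enable'")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports the two six-character secrets and the duplicated port mode; the VLAN and domain references in the notes check out. Paste a `display current-configuration` export in place of `SAMPLE_CONFIG` to lint a real device.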
-
CoA configuration (force a device offline)
radius dynamic-author server
client ip 10.10.10.10 key simple 123456
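The `radius dynamic-author server` / `client ip ... key` lines in both sections make the switch a Dynamic Authorization Server (RFC 5176): it only acts on Disconnect-Requests that come from a listed client address and carry a Request Authenticator computed with that client's shared key. The following is an added example, not vendor code, showing both halves of that check in Python so the role of the key is visible: the builder computes the Request Authenticator as MD5 over the packet with a zeroed authenticator field plus the secret (RFC 5176 section 2.3) and a Message-Authenticator as HMAC-MD5 over the packet with both fields zeroed (the FreeRADIUS convention for Disconnect/CoA requests, assumed here for interoperability); the verifier is what the switch side does. Requiring the Message-Authenticator is this example's choice (the RFC says SHOULD). The secret, identifier and attribute values are constructed.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40           # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
HDR = struct.Struct("!BBH")       # Code, Identifier, Length; 16-byte authenticator follows


def _attr(type_, value):
    """Encode one RADIUS attribute in type/length/value form."""
    return bytes((type_, len(value) + 2)) + value


def _with_zeroed(packet, offset, size):
    """Return a copy of packet with size bytes at offset replaced by zeros."""
    return packet[:offset] + bytes(size) + packet[offset + size:]


def build_disconnect_request(secret, identifier, attrs):
    """DAC side (the RADIUS server / NAC system): build a signed Disconnect-Request."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    ma_offset = 20 + len(body) + 2                    # where the 16-byte MA value lands
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = HDR.pack(DISCONNECT_REQUEST, identifier, 20 + len(body)) + bytes(16) + body
    # Message-Authenticator: HMAC-MD5 over the packet with Request Authenticator and MA zeroed.
    ma = hmac.new(secret, packet, hashlib.md5).digest()
    packet = packet[:ma_offset] + ma + packet[ma_offset + 16:]
    # Request Authenticator: MD5(Code + ID + Length + 16 zero octets + attributes + secret).
    req_auth = hashlib.md5(packet + secret).digest()
    return packet[:4] + req_auth + packet[20:]


def verify_disconnect_request(packet, src_ip, clients):
    """DAS side (what 'radius dynamic-author server' / 'client ip ... key' configures).
    clients maps a permitted source IP to its shared key. Returns (accepted, reason)."""
    if src_ip not in clients:
        return False, "unknown dynamic-author client"
    secret = clients[src_ip]
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = HDR.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, "bad code or length"
    zeroed = _with_zeroed(packet, 4, 16)              # authenticator field zeroed
    if not hmac.compare_digest(hashlib.md5(zeroed + secret).digest(), packet[4:20]):
        return False, "Request Authenticator mismatch (wrong key or altered packet)"
    off = 20                                          # walk the attribute list
    while off + 2 <= len(packet):
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > len(packet):
            return False, "malformed attribute"
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            expected = hmac.new(secret, _with_zeroed(zeroed, off + 2, 16), hashlib.md5).digest()
            if not hmac.compare_digest(expected, packet[off + 2:off + 18]):
                return False, "Message-Authenticator mismatch"
            return True, "accepted"
        off += l
    return False, "Message-Authenticator missing"


if __name__ == "__main__":
    key = b"constructed-example-secret"             # constructed; not the key from the notes
    pkt = build_disconnect_request(key, 7, [(ATTR_USER_NAME, b"alice"),
                                            (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")])
    print(verify_disconnect_request(pkt, "10.10.10.10", {"10.10.10.10": key}))
    print(verify_disconnect_request(pkt, "10.10.10.99", {"10.10.10.10": key}))
```

The verifier rejects in the same order the switch effectively does: unlisted source address first, then the key-bound Request Authenticator, then the Message-Authenticator. Because the shared key is the only thing that separates an authorised disconnect from an unsolicited one, the `key simple 123456` shown in the notes should be replaced with a long random secret before the configuration leaves the lab.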