Data Communications - Deployment - Wireless
Chapter 4: H3C WX2540H with Sangfor AC for wired Layer-2 and wireless Layer-3 Portal authentication and OA authentication
Series recap
Chapter 1: Configuring local forwarding on the H3C wireless controller
Chapter 2: Configuring 802.1X authentication on the H3C wireless controller
Chapter 3: Configuration optimisation of the H3C wireless controller
H3C WX2540H with Sangfor AC for wired Layer-2 and wireless Layer-3 Portal authentication and OA authentication
Preface
All configuration commands in this article are optimisations built on top of the wireless 802.1X authentication deployment (RADIUS + wireless controller + Sangfor Internet behaviour management).
Network topology
1. Huawei switch S1730S, IP address: 5.5.5.5
2. H3C wireless controller WX2540H, IP address: 3.3.3.3
3. Sangfor AC, IP address: 2.2.2.2
4. Wired user subnet: VLAN10
5. Wireless user subnet: VLAN20
6. Device management subnet: VLAN100
Implementation steps
1. Complete the Portal configuration on the Layer-2 switch
2. Complete the Portal configuration on the wireless controller
3. Complete the Portal configuration on the Sangfor AC
4. Test and verify the Layer-2 and Layer-3 Portal authentication process
5. Test and verify Layer-2 and Layer-3 MAC authentication
Portal configuration on the Huawei S1730S switch
Portal configuration on the Huawei S1730S switch (wired Layer-2 Portal authentication)
sysname portal-switch_5.5.5.5
dns resolve
dns server [dns-ip1]
dns server [dns-ip2]
# Configure the RADIUS server template
radius-server template default
radius-server shared-key cipher password
radius-server authentication 2.2.2.2 1812 source Vlanif 200 weight 100
radius-server accounting 2.2.2.2 1813 source Vlanif 200 weight 100
quit
# Configure the Portal URL template
url-template name urlTemplate_0
url http://2.2.2.2/cid/YYYY/portal.html
url-parameter device-ip 5.5.5.5 device-mac device-mac redirect-url redirect-url user-ipaddress user-ipaddress user-mac user-mac sysname sysname user-vlan XX
url-parameter mac-address format delimiter - normal
quit
# Configure the Portal authentication server
web-auth-server NAC
server-ip 2.2.2.2
port 50100
shared-key cipher password
url-template urlTemplate_0
source-ip 5.5.5.5
quit
# Configure the Portal access profile
portal-access-profile name portal_access_profile
web-auth-server NAC direct
portal timer offline-detect 3600
quit
# Configure the MAC authentication profile
mac-access-profile name mac_access_profile
mac-authen reauthenticate
mac-authen offline dhcp-release
mac-authen timer reauthenticate-period 21600
mac-authen username macaddress format with-hyphen normal
quit
# Configure the user authentication profile
authentication-profile name mac_portal_authen_profile
mac-access-profile mac_access_profile
portal-access-profile portal_access_profile
access-domain xxx.com mac-authen force
access-domain xxx.com portal force
quit
# Configure the Portal and Portal authentication server parameters
portal https-redirect wired enable
portal https-redirect blacklist packet-rate 180
portal redirect js enable
portal redirect-302 enable
portal pass dns enable # allow DNS resolution
portal max-user 64
portal quiet-period
portal timer quiet-period 100
portal quiet-times 5
web-auth-server listening-port 2000
web-auth-server version v2
# Configure the Portal authentication-free rules
free-rule-template name default_free_rule
free-rule 1 destination ip 2.2.2.2 mask 255.255.255.255 source ip any vlan 10
free-rule 2 destination ip [dns-net] mask 24 udp destination-port 389 source ip any vlan 10
free-rule 3 destination ip [dns-net] mask 24 tcp destination-port 389 source ip any vlan 10
free-rule 4 destination ip [dns-net] mask 24 udp destination-port 636 source ip any vlan 10
free-rule 5 destination ip [dns-net] mask 24 tcp destination-port 636 source ip any vlan 10
#free-rule 6 destination ip [dns-net] mask 24 udp destination-port 53 source ip any vlan 10
#free-rule 7 destination ip [dns-net] mask 24 tcp destination-port 53 source ip any vlan 10
#free-rule 8 destination ip [dns-net] mask 24 tcp destination-port 5223 source ip any vlan 10 # allow macOS DNS requests
quit
# Configure the Portal-related AAA and domain authentication
aaa
authentication-scheme nac
authentication-mode radius
quit
accounting-scheme nac
accounting-mode radius
quit
domain-name-delimiter @
domain-location after-delimiter
domainname-parse-direction left-to-right
domain xxx.com
authentication-scheme nac
accounting-scheme nac
radius-server default
quit
quit
# All downlink ports of the S1730S (1-51): apply the Layer-2 MAC and Portal authentication profile
int range gi 0/0/1 to gi 0/0/51
port link-type access
stp edged-port enable
desc Client
authentication-profile mac_portal_authen_profile
quit
int gi 0/0/52 # port 52 is the uplink
port link-type trunk
port tr all vlan all
undo port tr all vlan 1
stp point-to-point force
quit
Portal configuration on the H3C WX2540H wireless controller
Portal configuration on the H3C WX2540H wireless controller (wireless Layer-3 Portal authentication)
sysname portal-wireless-switch_3.3.3.3
dns server [dns-ip1]
dns server [dns-ip2]
ip https enable
# Configure the WLAN service template
wlan service-template ssid-portal
ssid SSID-Portal
vlan 20
client max-count 256
client association-location ap
client forwarding-location ap vlan 20
quick-association enable
user-isolation enable
akm mode psk
preshared-key pass-phrase cipher password
cipher-suite ccmp
security-ie rsn
client-security authentication-mode mac
client-security ignore-authentication
mac-authentication domain xxx.com
pmf optional
ft method over-the-ds
portal enable method direct
portal domain xxx.com
portal bas-ip 3.3.3.3
portal apply web-server nac_portal_web
portal ipv4-max-user 1024
portal fail-permit web-server
service-template enable
quit
radius session-control enable
# Configure the RADIUS scheme
radius scheme nac_portal
primary authentication 2.2.2.2 key cipher password
primary accounting 2.2.2.2 key cipher password
accounting-on enable
key authentication cipher password
key accounting cipher password
timer quiet 10
timer realtime-accounting 24
nas-ip 3.3.3.3
quit
#
radius dynamic-author server
client ip 2.2.2.2 key cipher password
quit
# Configure the Portal authentication domain
domain xxx.com
authorization-attribute idle-cut 360 20480
authentication lan-access radius-scheme nac_portal
authorization lan-access radius-scheme nac_portal
accounting lan-access radius-scheme nac_portal
authentication portal radius-scheme nac_portal
authorization portal radius-scheme nac_portal
accounting portal radius-scheme nac_portal
# Configure the default Portal domain
domain default enable xxx.com
# Configure the Portal and Portal authentication server parameters
portal max-user 2048
portal user-logoff after-client-offline enable
portal client-gateway interface Vlan-interface100
portal idle-cut dhcp-capture enable
web idle-timeout 60
# Configure the Portal authentication-free rules
portal free-rule 1 destination ip any udp 53
portal free-rule 2 destination ip any tcp 53
portal free-rule 3 destination ip 2.2.2.2 255.255.255.255
portal free-rule 4 destination ip 1.1.1.2 255.255.255.255 # pass the Sangfor AC virtual redirect IP
portal free-rule 5 destination ip any tcp 5223 # allow macOS DNS requests
portal free-rule 6 destination login.dingtalk.com # DingTalk OA authentication domain
portal free-rule 7 destination g.alicdn.com # resource site domain used by DingTalk OA authentication
portal free-rule 8 destination gm.mmstat.com # resource site domain used by DingTalk OA authentication
portal free-rule 9 destination cfd.aliyun.com # resource site domain used by DingTalk OA authentication
# H3C WX2540H wireless controller: when the server is under heavy load, enabling the Portal safe-redirect feature is recommended
# --------------- i.e. when CPU load is high, enable the portal safe-redirect features below
#portal safe-redirect method get post
#portal safe-redirect user-agent CaptiveNetworkSupport
#portal safe-redirect user-agent MicroMessenger
#portal safe-redirect user-agent Mozilla
#portal safe-redirect user-agent WeChat
#portal safe-redirect user-agent iPhone
#portal safe-redirect user-agent micromessenger
# Configure the Portal authentication server
portal web-server nac_portal_web
url http://2.2.2.2/cid/XXXX/portal.html
server-detect log
server-type cmcc # the H3C wireless controller uses the CMCC 2.0 Portal protocol
captive-bypass ios optimize enable # make iOS pop up the Portal authentication page when joining the Wi-Fi
server-detect url http://2.2.2.2/cid/XXXX/portal.html
url-parameter ap-mac ap-mac
url-parameter original-url original-url
url-parameter source-address source-address
url-parameter source-mac source-mac
url-parameter ssid ssid
# Redirect rule for iOS
if-match original-url http://captive.apple.com/hotspot-detect.html redirect-url http://2.2.2.2/cid/XXXX/portal.html?client_type=ios
# Redirect rule for macOS
if-match original-url http://www.apple.com redirect-url http://2.2.2.2/cid/XXXX/portal.html?client_type=macos
# Portal server configuration
portal server nac_portal_server
ip 2.2.2.2 key cipher password
user-sync timeout 2400
server-type cmcc
portal roaming-center
roaming-center enable
# enable the roaming center function
client roaming-center
portal mac-trigger-server ac_server
ip 2.2.2.2
server-type cmcc
authentication-timeout 5
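As an added illustration (not the page's or H3C's own code), the Python below models the two decisions the controller configuration above makes for an unauthenticated client: whether a flow passes a portal free-rule (the switch's free-rule-template on the wired side performs the same check), and which redirect URL a blocked HTTP request receives, including the if-match client_type override for the iOS and macOS captive-portal probes. The client values are constructed; exact matching of if-match original-url and appending the url-parameters to the if-match redirect are assumptions of the model.

```python
from urllib.parse import urlencode

# Constructed model of the WX2540H portal decisions configured above; not H3C code.
PORTAL_URL = "http://2.2.2.2/cid/XXXX/portal.html"  # XXXX is the page's placeholder

# portal free-rule entries from the controller config: (destination, proto, port).
# A destination with proto None is passed for all traffic.
FREE_RULES = [
    ("any", "udp", 53), ("any", "tcp", 53),
    ("2.2.2.2", None, None),          # Sangfor AC portal / RADIUS server
    ("1.1.1.2", None, None),          # Sangfor AC virtual redirect IP
    ("any", "tcp", 5223),
    ("login.dingtalk.com", None, None), ("g.alicdn.com", None, None),
    ("gm.mmstat.com", None, None), ("cfd.aliyun.com", None, None),
]

# if-match original-url rules: matched URL -> client_type added to the redirect.
IF_MATCH = {
    "http://captive.apple.com/hotspot-detect.html": "ios",
    "http://www.apple.com": "macos",
}


def is_free(dst, proto=None, port=None):
    """True if an unauthenticated client's flow to dst is allowed by a free-rule."""
    for rule_dst, rule_proto, rule_port in FREE_RULES:
        if rule_dst not in ("any", dst):
            continue
        if rule_proto is None or (rule_proto == proto and rule_port == port):
            return True
    return False


def redirect_url(original_url, client):
    """Redirect sent for a non-free HTTP request (url-parameters appended; assumed)."""
    base = PORTAL_URL
    for matched, client_type in IF_MATCH.items():
        if original_url == matched:   # exact match assumed
            base = f"{PORTAL_URL}?client_type={client_type}"
            break
    params = [
        ("ap-mac", client["ap_mac"]),
        ("original-url", original_url),
        ("source-address", client["ip"]),
        ("source-mac", client["mac"]),
        ("ssid", client["ssid"]),
    ]
    return base + ("&" if "?" in base else "?") + urlencode(params)
```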
Other configuration optimisations
Enhanced roaming on the wireless controller
# wlan service-template
bss transition-management enable
bss transition-management disassociation recommended timer 45
sacp roam-optimize traffic-hold enable advanced
# ap-model --- radio 1
resource-measure enable
sacp roam-optimize bss-candidate-list enable
sacp anti-sticky enable rssi 30 interval 3 forced-logoff
Sangfor AC configuration
RADIUS configuration screenshot
Virtual redirect IP configuration screenshot
Sangfor AC authentication policy and OA authentication configuration
- Authentication method: single sign-on + password authentication, falling back to password authentication when single sign-on fails; under authentication servers, tick LDAP authentication and OA authentication.
- To make sure users are not asked to authenticate repeatedly and that the authentication is valid for only X days, in post-authentication handling tick [automatically add users to the local organisation structure] and [automatically record user-to-IP/MAC bindings], authentication-free, bind MAC, valid for X days.
- Under authentication servers, add LDAP authentication and OA authentication.
Testing and verification
iOS and Android devices pop up the Portal authentication page directly after connecting to the Wi-Fi. Verification as follows:
When Windows connects to the wired network it performs Layer-2 Portal authentication; when it connects to the wireless network it performs Layer-3 Portal authentication. Both Portal authentication pages point to the same page template, where the user can choose domain-controller LDAP password login or OA login.