全局配置
交换机配置 版本H3C S5120-v5
#配置 radius 服务器信息
[H3C]radius scheme feilian_rd #创建radius方案并进入其视图
[H3C-radius-feilian_rd]primary authentication 10.10.69.116 2812 #配置主认证服务器ip地址与端口
[H3C-radius-feilian_rd]key authentication xxxx #配置认证共享密钥
[H3C-radius-feilian_rd]primary accounting 10.10.69.116 2813 #配置主计费服务器IP与端口
[H3C-radius-feilian_rd]key accounting xxxx #配置计费共享密钥
[H3C-radius-feilian_rd]timer realtime-accounting 3 #配置计费周期
[H3C-radius-feilian_rd]user-name-format without-domain #发送给服务器的用户名不带域名
[H3C-radius-feilian_rd]secondary authentication 10.10.69.117 2812 #配置备认证服务器ip地址与端口
[H3C-radius-feilian_rd]secondary accounting 10.10.69.117 2813 #配置备计费服务器IP与端口
[H3C-radius-feilian_rd]quit
#配置 ISP 域:
[H3C]domain feilian_ad #创建域并进入视图
[H3C-isp-feilian_ad]authentication lan-access radius-scheme feilian_rd #配置802.1x用户使用radius方案进行认证,授权
[H3C-isp-feilian_ad]authorization lan-access radius-scheme feilian_rd
[H3C-isp-feilian_ad]accounting lan-access radius-scheme feilian_rd #配置计费方案为feilian_rd
[H3C-isp-feilian_ad]quit
#全局开启802.1x
[H3C]dot1x #开启全局 802.1x特性
[H3C]dot1x authentication-method eap #开启eap中继模式
#端口下配置802.1x
[H3C]interface Ethernet 1/0/1 #进入指定端口视图
[H3C-Ethernet1/0/1]port link-type hybrid #建议使用 hybrid 端口类型以支持动态 vlan
[H3C-Ethernet1/0/1]mac-vlan enable
[H3C-Ethernet1/0/1]dot1x #端口开启1x认证
[H3C-Ethernet1/0/1]dot1x port-method macbased #端口模式使用 mac-based 以支持多终端接入
[H3C-Ethernet1/0/1]undo dot1x handshake #建议关闭握手功能,避免终端频繁握手重连
[H3C-Ethernet1/0/1]undo dot1x multicast-trigger #建议关闭组播触发,避免终端频繁认证
[H3C-Ethernet1/0/1]dot1x unicast-trigger #建议开启,缩短1x认证触发时间
[H3C-Ethernet1/0/1]dot1x mandatory-domain feilian_ad #配置端口强制使用的认证域,如果不配则使用全局默认域
[H3C-Ethernet1/0/1]quit
#端口下配置基于MAC地址的接入控制
[H3C]mac-authentication #开启全局 mac 认证特性
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]mac-authentication #开启此端口MAC地址认证
[H3C-Ethernet1/0/1]mac-authentication domain feilian_ad #配置mac认证时强制使用的认证域,如果不配则使用全局默认域
[H3C-Ethernet1/0/1]quit
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]mac-authentication parallel-with-dot1x #配置 mac 认证与 802.1x 认证同步
[H3C-Ethernet1/0/1]quit
#端口开启逃生vlan
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]port hybrid vlan 85 untagged
[H3C-Ethernet1/0/1]dot1x critical vlan 85
[H3C-Ethernet1/0/1]quit
#开启 coa
[H3C]radius dynamic-author server
[H3C]client ip 10.10.69.116 key simple xxxx
[H3C]client ip 10.10.69.117 key simple xxxx
交换机配置 S5500-28C-EI-V5.2
#配置 radius 服务器信息
[H3C]radius scheme feilian_rd #创建radius方案并进入其视图
[H3C-radius-feilian_rd]primary authentication 10.10.69.116 2812 #配置主认证服务器ip地址与端口
[H3C-radius-feilian_rd]key authentication xxxx #配置认证共享密钥
[H3C-radius-feilian_rd]primary accounting 10.10.69.116 2813 #配置主计费服务器IP与端口
[H3C-radius-feilian_rd]key accounting xxxx #配置计费共享密钥
[H3C-radius-feilian_rd]timer realtime-accounting 3 #配置计费周期
[H3C-radius-feilian_rd]user-name-format without-domain #发送给服务器的用户名不带域名
[H3C-radius-feilian_rd]secondary authentication 10.10.69.117 2812 #配置备认证服务器ip地址与端口
[H3C-radius-feilian_rd]secondary accounting 10.10.69.117 2813 #配置备计费服务器IP与端口
[H3C-radius-feilian_rd]quit
#配置 ISP 域:
[H3C]domain feilian_ad #创建域并进入视图
[H3C-isp-feilian_ad]authentication lan-access radius-scheme feilian_rd #配置802.1x用户使用radius方案进行认证,授权
[H3C-isp-feilian_ad]authorization lan-access radius-scheme feilian_rd
[H3C-isp-feilian_ad]accounting lan-access radius-scheme feilian_rd #配置计费方案为feilian_rd
[H3C-isp-feilian_ad]quit
#全局开启802.1x
[H3C]dot1x #开启全局 802.1x特性
[H3C]dot1x authentication-method eap #开启eap中继模式
#端口下配置802.1x
[H3C]interface Ethernet 1/0/1 #进入指定端口视图
[H3C-Ethernet1/0/1]port link-type hybrid #建议使用 hybrid 端口类型以支持动态 vlan
[H3C-Ethernet1/0/1]mac-vlan enable
[H3C-Ethernet1/0/1]dot1x #端口开启1x认证
[H3C-Ethernet1/0/1]dot1x port-method macbased #端口模式使用 mac-based 以支持多终端接入
[H3C-Ethernet1/0/1]undo dot1x handshake #建议关闭握手功能,避免终端频繁握手重连
[H3C-Ethernet1/0/1]undo dot1x multicast-trigger #建议关闭组播触发,避免终端频繁认证
[H3C-Ethernet1/0/1]dot1x unicast-trigger #建议开启,缩短1x认证触发时间
[H3C-Ethernet1/0/1]dot1x mandatory-domain feilian_ad #配置端口强制使用的认证域,如果不配则使用全局默认域
[H3C-Ethernet1/0/1]quit
#端口下配置基于MAC地址的接入控制
[H3C]mac-authentication #开启全局 mac 认证特性
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]mac-authentication #开启此端口MAC地址认证
[H3C-Ethernet1/0/1]mac-authentication domain feilian_ad #配置mac认证时强制使用的认证域,如果不配则使用全局默认域
[H3C-Ethernet1/0/1]quit
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]mac-authentication parallel-with-dot1x #配置 mac 认证与 802.1x 认证同步
[H3C-Ethernet1/0/1]quit
#端口开启逃生vlan
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]port hybrid vlan 85 untagged
[H3C-Ethernet1/0/1]dot1x critical vlan 85
[H3C-Ethernet1/0/1]quit
#全局配置
switch#config terminal
switch(config)#aaa new-model #启用aaa认证
switch(config)#dot1x system-auth-control #全局启用dot1x认证
#配置 aaa group
switch(config)#aaa group server radius feilian_rg
Switch(config-sg-radius)#server 10.10.69.116 auth-port 2812 acct-port 2813
Switch(config-sg-radius)#server 10.10.69.117 auth-port 2812 acct-port 2813
Switch(config-sg-radius)#exit
#配置radius-server模板
switch(config)#radius-server host 10.10.69.116 auth-port 2812 acct-port 2813 key xxxx
switch(config)#radius-server host 10.10.69.117 auth-port 2812 acct-port 2813 key xxxx
Switch(config-radius-server)#exit
#配置aaa认证方案
switch(config)#aaa authentication dot1x default group feilian_rg #配置802.1x认证使用radius服务器数据库
switch(config)#aaa authorization network default group feilian_rg #配置802.1x网络授权使用radius服务器。
switch(config)#aaa accounting update periodic 3
#配置启用计费更新报文发送
#配置启用 radius 计费
switch(config)#aaa accounting dot1x default start-stop group feilian_rg
switch(config)#aaa accounting network default start-stop group feilian_rg
switch(config)#radius-server attribute 8 include-in-access-req #配置交换机携带终端 IP 地址
#配置端口
switch(config)#int g1/0/1 #进入需要开启802.1x认证的端口,如果需要进入多个端口,可以用指令:int range g1/0/1 - 3,表示进入端口1-3
switch(config-if)#switchport mode access #设置端口模式为访问模式
switch(config-if)#authentication port-control auto #部分思科ios没有该命令,用dot1x pae authenticator代替
switch(config-if)#dot1x port-control auto #端口开启dot1x认证
switch(config-if)#authentication host-mode multi-auth #设置端口接入模式为多认证模式,此时允许多个用户分别接入认证
switch(config-if)#exit
#开启MAB认证
switch(config)#int g1/0/1
switch(config-if)#mab #开启MAB认证
switch(config-if)#dot1x timeout tx-period 10 #配置超时进行mab认证的时间 注意:这里如果配置10秒则进行mab认证时间为 10 * 3
switch(config-if)#dot1x max-reauth-req 2
switch(config-if)#exit
#开启逃生vlan
switch(config)#int g1/0/1
switch(config-if)#authentication event server dead action reinitialize vlan 85
switch(config-if)#exit
#开启 coa
switch(config)#aaa server radius dynamic-author
switch(config-locsvr-da-radius)#client 10.10.69.116 server-key xxxx
switch(config-locsvr-da-radius)#client 10.10.69.117 server-key xxxx
switch(config-locsvr-da-radius)#exit
端口配置
H3C交换机 端口配置
[8F-C2_23U-JR_PoE-68.40]interface GigabitEthernet 1/0/31
[8F-C2_23U-JR_PoE-68.40-GigabitEthernet1/0/31]display this
#
port link-type hybrid
port hybrid vlan 1 80 85 untagged
port hybrid pvid vlan 80
mac-vlan enable
poe enable
stp edged-port enable
mac-authentication
mac-authentication domain feilian_ad
dot1x critical vlan 85
undo dot1x handshake
dot1x mandatory-domain feilian_ad
undo dot1x multicast-trigger
dot1x
dot1x unicast-trigger
思科交换机 端口配置
interface GigabitEthernet0/14
switchport access vlan 80
switchport mode access
authentication host-mode multi-host
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10