DHCP + ACS Authentication
 
ACS: Cisco Secure Access Control Server. The Cisco Secure Access Control Server is a highly scalable, high-performance access control server that provides a comprehensive identity networking solution and is an important component of Cisco's Identity-Based Networking Services (IBNS) architecture. Cisco Secure ACS strengthens access security by combining authentication, user or administrator access, and policy control in a centralized identity networking framework. This gives enterprise networks greater flexibility and mobility, better security, and improved user productivity. Cisco Secure ACS supports a wide range of access connection types, including wired and wireless LAN, dial-up, broadband, content, storage, VoIP, firewall, and ×××. Cisco Secure ACS is a key component of Cisco Network Admission Control.
 
Lab equipment: one firewall acting as the DHCP relay, one switch, and two PCs; one PC runs two virtual machines, a Linux VM as the DHCP server and a Windows VM as the ACS server.
 
In this lab, ACS enforces secure access control on the switch, so that a PC, once admitted, obtains an address assigned by DHCP.

 
Firewall configuration:
First add the zone:
[H3C]inter eth0/0
[H3C-Ethernet0/0]ip address 192.168.1.254 255.255.255.0
[H3C]inter eth0/0.1
[H3C-Ethernet0/0.1]vlan-type ?
 dot1q IEEE 802.1Q encapsulation
[H3C-Ethernet0/0.1]vlan-type dot1q vid 10
[H3C-Ethernet0/0.1]ip address 192.168.10.254 255.255.255.0
[H3C-Ethernet0/0.1]inter eth0/0.2
[H3C-Ethernet0/0.2]vlan-type dot1q vid 30                 
[H3C-Ethernet0/0.2]ip address 192.168.30.254 255.255.255.0
Disable isolation:
[H3C]undo insulate
[H3C-zone-trust]inter eth0/0.10
[H3C-Ethernet0/0.10]ip ?
 address           Set the IP address of an interface
 fast-forwarding Fast-forwarding switch information
 policy            Enable policy routing on the interface
 relay             Relay
 urpf              Unicast reverse path forward function 
 
[H3C-Ethernet0/0.10]ip relay ?
 address Specify interface IP relay address
 
[H3C-Ethernet0/0.10]ip relay address 192.168.30.3 ?
 <cr> 
 
[H3C-Ethernet0/0.10]ip relay address 192.168.30.3    (the DHCP server's IP is 192.168.30.3)
[H3C]dhcp select relay all
 
 
Configure the switch:
[switch]inter e0/2
[switch-Ethernet0/2]port link-type trunk
[switch-Ethernet0/2]port trunk permit vlan all
 Please wait........................................... Done.
 
Create the VLANs:
[switch]vlan 10
[switch-vlan10]port e0/10
[switch]vlan 30
[switch-vlan30]port e0/3
 
Configure the switch's IP address:
[switch]inter vlan 1
[switch-Vlan-interface1]
%Apr 2 04:37:23 2000 switch L2INF/5/VLANIF LINK STATUS CHANGE:
 Vlan-interface1: turns into UP state
 
[switch-Vlan-interface1]ip address 192.168.1.100 255.255.255.0
 
 
 
Use the Linux VM as the DHCP server:
Edit /etc/dhcpd.conf:
subnet 192.168.10.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.10.254;
        option subnet-mask              255.255.255.0;

        option nis-domain               "domain.org";
        option domain-name              "qqqq.com";
        option domain-name-servers      222.88.88.88;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.10.1 192.168.10.253;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address

}


subnet 192.168.30.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.30.254;
        option subnet-mask              255.255.255.0;

        option nis-domain               "domain.org";
        option domain-name              "eee.com";
        option domain-name-servers      222.88.88.88;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;
        # the original listing ends here; the block is closed so dhcpd can parse it
}
 
Start DHCP:
 
[root@localhost Server]# service dhcpd restart
Shutting down dhcpd:                                        [ OK ]
Starting dhcpd:                                             [ OK ]
[root@localhost Server]#
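The relay on the firewall and the two subnet declarations above work together: the relay forwards the VLAN 10 client's broadcast to 192.168.30.3 as a unicast with giaddr set to 192.168.10.254, and dhcpd chooses the subnet that contains giaddr. The following added example (not part of the original write-up; the client MAC and transaction ID are constructed samples) builds such a relayed DISCOVER and applies that selection rule to the lab's subnets.

```python
# Added example, not part of the original write-up: how the firewall's DHCP relay
# ("ip relay address 192.168.30.3") lets the server on VLAN 30 answer VLAN 10.
# The relay forwards the client's broadcast as a unicast to 192.168.30.3 and puts the
# address of the receiving interface (192.168.10.254) in giaddr; dhcpd then picks the
# subnet declaration that contains giaddr. Subnets below are taken from the lab's dhcpd.conf.
import ipaddress
import struct

SUBNETS = {
    ipaddress.ip_network("192.168.10.0/24"): {"routers": "192.168.10.254",
                                              "range": ("192.168.10.1", "192.168.10.253")},
    ipaddress.ip_network("192.168.30.0/24"): {"routers": "192.168.30.254",
                                              "range": None},   # no range in the listing
}

def build_discover(chaddr: bytes, giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Minimal BOOTP/DHCPDISCOVER as it leaves the relay (constructed sample packet)."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=1 (one relay hop), secs=0,
    # flags=0x8000 (broadcast reply requested)
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)
    ciaddr_yiaddr_siaddr = b"\0" * 12
    giaddr_field = ipaddress.ip_address(giaddr).packed
    chaddr16 = chaddr.ljust(16, b"\0")
    sname_file = b"\0" * 192
    magic = b"\x63\x82\x53\x63"
    options = b"\x35\x01\x01" + b"\xff"        # option 53 = DISCOVER, then End
    return header + ciaddr_yiaddr_siaddr + giaddr_field + chaddr16 + sname_file + magic + options

def parse_giaddr(packet: bytes) -> str:
    """giaddr sits at bytes 24..27 of the fixed BOOTP header."""
    return str(ipaddress.ip_address(packet[24:28]))

def select_subnet(packet: bytes):
    """Return (network, declaration) the server would lease from, or None.

    A relayed request is matched on giaddr. dhcpd does not authenticate giaddr, so the
    server should only be reachable on UDP/67 from the relay and its own VLAN.
    """
    giaddr = ipaddress.ip_address(parse_giaddr(packet))
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        return None   # not relayed: the server uses the subnet of the receiving interface
    for net, decl in SUBNETS.items():
        if giaddr in net:
            return net, decl
    return None   # no matching subnet declaration: dhcpd cannot offer a lease
```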
 
 
Test that the VLAN 10 PC on switch port 10 obtains an address:
 
 
Configure the switch (RADIUS scheme and 802.1x):
[switch]radius scheme xxx    (create the RADIUS scheme)
New Radius server
[switch-radius-xxx]primary authen 192.168.30.100    (specify the ACS server address)
[switch-radius-xxx]key ?
 accounting       Specify RADIUS accounting server
 authentication Specify RADIUS authentication server
 
[switch-radius-xxx]key authen 123456    (shared key)
[switch-radius-xxx]account optional    (make accounting optional)
[switch-radius-xxx]server-type standard    (set the server type to standard)
[switch-radius-xxx]user-name-format without-domain    (send the user name to the server without the domain)
[switch]domain tec
New Domain added.
[switch-isp-tec]radius scheme xxx
[switch-radius-xxx]accounting?
   accounting   accounting-on
[switch-radius-xxx]accounting optional
[switch-isp-tec]access-limit enable 10    (limit the number of users in the domain)
[switch]dot1x
 802.1x is enabled globally
[switch]inter e0/10
[switch-Ethernet0/10]dot1x      
 802.1x is enabled on port Ethernet0/10
[switch-Ethernet0/10]quit dot1x ?
                          ^
 % Too many parameters found at '^' position.
[switch-Ethernet0/10]quit       
[switch]dot1x ?
 authentication-method Specify system authentication method
 dhcp-launch             Trigger system authentication when receiving DHCP
                         packet(s)
 guest-vlan              Specify guest vlan configuration information for ports
 interface               Specify interface configuration information
 max-user                Specify maximal on-line user number per port
 port-control            Specify port authenticated status
 port-method             Specify port controlled method
 quiet-period            Enable quiet period function
 re-authenticate         Enable periodic re-authentication of the client, which
                         is disabled by default
 retry                  Specify maximal request times
 retry-version-max       Specify maximal request times for version information
 supp-proxy-check        Check whether user(s) access the networks by proxy or
                         not
 timer                   Specify timer parameters
 version-check           Check the version information of 802.1x supplicant and
                         OS information of PC
 <cr>                   
 
[switch]dot1x authentication-method ?
 chap CHAP(Challenge Handshake Authentication Protocol) authentication
        method.It's default.
 eap    EAP(Extensible Authentication Protocol) authentication method(support
        eap-tls, eap-md5, peap)
 pap    PAP(Password Authentication Protocol) authentication method
 
[switch]dot1x authentication-method pap
 PAP authentication is enabled
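The shared key and the PAP method configured above determine how the switch's Access-Request carries the user's password to ACS. The following added example (not the lab's own code; the user name, password and Request Authenticator are constructed samples, and the NAS IP is the switch's VLAN 1 address from this lab) implements the RFC 2865 User-Password hiding and an Access-Request builder, which shows why the key must be identical on switch and ACS and why PAP, unlike EAP, exposes the password to anyone who holds that key.

```python
# Added example, not the lab's own code: what "key authen 123456" and
# "dot1x authentication-method pap" mean on the wire between the switch (NAS,
# 192.168.1.100) and the ACS. With PAP the password travels in the User-Password
# attribute, hidden only by XOR with MD5(secret + Request-Authenticator), chained per
# 16-byte block (RFC 2865 section 5.2); the shared key must match and should be long.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR with chained MD5."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # next block is keyed on the previous ciphertext block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the ACS performs it with the same shared key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         nas_ip: str = "192.168.1.100", authenticator: bytes = None):
    """Access-Request the switch sends for a PAP login; returns (packet, authenticator)."""
    authenticator = authenticator or os.urandom(16)   # must be fresh per request
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator
```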
VLAN 10
 
Test again that the VLAN 10 PC on switch port 10 obtains an address:
 
Install and configure ACS on the server:
 
VLAN 10 client access: