AD+IAS: implementing dynamic VLANs

Requirement: use the domain environment to control users' Internet access and to keep untrusted outside computers off the Internet (keeping costs down, so no off-the-shelf product is bought).
Equipment: an AD domain server, several layer-2 and layer-3 switches, a firewall, and a number of clients.
Conditions:
  1. A machine that is not joined to the domain, or whose user is not logged on to the domain, gets no Internet access at all.
  2. Domain users are divided into classes: class A has unrestricted Internet access, class B has time-restricted Internet access (not allowed during working hours), and class C has no Internet access at all.

INSTALL AND CONFIGURE IAS.
Step 1: If you do not already have an Active Directory environment set up, you will need to install a Windows 2000 server and configure Active Directory on at least one server. Make sure your DNS servers are set up correctly to work with Active Directory.

Step 2: Install the Microsoft IAS service onto the Domain Controller running Active Directory. IAS can be found on your Windows 2000 Server CD.
  From Control Panel go to Add/Remove Windows Components.
  Select the Networking Services option and click on the “Details” button to add a new network service.
  Select the Internet Authentication Service component to install.

Step 3: Define the IAS RADIUS clients that will authenticate to this IAS server. This will include all the Foundry devices that will be supporting 802.1X client authentication. Create a new IAS client entry for each Foundry device. Foundry devices can also have multiple IAS RADIUS servers defined to eliminate single points of failure.
  From the IAS management screen, right-click on Clients and select New Client.
  Enter the name of the device to give it a “Friendly Name” and select RADIUS as the protocol.
  Enter the IP Address or DNS Name of the Foundry device, select RADIUS Standard as the Client Vendor, check the “Client must always send the signature attribute in the request” option, and enter the shared secret that will be used to identify the Foundry device. This secret must be the same string used on the Foundry device to define the RADIUS server.

Step 4: Create a Remote Access Policy to govern access.
  From the IAS management screen, right-click on Remote Access Policies and select New Remote Access Policy.
  Enter a Policy Friendly Name to describe the policy.
  Select the Attribute Type to regulate access with. The one that makes the most sense for Foundry 802.1X Port Authentication is Day-and-Time-Restriction.
  Set the days and times during which users are allowed to authenticate. This example allows all days and times.


Step 5: Turn on Remote Access Logging.
  From the IAS management screen, select the Remote Access Logging option. On the right pane, right-click the Local File and select Properties.
  Under the “Settings” tab, select the desired logging features.
  Under the “Local File” tab, make sure the Log File Format is set to IAS Format and set how long log entries are kept.

Step 6: Configure password storage in reversibly encrypted format to support EAP-MD5. This step is required because of the way EAP-MD5 handles passwords: the server must be able to recover the cleartext password, which means every account covered by the setting has its password stored in a recoverable form.
  From the “Active Directory Users and Computers” menu option, right-click the name of your Active Directory domain and select Properties.
  From the Properties screen, select the “Group Policy” tab. Highlight the “Default Domain Policy” and click on the “Edit” button.
  Under the “Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy” tree, set the “Store password using reversible encryption…” to Enable.

Step 7: Enable “Dial-In” access and “Password Reversible Encryption” for user accounts.
  After the account is created, double-click on the user account to display the user account Properties.
  Under the “Dial-In” tab, click on the “Allow Access” radio button for Remote Access Permission.
  Under the “Account” tab, check the “Store password using reversible encryption” option.


CONFIGURE REMOTE ACCESS POLICY
Using the Remote Access Policies option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous step. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom. For example, if the Day-And-Time Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence.
  Right click Remote Access Policies and select New Remote Access Policy.
  Enter a Policy Friendly Name that describes the policy. Each Remote Access Policy will be matched to one VLAN Group. An example may be, “Allow - VLAN 10 Policy”. Select the “Next” button to continue.
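The paragraph above says policy order matters because IAS stops at the first policy whose conditions match. The following added example (not IAS code, and not from the original page) models that first-match walk over a constructed policy list: one Windows-Groups policy per VLAN group, a time-restricted deny for the class B users from the requirements, and the general Day-And-Time policy from Step 4. Group names, the request dictionary and the timestamps are all assumptions made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of IAS first-match policy evaluation; not IAS code.
Condition = Callable[[Dict, datetime], bool]


@dataclass
class Policy:
    name: str
    condition: Condition
    grant: bool                  # Grant vs. Deny remote access permission
    vlan: Optional[str] = None   # Tunnel-Pvt-Group-ID returned by the profile, if any


def windows_group(group: str) -> Condition:
    """Windows-Groups condition: the user is a member of the named group."""
    return lambda req, now: group in req["groups"]


def day_and_time(start_hour: int, end_hour: int) -> Condition:
    """Day-And-Time-Restriction condition on the hour of the request."""
    return lambda req, now: start_hour <= now.hour < end_hour


def all_of(*conds: Condition) -> Condition:
    """IAS ANDs the conditions of one policy: every one must match."""
    return lambda req, now: all(c(req, now) for c in conds)


def evaluate(policies: List[Policy], request: Dict, now: datetime) -> Tuple[Optional[str], bool, Optional[str]]:
    """Return (matched policy name, access granted, VLAN).

    The first policy whose conditions match decides the result; no match means
    the request is rejected.
    """
    for p in policies:
        if p.condition(request, now):
            return p.name, p.grant, p.vlan
    return None, False, None


# Constructed policies (hypothetical group names).
VLAN10 = Policy("Allow - VLAN 10 Policy", windows_group("VLAN10-Users"), True, "10")
VLAN20 = Policy("Allow - VLAN 20 Policy", windows_group("VLAN20-Users"), True, "20")
CLASS_B_WORK_HOURS = Policy("Deny - Class B during working hours",
                            all_of(windows_group("ClassB"), day_and_time(9, 18)), False)
ANY_TIME = Policy("Day-And-Time (all days, all times)", day_and_time(0, 24), True, None)

SPECIFIC_FIRST = [CLASS_B_WORK_HOURS, VLAN10, VLAN20, ANY_TIME]   # most specific at the top
GENERAL_FIRST = [ANY_TIME, CLASS_B_WORK_HOURS, VLAN10, VLAN20]    # general policy left at the top

# Constructed requests and timestamps.
ALICE = {"user": "alice", "groups": ["Domain Users", "VLAN10-Users"]}
BOB = {"user": "bob", "groups": ["Domain Users", "ClassB", "VLAN20-Users"]}
WORK_HOURS = datetime(2024, 1, 15, 10, 30)
EVENING = datetime(2024, 1, 15, 20, 0)

if __name__ == "__main__":
    print(evaluate(SPECIFIC_FIRST, ALICE, WORK_HOURS))   # ('Allow - VLAN 10 Policy', True, '10')
    print(evaluate(GENERAL_FIRST, ALICE, WORK_HOURS))    # ('Day-And-Time (all days, all times)', True, None)
    print(evaluate(SPECIFIC_FIRST, BOB, WORK_HOURS))     # ('Deny - Class B during working hours', False, None)
    print(evaluate(SPECIFIC_FIRST, BOB, EVENING))        # ('Allow - VLAN 20 Policy', True, '20')
```

With the general policy at the top, every user matches it first and is granted access with no tunnel attributes, so the VLAN policies below it are never consulted and the port is not moved to the intended VLAN; the class B deny is likewise never reached. Putting the deny and the per-VLAN policies above it restores the intended behaviour.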

New Remote Access Policy for VLAN Group
  The Conditions Window will be displayed. Select “Add” to add the condition that this policy will act on.
  Select the “Windows-Groups” attribute type and click on the “Add” button.

  The Groups window will be displayed. Click on the “Add” button and select the VLAN Group that matches this new policy. Only one VLAN Group should be associated with each policy.
  Select the “OK” and “Next” options in the next few screens to accept the group value.

Adding VLAN Group
  On the Edit Dial-In Profile screen, select the “IP” tab and check “Client may request an IP address” to support DHCP.
  On the Edit Dial-In Profile screen, select the “Advanced” tab. The current default parameters returned to the Foundry device should be Service-Type and Framed-Protocol.
  Select the “Add” button to add the additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.

Connection Attributes Screen
  The RADIUS Attribute screen is displayed. From this list, three RADIUS attributes will be added:
    - Tunnel-Medium-Type
    - Tunnel-Pvt-Group-ID
    - Tunnel-Type

Tunnel-Medium-Type
  Select Tunnel-Medium-Type and click on the “Add” button.
  On the Multivalued Attribute Information screen, click on the “Add” button.
  The Enumerable Attribute Information screen is displayed. Select the “802” value from the Attribute Value drop down box.
  Select “OK” to accept the value.
  Return to the RADIUS Attribute Screen.

Tunnel-Pvt-Group-ID
  Select Tunnel-Pvt-Group-ID and click on the “Add” button.
  On the Multivalued Attribute Information screen, click on the “Add” button.
  The Attribute Information screen is displayed. Enter the correct VLAN ID or Name for this policy. Users belonging to the VLAN Group specified in this policy will be assigned to the VLAN ID specified.
  Select “OK” to accept the value.
  Return to the RADIUS Attribute Screen.

Tunnel-Type
  Select Tunnel-Type and click on the “Add” button.
  On the Multivalued Attribute Information screen, click on the “Add” button.
  The Enumerable Attribute Information screen is displayed. Select the Virtual LANs (VLAN) option from the Attribute Value drop down box.
  Select “OK” to accept the value.
  Return to the RADIUS Attribute Screen and select the “Close” button.
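The three attributes entered above are the RFC 2868 tunnel attributes that a switch reads from the Access-Accept to pick the port's VLAN. The following added example (not IAS or Foundry code, and not from the original page) encodes them the way they appear on the wire, with the enumerated values behind the IAS drop-down choices (Tunnel-Type 13 for "Virtual LANs (VLAN)", Tunnel-Medium-Type 6 for "802"; the IAS UI's Tunnel-Pvt-Group-ID is RFC 2868's Tunnel-Private-Group-ID), and shows a decoder that only accepts a VLAN when all three attributes are present and consistent. The VLAN ID "10" and the malformed input are constructed sample values.

```python
# Added example: RFC 2868 tagged tunnel attributes for 802.1X dynamic VLAN assignment.
TUNNEL_TYPE = 64               # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID (shown as Tunnel-Pvt-Group-ID in IAS)
TUNNEL_TYPE_VLAN = 13          # "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_IEEE_802 = 6     # "802"


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer attribute: Type, Length, Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag or value out of range")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string(attr_type: int, text: str, tag: int = 0) -> bytes:
    """Tagged string attribute: Type, Length, Tag, string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    body = bytes([tag]) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_attributes(vlan: str, tag: int = 0) -> bytes:
    """The attribute set a per-VLAN policy from the page returns in its Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def parse_attributes(data: bytes) -> list:
    """Split RADIUS attribute bytes into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def extract_vlan(attrs: list):
    """Return the VLAN ID string only if Tunnel-Type=VLAN and Tunnel-Medium-Type=802
    accompany a Tunnel-Private-Group-ID; otherwise None (no dynamic assignment)."""
    tunnel_type = medium = group = None
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            n = int.from_bytes(value[1:], "big")   # skip the tag byte
            if attr_type == TUNNEL_TYPE:
                tunnel_type = n
            else:
                medium = n
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    return group.decode("ascii")


if __name__ == "__main__":
    wire = build_vlan_attributes("10")          # constructed sample VLAN
    print(wire.hex())                           # 400600000d0d... style dump of the 17 bytes
    print(extract_vlan(parse_attributes(wire)))  # 10
```

The decoder is deliberately strict: a Tunnel-Private-Group-ID on its own, without the matching Tunnel-Type and Tunnel-Medium-Type, yields no VLAN, which mirrors the page's point that all three attributes are required for the assignment to take effect.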
