H3C switch with Sangfor AC for 802.1x authentication
This post describes how an H3C access switch works together with a Sangfor AC appliance for 802.1x authentication: the Sangfor appliance acts as the authentication (RADIUS) server and the H3C switch acts as the NAS client. When the Sangfor AC is used for network admission, the only supported authentication method is EAP.
Sangfor authentication with local accounts
1. Configure 802.1x authentication on the Sangfor AC:
The AC address is 192.168.1.94; the RADIUS shared secret is "a123456".
2. Create local accounts:
Both local accounts use the password "123456".
3. Configure dot1x authentication on the switch:
[H3C]dot1x
[H3C]dot1x authentication-method eap # Sangfor as the server supports only EAP
[H3C]dot1x retry 3 # how many attempts before authentication is considered failed
[H3C]radius scheme sangfor # configure the RADIUS scheme
[H3C-radius-sangfor]primary authentication 192.168.1.94 # Sangfor AC address
[H3C-radius-sangfor]primary accounting 192.168.1.94
[H3C-radius-sangfor]key authentication a123456 # shared secret
[H3C-radius-sangfor]key accounting a123456
[H3C-radius-sangfor]nas-ip 192.168.1.2 # source address used for requests sent to the server; it must be reachable from the server; this is the switch's address
[H3C-radius-sangfor]quit
[H3C]
[H3C]domain sangfor.local # configure the authentication domain
[H3C-isp-sangfor.local]authentication lan-access radius-scheme sangfor # authorizing the lan-access service is sufficient
[H3C-isp-sangfor.local]authorization lan-access radius-scheme sangfor
[H3C-isp-sangfor.local]accounting lan-access radius-scheme sangfor
[H3C-isp-sangfor.local]quit
[H3C]
[H3C]interface Ethernet 1/0/1 # enable dot1x authentication on the port
[H3C-Ethernet1/0/1]dot1x
[H3C-Ethernet1/0/1]dot1x mandatory-domain sangfor.local
[H3C-Ethernet1/0/1]quit
4. Download the Sangfor admission client, enable dot1x authentication in it, then install and test:
5. Authentication exemption (static MAC entry for the device on the port):
[H3C]mac-address static 000c-2930-ca52 interface Ethernet 1/0/1 vlan 1
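The `radius scheme` lines above only make sense once you see what the switch and the AC do with them on the wire: the NAS sends an Access-Request carrying the user's EAP message plus a Message-Authenticator keyed with the shared secret (RFC 3579 requires it whenever EAP-Message is present), and it accepts the AC's reply only if the Response Authenticator was computed with the same secret and the Request Authenticator it sent (RFC 2865). The script below is an added example, not code from the original post or from H3C/Sangfor; it builds one constructed exchange with the page's values (`a123456`, `nas-ip 192.168.1.2`) and a hypothetical user `user1@sangfor.local`, then shows that a secret mismatch on either side makes both checks fail, which is exactly the "silently dropped" symptom you see when `key authentication` differs between switch and AC.

```python
"""Added example: RADIUS Message-Authenticator and Response Authenticator checks
for an EAP exchange between an H3C NAS and a RADIUS server (RFC 2865 / RFC 3579)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

SHARED_SECRET = b"a123456"   # value from the page: `key authentication a123456`
NAS_IP = "192.168.1.2"       # value from the page: `nas-ip 192.168.1.2`

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RADIUS header (Code, Identifier, Length) + 16-byte Authenticator + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, username: str, eap_payload: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Access-Request with EAP-Message and a Message-Authenticator, which is
    HMAC-MD5(secret, whole packet with the Message-Authenticator value zeroed)."""
    if request_auth is None:
        request_auth = os.urandom(16)           # random Request Authenticator
    attrs = (tlv(ATTR_USER_NAME, username.encode("utf-8"))
             + tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + tlv(ATTR_EAP_MESSAGE, eap_payload)
             + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    # Message-Authenticator is the last attribute, so its value is the final 16 bytes.
    return pkt[:-16] + mac


def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute the Message-Authenticator; False if absent or if the
    secret (or any byte of the packet) differs."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2:                          # malformed attribute; stop parsing
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_ok(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept the reply only if its Identifier matches our request and its
    Response Authenticator was computed with our secret and Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo(secret_on_server: bytes = SHARED_SECRET) -> dict:
    """One constructed exchange: switch uses SHARED_SECRET, the server uses
    `secret_on_server`. Returns which side's check passes."""
    # Constructed EAP Response/Identity: code 2, id 1, length 24, type 1, "user1@sangfor.local".
    eap_identity = b"\x02\x01\x00\x18\x01user1@sangfor.local"
    req = build_access_request(7, "user1@sangfor.local", eap_identity, SHARED_SECRET)
    resp = build_response(ACCESS_ACCEPT, req, secret_on_server)
    return {
        "server_accepts_request": message_authenticator_ok(req, secret_on_server),
        "nas_accepts_reply": response_ok(resp, req, SHARED_SECRET),
    }


if __name__ == "__main__":
    print("matching secret:", demo())
    print("mismatched secret:", demo(b"something-else"))
```

Run it as-is to see both checks pass with the page's secret and both fail when the server-side secret differs. When a real deployment shows the client stuck at "authenticating", this is the first thing to confirm on the AC side: the switch never reports a secret mismatch as such, it just discards replies that fail `response_ok`.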
Sangfor authentication with AD domain accounts
1. Change the authentication method to AD domain controller and join the domain "mynet.top":
2. Configure dot1x authentication on the switch:
[H3C]dot1x
[H3C]dot1x authentication-method eap # Sangfor as the server supports only EAP
[H3C]dot1x retry 3 # how many attempts before authentication is considered failed
[H3C]radius scheme sangfor # configure the RADIUS scheme
[H3C-radius-sangfor]primary authentication 192.168.1.94 # Sangfor AC address
[H3C-radius-sangfor]primary accounting 192.168.1.94
[H3C-radius-sangfor]key authentication a123456 # shared secret
[H3C-radius-sangfor]key accounting a123456
[H3C-radius-sangfor]nas-ip 192.168.1.2 # source address used for requests sent to the server; it must be reachable from the server; this is the switch's address
[H3C-radius-sangfor]quit
[H3C]
[H3C]domain mynet.top
[H3C-isp-mynet.top]authentication lan-access radius-scheme sangfor
[H3C-isp-mynet.top]authorization lan-access radius-scheme sangfor
[H3C-isp-mynet.top]accounting lan-access radius-scheme sangfor
[H3C-isp-mynet.top]quit
[H3C]
[H3C]interface Ethernet 1/0/1
[H3C-Ethernet1/0/1]dot1x
[H3C-Ethernet1/0/1]dot1x mandatory-domain mynet.top
[H3C-Ethernet1/0/1]quit
3. A successful authentication is logged on the switch as follows:
[H3C]
%Apr 26 15:17:18:809 2000 H3C RDS/6/RDS_SUCC: -IfName=Ethernet1/0/1-VlanId=1-MACAddr=B0:0C:D1:6B:C7:71-IPAddr=N/A-IPv6Addr=N/A-UserName=SANGFORCLIENT张飞@mynet.top; User got online successfully.
[H3C]
4. Authentication exemption (static MAC entry for the device on the port):
[H3C]mac-address static 000c-2930-ca52 interface Ethernet 1/0/1 vlan 1
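The `RDS/6/RDS_SUCC` line above is the switch's record of who came online on which port, and it is the event a defender should be collecting rather than just eyeballing on the console. The parser below is an added example, not code from the original post or from H3C; it splits the `-Key=Value` field list of that message, builds a per-port list of online sessions, and flags users whose realm is not the `mandatory-domain` configured on the port (a user authenticated against an unexpected domain is worth a look). The first sample line reproduces the page's log message; the second is constructed for the test and assumes the same message layout.

```python
"""Added example: parse H3C RDS_SUCC syslog lines and list online 802.1x sessions."""
import re
from typing import Dict, List, Optional

# First line is the page's own RDS_SUCC message; second line is constructed (same layout assumed).
SAMPLE_LOG = (
    "%Apr 26 15:17:18:809 2000 H3C RDS/6/RDS_SUCC: -IfName=Ethernet1/0/1-VlanId=1"
    "-MACAddr=B0:0C:D1:6B:C7:71-IPAddr=N/A-IPv6Addr=N/A-UserName=SANGFORCLIENT张飞@mynet.top;"
    " User got online successfully.\n"
    "%Apr 26 15:20:41:002 2000 H3C RDS/6/RDS_SUCC: -IfName=Ethernet1/0/3-VlanId=1"
    "-MACAddr=00:0C:29:30:CA:52-IPAddr=N/A-IPv6Addr=N/A-UserName=tester@other.example;"
    " User got online successfully.\n"
)

# %Mon DD HH:MM:SS:mmm YYYY HOST MODULE/SEVERITY/MNEMONIC: -fields; free text
LINE_RE = re.compile(
    r"^%(?P<ts>\S+ \d+ \d\d:\d\d:\d\d:\d+ \d{4}) (?P<host>\S+) "
    r"RDS/(?P<sev>\d)/(?P<mnemonic>\w+): (?P<fields>.*?); (?P<msg>.*)$"
)
# Each field is "-Key=Value"; a value runs until the next "-Key=" or end of string.
FIELD_RE = re.compile(r"-(?P<key>[A-Za-z0-9]+)=(?P<val>.*?)(?=-[A-Za-z0-9]+=|$)")


def parse_rds_line(line: str) -> Optional[Dict]:
    """Return a dict for one RDS log line, or None if the line is not an RDS message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(m.group("fields"))}
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "fields": fields,
        "message": m.group("msg"),
    }


def online_sessions(log_text: str, expected_domain: str) -> List[Dict]:
    """Collect RDS_SUCC events and check each user's realm against the port's
    mandatory domain (the page uses `dot1x mandatory-domain mynet.top`)."""
    sessions = []
    for line in log_text.splitlines():
        ev = parse_rds_line(line)
        if ev is None or ev["mnemonic"] != "RDS_SUCC":
            continue
        user = ev["fields"].get("UserName", "")
        _, _, domain = user.rpartition("@")     # realm after the last '@', '' if none
        sessions.append({
            "time": ev["timestamp"],
            "port": ev["fields"].get("IfName"),
            "vlan": ev["fields"].get("VlanId"),
            "mac": ev["fields"].get("MACAddr", "").lower(),
            "user": user,
            "domain_ok": domain == expected_domain,
        })
    return sessions


if __name__ == "__main__":
    for s in online_sessions(SAMPLE_LOG, "mynet.top"):
        flag = "" if s["domain_ok"] else "  <-- unexpected realm"
        print(f'{s["time"]} {s["port"]} vlan {s["vlan"]} {s["mac"]} {s["user"]}{flag}')
```

Feed it the switch's syslog export (or a collector's raw stream) instead of `SAMPLE_LOG`; the parser ignores non-RDS lines, and `online_sessions` gives you the port/MAC/user triple needed to reconcile who is online against the static MAC exemptions configured in step 4.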