H3CAC进行Portal认证Word文件下载.docx

H3CAC进行Portal认证Word文件下载.docx

《H3CAC进行Portal认证Word文件下载.docx》由会员分享，可在线阅读，更多相关《H3CAC进行Portal认证Word文件下载.docx（10页珍藏版）》请在冰豆网上搜索。

2、 

AC侧配置及说明

#

version5.20,Release3120P17

sysnameWX3024-AC

domaindefaultenablesystem

telnetserverenable

port-securityenable

//配置portalserver、ip、key、url以及server-type，注意这里server-type必须配置为imc

portalserverimcip172.16.0.22keycipher$c$3$6uB5v4kaCg1aSOJkOqX+==url172.16.0.22:

8080/portalserver-typeimc

//配置portalfree-rule放通AC联口

portalfree-rule0sourceinterfaceGigabitEthernet1/0/1destinationany

oapmanagement-ip192.168.0.101slot0

password-recoveryenable

vlan1

vlan24

//配置radius策略，注意server-type必须选择extended模式，注意user-name-format及nas-ip的配置必须与iMC接入策略和接入服务里配置保持一致。

radiusschemeimc

server-typeextended

primaryauthentication172.16.0.22

primaryaccounting172.16.0.22

keyauthenticationcipher$c$3$Myv0nhgPjC4vsMforZW3iCiW5KkP7Q==

keyaccountingcipher$c$3$dCEXJGp71WPyrPK4hsPJd6sdTYf01A==

user-name-formatwithout-domain

nas-ip172.16.0.202

//配置domain

domainimc

authenticationportalradius-schemeimc

authorizationportalradius-schemeimc

accountingportalradius-schemeimc

access-limitdisable

stateactive

idle-cutdisable

self-service-urldisable

domainsystem

//配置AP注册dhcppool

dhcpserverip-pool1

network192.168.0.0mask255.255.255.0

//配置终端业务dhcppool

dhcpserverip-pooloption55

network192.168.24.0mask255.255.255.0

gateway-list192.168.24.254

dns-list8.8.8.8

user-groupsystem

group-attributeallow-guest

local-useradmin

passwordcipher$c$3$iMGlwEx7o4TNbMqd7OaOAwB5SWSzOrKE

authorization-attributelevel3

service-typetelnet

wlanrrm

dot11amandatory-rate61224

dot11asupported-rate918364854

dot11bmandatory-rate12

dot11bsupported-rate5.511

dot11gmandatory-rate125.511

dot11gsupported-rate69121824364854

//配置无线服务模板

wlanservice-template10clear

ssidoption55

bindWLAN-ESS10

service-templateenable

wlanap-groupdefault_group

apap1

apap2

interfaceNULL0

//与iMC互联ip及vlan接口

interfaceVlan-interface1

ipaddress172.16.0.202255.255.255.0

# 

//终端业务互联ip及vlan接口，接口下开启portal，注意portaldomain及portalnas-ip配置需要与iMC服务器portal设备保持一致

interfaceVlan-interface24

ipaddress192.168.24.1255.255.255.0

portalserverimcmethoddirect

portaldomainimc

portalnas-ip172.16.0.202

interfaceGigabitEthernet1/0/1

portlink-typetrunk

porttrunkpermitvlanall

//配置wlan-ess接口

interfaceWLAN-ESS10

portaccessvlan24

wlanapap2modelWA2610H-GNid2

serial-id219801A0FH9136Q00287

radio1

service-template10

radioenable

//开启dhcp-snooping，使能dhcp-snooping记录用户的option55和option60信息功能

dhcp-snooping

dhcp-snoopingbindingrecorduser-identity

//配置默认路由

iproute-static0.0.0.00.0.0.0192.168.24.254

snmp-agent

snmp-agentlocal-engineid800063A203000FE2873066

snmp-agentcommunityreadpublic

snmp-agentcommunitywriteprivate

snmp-agentsys-infoversionall

//使能dhcp

dhcpenable

user-interfacecon0

user-interfacevty04

authentication-modescheme

userprivilegelevel3

return 

3、 

iMC侧配置请参考KMS-21434《 

WX系列AC与iMC配合实现无线Portal认证典型配置》，这里不再赘述。

4、 

结果验证及抓包

1）AC上查看在线的客户端和portal在线用户信息：

WX3024-AC>

diswlanclient

TotalNumberofClients 

:

2

ClientInformation

SSID:

option55

-------------------------------------------------------------------------------------------------

MACAddress 

UserName 

APID/RID 

IPAddress 

VLAN

2477-0391-7720 

-NA- 

2/1 

192.168.24.2 

24

28e1-4cb5-8249 

192.168.24.3 

disportaluserall

Index:

12

State:

ONLINE

SubState:

NONE

ACL:

Work-mode:

stand-alone

MAC 

IP 

Vlan 

Interface

----------------------------------------------------------------------------------------------

2477-0391-7720 

192.168.24.2 

24 

Vlan-interface24

13

28e1-4cb5-8249 

192.168.24.3 

Total2user（s）matched,2listed.

2）iMC上通过终端设备管理查看终端的厂商、类型以及操作系统等信息：

3）查看AC的debugging信息，可以清楚看到Radius的code=[1]报文里携带了option55和option60的属性字段：

*Apr2616:

37:

06:

9362000WX3024-ACRDS/7/DEBUG:

Sendattributelist:

9462000WX3024-ACRDS/7/DEBUG:

[1 

User-name 

][8][c09467]

[60CHAP_Challenge 

][18][6EFCA7E2624584E38EA53882A4A12C90]

[4 

NAS-IP-Address 

][6][172.16.0.202]

[32NAS-Identifier 

][11][WX3024-AC]

[5 

NAS-Port 

][6][16818200]

[87NAS_Port_Id 

][18][00024]

9862000WX3024-ACRDS/7/DEBUG:

[61NAS-Port-Type 

][6][19]

[H3C-26Connect_ID 

][6][21]

[6 

Service-Type 

][6][2]

[7 

Framed-Protocol 

][6][255]

[31Caller-ID 

][19][36432D38382D31342D35392D38392D3843]

[30Called-station-Id 

][28][74-25-8A-33-81-70:

option55]

07:

0272000WX3024-ACRDS/7/DEBUG:

[44Acct-Session-Id 

][16][160]

[8 

Framed-Address 

][6][192.168.24.4]

[H3C-255Product-ID 

][12][H3CWX3024]

[H3C-60Ip-Host-Addr 

][32][192.168.24.46c:

88:

14:

59:

89:

8c]

[H3C-208DHCP-Option55 

][14][010F03062C2E2F1F2179F92B]

[H3C-209DHCP-Option60 

][10][4DE30]

0772000WX3024-ACRDS/7/DEBUG:

[H3C-59NAS-Startup-Timestamp 

][6][956750400]

0872000WX3024-ACRDS/7/DEBUG:

Event:

BegintoswitchRADIUSserverwhensending0packet.

1082000WX3024-ACRDS/7/DEBUG:

TheRDTWLtimerhasresumeed.

%Apr2616:

1182000WX3024-ACRDS/6/RDS_SUCC:

-IfName=Vlan-interface24-VlanId=24-MACAddr=6C:

8C-IPAddr=192.168.24.4-IPv6Addr=N/A-UserName=c09467imc;

Usergotonlinesuccessfully.

1382000WX3024-ACPORTAL/5/PORTAL_USER_LOGON_SUCCESS:

-UserName=c09467-IPAddr=192.168.24.4-IfName=Vlan-interface24-VlanID=24-MACAddr=6c88-1459-898c-APMAC=7425-8A33-8170-SSID=option55-NasId=-NasPortId=;

1692000WX3024-ACRDS/7/DEBUG:

Mallocseed:

38in172.16.0.22forUserID:

21

1792000WX3024-ACRDS/7/DEBUG:

ModifyNAS-IPto172.16.0.202.

1892000WX3024-ACRDS/7/DEBUG:

Send:

IP=[172.16.0.22],UserIndex=[21],ID=[38],RetryTimes=[0],Code=[1],Length=[279]

4）通过抓包我们也可以看到这个属性字段：

四、 

配置关键点：

1、portalserver的server-type必须选择imc，radiusscheme的server-type必须选择extended。

2、全局视图下开启dhcp-snooping和dhcp-snoopingbindingrecorduser-identity。

3、AC本身并不支持终端操作系统和厂商识别，只是把相关option55和option60信息传送给iMC完成终端识别。