H3C AC Portal Authentication (Word document)
2. AC-side configuration and notes
#
 version 5.20, Release 3120P17
 sysname WX3024-AC
 domain default enable system
 telnet server enable
 port-security enable
//Configure the portal server: ip, key, url and server-type. Note that server-type must be imc here.
 portal server imc ip 172.16.0.22 key cipher $c$3$6uB5v4kaCg1aSOJkOqX+== url 172.16.0.22:8080/portal server-type imc
//Configure a portal free-rule to permit traffic on the AC uplink interface
 portal free-rule 0 source interface GigabitEthernet1/0/1 destination any
 oap management-ip 192.168.0.101 slot 0
 password-recovery enable
vlan 1
vlan 24
//Configure the RADIUS scheme. server-type must be extended, and user-name-format and nas-ip must match the access policy and access service configured on iMC.
radius scheme imc
 server-type extended
 primary authentication 172.16.0.22
 primary accounting 172.16.0.22
 key authentication cipher $c$3$Myv0nhgPjC4vsMforZW3iCiW5KkP7Q==
 key accounting cipher $c$3$dCEXJGp71WPyrPK4hsPJd6sdTYf01A==
 user-name-format without-domain
 nas-ip 172.16.0.202
//Configure the domain
domain imc
 authentication portal radius-scheme imc
 authorization portal radius-scheme imc
 accounting portal radius-scheme imc
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
//Configure the DHCP pool used for AP registration
dhcp server ip-pool 1
 network 192.168.0.0 mask 255.255.255.0
//Configure the DHCP pool used for client traffic
dhcp server ip-pool option55
 network 192.168.24.0 mask 255.255.255.0
 gateway-list 192.168.24.254
 dns-list 8.8.8.8
user-group system
 group-attribute allow-guest
local-user admin
 password cipher $c$3$iMGlwEx7o4TNbMqd7OaOAwB5SWSzOrKE
 authorization-attribute level 3
 service-type telnet
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
//Configure the WLAN service template
wlan service-template 10 clear
 ssid option55
 bind WLAN-ESS 10
 service-template enable
wlan ap-group default_group
 ap ap1
 ap ap2
interface NULL0
//IP address and VLAN interface used to reach iMC
interface Vlan-interface1
 ip address 172.16.0.202 255.255.255.0
#
//Client-facing IP address and VLAN interface; portal is enabled on this interface. Note that portal domain and portal nas-ip must match the portal device configured on the iMC server.
interface Vlan-interface24
 ip address 192.168.24.1 255.255.255.0
 portal server imc method direct
 portal domain imc
 portal nas-ip 172.16.0.202
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
//Configure the WLAN-ESS interface
interface WLAN-ESS10
 port access vlan 24
wlan ap ap2 model WA2610H-GN id 2
 serial-id 219801A0FH9136Q00287
 radio 1
  service-template 10
  radio enable
//Enable dhcp-snooping and enable recording of the clients' option 55 and option 60 information
dhcp-snooping
dhcp-snooping binding record user-identity
//Configure the default route
 ip route-static 0.0.0.0 0.0.0.0 192.168.24.254
 snmp-agent
 snmp-agent local-engineid 800063A203000FE2873066
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
//Enable DHCP
 dhcp enable
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
return
3. For the iMC-side configuration, refer to KMS-21434, "Typical configuration of wireless Portal authentication with WX-series ACs and iMC"; it is not repeated here.
4. Result verification and packet capture
1) View the online clients and the online portal users on the AC:
<WX3024-AC>dis wlan client
 Total Number of Clients           : 2

                          Client Information
 SSID: option55
 -------------------------------------------------------------------------------
 MAC Address      User Name        APID/RID   IP Address       VLAN
 -------------------------------------------------------------------------------
 2477-0391-7720   -NA-             2/1        192.168.24.2     24
 28e1-4cb5-8249   -NA-             2/1        192.168.24.3     24

<WX3024-AC>dis portal user all
 Index:12
 State:ONLINE
 SubState:NONE
 ACL:
 Work-mode:stand-alone
 MAC              IP               Vlan   Interface
 -------------------------------------------------------------------------------
 2477-0391-7720   192.168.24.2     24     Vlan-interface24
 Index:13
 State:ONLINE
 SubState:NONE
 ACL:
 Work-mode:stand-alone
 MAC              IP               Vlan   Interface
 -------------------------------------------------------------------------------
 28e1-4cb5-8249   192.168.24.3     24     Vlan-interface24
 Total 2 user(s) matched, 2 listed.
2) In iMC, view the terminal's vendor, type and operating system under Terminal Device Management:
3) In the AC's debugging output, the RADIUS Code=[1] (Access-Request) packet can clearly be seen carrying the option 55 and option 60 attribute fields:
*Apr 26 16:37:06:936 2000 WX3024-AC RDS/7/DEBUG: Send attribute list:
*Apr 26 16:37:06:946 2000 WX3024-AC RDS/7/DEBUG:
 [1 User-name][8][c09467]
 [60 CHAP_Challenge][18][6EFCA7E2624584E38EA53882A4A12C90]
 [4 NAS-IP-Address][6][172.16.0.202]
 [32 NAS-Identifier][11][WX3024-AC]
 [5 NAS-Port][6][16818200]
 [87 NAS_Port_Id][18][00024]
*Apr 26 16:37:06:986 2000 WX3024-AC RDS/7/DEBUG:
 [61 NAS-Port-Type][6][19]
 [H3C-26 Connect_ID][6][21]
 [6 Service-Type][6][2]
 [7 Framed-Protocol][6][255]
 [31 Caller-ID][19][36432D38382D31342D35392D38392D3843]
 [30 Called-station-Id][28][74-25-8A-33-81-70:option55]
*Apr 26 16:37:07:027 2000 WX3024-AC RDS/7/DEBUG:
 [44 Acct-Session-Id][16][160]
 [8 Framed-Address][6][192.168.24.4]
 [H3C-255 Product-ID][12][H3C WX3024]
 [H3C-60 Ip-Host-Addr][32][192.168.24.4 6c:88:14:59:89:8c]
 [H3C-208 DHCP-Option55][14][010F03062C2E2F1F2179F92B]
 [H3C-209 DHCP-Option60][10][4DE30]
*Apr 26 16:37:07:077 2000 WX3024-AC RDS/7/DEBUG:
 [H3C-59 NAS-Startup-Timestamp][6][956750400]
*Apr 26 16:37:07:087 2000 WX3024-AC RDS/7/DEBUG: Event: Begin to switch RADIUS server when sending 0 packet.
*Apr 26 16:37:07:108 2000 WX3024-AC RDS/7/DEBUG: The RDTWL timer has resumeed.
%Apr 26 16:37:07:118 2000 WX3024-AC RDS/6/RDS_SUCC: -IfName=Vlan-interface24-VlanId=24-MACAddr=6C:88:14:59:89:8C-IPAddr=192.168.24.4-IPv6Addr=N/A-UserName=c09467imc; User got online successfully.
%Apr 26 16:37:07:138 2000 WX3024-AC PORTAL/5/PORTAL_USER_LOGON_SUCCESS: -UserName=c09467-IPAddr=192.168.24.4-IfName=Vlan-interface24-VlanID=24-MACAddr=6c88-1459-898c-APMAC=7425-8A33-8170-SSID=option55-NasId=-NasPortId=;
*Apr 26 16:37:07:169 2000 WX3024-AC RDS/7/DEBUG: Malloc seed: 38 in 172.16.0.22 for UserID: 21
*Apr 26 16:37:07:179 2000 WX3024-AC RDS/7/DEBUG: Modify NAS-IP to 172.16.0.202.
*Apr 26 16:37:07:189 2000 WX3024-AC RDS/7/DEBUG: Send: IP=[172.16.0.22], UserIndex=[21], ID=[38], RetryTimes=[0], Code=[1], Length=[279]
4) The same attribute fields can also be seen in a packet capture:
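To make the attribute dump above concrete, here is an added Python decoder (not part of the original case and not H3C software) for the DHCP fingerprint fields the AC copies from DHCP snooping into the Access-Request: it parses the `[<id> <name>][<len>][<value>]` lines, expands the option 55 parameter request list into option codes, and decodes option 60 and Caller-ID back to text. The sample dump is constructed from the page's values; the option 60 value is an assumed `MSFT 5.0`, because the page's copy of that field is garbled.

```python
import re

# DHCP option codes -> names (RFC 2132, RFC 3442, Microsoft's 249), enough for this dump.
DHCP_OPTION_NAMES = {
    1: "Subnet Mask", 3: "Router", 6: "Domain Name Server", 15: "Domain Name",
    31: "Perform Router Discovery", 33: "Static Route", 43: "Vendor Specific Information",
    44: "NetBIOS Name Server", 46: "NetBIOS Node Type", 47: "NetBIOS Scope",
    121: "Classless Static Route", 249: "Classless Static Route (Microsoft)",
}

# Constructed sample in the shape of the RDS/7/DEBUG attribute dump. Caller-ID and
# option 55 are the page's values; option 60 is an ASSUMED 'MSFT 5.0' (4D53465420352E30).
SAMPLE_DUMP = """
[1 User-name][8][c09467]
[31 Caller-ID][19][36432D38382D31342D35392D38392D3843]
[8 Framed-Address][6][192.168.24.4]
[H3C-208 DHCP-Option55][14][010F03062C2E2F1F2179F92B]
[H3C-209 DHCP-Option60][10][4D53465420352E30]
"""

ATTR_RE = re.compile(r"\[(?P<name>[^\]]+)\]\[\s*(?P<len>\d+)\s*\]\[(?P<val>[^\]]*)\]")

def parse_attribute_dump(text):
    """Map each '[<id> <name>][<len>][<value>]' line to name -> value."""
    return {m["name"].split(maxsplit=1)[-1].strip(): m["val"] for m in ATTR_RE.finditer(text)}

def decode_option55(hex_value):
    """Option 55 (Parameter Request List): one byte per requested option code.
    The ordered code list is the fingerprint iMC compares with its OS/vendor database."""
    return [(c, DHCP_OPTION_NAMES.get(c, "unknown")) for c in bytes.fromhex(hex_value)]

def decode_option60(hex_value):
    """Option 60 (Vendor Class Identifier) is an ASCII string naming the DHCP client."""
    return bytes.fromhex(hex_value).decode("ascii", errors="replace")

def decode_caller_id(hex_value):
    """Attribute 31 Caller-ID carries the client MAC as hex-encoded ASCII text."""
    return bytes.fromhex(hex_value).decode("ascii")

def summarize(dump):
    """Return the per-client fingerprint record an operator would correlate with iMC."""
    attrs = parse_attribute_dump(dump)
    prl = decode_option55(attrs["DHCP-Option55"])
    return {
        "mac": decode_caller_id(attrs["Caller-ID"]),
        "ip": attrs["Framed-Address"],
        "option55": ",".join(str(code) for code, _ in prl),
        "option60": decode_option60(attrs["DHCP-Option60"]),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key:9} {value}")
```

The option 55 list decoded here (1,15,3,6,44,46,47,31,33,121,249,43) is the ordered request list commonly seen from Windows DHCP clients, which is why iMC can classify the terminal without the AC understanding it.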
IV. Key configuration points:
1. The portal server's server-type must be imc, and the radius scheme's server-type must be extended.
2. Enable dhcp-snooping and dhcp-snooping binding record user-identity in system view.
3. The AC itself does not identify the terminal's operating system or vendor; it only forwards the option 55 and option 60 information to iMC, which performs the terminal identification.
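An added Python checker (not from the original document) that tests a Comware configuration text against the key points above: portal server-type imc, RADIUS server-type extended, and both dhcp-snooping commands present. It also requires, as an assumption of this example since both values must agree with the same iMC device entry, that an interface's portal nas-ip equals the radius scheme's nas-ip. The configuration excerpt is constructed, with a placeholder key and two deliberate defects.

```python
# Constructed excerpt in the shape of 'display current-configuration' on a Comware V5 AC,
# with two planted defects: the interface portal nas-ip differs from the RADIUS nas-ip,
# and 'dhcp-snooping binding record user-identity' is missing.
SAMPLE_CONFIG = """\
#
 portal server imc ip 172.16.0.22 key cipher <key-placeholder> url 172.16.0.22:8080/portal server-type imc
radius scheme imc
 server-type extended
 nas-ip 172.16.0.202
interface Vlan-interface24
 portal server imc method direct
 portal nas-ip 172.16.0.203
dhcp-snooping
"""

def parse_blocks(config):
    """Group indented lines under the unindented view command that opened them;
    '#' returns to system view, whose own commands are kept under the '' key."""
    blocks, current = {"": []}, ""
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.strip() == "#":
            current = ""
        elif line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def check_portal_case(config):
    """Return the key-point rules the configuration violates (empty list means pass)."""
    b, findings = parse_blocks(config), []
    sysview = b[""]
    if not any(l.startswith("portal server ") and l.endswith(" server-type imc") for l in sysview):
        findings.append("portal server: server-type must be imc")
    scheme = b.get("radius scheme imc", [])
    if "server-type extended" not in scheme:
        findings.append("radius scheme imc: server-type must be extended")
    radius_nas = next((l.split()[1] for l in scheme if l.startswith("nas-ip ")), None)
    for view, lines in b.items():
        if view.startswith("interface ") and any(l.startswith("portal server ") for l in lines):
            portal_nas = next((l.split()[2] for l in lines if l.startswith("portal nas-ip ")), None)
            if portal_nas != radius_nas:
                findings.append(f"{view}: portal nas-ip {portal_nas} != radius nas-ip {radius_nas}")
    for cmd in ("dhcp-snooping", "dhcp-snooping binding record user-identity"):
        if cmd not in b and cmd not in sysview:  # accept either indentation style
            findings.append(f"system view: '{cmd}' missing, option 55/60 will not reach iMC")
    return findings
```

Running `check_portal_case(SAMPLE_CONFIG)` reports the nas-ip mismatch and the missing binding-record command; fixing both returns an empty list.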