Dynamic VLAN assignment based on AD + ACS + CA + 802.1X (基于AD+ACS+CA+802.1X的动态VLAN设置)
Part (1), posted 2008-06-23 15:19
802.1x authentication
Requirements:
1. A switch that supports 802.1X.
2. A RADIUS server.
3. A client PC.
Network topology: (diagram not reproduced)
Authentication method:
PEAP: certificate plus AD user account (integrated authentication).
Environment:
Operating system: Windows 2003 Enterprise Edition
RADIUS server: Windows IAS (Internet Authentication Service, installed as a Windows component)
CA server: Windows Certificate Services (installed as a Windows component)
802.1X supplicant (the source calls it the RADIUS client; strictly, the RADIUS client is the switch): built into Windows.
(Network Connection -> Properties -> Authentication). If there is no "Authentication" tab, the required service is not running:
(Start -> Run -> services.msc -> start the "Wireless Zero Configuration" service)
Configuration:
1. Install the domain. Domain name, tentatively: .
Process omitted; see the relevant documentation.
2. Install IIS (Internet Information Services), IAS and the CA:
Control Panel -> Add/Remove Programs -> Add Windows Components, as shown (screenshot not reproduced):
Note: install in the order IIS -> CA -> IAS; the order must not be changed. The CA's web enrollment pages (certsrv, used by the client below) need IIS present when Certificate Services is installed, and IAS needs a server certificate from that CA before PEAP can work.
3. Configure the CA:
Process omitted; see the relevant materials.
4. Cisco 2950G-48-EI switch configuration (show running-config). The lines that make dynamic VLAN assignment work are aaa authorization network default group radius (without it the switch ignores the VLAN attributes in the Access-Accept), dot1x system-auth-control, radius-server vsa send authentication, and on the authenticated port dot1x port-control auto together with dot1x guest-vlan 21 (the guest VLAN only catches clients that never answer EAPOL; a client that fails authentication stays unauthorized). The RADIUS key test and no service password-encryption are lab settings: the shared secret is all that authenticates the RADIUS server to the switch, so use a long random one in production.
Building configuration...

Current configuration : 4944 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Layer_4_2
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip subnet-zero
!
!
!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
interface FastEthernet0/1
 switchport access vlan 6
!
interface FastEthernet0/2
 switchport access vlan 6
!
interface FastEthernet0/3
 switchport access vlan 6
!
interface FastEthernet0/4
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 6
!
interface FastEthernet0/21
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/25
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/26
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/27
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/28
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/29
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/30
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/31
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/32
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/33
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/34
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/35
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
 spanning-tree portfast
!
interface FastEthernet0/37
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/38
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/39
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/40
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/41
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/42
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/43
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/44
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/45
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/46
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/47
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport access vlan 7
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan6
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan7
 ip address 192.168.2.1 255.255.255.0
 no ip route-cache
 shutdown
!
ip http server
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
!
!
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/43
end
Layer_4_2#
5. Configure IAS:
a) Open IAS.
b) Create a new "RADIUS client" entry for the switch (192.168.0.1 in the configuration above), using the same shared secret as the switch's radius-server key.
c) Create a new remote access policy.
d) Edit the policy properties (screenshots not reproduced). In the profile, set the EAP type to Protected EAP (PEAP) with EAP-MSCHAP v2 and select the IAS server certificate issued by the CA; under Advanced, add the three attributes that carry the VLAN to the switch: Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, and Tunnel-Pvt-Group-ID = the ID (or name) of the VLAN the matching users should land in.
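The RADIUS exchange that steps 4 and 5 set up, as an added Python example (not code from the original document): the switch sends an Access-Request for the supplicant on Fa0/36, IAS answers with the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID triple, and the switch verifies the reply against the shared key before moving the port. The username, the EAP bytes, the attribute tag value 1, NAS-Port 36 and the list of VLANs known to the switch are constructed assumptions; attribute numbers and authenticator rules follow RFC 2865, 2868 and 3579.

```python
"""RADIUS exchange behind 802.1X dynamic VLAN assignment (constructed example,
not code from the original page). Models the switch as RADIUS client (the
'radius-server host ... key test' line), the IAS policy that hands back the
VLAN in Tunnel-* attributes, and what the switch does with that reply."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 4, 5, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15

# Shared secret from the switch config ("key test"); assumed to be the same value
# entered in the IAS "RADIUS client" entry. It is all that authenticates IAS to
# the switch, which is why production deployments use a long random secret.
SHARED_SECRET = b"test"
NAS_IP = bytes([192, 168, 0, 1])   # the switch's Vlan1 address from the config
EAP_SUCCESS = b"\x03\x01\x00\x04"  # EAP Code 3 (Success), Identifier 1, Length 4


def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """[(type, offset_of_value, value)], rejecting truncated attributes."""
    out, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, pos + 2, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def message_authenticator(pkt, request_auth):
    """HMAC-MD5 over the packet with the Authenticator field set to the request's
    authenticator and the Message-Authenticator value zeroed (RFC 3579 3.2).
    Mandatory on every packet that carries EAP-Message."""
    for atype, off, _ in parse_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:4] + request_auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
            return hmac.new(SHARED_SECRET, zeroed, hashlib.md5).digest()
    raise ValueError("EAP-carrying packet without Message-Authenticator")


def vlan_attrs(vlan, tag=1):
    """The three attributes the IAS policy must return (step 5d): Tunnel-Type=VLAN,
    Tunnel-Medium-Type=802, Tunnel-Pvt-Group-ID=<vlan>. Tag 1 is an assumption."""
    return [attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
            attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())]


def switch_access_request(ident, username, eap_response, request_auth=None):
    """Switch -> IAS for the supplicant on Fa0/36 (NAS-Port 36, port type Ethernet)."""
    request_auth = request_auth or os.urandom(16)
    attrs = [attr(USER_NAME, username.encode()), attr(NAS_IP_ADDRESS, NAS_IP),
             attr(NAS_PORT, (36).to_bytes(4, "big")),
             attr(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET.to_bytes(4, "big")),
             attr(EAP_MESSAGE, eap_response), attr(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return pkt[:-16] + message_authenticator(pkt, request_auth)  # MA is the last attribute


def ias_reply(request, code, extra_attrs=()):
    """IAS -> switch. Message-Authenticator is filled in first, then the Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    eap = EAP_SUCCESS if code == ACCESS_ACCEPT else b"\x04\x01\x00\x04"  # EAP Failure
    attrs = list(extra_attrs) + [attr(EAP_MESSAGE, eap), attr(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = packet(code, ident, request_auth, attrs)
    pkt = pkt[:-16] + message_authenticator(pkt, request_auth)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SHARED_SECRET).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def switch_apply_reply(request, reply, access_vlan, known_vlans):
    """Authenticator side: verify both authenticators, then choose the VLAN.
    Returns the VLAN the port is authorized into, or None if it stays unauthorized."""
    request_auth = request[4:20]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong key or forged reply")
    attrs = parse_attrs(reply)
    mac = [v for t, _, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mac or not hmac.compare_digest(mac[0], message_authenticator(reply, request_auth)):
        raise ValueError("missing or bad Message-Authenticator")
    if reply[0] != ACCESS_ACCEPT:
        return None  # Access-Reject; the guest VLAN is only for clients with no supplicant
    tunnel = {}
    for t, _, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[t] = int.from_bytes(v[1:], "big")  # tag byte, then a 3-byte integer
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tag, anything else is data
            tunnel[t] = (v[1:] if v and v[0] <= 0x1F else v).decode()
    if (tunnel.get(TUNNEL_TYPE), tunnel.get(TUNNEL_MEDIUM_TYPE)) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802) \
            or TUNNEL_PRIVATE_GROUP_ID not in tunnel:
        return access_vlan  # no usable VLAN triple: authorized into the static access VLAN
    vlan = tunnel[TUNNEL_PRIVATE_GROUP_ID]
    return vlan if vlan in known_vlans else None  # VLAN not on the switch: stays unauthorized


def demo(vlan="6"):
    """Fa0/36 sits in access VLAN 7; after PEAP succeeds IAS moves it to VLAN 6."""
    req = switch_access_request(7, "bjlzj\\alice", b"\x02\x01\x00\x06\x19\x00")  # constructed PEAP response
    rep = ias_reply(req, ACCESS_ACCEPT, vlan_attrs(vlan))
    return switch_apply_reply(req, rep, "7", {"1", "6", "7", "21"})


if __name__ == "__main__":
    print("port Fa0/36 authorized into VLAN", demo())
```

The two checks in switch_apply_reply are the reason the shared secret matters: an Access-Accept that does not carry a Response Authenticator and Message-Authenticator computed with the key is discarded, so an attacker who can only inject packets on the management VLAN cannot push a port into another VLAN unless the key is guessable.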
Configuring the access device (PC)
1. Join the PC to the domain.
2. Install the root certificate on the PC manually:
After logging on to the domain, open http://192.168.10.8/certsrv in the browser to reach the certificate web enrollment page, logging on with a domain administrator account. Choose Request a certificate -> User certificate -> Submit (answer Yes to any prompts) -> Install this certificate, then Next to finish installing the certificate.
3. Configure 802.1x authentication on the PC:
In the network adapter's connection properties choose Authentication -> "Enable IEEE 802.1x authentication for this network", set the EAP type to "Protected EAP (PEAP)", tick "Authenticate as computer when computer information is available", then click Properties. In the PEAP properties tick "Validate server certificate" and "Connect to these servers", entering 192.168.10.8 here (this value is matched against the subject name of the certificate IAS presents, so it must be the name the CA put in that certificate).
Tick "Do not prompt user to authorize new servers or trusted certification authorities", and under "Trusted Root Certification Authorities" select the corresponding root CA, here bjlzj. Set the authentication method to "Secured password (EAP-MSCHAP v2)", click Configure and tick its option ("Automatically use my Windows logon name and password"). Leave "Validate server certificate" on: it is the check that stops a rogue RADIUS server from collecting the MSCHAP v2 exchange of every user who plugs in.