收藏
下载资源下载资源 加入VIP,免费下载

Aruba控制器操作配置模版中文.docx

上传人:b****5 文档编号:28831106 上传时间:2023-07-20 格式:DOCX 页数:18 大小:20.49KB
下载 相关 举报
Aruba控制器操作配置模版中文.docx_第1页
第1页 / 共18页
Aruba控制器操作配置模版中文.docx_第2页
第2页 / 共18页
Aruba控制器操作配置模版中文.docx_第3页
第3页 / 共18页
Aruba控制器操作配置模版中文.docx_第4页
第4页 / 共18页
Aruba控制器操作配置模版中文.docx_第5页
第5页 / 共18页
点击查看更多>>
下载资源
资源描述

Aruba控制器操作配置模版中文.docx

《Aruba控制器操作配置模版中文.docx》由会员分享,可在线阅读,更多相关《Aruba控制器操作配置模版中文.docx(18页珍藏版)》请在冰豆网上搜索。

Aruba控制器操作配置模版中文.docx

Aruba控制器操作配置模版中文

1.Mgmt用户设置

设置mgmt用户ssh登录的方式:

是证书还是用户名与密码

sshmgmt-auth[public-key|username/password]

mgmt-userssh-pubkeyclient-cert

mgmt用户验证使用外部认证服务器:

aaaauthentication-serverradiusrad1

host

key

――――

aaaserver-groupcorp_rad

auth-serverrad1

-------------------------

aaaauthenticationmgmt

default-roleroot

enable

server-groupcorp_rad

禁用本地认证数据库

mgmt-userlocalauth-disable

设置用户超时退出

loginsessiontimeout//CLI下

web-serversessiontimeout//webUI下

1.1配置mgmt的tacacs认证

Thepre-definedrolesforthecontrollersare:

1.root-superuserrole

2.guest-provisioning-guestprovisioningrole

3.network-operations-Networkoperatorrole

4.read-only-Readonlyrole

5.location-api-mgmt-LocationAPIManagementRole

aaaauthentication-servertacacsTACACS-SERVER

hostTACACS_SERVER_IP

keyPRESHARE_KEY

session-authorization

 !

aaaserver-groupTACACS-SERVER-GRP

auth-serverTACACS-SERVER

 !

aaatacacs-accountingserver-groupTACACS-SERVER-GRPmodeenablecommand[all|action|configuration|show]

aaaauthenticationmgmt

server-groupTACACS-SERVER-GRP

enable

 !

2.系统默认的角色与策略:

默认的策略:

ipaccess-listsessioncontrol,validuser,allowall,icmp-acl,logon-control,captiveportal,

tftp-acl,https-acl,http-acl,dhcp-acl,ap-acl,

默认的角色:

user-roleap-role,voice,guest-logon(portal认证),guest,authenticated,logon

――――――――――――――――――――――――――――――――――――

3.本地数据库操作

local-userdbexport

local-userdbimport

local-userdbadd{generate-username|username}{generate-password|password}

――――――――――――――――――――――――――――――――――――――――

4.配置DHCP服务:

ipdhcppooluser-pool

default-router192.168.100.1

dns-server192.168.100.1

network192.168.100.0255.255.255.0

!

servicedhcp

ipdhcpexcluded-address192.168.100.1192.168.100.10

――――――――――――――――――――――――――――――――――――

5.配置带宽:

aaabandwidth-contractBC512_upkbps512

user-roleweb-guest

bw-contractBC512_upper-userupstream

―――――――――――――――――――――――――――――――――――――

6.策略:

限制访问内网

netdestination“InternalNetwork”

network10.0.0.0255.0.0.0

network172.16.0.0255.255.0.0

network192.168.0.0255.255.0.0

ipaccess-listsessionblock-internal-access

useralias“InternalNetwork”anydeny

―――――――――――――――――――――――――――――――――――――

7.配置portal认证:

外置portal时:

netdestinationportal-server

host10.50.22.221

ipaccess-listsessionabc-portal-acl

useraliasportral-serversvc-httppermit

aaaauthenticationcaptive-portalc-portal

default-roleemployee

server-groupcp-srv

login-pagehttp:

//192.168.100.10/test.php

user-rolelogon

captive-portalc-portal

session-aclabc-portal-acl

aaaprofileaaa_c-portal

initial-rolelogon

wlanssid-profilessid_c-portal

essidc-portal-ap

wlanvirtual-apvp_c-portal

aaa-profileaaa_c-portal

ssid-profilessid_c-portal

vlan20

portal下增加白名单:

(host)(config)#netdestination"Mywhite-list"

(host)(config)#name

(host)(config)#name

(host)(config)#aaaauthenticationcaptive-portaldefault

(host)(CaptivePortalAuthenticationProfile"default")#white-listMywhite-list

注意:

如果在一台控制器配置多个captiveportal的VirtaulAP时,每个captiveportal必须分别配置不同的initialrole和userrole、cpprofile、AAAprofile与ssidprofile;

 

8.配置Airtimefair

(Aruba651)(Trafficmanagementprofile"test")#shaping-policyfair-access

(Aruba651)(Trafficmanagementprofile"test")#exit

(Aruba651)(config)ap-groupdemo-group

(Aruba651)(APgroup"demo-group")#dot11g-traffic-mgmt-profiletest

(Aruba651)(APgroup"demo-group")#

 

9.配置LACP:

LACP默认不生效

每台设备最多创建8个组(0-7),每个组最多允许8个端口加入,所有端口的属性要相同;

1、EnableLACPandconfiguretheper-portspecificLACP.Thegroupnumberrangeis0to7.

lacpgroupmode{active|passive}

?

Activemode—theinterfaceisinactivenegotiatingstate.LACPrunsonanylinkthatisconfiguredtobeintheactivestate.Theportinanactivemodealsoautomaticallyinitiatesnegotiationswithother

portsbyinitiatingLACPpackets.

?

Passivemode—theinterfaceisnotinanactivenegotiatingstate.LACPrunsonanylinkthatisconfiguredinapassivestate.Theportinapassivemoderespondstonegotiationsrequestsfromotherportsthatareinanactivestate.PortsinpassivestaterespondtoLACPpackets.

注意:

passive模式的端口不能与另一个passive模式的端口建立起来;

2.SetthetimeoutfortheLACPsession.Thetimeoutvalueistheamountoftimethataport-channel

interfacewaitsforaLACPDUfromtheremotesystembeforeterminatingtheLACPsession.Thedefault

timeoutvalueislong(90seconds);shortis3seconds,默认为long

lacptimeout{long|short}

3.Settheportpriority.

lacpport-priority

Thehigherthepriorityvaluethelowerthepriority.Rangeis1to65535anddefaultis255.

4.加入端口中

interfacefastethernet1/1

lacptimeoutshort

lacpgroup0modeactive

―――――――――――――――――――――――――――――――――――――――――

10.配置RAP(remoteap)

在控制器上配置VPN、AP通过认证后的地址池,及isakmp的共享密码;注意地址池为RAP的管理地址,如其他网管要直接ping通RAP,需要将此地址段配置静态路由;

vpdngroupl2tp

pppauthenticationPAP

iplocalpool

cryptoisakmpkeyaddress0.0.0.0netmask0.0.0.0

 

在控制器上配置服务器组,RAP通过username/password方式接入,并在服务器上增加用户名与密码,此用户名/密码用于L2TP/PAP认证(如果采用证书方式,此步可以省略)

aaaserver-group

auth-server

aaaauthenticationvpndefault-rap

default-role

server-group

local-userdbaddusernamerapuser1password

配置remoteap的VAP:

wlanssid-profile

essid

opmode

wpa-passphrase(ifnecessary)

配置用户角色,用于dot1x-default-role

(cli)#netdestinationcorp

(cli)(config-dest)#network10.3.10.0255.255.255.0

(cli)(config-dest)# !

ipaccess-listsessionRemote_Enterprise_acl

anyanysvc-dhcppermit

useraliascorpanypermit

aliascorpuseranypermit

usernetwork224.0.0.0255.0.0.0anypermit

aliascoopraliascorpanypermit

useranyanyroutesrc-nat

(cli)#user-rolecorpsplit

(cli)(config-role)#session-aclRemote_Enterprise_acl

(cli)(config-role)# !

配置aaaprofile可用于split-tunnel时用户角色策略指定

aaaprofile

authentication-dot1x

dot1x-default-role

dot1x-server-group

(cli)#wlanvirtual-apsplit

(cli)#vlanX<--ClientsgetIPaddr.fromVLANX

(cli)#forward-modesplit-tunnel

aaa-profile

rap-operation{always|backup|persistent}

配置RAP的有线端口:

apwired-ap-profileWired_Branch_ap_profile

wired-ap-enable

forward-modesplit-tunnel

switchportaccessvlan128

!

apwired-port-profileWired_Branch_port_profile

aaa-profileRemote_Ent_aaa_profile

wired-ap-profileWired_Branch_ap_profile

配置RAP做DHCPserver

apsystem-profileAPGroup1_sys_profile

lms-ip63.82.214.194

rap-dhcp-server-vlan177

rap-dhcp-server-id192.168.177.1

rap-dhcp-default-router192.168.177.1

rap-dhcp-pool-start192.168.177.100

rap-dhcp-pool-end192.168.177.254

!

ap-group

virtual-ap

在webUI界面对AP进行provision,从AC上获取IP,修改为remote模式,AP会重启

11.配置MAC认证完整例子

RADIUSServerDefinition:

服务器认证

aaaauthentication-serverradius"amigopod"

host"172.16.0.20"

keyf0e40f33109cd5f863a77327072720aaa4785eff2ca57800

nas-identifier"Aruba651"

nas-ip172.16.0.254

!

aaaserver-group"amigopod-srv"

auth-serveramigopod

!

aaarfc-3576-server"172.16.0.20"

key10795ff19c00465dd0b0824e562103bee537be631e5bc876

MACAuthenticationProfile:

MAC认证

aaaauthenticationmac"amigopod-mac"

caseupper

delimiterdash

AAAProfile:

aaaprofile"amigopod-aaa"

authentication-mac"amigopod-mac"

mac-default-role"authenticated"

mac-server-group"amigopod-srv"

radius-accounting"amigopod-srv"

rfc-3576-server"172.16.0.20"

CaptivePortalProfile:

aaaauthenticationcaptive-portal"amigopod-cp"

server-group"amigopod-srv"

redirect-pause3

nologout-popup-window

protocol-http

login-page"http:

//172.16.0.20/aruba_login.php"

NetdestinationAliasforAmigopod:

netdestinationamigopod

host172.16.0.20

AccessPolicytoallowredirecttoAmigopod:

允许的acl

ipaccess-listsessionallow-amigopod

useraliasamigopodsvc-httppermit

useraliasamigopodsvc-httpspermit

InitialRolewithCaptivePortalenabled:

配置initial角色

user-rolelogon

captive-portal"amigopod-cp"

access-listsessionlogon-control

access-listsessionallow-amigopod

access-listsessioncaptiveportal

PostAuthenticationRoleforMACAuthentication:

配置MAC认证角色

user-roleMAC-Guest

access-listsessionallowall

SSIDProfile:

wlanssid-profile"MAC-Auth-CP"

essid"amigo-MAC-CP"

VirtualAP:

wlanvirtual-ap"MAC-Auth-CP"

aaa-profile"amigopod-aaa"

ssid-profile"MAC-Auth-CP"

 

12.配置LDAP认证服务器

Portal认证

aaaauthentication-serverldap"aruba-ldap"

host10.1.1.50

admin-dn"cn=ldapquery2,cn=Users,dc=arubanetworks,dc=com"

admin-passwd"Zaq1xsw2"

base-dn"ou=Corp,dc=arubanetworks,dc=com"

!

aaaserver-group"aruba-ldap"

auth-serveraruba-ldap

setroleconditionmemberOfcontains"dl-seonly"set-valueroot

!

如果将ldap认证应用于无线用户802.1x,必须使用eap-gtc方式

aaaauthenticationdot1x"dot1x_prof-yxy03"

terminationenable

  terminationeap-typeeap-peap

  terminationinner-eap-typeeap-gtc

aaaauthenticationmgmt//应用在管理用户

default-role"no-access"

server-group"aruba-ldap"

enable

!

注意:

使用802.1x认证时不能用LDAP认证服务器;但portal认证时可以;

13.有线端口NAT

!

ipNATpoolDell-AirWave63.80.98.5663.80.98.56172.16.0.246

ipNATpoolSE-WebServer63.80.98.5963.80.98.59172.16.0.16

ipNATpoolPDL-eTips63.80.98.6163.80.98.61172.16.0.15

ipNATpoolPDL-Clearpass63.80.98.6063.80.98.60172.16.0.13

ipNATpoolPDL-AirWave63.80.98.4963.80.98.49172.16.0.252

!

netdestinationPDL-Airwave-Live

host63.80.98.49

!

netdestinationIPComms

host64.154.41.150

!

netdestinationSE-WebServer

host63.80.98.59

!

netdestinationLive-IP

host63.80.98.41

!

netdestinationPDL-eTips

host63.80.98.61

!

netdestinationDell-A

展开阅读全文
相关资源
猜你喜欢
相关搜索

当前位置:首页 > 幼儿教育 > 家庭教育

copyright@ 2008-2022 冰豆网网站版权所有

经营许可证编号:鄂ICP备2022015515号-1