802.1X MAC Address Bypass Authentication Environment
802.1X Environment Test
Supported devices and feature descriptions
CISCO:
MAC Authentication Bypass feature (MAB)
H3C:
MAC authentication bypass feature
Approach
When a terminal sends packets through the switch without any EAPOL authentication traffic and the switch has MAC-based authentication (MAB) enabled, the switch waits for the 802.1X authentication to time out and then starts MAB authentication, using the terminal's MAC address as both the account name and the password. If that MAC address has already been authorised in the RADIUS server's MAC address table, authentication succeeds, the PXE protocol is allowed through and the PHANTOSYS terminal boots. Once the terminal has entered the operating system it re-authenticates, first with a domain account; if the domain account cannot pass authentication, that authentication fails and the terminal passes authentication again via MAB.
The advantage of this approach is that 802.1X authentication does not have to be removed from the switch, no MAC-to-port binding is needed to keep other devices off the network, and normal 802.1X authentication is not affected.
Test environment
Windows 2003 Server (x86) SP2 + Cisco ACS Server v4.2: authentication server 1
Windows 2003 Server (x86) SP2 + DNS + AD + IAS + IIS + CA: authentication server 2
Cisco 3560 (Version 12.2(55)SE3): network device
References
Configure the RADIUS Server with Client MAC Addresses (ACS configuration)
ACS 4.0 manual
MAC Authentication Bypass
The following is excerpted from the Cisco 3560 command reference:
You can configure the switch to authorize clients based on the client MAC address (see Figure 9-2 on page 9-5) by using the MAC authentication bypass feature. For example, you can enable this feature on 802.1x ports connected to devices such as printers.
If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled on an 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.
The following is excerpted from the Quidway S5300 Series Ethernet Switches Configuration Guide:
2.4.4 (Optional) Enabling MAC bypass authentication
Background
MAC bypass authentication means that after a terminal fails 802.1x authentication, its MAC address is sent to the RADIUS server as the username and password for authentication.
Some special terminals, such as printers, cannot use or install 802.1x client software; they can be authenticated through MAC-based bypass authentication.
MAC bypass authentication can be configured in either of the following two ways:
Procedure
∙ In the system view
1. Run the system-view command to enter the system view.
2. Run the dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command to enable MAC bypass authentication on the interfaces.
When the dot1x mac-bypass command is run in the system view with an interface list, MAC bypass authentication can be configured on several interfaces at once.
∙ In the interface view
3. Run the system-view command to enter the system view.
4. Run the interface interface-type interface-number command to enter the interface view.
5. Run the dot1x mac-bypass command to enable MAC bypass authentication on the interface.
Running this command includes and overrides the 802.1x enabling command on the interface, that is:
o If 802.1x was not enabled on the interface, running dot1x mac-bypass enables 802.1x.
o If 802.1x was already enabled on the interface, running dot1x mac-bypass overrides the original configuration, so the authentication method of the interface becomes MAC bypass authentication.
To disable MAC bypass authentication, use the undo dot1x enable command.
Note that this also disables 802.1x.
CISCO ACS SERVER
Procedure
First create on the ACS server an account whose username and password are the terminal's MAC address (lowercase).
ACS server settings
On first running ACS, the network must be set up: choose the Network Configuration option, then choose Add Entry under the AAA Clients menu to add the AAA client (the switch), as shown in the figure.
Set the AAA client name (no spaces), IP address and shared key, choose RADIUS (IETF) as the authentication method, then click Submit and Apply at the bottom of the page.
After the settings are complete it looks as shown in the figure.
Then, depending on the actual situation, change the ports the AAA server uses to communicate with the switch (default 1645/1646); this case uses 1812/1813.
Interface Configuration options
Add the options that Group Setup is allowed to use
Group Setup
Note:
The value of attribute [081] (Tunnel-Private-Group-ID) is the actual VLAN ID required; click Submit and save.
WINDOWS 2003 IAS SERVER
Add the DNS, AD, IAS, IIS and CA components in turn.
Create the group used for authentication (802.1X) and the users (username and password are the terminal's MAC address).
Grant the user remote dial-in permission.
Add the user to the 802.1X group.
Configure IAS
Configure the RADIUS client (the switch); default AUTH-PORT 1812, ACCT-PORT 1813.
Create a new IAS remote access policy.
Set the policy to be used for switch authentication.
Select the user group the policy applies to.
Set the authentication type.
Set the policy's remote access permission.
Set the policy's IP assignment rule.
Set the authentication method (MAB authentication uses PAP).
Add the connection attributes to the policy: Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = the VLAN ID to be assigned after authentication (300 in this case).
After the terminal joins the domain, install the certificate (enter http://radius-server-ip/certsrv in the browser), then enable authentication.
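The RADIUS exchange behind the IAS policy above (PAP, with the MAC as both username and password, and the VLAN returned in Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID), written out as an added example in Python. This is not code from the original document, the switch, ACS or IAS. The shared secret, NAS address, NAS port and the allow list mapping 000ae46b78f2 to VLAN 300 are constructed to match the values used in this test environment; the check that User-Name agrees with Calling-Station-Id is an extra consistency check added here, not something the page configures.

```python
"""Minimal RADIUS exchange for MAC Authentication Bypass (added example).
Assumptions, all constructed for this example: shared secret "phantosys",
NAS 192.168.1.254 / port 50009, an allow list mapping 000ae46b78f2 to VLAN 300.
Both sides run in-process; nothing is sent on the network."""
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def pap_hide(password, secret, authenticator):
    """User-Password hiding from RFC 2865 5.2: 16-byte blocks XORed with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: the chain is keyed on the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    return code, ident, raw[4:20], decode_attrs(raw[20:length])

def mab_username(station_id):
    """Cisco MAB identity: the MAC as 12 lowercase hex digits (the account name used on the page)."""
    return "".join(c for c in station_id.lower() if c in "0123456789abcdef")

def build_mab_request(station_id, secret, ident=1, nas_ip="192.168.1.254", nas_port=50009):
    """NAS side: the Access-Request a MAB port sends (PAP, User-Name == User-Password == MAC)."""
    req_auth = os.urandom(16)
    user = mab_username(station_id).encode()
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, pap_hide(user, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (CALLING_STATION_ID, station_id.encode()),
             (NAS_PORT_TYPE, struct.pack("!I", 15))]  # 15 = Ethernet
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def response_authenticator(code, ident, attrs, req_auth, secret):
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + req_auth + body + secret).digest()

def mab_policy(raw_request, secret, allowed):
    """Server side: the page's MAB policy (PAP; account name and password are the MAC),
    plus a Calling-Station-Id consistency check that is this example's own addition."""
    code, ident, req_auth, attrs = parse_packet(raw_request)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = pap_reveal(a.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    station = mab_username(a.get(CALLING_STATION_ID, b"").decode(errors="replace"))
    if code == ACCESS_REQUEST and user == password == station and user in allowed:
        rcode, reply = ACCESS_ACCEPT, [
            (TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:]),        # tag 0, 13 = VLAN
            (TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:]),  # tag 0, 6 = IEEE 802
            (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(allowed[user]).encode())]
    else:
        rcode, reply = ACCESS_REJECT, []
    return packet(rcode, ident, response_authenticator(rcode, ident, reply, req_auth, secret), reply)

def nas_vlan_from_reply(raw_reply):
    """NAS side: the VLAN the switch would log in %AUTHMGR-5-VLANASSIGN, or None on Reject."""
    code, _, _, attrs = parse_packet(raw_reply)
    if code != ACCESS_ACCEPT:
        return None
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:  # RFC 2868: a leading byte <= 0x1F is a tag, not data
                v = v[1:]
            return int(v.decode())
    return None
```

Calling `mab_policy(build_mab_request("00-0A-E4-6B-78-F2", b"phantosys"), b"phantosys", {"000ae46b78f2": 300})` yields an Access-Accept from which `nas_vlan_from_reply` extracts 300, the VLAN the switch log above reports; an unknown MAC gets an Access-Reject. The tag byte on the three tunnel attributes is what IAS/ACS emit and what the 3560 accepts; a Tunnel-Private-Group-ID whose first byte is above 0x1F is read as untagged, which the reader handles.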
Appendix:
IAS event log
PXE
用户 000ae46b78f2 被授予了访问权。
Fully-Qualified-User-Name = phantosys.biz/Users/000ae46b78f2
NAS-IP-Address = 192.168.1.254
NAS-Identifier = <不存在>
Client-Friendly-Name = cisco3560
Client-IP-Address = 192.168.1.254
Calling-Station-Identifier = 00-0A-E4-6B-78-F2
NAS-Port-Type = Ethernet
NAS-Port = 50009
Proxy-Policy-Name = 对所有用户使用
Authentication-Provider = Windows
Authentication-Server = <未确定>
Policy-Name = 802.1x
Authentication-Type = PAP
EAP-Type = <未确定>
Domain account
用户 PHANTOSYSB\test 被授予了访问权。
Fully-Qualified-User-Name = phantosys.biz/Users/test
NAS-IP-Address = 192.168.1.254
NAS-Identifier = <不存在>
Client-Friendly-Name = cisco3560
Client-IP-Address = 192.168.1.254
Calling-Station-Identifier = 00-0A-E4-6B-78-F2
NAS-Port-Type = Ethernet
NAS-Port = 50009
Proxy-Policy-Name = 对所有用户使用
Authentication-Provider = Windows
Authentication-Server = <未确定>
Policy-Name = 802.1x
Authentication-Type = PEAP
EAP-Type = 受保护的密码(EAP-MSCHAPv2)
Switch configuration command reference
If you are not connected to the switch over the console cable, set up an account first (it is required once port authentication has been configured):
conf t
username <name> password <password>
Configure the authentication server on the switch:
Switch# conf t
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
dot1x system-auth-control
aaa authorization network default group radius
radius-server host <ip> auth-port 1812 acct-port 1813 key <string>    (the authentication server's IP, ports and key; must match the client entry configured on the authentication server)
radius-server vsa send authentication    (assign VLANs using the standard attributes)
Enable port authentication:
int <interface>    (the port to use)
switchport mode access
dot1x port-control auto
dot1x mac-auth-bypass eap    (omit "eap" if the authentication server does not support EAP; IAS does not)
dot1x timeout tx-period 1    (adjusts the authentication timeout; the minimum value is 1)
dot1x timeout auth-period 1    (adjusts the authentication period)
end
Switch# show dot1x int <interface>    (view the port's authentication settings)
Restore a port to its default settings:
conf t
int <interface>
dot1x default
end
3560 switch configuration reference
jiqimao# show run
Building configuration...
Current configuration : 4218 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname jiqimao
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WUN0$RdztIryAB2avFHWED95R3.
!
username cisco password 0 cisco
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
!
!
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface FastEthernet0/4
 spanning-tree portfast
!
interface FastEthernet0/5
 spanning-tree portfast
!
interface FastEthernet0/6
 spanning-tree portfast
!
interface FastEthernet0/7
 spanning-tree portfast
!
interface FastEthernet0/8
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x timeout auth-period 1
 spanning-tree portfast
!
interface FastEthernet0/10
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 spanning-tree portfast
!
interface FastEthernet0/13
 spanning-tree portfast
!
interface FastEthernet0/14
 spanning-tree portfast
!
interface FastEthernet0/15
 spanning-tree portfast
!
interface FastEthernet0/16
 spanning-tree portfast
!
interface FastEthernet0/17
 spanning-tree portfast
!
interface FastEthernet0/18
 spanning-tree portfast
!
interface FastEthernet0/19
 spanning-tree portfast
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
!
interface FastEthernet0/22
 spanning-tree portfast
!
interface FastEthernet0/23
 spanning-tree portfast
!
interface FastEthernet0/24
 spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan300
 ip address 172.16.100.100 255.255.255.0
 ip helper-address 192.168.1.251
!
ip classless
ip forward-protocol udp 4011
ip forward-protocol udp 14372
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
radius-server host 192.168.1.110 auth-port 1812 acct-port 1813 key phantosys
radius-server vsa send authentication
!
!
line con 0
 logging synchronous
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
end
PXE addressing and boot proceed normally.
The following is the switch log (port Fa0/9, MAC 000ae46b78f2):
16:13:17: %AUTHMGR-5-START: Starting 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %DOT1X-5-FAIL: Authentication failed for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-START: Starting 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %MAB-5-SUCCESS: Authentication successful for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
16:13:19: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
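A parser for the %AUTHMGR, %DOT1X and %MAB messages above, added here as an example in Python; it is not code from the document or from Cisco. It rebuilds each Audit Session's sequence (dot1x started, 'no-response', failover, mab, VLAN assignment, authorization) and runs two defensive checks that follow from the design described earlier: a terminal that has entered the operating system is expected to re-authenticate with its domain account, so a MAB success for such a MAC is worth reviewing, and the VLAN assigned should match the one configured for the MAC. The sample log lines are constructed from the sequence shown above; the expected-VLAN table and the set of domain-capable MACs passed to `audit` are assumptions for the example.

```python
"""Reconstruct 802.1X/MAB authentication sessions from Cisco IOS auth-manager syslog
lines and run simple audit checks over them (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, following the sequence recorded on the switch in the document.
SAMPLE_LOG = """\
16:13:17: %AUTHMGR-5-START: Starting 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %DOT1X-5-FAIL: Authentication failed for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-START: Starting 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %MAB-5-SUCCESS: Authentication successful for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
16:13:19: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): %(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-F]+)")
METHOD_RE = re.compile(r"'(?P<method>dot1x|mab)'")
RESULT_RE = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>\w+)'")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)")


@dataclass
class Session:
    sid: str
    mac: str = ""                                   # 12 lowercase hex digits, as the RADIUS account name
    interface: str = ""
    started: List[str] = field(default_factory=list)  # methods in the order auth-manager started them
    results: Dict[str, str] = field(default_factory=dict)  # method -> last reported result
    vlan: Optional[int] = None
    authorized: bool = False
    first_ts: str = ""
    last_ts: str = ""


def parse_log(text: str) -> Dict[str, Session]:
    """Group syslog lines by AuditSessionID; lines without a session id (e.g. LINEPROTO) are skipped."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        sm = SESSION_RE.search(m["msg"]) if m else None
        if not m or not sm:
            continue
        s = sessions.setdefault(sm["sid"], Session(sm["sid"]))
        s.first_ts, s.last_ts = s.first_ts or m["ts"], m["ts"]
        cm = CLIENT_RE.search(m["msg"])
        if cm:
            s.mac, s.interface = cm["mac"].replace(".", ""), cm["intf"]
        mn = m["mnemonic"]
        if mn == "AUTHMGR-5-START":
            s.started.append(METHOD_RE.search(m["msg"])["method"])
        elif mn == "AUTHMGR-7-RESULT":
            r = RESULT_RE.search(m["msg"])
            s.results[r["method"]] = r["result"]
        elif mn == "AUTHMGR-5-VLANASSIGN":
            v = VLAN_RE.search(m["msg"])
            s.vlan, s.interface = int(v["vlan"]), v["intf"]
        elif mn == "AUTHMGR-5-SUCCESS":
            s.authorized = True
    return sessions


def winning_method(s: Session) -> Optional[str]:
    """The method auth-manager reported 'success' for (dot1x or mab), if any."""
    return next((m for m, r in s.results.items() if r == "success"), None)


def audit(sessions: Dict[str, Session], expected_vlan: Dict[str, int],
          domain_capable: Set[str]) -> List[Tuple[str, str]]:
    """Flag MAB authorizations of MACs that should normally pass with a domain account,
    MAB wins that were not preceded by a dot1x attempt, and VLANs that differ from the
    configured one. expected_vlan and domain_capable are the operator's own tables (assumed)."""
    findings = []
    for s in sessions.values():
        win = winning_method(s)
        if s.authorized and win == "mab" and s.started[:1] != ["dot1x"]:
            findings.append((s.sid, "mab-without-dot1x-attempt"))
        if s.authorized and win == "mab" and s.mac in domain_capable:
            findings.append((s.sid, "mab-used-by-domain-capable-client"))
        if s.vlan is not None and expected_vlan.get(s.mac) not in (None, s.vlan):
            findings.append((s.sid, f"unexpected-vlan-{s.vlan}"))
    return findings
```

Run `audit(parse_log(SAMPLE_LOG), {"000ae46b78f2": 300}, set())` and the PXE boot session above passes cleanly: dot1x was tried first, got 'no-response', failed over to mab, and VLAN 300 was assigned. Adding the same MAC to the domain-capable set makes the same session a finding, which is the situation the document's re-authentication step is meant to avoid.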