H3C AC进行Portal认证.docx

H3C AC进行Portal认证.docx

《H3C AC进行Portal认证.docx》由会员分享，可在线阅读，更多相关《H3C AC进行Portal认证.docx（9页珍藏版）》请在冰豆网上搜索。

H3CAC进行Portal认证

一、 组网需求：

令狐采学

在BYOD组网方案下，我们主要通过iNode客户端、HTTP网页、终端Mac地址以及DHCP的Option属性这四种方式获取终端的操作系统和厂商信息，实现终端识别以便完成相应的权限策略控制。

其中DHCP的Option属性方式可普遍用户各种场景。

由于部署DHCP服务器并安装Agent插件的方式比较繁琐，这里我们以普通Portal认证为例介绍一种通过无线控制器的DHCP-snooping功能获取记录终端的option55（终端操作系统）和option60（终端厂商）信息并通过Radius属性上报给iMC服务器的典型配置。

WX系列AC、FitAP、交换机、便携机（安装有无线网卡）、iMC服务器及其他智能终端。

二、 组网图：

三、 配置步骤：

1、 AC版本要求

WX系列AC从B109D012合入该特性，因此只有这个版本号及其以后的版本支持DHCP-snooping功能获取记录终端的option55（终端操作系统）和option60（终端厂商）信息并通过Radius属性上报给iMC服务器。

WX系列AC可通过下面的命令查看内部版本号：

_displayversion

H3CComwarePlatformSoftware

ComwareSoftware,Version5.20,Release2607P18

ComwarePlatformSoftwareVersionCOMWAREV500R002B109D022

H3CWX5540ESoftwareVersionV200R006B09D022

Copyright（c）2004-2014HangzhouH3CTech.Co.,Ltd.Allrightsreserved.

CompiledFeb25201411:

08:

07,RELEASESOFTWARE

H3CWX5540Euptimeis1week,4days,0hour,49minutes

2、 AC侧配置及说明

#

 version5.20,Release3120P17

#

 sysnameWX3024-AC

#

 domaindefaultenablesystem

#

 telnetserverenable

#

 port-securityenable

#

//配置portalserver、ip、key、url以及server-type，注意这里server-type必须配置为imc

portalserverimcip172.16.0.22keycipher$c$3$6uB5v4kaCg1aSOJkOqX+==urlhttp:

//172.16.0.22:

8080/portalserver-typeimc

//配置portalfree-rule放通AC内联口

portalfree-rule0sourceinterfaceGigabitEthernet1/0/1destinationany

#

 oapmanagement-ip192.168.0.101slot0

#

 password-recoveryenable

#

vlan1

#

vlan24

#

//配置radius策略，注意server-type必须选择extended模式，注意user-name-format及nas-ip的配置必须与iMC接入策略和接入服务里配置保持一致。

radiusschemeimc

 server-typeextended

 primaryauthentication172.16.0.22

 primaryaccounting172.16.0.22

 keyauthenticationcipher$c$3$Myv0nhgPjC4vsMforZW3iCiW5KkP7Q==

 keyaccountingcipher$c$3$dCEXJGp71WPyrPK4hsPJd6sdTYf01A==

 user-name-formatwithout-domain

 nas-ip172.16.0.202

#

//配置domain

domainimc

 authenticationportalradius-schemeimc

 authorizationportalradius-schemeimc

 accountingportalradius-schemeimc

 access-limitdisable

 stateactive

 idle-cutdisable

 self-service-urldisable

domainsystem

 access-limitdisable

 stateactive

 idle-cutdisable

 self-service-urldisable

#

//配置AP注册dhcppool

dhcpserverip-pool1

 network192.168.0.0mask255.255.255.0

#

//配置终端业务dhcppool

dhcpserverip-pooloption55

 network192.168.24.0mask255.255.255.0

 gateway-list192.168.24.254

 dns-list8.8.8.8

#

user-groupsystem

 group-attributeallow-guest

#

local-useradmin

 passwordcipher$c$3$iMGlwEx7o4TNbMqd7OaOAwB5SWSzOrKE

 authorization-attributelevel3

 service-typetelnet

#

wlanrrm

 dot11amandatory-rate61224

 dot11asupported-rate918364854

 dot11bmandatory-rate12

 dot11bsupported-rate5.511

 dot11gmandatory-rate125.511

 dot11gsupported-rate69121824364854

#

//配置无线服务模板

wlanservice-template10clear

 ssidoption55

 bindWLAN-ESS10

 service-templateenable

#

wlanap-groupdefault_group

 apap1

 apap2

#

interfaceNULL0

#

//与iMC互联ip及vlan接口

interfaceVlan-interface1

 ipaddress172.16.0.202255.255.255.0

#              

//终端业务互联ip及vlan接口，接口下开启portal，注意portaldomain及portalnas-ip配置需要与iMC服务器portal设备保持一致

interfaceVlan-interface24

 ipaddress192.168.24.1255.255.255.0

 portalserverimcmethoddirect

 portaldomainimc

 portalnas-ip172.16.0.202

#

interfaceGigabitEthernet1/0/1

 portlink-typetrunk

 porttrunkpermitvlanall

#

//配置wlan-ess接口

interfaceWLAN-ESS10

 portaccessvlan24

#

wlanapap2modelWA2610H-GNid2

 serial-id219801A0FH9136Q00287

 radio1

 service-template10

 radioenable

#

//开启dhcp-snooping，使能dhcp-snooping记录用户的option55和option60信息功能

dhcp-snooping

dhcp-snoopingbindingrecorduser-identity

#

//配置默认路由

 iproute-static0.0.0.00.0.0.0192.168.24.254

#

 snmp-agent

 snmp-agentlocal-engineid800063A203000FE2873066

 snmp-agentcommunityreadpublic

 snmp-agentcommunitywriteprivate

 snmp-agentsys-infoversionall

#

//使能dhcp

dhcpenable

#

user-interfacecon0

user-interfacevty04

 authentication-modescheme

 userprivilegelevel3

#

return                                                      

3、 iMC侧配置请参考KMS-21434《 WX系列AC与iMC配合实现无线Portal认证典型配置》，这里不再赘述。

4、 结果验证及抓包

1）AC上查看在线的客户端和portal在线用户信息：

diswlanclient

 TotalNumberofClients          :

2

                             ClientInformation

 SSID:

option55

-------------------------------------------------------------------------------------------------

MACAddress UserName APID/RID   IPAddress         VLAN

-------------------------------------------------------------------------------------------------

2477-0391-7720 -NA-       2/1     192.168.24.2           24

28e1-4cb5-8249 -NA-       2/1     192.168.24.3           24

-------------------------------------------------------------------------------------------------

disportaluserall

 Index:

12

 State:

ONLINE

 SubState:

NONE

 ACL:

NONE

 Work-mode:

stand-alone

 MAC             IP          Vlan      Interface

 ----------------------------------------------------------------------------------------------

 2477-0391-7720  192.168.24.2     24    Vlan-interface24

 Index:

13

 State:

ONLINE

 SubState:

NONE

 ACL:

NONE

 Work-mode:

stand-alone

MAC             IP          Vlan      Interface

 ----------------------------------------------------------------------------------------------

 28e1-4cb5-8249  192.168.24.3     24    Vlan-interface24

 Total2user（s）matched,2listed.

2）iMC上通过终端设备管理查看终端的厂商、类型以及操作系统等信息：

3）查看AC的debugging信息，可以清楚看到Radius的code=[1]报文里携带了option55和option60的属性字段：

*Apr2616:

37:

06:

9362000WX3024-ACRDS/7/DEBUG:

Sendattributelist:

*Apr2616:

37:

06:

9462000WX3024-ACRDS/7/DEBUG:

[1 User-name                  ][8][c09467]

[60CHAP_Challenge             ][18][6EFCA7E2624584E38EA53882A4A12C90]

[4 NAS-IP-Address             ][6][172.16.0.202]

[32NAS-Identifier             ][11][WX3024-AC]

[5 NAS-Port                   ][6][16818200]

[87NAS_Port_Id                ][18][0100010000000024]

*Apr2616:

37:

06:

9862000WX3024-ACRDS/7/DEBUG:

[61NAS-Port-Type              ][6][19]

[H3C-26Connect_ID              ][6][21]

[6 Service-Type               ][6][2]

[7 Framed-Protocol            ][6][255]

[31Caller-ID                  ][19][36432D38382D31342D35392D38392D3843]

[30Called-station-Id          ][28][74-25-8A-33-81-70:

option55]

*Apr2616:

37:

07:

0272000WX3024-ACRDS/7/DEBUG:

[44Acct-Session-Id            ][16][10003261637160]

[8 Framed-Address             ][6][192.168.24.4]

[H3C-255Product-ID              ][12][H3CWX3024]

[H3C-60Ip-Host-Addr            ][32][192.168.24.46c:

88:

14:

59:

89:

8c]

[H3C-208DHCP-Option55          ][14][010F03062C2E2F1F2179F92B]

[H3C-209DHCP-Option60          ][10][4D53465420352E30]

*Apr2616:

37:

07:

0772000WX3024-ACRDS/7/DEBUG:

[H3C-59NAS-Startup-Timestamp   ][6][956750400]

*Apr2616:

37:

07:

0872000WX3024-ACRDS/7/DEBUG:

Event:

BegintoswitchRADIUSserverwhensending0packet.

*Apr2616:

37:

07:

1082000WX3024-ACRDS/7/DEBUG:

TheRDTWLtimerhasresumeed.

%Apr2616:

37:

07:

1182000WX3024-ACRDS/6/RDS_SUCC:

-IfName=Vlan-interface24-VlanId=24-MACAddr=6C:

88:

14:

59:

89:

8C-IPAddr=192.168.24.4-IPv6Addr=N/A-UserName=c09467@imc;Usergotonlinesuccessfully.

%Apr2616:

37:

07:

1382000WX3024-ACPORTAL/5/PORTAL_USER_LOGON_SUCCESS:

-UserName=c09467-IPAddr=192.168.24.4-IfName=Vlan-interface24-VlanID=24-MACAddr=6c88-1459-898c-APMAC=7425-8A33-8170-SSID=option55-NasId=-NasPortId=;Usergotonlinesuccessfully.

*Apr2616:

37:

07:

1692000WX3024-ACRDS/7/DEBUG:

Mallocseed:

38in172.16.0.22forUserID:

21

*Apr2616:

37:

07:

1792000WX3024-ACRDS/7/DEBUG:

Event:

ModifyNAS-IPto172.16.0.202.

*Apr2616:

37:

07:

1892000WX3024-ACRDS/7/DEBUG:

Send:

IP=[172.16.0.22],UserIndex=[21],ID=[38],RetryTimes=[0],Code=[1],Length=[279]

4）通过抓包我们也可以看到这个属性字段：

四、 配置关键点：

1、portalserver的server-type必须选择imc，radiusscheme的server-type必须选择extended。

2、全局视图下开启dhcp-snooping和dhcp-snoopingbindingrecorduser-identity。

3、AC本身并不支持终端操作系统和厂商识别，只是把相关option55和option60信息传送给iMC完成终端识别。