Dynamic VLAN 802.1X Authentication

Requirements:
1. The switch supports the 802.1X protocol.
2. One RADIUS server.
3. One client.

Network topology:

Authentication method: PEAP authentication, using certificates with integrated AD user authentication.

Environment:
Operating System: Windows 2003 Enterprise Edition
RADIUS Server: Windows IAS (Internet Authentication Service, installed from Windows components)
CA Server: Windows CA Certificate Services (installed from Windows components)
RADIUS Client: built into Windows (Network Connections - Properties - Authentication). If there is no "Authentication" tab, the relevant service has not been started (Start - Run - services.msc - start the "Wireless Zero Configuration" service).

Configuration:
1. Install the domain. The domain name is provisionally set to: . The procedure is omitted here; see the relevant documentation.
2. Install IIS (Internet Information Services), IAS and CA: Control Panel - Add/Remove Programs - install Windows components, as shown in the figure. Note: install in the order IIS, then CA, then IAS; the order must not be changed.
3. Configure the CA: the procedure is omitted here; see the relevant reference material.
4. CISCO 2950G-48-EI switch configuration:

Building configuration.
Current configuration : 4944 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Layer_4_2
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip subnet-zero
!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
 switchport access vlan 6
!
interface FastEthernet0/1.1
!
interface FastEthernet0/2
 switchport access vlan 6
!
interface FastEthernet0/3
 switchport access vlan 6
!
interface FastEthernet0/4
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 6
!
interface FastEthernet0/21
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/25
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/26
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/27
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/28
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/29
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/30
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/31
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/32
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/33
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/34
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/35
 switchport access vlan 7
 spanning-tree portfast
!
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
 spanning-tree portfast
!
interface FastEthernet0/37
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/38
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/39
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/40
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/41
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/42
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/43
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/44
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/45
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/46
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/47
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport access vlan 7
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan6
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan7
 ip address 192.168.2.1 255.255.255.0
 no ip route-cache
 shutdown
!
ip http server
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/43
end
Layer_4_2#

5. Configure IAS:
a) Open IAS.
b) Create a new "RADIUS client".
c) Create a new access policy.
d) Modify the policy properties.

Configuring the access device (PC):
1. Join the endpoint device to the domain.
2. Manually install the root certificate on the endpoint device. After logging on to the domain, enter http://192.168.10.8/certsrv in the browser to open the certificate web enrollment page, and log in with a domain administrator account. Select "Request a certificate", then "User Certificate", and click Submit (choose Yes when prompted). Click "Install this certificate" to install the certificate, then click Next to finish the installation.
3. Configure 802.1x authentication on the PC: in the connection properties of the network adapter, on the "Authentication" tab, select "Enable IEEE 802.1x authentication for this network", set the EAP type to "Protected EAP (PEAP)", and check "Authenticate as computer when computer information is available". Then click "Properties". In the EAP properties window select "Validate server certificate" and select "Connect to these servers", which here is 192.168.10.8. Check "Do not prompt user to authorize new servers or trusted certification authorities", and in the "Trusted Root Certification Authorities" list select the corresponding ROOT CA, which here is bjlzj. Set the authentication method to "EAP-MSCHAPv2", then click the "Configure" button and check the option.
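In the switch configuration above, `dot1x port-control auto` appears in only one port stanza, so every other access port still admits hosts without authentication. The following added example (not part of the original document) audits an IOS-style configuration for that gap; the function names and the sample configuration are constructed for illustration.

```python
import re
# Constructed sample in the style of the 2950 configuration above (not the page's full config).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport access vlan 6
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan6
"""
GLOBAL_REQUIRED = ("aaa new-model", "dot1x system-auth-control",  # globals the page's config uses
                   "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius")

def parse_interfaces(config):  # interface name -> list of its sub-commands
    stanzas, current = {}, None
    for raw in config.splitlines():
        head = re.match(r"interface\s+(\S+)", raw)
        if head:
            current = stanzas.setdefault(head.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_dot1x(config):
    present = {line.strip() for line in config.splitlines()}
    report = {"missing_global": [c for c in GLOBAL_REQUIRED if c not in present],
              "protected": [], "unprotected": [], "guest_vlan": {}}
    for name, cmds in parse_interfaces(config).items():
        if "Ethernet" not in name or "switchport mode trunk" in cmds:
            continue  # skip SVIs and trunk uplinks
        enforced = "dot1x port-control auto" in cmds
        report["protected" if enforced else "unprotected"].append(name)
        for cmd in (c for c in cmds if c.startswith("dot1x guest-vlan ")):
            report["guest_vlan"][name] = cmd.split()[-1]
    return report
```

Running `audit_dot1x` over a saved `show running-config` lists the ports that bypass 802.1X and the guest VLAN that unauthenticated hosts fall into on the enforced ports.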