09 - Port Security and AAA Combined Configuration Example
In a network, administrators typically assign static IP addresses to dumb terminals such as printers. To authenticate such users more flexibly, you can configure them as static users. Once a static user is configured, as long as any one of 802.1X authentication, MAC authentication, or Web authentication is enabled on the interface the static user connects to, the device can use information such as the static user's IP address as the username for authentication.
During user authentication, if all RADIUS servers in the authentication scheme become unreachable, the RADIUS authentication requests sent by the device receive no response and users cannot come online normally. By configuring an escape domain under the current authentication domain, you can let users "escape" from the current authentication domain when the RADIUS servers are unreachable, come online in the new domain, and obtain access to part of the network resources from it.
All configurations in this document were performed and verified in a lab environment; before configuration, all device parameters were at their factory defaults. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following example so that the expected results are obtained.
This document assumes that you are familiar with the port security and AAA authentication domain features.
As shown in Figure 3-1, a company wants hosts in certain subnets to authenticate and come online using static IP addresses, and still be able to access part of the network resources when the RADIUS server is unreachable.
The following requirements must be met:
· Only users whose IP addresses are in the range 192.168.2.29 to 192.168.2.49 can trigger authentication as static users.
· When the RADIUS server is reachable, Host A is authorized to join VLAN 100 after it passes authentication as a static user.
· When the RADIUS server becomes unreachable, Host A, which is already online, stays online; newly connected Host B triggers authentication as a static user, enters the escape domain, is authorized to join VLAN 200, and is not subject to accounting.
· After the RADIUS server becomes reachable again, Host B re-triggers authentication as a static user and comes online successfully.
· On Device, create and configure a RADIUS scheme and an authentication domain, and bind the RADIUS scheme in the authentication domain.
· On Device, create and configure an escape domain, and configure the escape function in the authentication domain.
· Specify the static user address range, and enable 802.1X authentication on the access port of the static users so that unknown-source packets carrying an IP address from static users can trigger the authentication process.
Table 3-1 Applicable products and versions
Product | Software version
S12500G-AF series switches | Release 7639P01 and later
S10500X series switches | Release 7639P01 and later
S12500-XS series switches | Release 7639P01 and later
S7600E-X series switches | Release 7639P01 and later
S7500X-X series switches | Release 7639P01 and later
S10500 series switches | Release 7639P01 and later
S7600-X series switches | Release 7639P01 and later
S12500-S series switches | Release 7639P01 and later
S7500E-X series switches | Release 7639P01 and later
S7500E series switches | Release 7639P01 and later
S7500X series switches | Release 7639P01 and later
S7600 series switches | Release 7639P01 and later
S7000ET series switches | Release 7639P01 and later
· The first packet sent by a user host cannot be controlled. If the host's first packet does not carry an IP address and other authentication features (such as MAC authentication) are also configured on the port, another authentication process might be triggered first.
· When 802.1X is enabled on a port, it is recommended to enable the 802.1X unicast trigger function, because some static users cannot actively send authentication packets.
On the RADIUS server, create the static users, complete the related configuration such as the authentication service, and authorize VLAN 100 to static users that pass authentication and come online.
(1) Configure a RADIUS scheme
# Create a RADIUS scheme, configure its primary authentication/accounting server and the shared keys, and configure usernames sent to the RADIUS server to exclude the domain name.
<Device> system
[Device] radius scheme radius1
[Device-radius-radius1] primary authentication 192.168.56.10
[Device-radius-radius1] primary accounting 192.168.56.10
[Device-radius-radius1] key authentication simple 123456
[Device-radius-radius1] key accounting simple 123456
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
(2) Configure an authentication domain
# Create authentication domain bbb, and configure it to use RADIUS scheme radius1 for user authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme radius1
[Device-isp-bbb] authorization lan-access radius-scheme radius1
[Device-isp-bbb] accounting lan-access radius-scheme radius1
[Device-isp-bbb] quit
(3) Configure an escape domain
# Create escape domain critical, authorize VLAN 200 to escape users, and disable accounting for escape users.
[Device] domain critical
[Device-isp-critical] authorization-attribute vlan 200
[Device-isp-critical] accounting lan-access none
[Device-isp-critical] quit
(4) Configure the escape function
# Configure critical as the escape domain used when the RADIUS servers are unreachable during user authentication, and configure re-authentication of escape users when the servers become reachable again.
[Device] domain bbb
[Device-isp-bbb] authen-radius-unavailable online domain critical
[Device-isp-bbb] authen-radius-recover re-authen
[Device-isp-bbb] quit
# Configure the static user IP address range as 192.168.2.29 to 192.168.2.49, and bbb as the authentication domain for static users.
[Device] port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
# Configure the static user username format as the IP address, and the password as plaintext 123456.
[Device] port-security static-user user-name-format ip-address
[Device] port-security static-user password simple 123456
# Enable 802.1X authentication on port GigabitEthernet1/0/1.
[Device] interface GigabitEthernet1/0/1
[Device-GigabitEthernet1/0/1] dot1x
# Enable the 802.1X unicast trigger function.
[Device-GigabitEthernet1/0/1] dot1x unicast-trigger
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
[Device] ip route-static 192.168.56.0 24 192.168.56.20
# Host A and Host C both initiate authentication while the RADIUS server is reachable. Static user Host A passes authentication, comes online, and is authorized VLAN 100; Host C cannot come online through static user authentication.
<Sysname> display port-security static-user connection
Total connections: 1
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:43:37
Online duration: 0h 4m 8s
Port-down keep online: Disabled (offline)
# Host B initiates authentication while the RADIUS server is unreachable. Host A, which passed authentication and came online before the server became unreachable, stays online; Host B, whose authentication could not complete, enters escape domain critical and is authorized VLAN 200.
<Sysname> display port-security static-user connection
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: critical domain
Authentication domain: bbb
IPv4 address: 192.168.2.29
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 200
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 10:59:05
Online duration: 0h 0m 58s
Port-down keep online: Disabled (offline)
# When the RADIUS server becomes reachable again, escape static user Host B re-authenticates and comes online successfully.
<Sysname> display port-security static-user connection
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.29
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
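The verification output above can be parsed to alert when any static user is online through the escape domain, which means every RADIUS server in the scheme was unreachable when that user authenticated, and to confirm that the escape domain's authorized VLAN actually took effect. This is an added example, not part of the H3C document; the sample text and the function names are constructed here.

```python
# Constructed sample modelled on the display output above: one static user
# authenticated normally, one brought online through the escape domain.
SAMPLE_OUTPUT = """\
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
Authorization untagged VLAN: 100
Slot ID: 1
User MAC address: ecb1-d73d-be70
Username: 192.168.2.29
User access state: critical domain
Authentication domain: bbb
Authorization untagged VLAN: 200
"""

def parse_connections(text):
    """Return one dict per session; each session block starts at a 'Slot ID:' line."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("Slot ID:"):
            sessions.append({})
        elif sessions and ": " in line:
            key, value = line.split(": ", 1)
            sessions[-1][key.strip()] = value.strip()
    return sessions

def escape_domain_report(sessions, expected_vlan="200"):
    """Flag sessions served by the escape domain.

    'User access state: critical domain' means the user came online while the
    RADIUS servers were unreachable; a VLAN other than expected_vlan means the
    escape domain's authorization attribute did not apply as configured."""
    report = []
    for s in sessions:
        if s.get("User access state", "").lower() != "critical domain":
            continue
        vlan = s.get("Authorization untagged VLAN", "N/A")
        report.append({"username": s.get("Username", ""),
                       "mac": s.get("User MAC address", ""),
                       "vlan": vlan, "vlan_ok": vlan == expected_vlan})
    return report

if __name__ == "__main__":
    for e in escape_domain_report(parse_connections(SAMPLE_OUTPUT)):
        print(f"escape-domain user {e['username']} ({e['mac']}) VLAN {e['vlan']} "
              f"{'ok' if e['vlan_ok'] else 'MISMATCH'}")
```

On a live device, feed the full output of display port-security static-user connection to parse_connections; the extra fields in the real output are parsed the same way and simply ignored by the report.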
#
dot1x
#
port-security static-user password cipher $c$3$ozaGPAIK8wBDwF9rXSdkBqk10lXJBbrdpg==
port-security static-user user-name-format ip-address
port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
#
vlan 2
#
interface Vlan-interface1
ip address 192.168.56.20 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.220 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-mode bridge
port access vlan 2
dot1x
dot1x unicast-trigger
#
ip route-static 192.168.56.0 24 192.168.56.20
#
radius scheme radius1
primary authentication 192.168.56.10
primary accounting 192.168.56.10
key authentication cipher $c$3$ZR6Jz13mrYRSvW91VRUZVtuTIBsyK6Le8A==
key accounting cipher $c$3$qAgtx0xzADC9RFRI7nQ6LbGoYefOwmFtjg==
user-name-format without-domain
#
domain bbb
authen-radius-unavailable online domain critical
authen-radius-recover re-authen
authentication lan-access radius-scheme radius1
authorization lan-access radius-scheme radius1
accounting lan-access radius-scheme radius1
#
domain critical
authorization-attribute vlan 200
accounting lan-access none
#
Specifications vary slightly between models; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of this document without notice.