交換機(jī)上結(jié)合IMC做802.1xPortal配置案例重點(diǎn)

1、交換機(jī)上結(jié)合IMC做802.1x+Portal配置案例提示：建議將WORD顯示比例調(diào)整為150%查看1. 配置要求：對交換機(jī)接入用戶做 802.1x+Porta l認(rèn)證 2網(wǎng)絡(luò)拓?fù)?ClMfr3.設(shè)備端配置：portaldevicedis verH3C Comware Platform SoftwareComware Software, Versio n 5.20, Release 2202P19Copyright （c 2004-2010 Han gzhou H3C Tech. Co., Ltd. All rights reserved.H3C S5500-28C-EI uptime is

2、0 week, 0 day, 20 hours, 49 min utesportaldevice s5500-EIdis cu#version 5.20, Release 2202P19domain default enable ya/指定默認(rèn)域名，并結(jié)合 user-name-format without-domain這條命令，在802.1X時不用帶域名。dot1x 全局開啟dot1x功能portal server szhp ip 00 key szhp url 00:8080/porta（指 定portal頁面）vla n 1 vl

3、an 10#via n 20#radius scheme szhprimary authe ntication 00primary accou nting 00key authe nticati on huakey acco un ti ng huauser- name-format without-doma indomain szh /portal 配置，弓丨用 radius 方案 szh. authe nticati on portal radius-scheme szh authorizati on portal radius-scheme

4、 szh acco unting portal radius-scheme szh access-limit disable state active idle-cut disable self-service-url disabledomain ya /802.1X 配置，引用 radius 方案 szh. authe nticati on Ian-access radius-scheme szh authorizati on Ian-access radius-scheme szh acco un ti ng Ian-access radius-scheme szh access-limi

5、t disable state active idle-cut disable self-service-url disable#user-group system#in terface NULLO#in terface Vla n-i nterface10ip address #in terface Vla n-in terface20 /portal 認(rèn)證 VLANip address portal server szhp method direct#in terface Gigabit

6、Ethernet1/0/4port access vla n 20dot1x#s nmp v3的配置sn mp-age ntsn mp-age nt local-e ngi neid 800063A203000FE2B23AD7sn mp-age nt com mun ity read publicsn mp-age nt com mun ity write privatesn mp-age nt sys-i nfo versi on v3sn mp-age nt group v3 test_group privacy read-view test_view write-view test_v

7、iew no tify-view test_view sn mp-age nt mib-view in cluded test_view isosn mp-age nt usm-user v3 test_user test_group authe nticati on-m ode md5 !QM%/G4DGv2=O98lL7YOQ! privacy-modedes56 !QM%/G4DG2=O981L7YOQ!2.IMC上關(guān)于802.1X的配置:(1)創(chuàng)建用戶姓名：8021xuser(2給用戶姓名添加賬號：user802,密碼：*,并與之前創(chuàng)建的服務(wù)關(guān)聯(lián)。(3) 用iNODE做客戶端驗證，先創(chuàng)

8、建一個 802.1x連接:1-1-圖(1)圖（2）圖（3）此處不帶域名需要在設(shè)備上指定默認(rèn)域名（見配置）m C * O * 13 6 D Qfi圖（4） 802.1X驗證成功3.IMC關(guān)于Portal的配置:（1接入設(shè)備添加：共享密鑰:hua ,192.168.10偽Portal設(shè)備和IMC最近的接口 IP 或者為nas-ip(2)創(chuàng)建服務(wù)(servicename(3)創(chuàng)建用戶姓名(4) 給創(chuàng)建的用戶姓名添加賬號(account,密碼(123456,將用戶姓名和服務(wù)關(guān)聯(lián) 起來。一個用戶姓名只能對應(yīng)一個賬號 I HM(5) 創(chuàng)建一個服務(wù)，注意服務(wù)類型標(biāo)識為 domain名，為交換機(jī)portal認(rèn)

9、證的域 名為szh,服務(wù)類型為描述的意思。在inode選擇服務(wù)類型即可，不用在用戶名輸 入 szho(6) portal配置：添加啟用Portal設(shè)備名，IP地址一般為做Portal認(rèn)證客戶端 的網(wǎng)關(guān)IP.密鑰：szhp.(7添加IP地址組，地址為需要Portal認(rèn)證的地址段(8)創(chuàng)建端口組，并將要認(rèn)證的地址組關(guān)聯(lián)起來9.測試認(rèn)證/ V fiDita802.1x已認(rèn)證成功。認(rèn)證之前Ping不通網(wǎng)關(guān)地址（除了 IMC服務(wù)器的地址外都不能訪問）如下圖:從該實驗中，可以看出802.1X驗證成功只相當(dāng)于插上了網(wǎng)線，而P ortal認(rèn)證是基 于三層的，在認(rèn)證通過前只能與服務(wù)器通信。在瀏覽器中隨便輸入一個

10、IP地址，會自動觸發(fā)Portal認(rèn)證頁面如下圖：PORTAL認(rèn)證頁面圖Portal認(rèn)證成功后Ping測圖小結(jié)：結(jié)合IMC做Portal認(rèn)證的基本流程:1. 添加接入設(shè)備。2. 創(chuàng)建服務(wù)。3. 創(chuàng)建用戶姓名，賬號，密碼，并將用戶與服務(wù)綁定4. 服務(wù)類型配置5. Portal的配置:設(shè)備配置。6. IP地址組配置。7. 將IP地址組與設(shè)備綁定。l.portal認(rèn)證時，如果用INODE認(rèn)證，則必須將策略服務(wù)器關(guān)閉，否則認(rèn)證后大概 十秒鐘后下線，提示安全檢查沒通過。2.802.1X默認(rèn)是CHAP認(rèn)證方式，支持 PAP,EAP,可用命令：dot1x authe nticati on-method eap

11、修 改。3.在radius認(rèn)證時，V5產(chǎn)品必須在域中做授權(quán)配置 authorization portal radiusscheme szh否則認(rèn)證不成功，并且提示：Rejected by local server錯誤。附帶：DO1X認(rèn)證時的RADIUS報文：pr 27 09:13:34:679 2000 portaldevice RDS/7/DEBUG:Recv MSG,MsgType=EAP auth request Index = 164, ulParam3=112681088*Apr 27 09:13:34:831 2000 portaldevice RDS/7/DEBUG:Se nd

12、attribute list:*Apr 27 09:13:34:923 2000 portaldevice RDS/7/DEBUG:1 User- name 41 b2Q4R0YDN3QtTho4dVF9fQbyrpM= user80212 Framed-MTU 6 145079 EAP-Message 46 0201002C01060762325134523059444E33517454686F34645646396651627972704D3 D2020757365723830324 NAS-IP-Address 6 32 NAS-Ide ntifier 14 po

13、rtaldevice*Apr 27 09:13:35:550 2000 portaldevice RDS/7/DEBUG:5 NAS-Port 6 1679362061 NAS-Port-Type 6 156 Service-Type 6 27 Framed-Protocol 6 131 Caller-ID 16 313861392D303564652D30613733*Apr 27 09:13:35:934 2000 portaldevice RDS/7/DEBUG:Send: IP=00,Userlndex=164, ID=225, RetryTimes=0, Co

14、de=1, Length=191*Apr 27 09:13:36:116 2000 portaldevice RDS/7/DEBUG:Se nd Raw Packet is:*Apr 27 09:13:36:208 2000 portaldevice RDS/7/DEBUG:01 e1 00 bf 00 00 16 4d 00 00 5f 3a 00 00 34 d400 00 25 93 01 29 06 07 62 32 51 34 52 30 59 444e 33 51 74 54 68 6f 34 64 56 46 39 66 51 62 7972 70 4d 3d 20 20 75

15、73 65 72 38 30 32 0c 06 0000 05 aa 4f 2e 02 01 00 2c 01 06 07 62 32 51 3452 30 59 44 4e 33 51 74 54 68 6f 34 64 56 46 3966 51 62 79 72 70 4d 3d 20 20 75 73 65 72 38 3032 50 12 34 53 b5 20 dd 45 07 22 d0 77 af ee 4834 c8 36 04 06 c0 a8 0a 01 20 0e 70 6f 72 74 616c 64 65 76 69 63 65 05 06 01 00 40 14

16、3d 06 0010 31 38 61 39 2d 30 35 64 65 2d 30 61 37 33*Apr 27 09:13:37:47 2000 portaldevice RDS/7/DEBUG:Recv MSG,MsgType=PKT response Index = 80, ulParam3=111623536*Apr 27 09:13:37:189 2000 portaldevice RDS/7/DEBUG:Receive Raw Packet is:*Apr 27 09:13:37:281 2000 portaldevice RDS/7/DEBUG:0b e1 00 50 4c

17、 ee 58 c7 62 2e a2 41 e3 84 5c 358f b1 f3 13 4f 18 01 02 00 16 04 10 37 63 35 4767 4d 33 63 06 07 c8 64 10 ac 3b 23 18 12 37 6231 39 64 32 34 37 54 f8 7d 7b 3e 8c c0 4c 50 1289 c0 0f 2e 3c df c8 f6 dd 8c db 81 a7 48 a0 cc*Apr 27 09:13:37:686 2000 portaldevice RDS/7/DEBUG:No pick-up Notify from Recei

18、ve Raw Packet!*Apr 27 09:13:37:808 2000 portaldevice RDS/7/DEBUG:Receive:IP=00,Code=11, Le ngth=80*Apr 27 09:13:37:930 2000 portaldevice RDS/7/DEBUG:79 EAP-Message 24 01020016041037633547674D33630607C86410AC3B2324 State 18 376231396432343754F87D7B3E8CC04C80 Message-Autheticator 18 89C00F

19、2E3CDFC8F6DD8CDB81A748A0CC*Apr 27 09:13:38:294 2000 portaldevice RDS/7/DEBUG:Recv MSG,MsgType=EAP auth request In dex = 164, ulParam3=112983184*Apr 27 09:13:38:446 2000 portaldevice RDS/7/DEBUG:Se nd attribute list:*Apr 27 09:13:38:538 2000 portaldevice RDS/7/DEBUG:1 User- name 41 b2Q4R0YDN3QtTho4dV

20、F9fQbyrpM= user80212 Framed-MTU 6 145079 EAP-Message 31 0202001D0410101DB07D72FEFD80B0D938EA1342C12D7573657238303280 Message-Autheticator 18 000000000000000000000000000000004 NAS-IP-Address 6 32 NAS-lde ntifie門14 portaldevice*Apr 27 09:13:39:124 2000 portaldevice RDS/7/DEBUG:5 NAS-Port 6

21、 1679362061 NAS-Port-Type 6 156 Service-Type 6 27 Framed-Protocol 6 131 Caller-ID 16 313861392D303564652D3061373324 State 18 376231396432343754F87D7B3E8CC04C*Apr 27 09:13:39:600 2000 portaldevice RDS/7/DEBUG:NULL*Apr 27 09:13:39:671 2000 portaldevice RDS/7/DEBUG:Send: IP=00, Userlndex=16

22、4, ID=226, RetryTimes=0, Code=1, Length=194*Apr 27 09:13:39:853 2000 portaldevice RDS/7/DEBUG:Se nd Raw Packet is:*Apr 27 09:13:39:955 2000 portaldevice RDS/7/DEBUG:01 e2 00 c2 00 00 36 9f 00 00 71 d2 00 00 6c a400 00 50 9e 01 29 06 07 62 32 51 34 52 30 59 444e 33 51 74 54 68 6f 34 64 56 46 39 66 51

23、 62 7972 70 4d 3d 20 20 75 73 65 72 38 30 32 0c 06 0000 05 aa 4f 1f 02 02 00 1d 04 10 10 1d b0 7d 72fe fd 80 b0 d9 38 ea 13 42 c1 2d 75 73 65 72 3830 32 50 12 22 02 50 a9 32 9e 56 86 3d 14 c7 5f22 dc 9b 70 04 06 c0 a8 0a 01 20 0e 70 6f 72 7461 6c 64 65 76 69 63 65 05 06 01 00 40 14 3d 0600 00 00 0f

24、06 06 00 00 00 02 07 06 00 00 00 011f 10 31 38 61 39 2d 30 35 64 65 2d 30 61 37 33 c0 4c18 12 37 62 31 39 64 32 34 37 54 f8 7d 7b 3e 8c*Apr 27 09:13:40:804 2000 portaldevice RDS/7/DEBUG:Recv MSG,MsgType=PKT response Index = 143, ulParam3=111625904*Apr 27 09:13:40:955 2000 portaldevice RDS/7/DEBUG:Re

25、ceive Raw Packet is:*Apr 27 09:13:41:46 2000 portaldevice RDS/7/DEBUG:02 e2 00 8f 22 99 b1 a6 ff 86 65 65 9c df 68 18fb c6 29 c0 06 06 00 00 00 02 18 0a 37 63 35 4767 4d 3363 1d 06 0000 00 00 1b06 00 01 518155 06 0000 02 58 1a41 00 00 63a2 3d 3b 360600 00 0000 37 06 0000 00 00 3806 00 00 00003a 06 0

26、000 00 00 4206 00 00 0000 43 11 312020 20 5230 30 36 4230 33 44 3030 33 3d 0a3763 35 47 67 4d 33 63 4f 06 03 02 00 04 50 12 1a12 df 2f 39 35 05 98 d8 40 ab 7f 08 2b 1f 87*Apr 27 09:13:41:683 2000 portaldevice RDS/7/DEBUG:Warni ng: Ven dorlD=25506 is not recog ni zed, 59 bytes is ignored*Apr 27 09:13

27、:41:825 2000 portaldevice RDS/7/DEBUG:No pick-up Notify from Receive Raw Packet!*Apr 27 09:13:41:947 2000 portaldevice RDS/7/DEBUG:Receive:IP=00,Code=2 ,L e ngth=143*Apr 27 09:13:42:69 2000 portaldevice RDS/7/DEBUG:6 Service-Type 6 224 State 10 37633547674D336329 Termi natio n-Actio n 6

28、027 Sessio n-TimeOut 6 8640185 Acct_I nterimn terval 6 60079 EAP-Message 6 03020004*Apr 27 09:13:42:504 2000 portaldevice RDS/7/DEBUG:*Apr 27 09:13:42:674 2000 portaldevice RDS/7/DEBUG:Recv MSG,MsgType=Accou nt request In dex = 164, ulParam3=0*Apr 27 09:13:42:816 2000 portaldevice RDS/7/DEBUG:Se nd

29、attribute list:*Apr 27 09:13:42:907 2000 portaldevice RDS/7/DEBUG:1 User- name 41 b2Q4R0YDN3QtTho4dVF9fQbyrpM= user80232 NAS-Ide ntifier 14 portaldevice5 NAS-Port 6 1679362061 NAS-Port-Type 6 1531 Caller-ID 16 313861392D303564652D3061373340 Acct-Status-Type 6 1*Apr 27 09:13:43:413 2000 portaldevice

30、RDS/7/DEBUG:45 Acct-Authe ntic 6 144 Acct-Sessio n-ld 17 1000327091333014 NAS-IP-Address 6 55 Eve nt-Timestamp 6 956826814*Apr 27 09:13:43:737 2000 portaldevice RDS/7/DEBUG:Send: IP=00, UserIndex=164, ID=161, RetryTimes=0, Code=4, Length=144*Apr 27 09:13:43:919 2000 portaldevice RDS/7/DEBUG:Se nd Raw Packet is:*Apr 27 09:13:44:11 2000 portaldevice RDS/7/DEBUG:04 a1 00 90 7d eb f2 35 b3 43