需求:各个部门使用无线的用户,只能连接到部门所属的VLAN。
环境:
网络设备 :核心交换H3C S5500(192.168.10.254),接入层POE H3C S5130(192.168.10.253), AC为H3C WX2560H(192.168.10.252),AP为WA4320;
服务器:域/DHCP服务器(192.168.20.1),NPS服务器(192.168.20.2)
VLAN分为10、20、30、40、50、60,其中10为网络设备网段,20为Windows服务器网段,30为AP网段,40\50\60为用户所属生产网段;10\20\30由核心交换机分配地址,40\50\60由核心交换中继到Windows DHCP服务器进行分配IP地址。
一、交换机配置:
核心交换S5500:
dis cur # version 7.1.045, Release 3116 # sysname S5500 # clock timezone Lisbon add 00:00:00 clock protocol none # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # dhcp enable dhcp server forbidden-ip 192.168.10.1 192.168.10.10 dhcp server forbidden-ip 192.168.20.1 192.168.20.10 # lldp global enable # password-recovery enable # vlan 1 # vlan 10 # vlan 20 # vlan 30 # vlan 40 # vlan 50 # vlan 60 #10 stp global enable # dhcp server ip-pool 10 gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 dns-list 192.168.20.1 # dhcp server ip-pool 20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 dns-list 192.168.20.1 # dhcp server ip-pool 30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 dns-list 192.168.20.1 option 43 hex 8007000001c0a80afc #AP网段为30,AC网段为10,AP跨网段注册时在DHCP上要配置optin43选项,即AC的16进制地址 # interface NULL0 # interface Vlan-interface1 ip address 192.168.0.233 255.255.255.0 # interface Vlan-interface10 ip address 192.168.10.254 255.255.255.0 # interface Vlan-interface20 ip address 192.168.20.254 255.255.255.0 # interface Vlan-interface30 ip address 192.168.30.254 255.255.255.0 # interface Vlan-interface40 ip address 192.168.40.254 255.255.255.0 dhcp select relay dhcp relay server-address 192.168.20.1 # interface Vlan-interface50 ip address 192.168.50.254 255.255.255.0 dhcp select relay dhcp relay server-address 192.168.20.1 # interface Vlan-interface60 ip address 192.168.60.254 255.255.255.0 dhcp select relay dhcp relay server-address 192.168.20.1 # interface GigabitEthernet1/0/1 # interface GigabitEthernet1/0/2 # interface GigabitEthernet1/0/3 # interface GigabitEthernet1/0/4 # interface GigabitEthernet1/0/5 # interface GigabitEthernet1/0/6 # interface GigabitEthernet1/0/7 # interface GigabitEthernet1/0/8 # interface GigabitEthernet1/0/9 # interface GigabitEthernet1/0/10 # interface GigabitEthernet1/0/11 # interface GigabitEthernet1/0/12 # interface GigabitEthernet1/0/13 # interface GigabitEthernet1/0/14 # interface GigabitEthernet1/0/15 # interface GigabitEthernet1/0/16 # interface GigabitEthernet1/0/17 #下联S5130 port link-type trunk port trunk permit vlan all combo enable copper # interface GigabitEthernet1/0/18 #下联AC WX2560H port link-type trunk port trunk permit vlan all combo enable copper # interface GigabitEthernet1/0/19 combo enable copper # interface GigabitEthernet1/0/20 combo enable copper # interface GigabitEthernet1/0/21 combo enable copper # interface GigabitEthernet1/0/22 combo enable copper # interface GigabitEthernet1/0/23 port access vlan 10 combo enable copper # interface GigabitEthernet1/0/24 port access vlan 20 combo enable copper # interface GigabitEthernet1/0/25 # interface GigabitEthernet1/0/26 # interface GigabitEthernet1/0/27 # interface GigabitEthernet1/0/28 # scheduler logfile size 16 # line class aux user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin user-role network-operator idle-timeout 0 0 # snmp-agent snmp-agent local-engineid 800063A2803CF5CC29A26100000001 snmp-agent community write private snmp-agent community read public snmp-agent sys-info version all # domain system # aaa session-limit http 6 aaa session-limit https 6 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$m6G0XrvVo3KCxzlo$ZiSUweumlOHswdjZOF9eac28c8rKCP4001GBXyfQp444n0ETJiRF6TJJNHE9Sh+eEChM11nlVTbZ5v6c8juKyA== service-type telnet terminal http https authorization-attribute user-role network-admin authorization-attribute user-role network-operator # netconf soap http enable netconf soap https enable # ip http enable ip https enable # return
POE S5130:
具体配置省略,关键信息为: 1、开启端口POE功能; 2、由于要配置AP自动上线,所以此交换机连接AP的端口模式均配置为access模式,VLAN为AP所属VLAN30;
AC WX2560H:
dis cur # version 7.1.064, Release 5215P01 # sysname WX2560H # telnet server enable # dot1x #启用dot1x,配置802.1x系统认证方位为EAP dot1x authentication-method eap # password-recovery enable # vlan 1 # vlan 10 # vlan 20 # vlan 30 # vlan 40 # vlan 50 # wlan service-template 1 #无线模版配置 ssid service1 akm mode dot1x cipher-suite ccmp security-ie rsn client-security authentication-mode dot1x dot1x domain dm01 service-template enable # interface NULL0 # interface Vlan-interface1 ip address 192.168.0.100 255.255.255.0 # interface Vlan-interface10 ip address 192.168.10.252 255.255.255.0 # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/1 #AC上联端口 port link-mode bridge port link-type trunk port trunk permit vlan all # interface GigabitEthernet1/0/2 port link-mode bridge # interface GigabitEthernet1/0/3 port link-mode bridge # interface GigabitEthernet1/0/4 port link-mode bridge # interface GigabitEthernet1/0/5 port link-mode bridge # interface GigabitEthernet1/0/6 port link-mode bridge # scheduler logfile size 16 # line class console user-role network-admin # line class vty user-role network-operator # line con 0 user-role network-admin # line vty 0 31 authentication-mode scheme user-role network-operator # ip route-static 192.168.10.0 24 192.168.10.254 #静态路由 ip route-static 192.168.20.0 24 192.168.10.254 #添加静态路由,否则验证无法通过 ip route-static 192.168.30.0 24 192.168.10.254 #添加静态路由,否则AP无法注册至AC # undo info-center logfile enable # radius session-control enable #使能radius session-control功能 # radius scheme rd01 #新建radius服务,授权及认证服务器和密钥 primary authentication 192.168.20.2 key cipher $c$3$H/oG+QiqvYDHlrCjYQtLXoWoKXbOf9mSuU1N primary accounting 192.168.20.2 key cipher $c$3$4/xA5b5wob1GLTAt+J4pxJJf8NuaSzQOiYn2 key authentication cipher $c$3$bCmB/bA01ZFxZnpa1xxpBCLeIZnQ2uhhp4Ee key accounting cipher $c$3$NXsfRNwLjlhQw0YMKdmAgf2L2oQFVFGGIGpp nas-ip 192.168.10.252 #指定Nas-ip,即AC地址 # radius dynamic-author server #开启并配置Radius DAE client ip 192.168.20.2 key cipher $c$3$GRXfDjXnWehlelAEC7r8/UOIFw9OYwzfwvZd # domain dm01 #新建本地isp authentication lan-access radius-scheme rd01 authorization lan-access radius-scheme rd01 accounting lan-access radius-scheme rd01 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$D5QsfpSiuEZF2/U4$8Q1ajQ+0kHYMJjx5sJESu48zPA+O9o+txSM7JQP3MJP6o4DXCQ+PeGwqXGX39NRJZX8HsGSCC1YdCZJCtzUYsg== service-type telnet http https authorization-attribute user-role network-admin # ip http enable ip https enable # wlan auto-ap enable wlan auto-persistent enable # wlan global-configuration # wlan ap-group default-group vlan 1 # wlan ap 38ad-be58-d860 model WA4320H serial-id 219801A0YG8178E08438 radio 1 radio 2 # wlan ap 38ad-be58-d6a0 model WA4320H serial-id 219801A0YG8178E08424 radio 1 radio enable service-template 1 radio 2 # cloud-management server domain oasis.h3c.com # return
二、服务器配置
1、域服务器配置省略
常规安装完毕域服务器后,安装证书服务。
在AD服务器上配置证书服务:
添加证书颁发几个和证书web注册
证书服务安装成功
在Radius服务器上申请证书
有效期为365天
2、Radius服务器配置
Radius服务器配置,分为四个部分。
2.1、新建共享模版
2.2、新建Radius客户端。
Radius客户端通常即为AC的地址,部分品牌使用软AC的无线AP,Radius客户端为所有AP的IP地址(此种情况下,需要把AP的地址设置为固定IP)
2.3、连接请求策略
连接请求策略和网络策略互相对应的,通常情况下是一个部门(或一个VLAN)对应一条策略
2.3、网络策略
网络策略中,主要设置以下几个重要的参数:
对应的安全组:此条策略对应的Windows组,通常为一个部门的安全组;
身份验证方式:EAP类型
framed-protocol:PPP
service-type :framed
tunnel-medium-type: 隧道承载媒介类型为802
tunnel-pvt-group-id:定义所属的vlan
至此,Radius实现无线用户动态VLAN配置完成。