网络拓扑:
H3C交换机 802.1X+AD+CA+IAS进行802.1x身份验证_第1张图片
dis cu
#
 sysname layer_2_3
#
 domain default enable autonavi.com       //使能自己建立的域
#
 loopback-detection enable
#
 gvrp
#
 dot1x      //全局启用802.1x
 dot1x authentication-method eap     //使用EAP验证方式
#
radius scheme system
radius scheme test                        //建立test 
 server-type standard
 primary authentication 192.168.0.2   //指定主验证服务器,还可以指定辅验证服务器
 accounting optional                           //计费可选项,注意,当没有计费服务器,必须加上这条命令,否则无法验证通过
 key authentication test                    //验证密码:test
#
domain test.com                              //建立域test.com
 scheme radius-scheme test             //使用上面建立的radius schem:test
 vlan-assignment-mode string         //指定VLAN匹配模式为字符型(string),也可以指定匹配模式为×××(integer),这个与radius server属性里面的设置是相关联的。
domain system
#                                         
 stp enable
#
#
vlan 1
#
vlan 3
name test
#
vlan 21
name guest-vlan
#                                        
interface Vlan-interface1
 ip address 192.168.0.1 255.255.255.0
#
interface Vlan-interface7
#
interface Aux1/0/0
#
interface Ethernet1/0/1
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/2
 broadcast-suppression 40
 port access vlan 3
#
 interface Ethernet1/0/3
 broadcast-suppression 40    //广播抑制,无关紧要。
 dot1x port-method portbased
 dot1x guest-vlan 21            //验证不通过时,将获得vlan21的内容。
 dot1x
#
interface Ethernet1/0/4                  
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/5
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/6
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/7
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/8
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/9
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/10                 
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/11
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/12
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/13
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/14
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/15
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/16                 
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/17
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/18
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/19
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/20
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/21
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/22                 
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/23
 broadcast-suppression 40
 port access vlan 3
#
interface Ethernet1/0/24
 broadcast-suppression 40
 port access vlan 3
#
interface GigabitEthernet1/1/1
 port link-type trunk
 port trunk permit vlan all
 broadcast-suppression 40
 gvrp
#
interface GigabitEthernet1/1/2
 port link-type trunk
 port trunk permit vlan all
 broadcast-suppression 40
#
interface GigabitEthernet1/1/3
 port link-type trunk                    
 port trunk permit vlan all
 broadcast-suppression 40
 gvrp
#
interface GigabitEthernet1/1/4
 broadcast-suppression 40
 port access vlan 3
#
 undo irf-fabric authentication-mode
#
interface NULL0
#
 voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000
#
#
#
user-interface aux 0 7
user-interface vty 1 4                   
#
return