After several twists and turns I finally got the VPN up and working normally; I am recording it here. Thanks to H3C technical support, and to engineer 3290 for the patient help...
Network diagram:
F1020 configuration:
#
version 7.1.064, Release 9313P12
#
sysname FW01
#
context Admin id 1
#
ip vpn-instance management
route-distinguisher 1000000000:1
vpn-target 1000000000:1 import-extcommunity
vpn-target 1000000000:1 export-extcommunity
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
password-recovery enable
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0 -----IP address of the interface facing the router
port link-mode route
description link to route MSR3620
ip address 192.168.201.254 255.255.255.0
#
interface GigabitEthernet1/0/1 -----IP address of the interface facing the intranet
port link-mode route
description link to SW5800
ip address 192.168.202.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface SSLVPN-AC1 ---------create SSL VPN AC interface 1 and give it an IP address
ip address 2.2.2.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust ----add the two interfaces above to Trust, otherwise they cannot reach each other
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
security-zone name SSLVPN ----add SSLVPN-AC1 to the SSLVPN zone and permit the traffic with a policy
import interface SSLVPN-AC1
#
zone-pair security source Local destination Trust ------remaining security permit policies, same below
packet-filter 3000
#
zone-pair security source SSLVPN destination Trust
packet-filter 3010
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination SSLVPN
packet-filter 3010
#
zone-pair security source Trust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 192.168.201.1 -----default route to the next hop (router)
ip route-static 192.168.0.0 16 192.168.202.254 ------return route to the intranet
#
ssh server enable
#
acl advanced 3000 -----------ACL used by the security policies (permits all IP)
rule 199 permit ip
#
acl advanced 3010 -----------ACL used by the security policies (tunnel pool <-> intranet only)
rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 2.2.2.0 0.0.0.255
#
ldap server ldap1 -----------------AD authentication settings
login-dn cn=administrator,cn=users,dc=bbb,dc=com ----bind DN (here the domain administrator)
search-base-dn dc=bbb,dc=com ------base DN under which users are searched
ip 192.168.10.1 -----IP address of the domain controller
login-password cipher $c$3$RXm3/H61vuYoaD1e4JCGI8L4oXNvuxpk8xx/0QqI3iU= ---password of the bind account
user-parameters user-name-attribute userprincipalname
user-parameters user-name-format with-domain
#
ldap scheme shm1 ------ create LDAP scheme shm1
authentication-server ldap1 -----use ldap1 as both the authentication server and the authorization server
authorization-server ldap1
attribute-map test1
#
ldap attribute-map test1 -----create LDAP attribute map test1
map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group ---take the LDAP attribute memberOf, extract the text after the prefix cn= up to the delimiter comma (,), and map it to the AAA attribute user-group
#
domain bbb.com ------create ISP domain bbb.com; SSL VPN users get LDAP authentication, LDAP authorization and no accounting
authentication sslvpn ldap-scheme shm1
authorization sslvpn ldap-scheme shm1
accounting sslvpn none
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
user-group system
#
user-group vpn_users ----create local user group vpn_users and assign it SSL VPN policy group pgroup (the name must match the AD group extracted from memberOf)
authorization-attribute sslvpn-policy-group pgroup
#
The corresponding user group on AD is as follows:
local-user admin class manage
password hash $h$6$Jn5wsW9YxCZelW4q$iMkNxt5tS2in5AatDoVApxLAwLpSoIjOYCg2hsYp9fBexxHWtuXETwVdJ5miG2lSbnofdq+qB/2PnG1KrVUriw==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user test class network
password cipher $c$3$ehhvJ6iZ0EjbcvRio4reyPyuqQWmAjdrDiqE
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group pgroup
#
pki domain sslvpn --------------configure PKI domain sslvpn
public-key rsa general name sslvpn
undo crl check enable
#
ssl server-policy ssl -----------configure SSL server policy ssl
pki-domain sslvpn
ciphersuite rsa_aes_128_cbc_sha
client-verify enable
#
session top-statistics enable
#
ip http enable
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#----create address pool ippool with the range 2.2.2.2 to 2.2.2.254
sslvpn ip address-pool ippool 2.2.2.2 2.2.2.254
#
sslvpn gateway gw --------configure SSL VPN gateway gw with IP address 192.168.201.254 and port 2000, referencing SSL server policy ssl
ip address 192.168.201.254 port 2000
ssl server-policy ssl
service enable
#
sslvpn context ctx ------ configure SSL VPN context ctx, referencing gateway gw
gateway gw
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool ippool mask 255.255.255.0
ip-route-list rtlist ----create route list rtlist and add the entry 192.168.0.0/16
include 192.168.0.0 255.255.0.0
policy-group pgroup --------create SSL VPN policy group pgroup referencing route list rtlist; filter ip-tunnel applies an ACL so that only packets it permits can reach IP resources (ACL 3000 as configured permits all IP, so here the route list is what actually limits access)
filter ip-tunnel 3000
ip-tunnel access-route ip-route-list rtlist
aaa domain bbb.com ---authenticate users in domain bbb.com
timeout idle 120
service enable
#
ips policy default
#
anti-virus policy default
#
return
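To check what the security policies above actually let through before touching the firewall, here is a small Python model of how advanced ACLs 3000 and 3010 are evaluated on the zone pairs that reference them. This is an added example, not code from the original post or from H3C; the wildcard masks, rule order and zone-pair table come from the configuration, while the implicit deny when no rule matches and the drop for zone pairs that have no policy are assumptions about the platform default (check `packet-filter default deny` on your device).

```python
# Added example: model of ACL 3000/3010 evaluation on the configured zone pairs.
# Wildcard masks, rule ids and zone pairs are copied from the F1020 config above;
# the implicit-deny defaults are assumptions, not taken from the post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]  # (base address, wildcard mask) exactly as written in the rule


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    src: Optional[Addr] = None   # None means any source
    dst: Optional[Addr] = None   # None means any destination

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src is None or wildcard_match(src, *self.src)
        dst_ok = self.dst is None or wildcard_match(dst, *self.dst)
        return src_ok and dst_ok


# acl advanced 3000: rule 199 permit ip
ACL_3000: List[Rule] = [Rule(199, "permit")]
# acl advanced 3010: tunnel pool 2.2.2.0/24 <-> 192.168.0.0/16, both directions
ACL_3010: List[Rule] = [
    Rule(0, "permit", ("2.2.2.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255")),
    Rule(1, "permit", ("192.168.0.0", "0.0.255.255"), ("2.2.2.0", "0.0.0.255")),
]

# zone-pair security source X destination Y / packet-filter <acl>
ZONE_PAIRS = {
    ("Local", "Trust"): ACL_3000,
    ("SSLVPN", "Trust"): ACL_3010,
    ("Trust", "Local"): ACL_3000,
    ("Trust", "SSLVPN"): ACL_3010,
    ("Trust", "Trust"): ACL_3000,
}


def evaluate_acl(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; rules are checked in ascending rule-id order,
    which is also config order here. Returns (action, matching rule id)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst):
            return rule.action, rule.rule_id
    return "deny", None  # assumption: packets matching no rule are dropped


def zone_pair_verdict(src_zone: str, dst_zone: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Verdict for a packet entering from src_zone and leaving towards dst_zone.
    Zones follow the ingress/egress interface, not the IP address itself."""
    rules = ZONE_PAIRS.get((src_zone, dst_zone))
    if rules is None:
        return "deny", None  # assumption: no zone pair configured -> dropped
    return evaluate_acl(rules, src, dst)


if __name__ == "__main__":
    # A client that received 2.2.2.5 from ippool reaching the domain controller
    print(zone_pair_verdict("SSLVPN", "Trust", "2.2.2.5", "192.168.10.1"))  # ('permit', 0)
    # The same client trying to reach an address outside 192.168.0.0/16
    print(zone_pair_verdict("SSLVPN", "Trust", "2.2.2.5", "10.0.0.1"))      # ('deny', None)
```

Running it shows that a tunnel client can only reach 192.168.0.0/16 through the SSLVPN-to-Trust pair, which is also the only prefix the route list rtlist pushes to the client; anything else is dropped before it reaches the intranet.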
Notes:
1. Prepare the certificates before configuring. Set up a certificate server (see for example http://www.docin.com/p-1350607324.html), generate the certificates, and import the CA certificate ca.cer and the server certificate server.pfx:
[F1020] pki import domain sslvpn der ca filename ca.cer
[F1020] pki import domain sslvpn p12 local filename server.pfx
2. The AD server needs a matching VPN user group: the vpn_users group used in this example must also exist in AD under the same name, and every user who should authenticate via SSL VPN must be a member of it (attribute map test1 extracts the group name from memberOf, and it must equal the local user-group name);
3. Check the next-hop addresses of the return routes on both the firewall and the router;
4. On the MSR3620 router, map the external address and port of the SSL VPN; in this document 192.168.201.254 + TCP 2000 is mapped;
5. During testing, disable antivirus software first.
6. Hardening points visible in this configuration: the LDAP bind account (login-dn) is the domain administrator, so a dedicated read-only bind account is preferable; telnet server enable leaves a plaintext management channel open next to SSH; undo crl check enable means revoked client certificates are still accepted even though client-verify enable is set; and filter ip-tunnel 3000 in policy group pgroup permits all IP, so the route list rather than the ACL is what limits the reachable resources.
Reference: http://kms.h3c.com/case/info.aspx?id=41896
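Note 2 and the LDAP scheme, attribute map and ISP domain in the configuration together decide which SSL VPN policy group a user ends up with. The following Python model walks through that decision for a login name, as an added example that is not part of the original post or of H3C's code. The AD entries are constructed sample data; the selection of the ISP domain from the part after `@`, the case-insensitive comparison of the `cn=` prefix, and the exact-name match between the extracted group and the local user-group are assumptions about Comware behaviour and should be confirmed on the device.

```python
# Added example: model of the AAA path for an SSL VPN login with
#   ldap server ldap1 (user-name-attribute userprincipalname, with-domain)
#   ldap attribute-map test1 (memberof, prefix cn=, delimiter ',' -> user-group)
#   domain bbb.com (authentication/authorization via ldap scheme shm1)
#   user-group vpn_users -> sslvpn-policy-group pgroup
# AD content below is constructed sample data; delimiter and matching rules are assumptions.
from typing import Dict, List, Optional, Tuple

AD_USERS: Dict[str, dict] = {
    "test@bbb.com": {
        "userPrincipalName": "test@bbb.com",
        "memberOf": [
            "CN=Domain Users,CN=Users,DC=bbb,DC=com",
            "CN=vpn_users,CN=Users,DC=bbb,DC=com",
        ],
    },
    "guest@bbb.com": {
        "userPrincipalName": "guest@bbb.com",
        "memberOf": ["CN=Domain Users,CN=Users,DC=bbb,DC=com"],
    },
}

# ISP domains that carry an SSL VPN LDAP scheme (domain system has none here)
ISP_DOMAINS = {"bbb.com": "ldap:shm1"}
# local user-group -> sslvpn-policy-group
USER_GROUPS = {"vpn_users": "pgroup"}


def split_login(login: str) -> Tuple[str, str]:
    """With user-name-format with-domain the whole 'user@domain' string goes to
    LDAP; the ISP domain is the part after '@' (assumed delimiter). Without a
    domain part, 'domain default enable system' applies."""
    if "@" not in login:
        return login, "system"
    user, domain = login.rsplit("@", 1)
    return user, domain


def map_memberof(values: List[str], prefix: str = "cn=", delimiter: str = ",") -> List[str]:
    """map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group:
    for each memberOf value that starts with the prefix (compared case-insensitively,
    an assumption), keep the text up to the first delimiter."""
    groups = []
    for value in values:
        if value.lower().startswith(prefix.lower()):
            groups.append(value[len(prefix):].split(delimiter, 1)[0])
    return groups


def ldap_search(login: str) -> Optional[dict]:
    """Offline stand-in for the search under search-base-dn dc=bbb,dc=com
    with user-name-attribute userprincipalname."""
    for entry in AD_USERS.values():
        if entry["userPrincipalName"].lower() == login.lower():
            return entry
    return None


def authorize_sslvpn(login: str) -> Tuple[Optional[str], str]:
    """Returns (sslvpn policy group or None, reason)."""
    _, domain = split_login(login)
    if domain not in ISP_DOMAINS:
        return None, f"ISP domain {domain!r} has no SSL VPN LDAP scheme"
    entry = ldap_search(login)
    if entry is None:
        return None, "user not found in LDAP"
    for group in map_memberof(entry["memberOf"]):
        if group in USER_GROUPS:  # extracted name must equal the local user-group name
            return USER_GROUPS[group], f"member of user-group {group}"
    return None, "no memberOf value maps to a configured user-group"


if __name__ == "__main__":
    print(authorize_sslvpn("test@bbb.com"))   # ('pgroup', 'member of user-group vpn_users')
    print(authorize_sslvpn("guest@bbb.com"))  # (None, 'no memberOf value maps to a configured user-group')
```

The second call is the failure mode note 2 warns about: a valid AD account that is not in vpn_users authenticates against LDAP but receives no policy group, so the SSL VPN login fails even though the password was accepted.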