Cisco 2950G: 802.1X authentication with AD + CA + IAS

802.1X authentication
Requirements:
1. The switch supports the 802.1X protocol.
2. A RADIUS server.
3. A client.
Network topology:
(topology diagram not reproduced)
Authentication method:
PEAP authentication: certificate plus integrated AD user authentication.
Environment:
Operating system: Windows 2003 Enterprise Edition
RADIUS server: Windows IAS (Internet Authentication Service, installed from the Windows components)
CA server: Windows Certificate Services (installed from the Windows components)
RADIUS client: built into Windows (Network Connections -> Properties -> Authentication). If the "Authentication" tab is missing, the required service is not running (Start -> Run -> services.msc -> start the "Wireless Zero Configuration" service).
Configuration:
1. Install the domain; for now the domain name is test.com. Steps omitted, see the relevant documentation.
2. Install IIS (Internet Information Services), IAS and CA: Control Panel -> Add/Remove Programs -> Add Windows Components, as shown:
(screenshot not reproduced)
Note: install in the order IIS -> CA -> IAS; do not change the order.
3. Configure the CA: steps omitted, see the related material.
4. Cisco 2950G-48-EI switch configuration:
Building configuration...
 
Current configuration : 4944 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Layer_4_2
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip subnet-zero
!
!
!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 6
!
interface FastEthernet0/1.1
!
interface FastEthernet0/2
 switchport access vlan 6
!
interface FastEthernet0/3
 switchport access vlan 6
!
interface FastEthernet0/4
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 6
!
interface FastEthernet0/21
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/25
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/26
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/27
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/28
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/29
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/30
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/31
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/32
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/33
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/34
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/35
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
 spanning-tree portfast
!
interface FastEthernet0/37
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/38
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/39
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/40
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/41
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/42
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/43
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/44
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/45
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/46
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/47
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport access vlan 7
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan6
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan7
 ip address 192.168.2.1 255.255.255.0
 no ip route-cache
 shutdown
!
ip http server
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
!
!
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/43
end
 
Layer_4_2#
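In the running-config above, only FastEthernet0/36 carries `dot1x port-control auto` (with guest VLAN 21); every other access port is a static VLAN member that admits any device, the RADIUS shared secret is the four-character `test`, and `no service password-encryption` leaves it readable in `show running-config`. The script below is an added example of my own (not from the original post and not a Cisco tool): it parses a running-config of this shape into global commands and interface blocks and reports 802.1X port coverage, guest-VLAN assignments and how the RADIUS secret is stored, so the same check can be repeated after every change. The embedded config is a constructed, abridged sample that mirrors the post's dump; to audit a real switch, pass the text of `show running-config` to `audit()`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, abridged sample in the shape of the 2950G dump above (not the post's full config).
SAMPLE_CONFIG = """\
no service password-encryption
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport access vlan 6
!
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
 spanning-tree portfast
!
interface FastEthernet0/37
 switchport access vlan 7
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
!
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
"""

@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)  # indented sub-commands of the block

    def has(self, cmd: str) -> bool:
        return any(line.strip() == cmd for line in self.lines)

    @property
    def is_physical(self) -> bool:
        # SVIs (interface VlanN) and sub-interfaces (Fa0/1.1) cannot act as 802.1X authenticators
        return not self.name.lower().startswith("vlan") and "." not in self.name

    @property
    def guest_vlan(self) -> Optional[int]:
        for line in self.lines:
            m = re.match(r"\s*dot1x guest-vlan (\d+)$", line)
            if m:
                return int(m.group(1))
        return None

def parse_config(text: str) -> Tuple[List[str], List[Interface]]:
    """Split a running-config into global commands and per-interface blocks."""
    global_lines: List[str] = []
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw)
        else:
            current = None  # a "!" separator or another global command ends the block
            stripped = raw.strip()
            if stripped and stripped != "!":
                global_lines.append(stripped)
    return global_lines, interfaces

def audit(text: str) -> Dict[str, object]:
    """Summarise the 802.1X-relevant settings of a running-config."""
    global_lines, interfaces = parse_config(text)
    physical = [i for i in interfaces if i.is_physical]
    key_type, key_value = None, None
    for line in global_lines:
        # "key 7 <hex>" is a type-7 (reversibly obfuscated) secret; "key <text>" / "key 0 <text>" is cleartext
        m = re.match(r"radius-server host \S+.*\bkey(?: (\d))? (\S+)$", line)
        if m:
            key_type, key_value = m.group(1), m.group(2)
    cleartext = key_value is not None and key_type in (None, "0")
    return {
        "global_dot1x": "dot1x system-auth-control" in global_lines,
        "password_encryption": "no service password-encryption" not in global_lines,
        "radius_key_cleartext": cleartext,
        "radius_secret_length": len(key_value) if cleartext else None,
        "enforced_ports": [i.name for i in physical if i.has("dot1x port-control auto")],
        # access ports that still admit any device without EAP, which the 802.1X rollout is meant to stop
        "unenforced_access_ports": [i.name for i in physical
                                    if not i.has("switchport mode trunk")
                                    and not i.has("dot1x port-control auto")],
        "guest_vlans": {i.name: i.guest_vlan for i in physical if i.guest_vlan is not None},
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Trunk ports are excluded from the unenforced list because uplinks normally do not run 802.1X; everything else that is physical and lacks `dot1x port-control auto` is listed, which on the post's full config would be every port except Fa0/36. The secret check only reads what the switch stores: with `service password-encryption` the key shows as type 7, which is reversible, so the length is reported only for cleartext keys.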
5. Configure IAS:
a) Open IAS:
b) Create a new "RADIUS client":
c) Create a new remote access policy
d) Edit the policy properties
6. Client settings:
a) Configure the network connection

b) Set it to obtain an IP address automatically
7. That is basically the whole setup. After a user joins the domain, the certificate is downloaded automatically at domain logon.
a) If the client has a certificate, it obtains an IP address in the corresponding VLAN.
b) If it does not, it obtains an IP address in the guest VLAN.
8. Some configuration steps have been left out; for people who do networking, those steps should not be a problem. If you have questions, get in touch sometime.
My email: [email protected]
