Local and centralized MAC address [ACS] authentication operations

Introduction:

Diagram:

Local MAC authentication:

Client configuration:

Switch configuration:

<Quidway>dis version
Huawei Versatile Routing Platform Software.
VRP software, Version V3.10, Release 0008
Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.
Quidway S2403H-HI uptime is 0 week, 0 day, 0 hour, 1 minute
Quidway S2403H-HI with 1 MIPS Processor
64M bytes SDRAM
8M bytes Flash Memory
Config Register points to FLASH
Hardware Version is VER.C
Bootrom Version is 397
[Subslot 0] 24FE Hardware Version is VER.C

<Quidway>system-view
System View: return to User View with Ctrl+Z.
[Quidway]sysname sw2
[sw2]int vlan-interface 1
[sw2-Vlan-interface1]ip add 192.168.101.33 24
[sw2-Vlan-interface1]quit

View the client's MAC address:

View the server's MAC address:

View the counts of successful and failed authentications!

Create a local user:

[sw2]local-user 04-7d-7b-6f-91-2b
创建了一个新的本地用户
[sw2-luser-04-7d-7b-6f-91-2b]password simple 04-7d-7b-6f-91-2b
[sw2-luser-04-7d-7b-6f-91-2b]service-type lan-access

[sw2]mac-authentication authmode ?
  usernameasmacaddress  设置MAC 认证认证时用户名和密码为认证的mac地址
  usernamefixed         设置MAC 认证认证时用户名和密码由用户指定

[sw2]mac-authentication authmode usernameasmacaddress ?
  usernameformat  用户名格式
  <cr>           

[sw2]mac-authentication authmode usernameasmacaddress usernameformat ?
  with-hyphen     MAC 地址格式带'-', 如: XX-XX-XX-XX-XX-XX
  without-hyphen  MAC 地址格式不带'-',如: XXXXXXXXXXXX

[sw2]mac-authentication authmode usernameasmacaddress usernameformat with-hyphen


The telnet session flashes open and closes immediately, because the default authentication mode is password.

Add the following configuration:

user-interface vty 0 4
 authentication-mode scheme

local-user 04-7d-7b-6f-91-2b
password simple 04-7d-7b-6f-91-2b
service-type lan-access
service-type telnet
level 3


[sw2]rsa local-key-pair create
本地密钥对将要产生.
% 已经存在本地密钥对.
请确认是否替换它们? [Y/N]:y
RSA密钥位数的允许范围: (512 ~ 2048).
请注意:如果选择大于512的密钥模可能需要几分钟的时间来生成密钥.
请输入模的位数[缺省=1024]:
正在产生RSA密钥对...
....................++++++
.........................++++++
......Done!

[sw2]ssh authentication-type default password
[sw2]local-user ?
  STRING<1-80>           指定用户名, 格式为'纯用户名@域名',
                         其中纯用户名最大长度为55个字符,
                         域名最大长度为24个字符.
  password-display-mode  设置密码显示方式

[sw2]local-user 04-7d-7b-6f-91-2b

[sw2-luser-04-7d-7b-6f-91-2b]service-type ssh


Each time the cable on E1/0/8 is unplugged and re-plugged, the successful authentication count increases by one!

Remote MAC authentication (verified by the ACS server) [RADIUS authentication, centralized]:

Requires: a RADIUS scheme, an ISP domain, and the account database on the RADIUS server.

Topology:

ACS server configuration:

[Quidway]dis mac-address
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
88ae-1dd5-4506  1         Learned        Ethernet1/0/14           AGING

Add an account:

The password is the same as the username; both are the MAC address. Pay attention to the MAC address format!

Add the RADIUS client:

Switch configuration:

Configure the IP address:

[sw2]int Vlan-interface 1
[sw2-Vlan-interface1]ip add 192.168.101.33 24

Check that the switch can reach both the server and the client:

[sw2]dis mac-address
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000c-2964-2e61  1         Learned        Ethernet1/0/8            AGING    (server)
047d-7b6f-912b  1         Learned        Ethernet1/0/8            AGING

[sw2]mac-authentication
MAC-authentication is enabled globally.
[sw2]int e1/0/8       
[sw2-Ethernet1/0/8]mac-authentication
MAC-authentication is enabled on port Ethernet1/0/8
[sw2-Ethernet1/0/8]quit

[sw2]mac-authentication authmode usernameasmacaddress usernameformat ?
  with-hyphen     MAC address with '-', just like XX-XX-XX-XX-XX-XX
  without-hyphen  MAC address without '-', just like XXXXXXXXXXXX

[sw2]mac-authentication authmode usernameasmacaddress usernameformat with-hyphen
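Both the local-user section and the ACS account section above hinge on the MAC address format: the switch's display mac-address table shows 047d-7b6f-912b, while the username the authenticator sends with usernameformat with-hyphen is 04-7d-7b-6f-91-2b (or 047d7b6f912b with without-hyphen). The following Python helper, added here as an example and not part of the original post, parses a constructed copy of that table and emits the username (and, for the local case, the local-user lines) in the exact format the chosen usernameformat produces, so the account on the switch or ACS matches what the switch will send.

```python
import re

# Constructed sample in the layout of the switch's "display mac-address" output
SAMPLE_MAC_TABLE = """\
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000c-2964-2e61  1         Learned        Ethernet1/0/8            AGING
047d-7b6f-912b  1         Learned        Ethernet1/0/8            AGING
"""

SWITCH_MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def normalize_mac(mac):
    """Strip '-', ':' and '.' separators and lower-case; return 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_auth_username(mac, usernameformat="with-hyphen"):
    """Username the switch sends for this MAC under the given usernameformat."""
    digits = normalize_mac(mac)
    if usernameformat == "with-hyphen":       # XX-XX-XX-XX-XX-XX
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    if usernameformat == "without-hyphen":    # XXXXXXXXXXXX
        return digits
    raise ValueError(f"unknown usernameformat: {usernameformat!r}")


def parse_mac_table(text):
    """Extract (mac, vlan, port) rows from display mac-address output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and SWITCH_MAC.match(parts[0]):
            rows.append({"mac": parts[0], "vlan": int(parts[1]), "port": parts[3]})
    return rows


def local_user_config(mac, usernameformat="with-hyphen"):
    """local-user lines for the local MAC authentication case on the page.
    The password equals the username (the MAC), exactly as the post configures it."""
    user = mac_auth_username(mac, usernameformat)
    return [f"local-user {user}",
            f" password simple {user}",
            " service-type lan-access"]
```

Run parse_mac_table over your own table output and feed each row's mac to mac_auth_username with the usernameformat you configured on the switch; a mismatch between that string and the account name is the usual cause of a growing failed-authentication count.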

[sw2]ping 192.168.101.8
  PING 192.168.101.8: 56  data bytes, press CTRL_C to break
    Request time out

[sw2]ping 192.168.101.22        
  PING 192.168.101.22: 56  data bytes, press CTRL_C to break
    Request time out 

The configured scheme, as shown in the configuration file:

#
radius scheme system
radius scheme gjp
server-type standard
primary authentication 192.168.101.22
key authentication 654321
user-name-format without-domain
#
domain system
scheme radius-scheme gjp
access-limit enable 10
accounting optional
#


Client: 192.168.101.8, a physical machine outside the lab environment; its MAC address:

[Quidway]dis mac-add
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000c-2964-2e61  1         Learned        Ethernet1/0/18           AGING
88ae-1dd5-4506  1         Learned        Ethernet1/0/8            AGING
047d-7b6f-912b  1         Learned        Ethernet1/0/18           AGING

View the logs of successful authentications:

Note: if the ACS server logs show nothing at all, make sure the ACS service has actually been started.

Its status must change to Restart.
