V. (H3C) Dynamic VLAN Assignment Based on 802.1x + AD + DHCP + NPS: H3C Switch Configuration


I. Configure the network devices


The topology is shown below.

001008388.jpg

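1. Configure the core switch (Huawei S7712)

sysname Core-Switch                         Change the hostname

vlan batch 31 32 222 223                    Create the VLANs in one batch

int vlan 32                                 Create the virtual interface for management VLAN 32

ip address 172.16.32.254 24                 Set the gateway address for management VLAN 32

int vlan 31                                 Create the virtual interface for server VLAN 31

ip address 172.16.31.254 24                 Set the gateway address for server VLAN 31

int vlan 222                                Create the virtual interface for service VLAN 222

ip address 172.16.222.254 24                Set the gateway address for service VLAN 222

dhcp select relay

dhcp relay server-ip 172.16.31.66           Set the DHCP relay server to 172.16.31.66

int vlan 223                                Create the virtual interface for service VLAN 223

ip address 172.16.223.254 24                Set the gateway address for service VLAN 223

dhcp select relay

dhcp relay server-ip 172.16.31.66           Set the DHCP relay server to 172.16.31.66

Enable the DHCP service (run this in the system view before the dhcp select relay commands above, which require DHCP to be enabled globally)

dhcp enable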

Port G10/0/1 configuration

int G10/0/1

description To 802.1x Switch-G1/0/24

port link-type trunk

port trunk pvid vlan 32

port trunk allow-pass vlan all

Port G10/0/2 configuration

int G10/0/2

description To Server Switch-G0/0/48

port link-type trunk

port trunk pvid vlan 32

port trunk allow-pass vlan all

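2. Configure the server-side switch (S5700)

sysname Server Switch         Change the hostname

vlan batch 31 32              Create VLANs 31 and 32

int Vlan 32                   Create the virtual interface for management VLAN 32

ip address 172.16.32.252 24   Set the management IP address

Configure the default route

ip route 0.0.0.0 0.0.0.0 172.16.32.254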

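Uplink port G0/0/48 configuration (a trunk mirroring G10/0/2 on the core switch, so that server VLAN 31 and management VLAN 32 both cross the link)

interface GigabitEthernet0/0/48

description To Core-Switch-G10/0/2

port link-type trunk

port trunk pvid vlan 32

port trunk allow-pass vlan all

Server-facing port G0/0/1 configuration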

interface GigabitEthernet0/0/1

description To Windows Server 2008

port link-type access

port default vlan 31

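3. Configure the access switch (H3C S5120)

sysname 802.1x Switch           Change the hostname

vlan 32                        Create management VLAN 32

vlan 222 to 223                Create service VLANs 222 and 223

int Vlan 32                    Create the virtual interface for management VLAN 32

ip address 172.16.32.253 24    Set the management IP to 172.16.32.253/24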

Create a RADIUS scheme named test.com (the keys below are the RADIUS shared secrets and must match the secret configured for this switch on the NPS server)

radius scheme test.com

server-type extended

primary authentication 172.16.31.66

primary accounting 172.16.31.66

key authentication test.com

key accounting test.com

Create a domain named test.com

domain test.com

authentication lan-access radius-scheme test.com

authorization lan-access radius-scheme test.com

accounting lan-access radius-scheme test.com

access-limit disable

state active

idle-cut disable

self-service-url disable

Set the default domain

domain default enable test.com

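Enable dot1x globally

dot1x

Set the dot1x authentication method (EAP relay: the switch passes the client's EAP packets through to the RADIUS server)

dot1x authentication-method eap

Enable the DHCP service

dhcp enable

Configure the default route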

ip route 0.0.0.0 0.0.0.0 172.16.32.254

Configure access port G1/0/1

interface GigabitEthernet1/0/1

description To Dynamic 802.1x-huan.yan-PC

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 222 to 223 untagged

port hybrid pvid vlan 222

undo dot1x handshake

dot1x

Configure access port G1/0/2

interface GigabitEthernet1/0/2

description To Dynamic 802.1x-obama-PC

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 222 to 223 untagged

port hybrid pvid vlan 222

undo dot1x handshake

dot1x

Configure the uplink port

interface GigabitEthernet1/0/24

description To Core-Switch-G10/0/1

port link-type trunk

port trunk permit vlan all

port trunk pvid vlan 32

All network devices are now configured.
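
The access-port pattern used above (hybrid port, VLAN 1 removed, VLANs 222 and 223 permitted untagged, dot1x enabled) is easy to get wrong on one port out of many, and a port missing dot1x is an unauthenticated way into the network. The following is an added example, not part of the original article: a Python check that parses a configuration dump in the syntax shown above and reports ports that deviate from that pattern. The sample config is constructed, port G1/0/3 is hypothetical, and the rule set is an assumption taken from this page's port configuration.

```python
import re

# Constructed sample in the page's H3C syntax. G1/0/3 is a hypothetical,
# deliberately misconfigured port added for illustration (not on the page).
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 222 to 223 untagged
 dot1x
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 222 untagged
interface GigabitEthernet1/0/24
 port link-type trunk
"""

def parse_interfaces(text):
    # Split a config dump into {interface name: [command lines]}.
    ports, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line and current is not None:
            current.append(line)
    return ports

def untagged_vlans(cmds):
    # Expand "port hybrid vlan 222 to 223 untagged" into {222, 223}.
    vlans = set()
    for cmd in cmds:
        m = re.fullmatch(r"port hybrid vlan (.+) untagged", cmd)
        for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m.group(1) if m else ""):
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(text, assignable=frozenset({222, 223}), uplinks=("GigabitEthernet1/0/24",)):
    # Return {port: [findings]} for ports that deviate from the page's access-port pattern.
    findings = {}
    for name, cmds in parse_interfaces(text).items():
        checks = {
            "dot1x not enabled": "dot1x" in cmds,
            "not a hybrid port": "port link-type hybrid" in cmds,
            "VLAN 1 still permitted": "undo port hybrid vlan 1" in cmds,
            "assignable VLAN not untagged": assignable <= untagged_vlans(cmds),
        }
        issues = [msg for msg, ok in checks.items() if not ok]
        if name not in uplinks and issues:
            findings[name] = issues
    return findings
```

Calling `audit()` on the text of a saved configuration returns an empty dictionary when every non-uplink port follows the pattern.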

