[Cutover Notes] Replacing Cisco switches with Huawei/H3C: a walk-through of the secure-access (AAA/RADIUS/Dot1X/MAC binding) configuration



2023-07-10 18:56 | Source: compiled from the web | Views: 265

Background:

A site needs to replace several Cisco Catalyst 2960 access switches with Huawei S5731 / H3C S5130 switches.

My job is to check and complete the Huawei/H3C configurations translated from the Cisco ones, and to support the device cutover on site.

Cisco Catalyst 2960 (IOS 12.2) existing secure-access configuration:

aaa new-model //enable AAA
!
aaa authentication login default line none //create the default login authentication list; use the line password
aaa authentication dot1x default group radius none //default 802.1X authentication via the RADIUS server group
aaa authorization network default group radius //default network authorization via RADIUS
!
no ip domain-lookup
ip domain-name xxxx.com
vtp mode transparent
!
dot1x system-auth-control //enable 802.1X globally
dot1x guest-vlan supplicant //allow clients to be moved into the guest VLAN
dot1x critical eapol
!
interface GigabitEthernet1/0/1 //ordinary Dot1x port
 switchport access vlan A
 switchport mode access
 authentication event no-response action authorize vlan B //set the fallback (escape) VLAN
 authentication host-mode multi-auth //port in multi-auth host mode: no VLAN switching (configure as needed); the other modes are single-host, multi-host (once one host authenticates, all are allowed through) and multi-domain (used for IP phone scenarios)
 authentication port-control auto //authenticate automatically when a device connects to the port
 mab eap //enable MAB on the port
 dot1x pae authenticator //enable 802.1X authentication on the port
 spanning-tree portfast
!
interface GigabitEthernet1/0/45 //MAC-binding port
 switchport access vlan A
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1111.2222.3333 vlan access
 authentication event no-response action authorize vlan B //as above; only the endpoint with MAC address 1111.2222.3333 may connect, and it is authenticated
 spanning-tree portfast
!
radius-server host 192.168.x.y auth-port 1812 acct-port 1813 key 7 0701224E4Fxxxx
radius-server host 192.168.x.z auth-port 1812 acct-port 1813 key 7 020807590Axxxx
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 3
radius-server vsa send authentication
!

H3C S5130 (Comware V7) secure-access pre-configuration:

The pre-configuration script for this cutover was provided by the site; my task was to review it.

#
dot1x //enable dot1x globally
dot1x authentication-method eap //the device uses EAP relay
#
mac-authentication //enable MAC address authentication globally
mac-authentication domain XXXX.com //authentication domain used by MAC-authenticated users
#
interface GigabitEthernet1/0/1 //ordinary Dot1x port
 port access vlan A
 stp edged-port
 dot1x
 mac-authentication
#
interface GigabitEthernet1/0/32 //MAC-binding port
 port access vlan A
 stp edged-port
 mac-address static 1111-2222-3333 vlan A
#
radius scheme XXXX.com
 primary authentication 192.168.x.y
 primary accounting 192.168.x.y
 secondary authentication 192.168.x.z
 secondary accounting 192.168.x.z
 key authentication cipher XXXXXXXXXX
 key accounting cipher XXXXXXXXXX
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain XXXX.com
 authentication lan-access radius-scheme XXXX.com local
 authorization lan-access radius-scheme XXXX.com local
 accounting lan-access radius-scheme XXXX.com local
#
domain default enable XXXX.com
#
return

Huawei S5731 (VRP 7) secure-access pre-configuration:

The pre-configuration script for this cutover was provided by the site; my task was to review it.

#
authentication-profile name auth-new
 dot1x-access-profile dot1x-test
 mac-access-profile mac-auth
 access-domain XXXX.cn force
authentication-profile name default_authen_profile
authentication-profile name dot1x-test
 dot1x-access-profile dot1x-test
 mac-access-profile mac_access_profile
 authentication mode multi-authen max-user 50
 access-domain XXXX.cn force
authentication-profile name dot1x_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name mac-auth
 mac-access-profile mac_access_profile
 authentication mode multi-authen max-user 100
 access-domain XXXX.cn force
authentication-profile name mac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name portal_authen_profile
#
radius-server template XX-test
 radius-server shared-key cipher xxxxxxxxxx
 radius-server authentication 192.168.x.y 1812 weight 80
 radius-server authentication 192.168.x.z 1812 weight 80
 radius-server accounting 192.168.x.y 1813 weight 80
 radius-server accounting 192.168.x.z 1813 weight 80
#
aaa
 domain XXXX.cn
  authentication-scheme acs
  accounting-scheme default
  radius-server XX-test
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan A
 stp edged-port enable
 authentication-profile dot1x-test
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan A
 stp edged-port enable
 port-security enable
 port-security mac-address sticky
#
dot1x-access-profile name dot1x-test
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac-auth
mac-access-profile name mac_access_profile

Review: neither the H3C nor the Huawei configuration seems to set up a fallback (escape) function on the interfaces, i.e. the Cisco behaviour of placing the interface into VLAN B when the RADIUS server does not respond, so that an unauthenticated endpoint can still reach some resources. On the Huawei device, the MAC-binding interface does not specify an explicit MAC address.

Scripts written for the two items above:

H3C:

interface GigabitEthernet1/0/x
 port access vlan A
 stp edged-port
 dot1x
 mac-authentication
 dot1x guest-vlan B ---- added ----
#
interface GigabitEthernet1/0/y
 port access vlan A
 stp edged-port
 mac-address static 1111-2222-3333 vlan A
 dot1x guest-vlan B ---- added ----

Huawei:

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan A
 stp edged-port enable
 authentication-profile dot1x-test
 authentication critical-vlan B ---- added ----
 authentication critical eapol-success ---- added ----
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan A
 stp edged-port enable
 port-security enable
 port-security mac-address sticky
 authentication critical-vlan B ---- added ----
 authentication critical eapol-success ---- added ----
 port-security mac-address 2222-3333-4444 vlan B ---- added ----
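To make the gap check done by hand above repeatable across every port in the cutover, here is an added Python linter; it is not part of the original post or of any vendor tool. It parses the Cisco interface stanzas and the H3C (or Huawei) target stanzas, reports fallback-VLAN and MAC-binding behaviours the target port does not carry, and lists AAA method lists ending in "none", which grant access when RADIUS is unreachable; the config excerpts, the port mapping and the per-vendor keyword checks are constructed or assumed from what the page shows.

```python
import re
# Constructed, trimmed excerpt of the page's Cisco 2960 config (its VLAN/MAC placeholders kept).
CISCO_CFG = """\
aaa authentication dot1x default group radius none
interface GigabitEthernet1/0/1
 authentication event no-response action authorize vlan B
 mab eap
 dot1x pae authenticator
interface GigabitEthernet1/0/45
 switchport port-security mac-address sticky 1111.2222.3333 vlan access
 authentication event no-response action authorize vlan B
"""
# Constructed from the page's H3C pre-configuration, before the author's additions.
H3C_CFG = """\
interface GigabitEthernet1/0/1
 dot1x
 mac-authentication
interface GigabitEthernet1/0/32
 mac-address static 1111-2222-3333 vlan A
"""
PORT_MAP = {"GigabitEthernet1/0/1": "GigabitEthernet1/0/1", "GigabitEthernet1/0/45": "GigabitEthernet1/0/32"}  # assumed old -> new port mapping
def parse_interfaces(cfg):  # {interface name: [stripped sub-mode lines]} for IOS/Comware/VRP text
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
    return ifaces
def port_gaps(cisco_lines, target_lines):  # Cisco behaviours on one port with no counterpart on the target port
    gaps, target = [], "\n".join(target_lines)
    for l in cisco_lines:
        if m := re.match(r"authentication event no-response action authorize vlan (\S+)", l):
            if not re.search(rf"(guest|critical)-vlan {m[1]}\b", target):  # H3C guest-vlan / Huawei critical-vlan
                gaps.append(f"fallback VLAN {m[1]} missing")
        elif m := re.match(r"switchport port-security mac-address sticky (\S+) vlan", l):
            mac = m[1].replace(".", "-")  # 1111.2222.3333 -> 1111-2222-3333 (Comware/VRP notation)
            if mac not in target:
                gaps.append(f"MAC {mac} not bound")
        elif l.startswith("mab") and "mac-authentication" not in target_lines:
            gaps.append("MAB port lacks mac-authentication")
        elif l.startswith("dot1x pae") and "dot1x" not in target_lines:
            gaps.append("802.1X port lacks dot1x")
    return gaps
def audit(cisco_cfg, target_cfg, port_map):  # per-port gaps, plus global AAA lists that fail open on 'none'
    src, dst = parse_interfaces(cisco_cfg), parse_interfaces(target_cfg)
    report = {p: port_gaps(src[p], dst.get(port_map.get(p, p), [])) for p in src}
    report["fail-open"] = [l for l in cisco_cfg.splitlines() if l.startswith("aaa authentication") and l.endswith(" none")]
    return report
```

Run `audit(CISCO_CFG, H3C_CFG, PORT_MAP)` to get the same two findings the review above reached by hand, plus the fail-open `none` method on the dot1x list.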

That's it for now; anything else can be sorted out on site (^^)
