802.1X Environment Test

Supported devices and feature description

Cisco: MAC Authentication Bypass (MAB). H3C: MAC authentication bypass feature.

Approach

When a terminal sends frames that carry no EAPOL authentication through the switch, and the switch has MAC-based authentication (MAB) enabled on that port, the switch waits for 802.1X authentication to time out and then starts MAB, authenticating with the terminal's MAC address as both username and password. If the RADIUS server has that MAC address in its authorized list, authentication succeeds, the PXE traffic goes through and the PHANTOSYS terminal boots. Once the terminal is in the operating system it re-authenticates, first with the domain account; if the domain account cannot authenticate, that attempt fails and the port is authenticated again through MAB.

Advantages of this approach: 802.1X authentication does not have to be removed from the switch, there is no need to bind MAC addresses to ports to keep other devices off the network, and normal 802.1X authentication is unaffected.

Caveat: MAB identifies a device only by its MAC address, which any host can set, so a port admitted by MAB carries a weaker identity than the EAP-authenticated domain login. The IAS event records in the appendix show which method actually admitted each session (Authentication-Type PAP for MAB, PEAP for the domain account).

Test environment

Authentication server 1: Windows 2003 Server (x86) SP2 + Cisco ACS Server v4.2
Authentication server 2: Windows 2003 Server (x86) SP2 + DNS + AD + IAS + IIS + CA
Network device: Cisco 3560 (Version 12.2(55)SE3)
References

Configure the RADIUS Server with Client MAC Addresses (ACS configuration)
ACS 4.0 manual: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.html
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7e2.html
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
MAC Authentication Bypass: http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
The following is excerpted from the Cisco 3560 command manual:

You can configure the switch to authorize clients based on the client MAC address (see Figure 9-2 on page 9-5) by using the MAC authentication bypass feature. For example, you can enable this feature on 802.1x ports connected to devices such as printers. If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass. When the MAC authentication bypass feature is enabled on an 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.

The following is excerpted from the Quidway S5300 Series Ethernet Switch Configuration Guide:

2.4.4 (Optional) Enabling MAC bypass authentication

Background: MAC bypass authentication means that after a terminal fails 802.1x authentication, its MAC address is sent to the RADIUS server as the username and password for authentication. Certain special terminals, such as printers, cannot use or install 802.1x client software and can be authenticated through MAC-based bypass authentication instead.

MAC bypass authentication can be configured in either of two ways:

Procedure

In the system view:
  Run system-view to enter the system view.
  Run dot1x mac-bypass interface {interface-type interface-number1 [to interface-number2]} &<1-10> to enable MAC bypass authentication on the interfaces.
  Specifying an interface list with dot1x mac-bypass in the system view configures MAC bypass authentication on several interfaces at once.

In the interface view:
  Run system-view to enter the system view.
  Run interface interface-type interface-number to enter the interface view.
  Run dot1x mac-bypass to enable MAC bypass authentication on the interface.

This command includes and overrides the 802.1x enable command on the interface, that is:
  If 802.1x was not enabled on the interface, running dot1x mac-bypass enables 802.1x.
  If 802.1x was already enabled on the interface, running dot1x mac-bypass overrides the original configuration, i.e. the interface's authentication mode becomes MAC bypass authentication.

To disable MAC bypass authentication, use undo dot1x enable. Note that this also disables 802.1x.
CISCO ACS SERVER: procedure

First create accounts on the ACS server whose username and password are the terminal's MAC address (lowercase).

ACS server settings

On the first run of ACS the network must be set up: select Network Configuration, then under the AAA Clients menu select Add Entry to add the AAA client (the switch), as shown in the figure.

Set the AAA client name (no spaces), its IP address and the shared secret, and choose RADIUS (IETF) as the authentication mode; then click Submit and Apply at the bottom of the page.

The result is shown in the figure. Then, as required, change the ports the AAA server uses to talk to the switch (defaults 1645 and 1646); this case uses 1812 and 1813.

Interface Configuration settings

Add the attributes that Group Setup is allowed to use.

Group Setup

Note: the value of [081] (Tunnel-Private-Group-ID) must be the actual VLAN ID to assign; click Submit and Save.
WINDOWS 2003 IAS SERVER: add the DNS, AD, IAS, IIS and CA components in that order.

Create the group used for authentication (802.1X) and the users (username and password are the terminal's MAC address).

Set the user's remote dial-in permission.

Add the user to the 802.1X group.

Configure IAS: add the RADIUS client (the switch); the defaults are auth port 1812 and accounting port 1813.

Create a new IAS remote access policy.

Set the policy to be used for switch authentication.

Select the user group the policy applies to.

Set the authentication type.

Set the policy's remote access permission.

Set the policy's IP assignment rule.

Set the authentication method (MAB authentication uses PAP).

Add the connection attributes: Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = the VLAN ID to assign after authentication, 300 in this case.

After the terminal joins the domain, install the certificate (browse to http://radius-server-ip/certsrv) and then enable authentication.
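The RADIUS exchange behind the ACS and IAS settings above, as an added example that is not part of the original page: the switch's MAB Access-Request (PAP, with the MAC as user name and password, hidden with the shared secret as RFC 2865 describes), the server's Access-Accept carrying the three tunnel attributes ([064] Tunnel-Type = VLAN, [065] Tunnel-Medium-Type = 802, [081] Tunnel-Private-Group-ID = 300) and the check the switch performs on the reply's Response Authenticator before it trusts the VLAN. The shared secret, NAS address and client MAC are the values from this page's switch configuration and logs; the RADIUS identifier and the Request Authenticator are constructed.

```python
import hashlib
import struct

# From the page: the 3560's RADIUS key and address and the test client's MAC.
# The RADIUS identifier and the 16-byte Request Authenticator are constructed here.
SHARED_SECRET = b"phantosys"
NAS_IP = "192.168.1.254"
CLIENT_MAC = "000a.e46b.78f2"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def mab_username(mac):
    """MAB identity as the switch sends it: 12 lowercase hex digits, no separators."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def calling_station_id(mac):
    # Calling-Station-Id in the form the IAS log shows: upper case, dash separated
    h = mab_username(mac).upper()
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))

def hide_pap_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def reveal_pap_password(hidden, secret, request_auth):
    """Server side of the same operation; ACS/IAS compare the result to the stored password."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(tag, value):
    return bytes([tag]) + value.to_bytes(3, "big")  # RFC 2868: 1-byte tag + 3-byte value

def build_mab_request(mac, secret, ident, request_auth):
    """Access-Request as the 3560 sends it for MAB: PAP, user name == password == MAC."""
    name = mab_username(mac).encode()
    body = (attr(USER_NAME, name)
            + attr(USER_PASSWORD, hide_pap_password(name, secret, request_auth))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
            + attr(CALLING_STATION_ID, calling_station_id(mac).encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_accept(request, secret, vlan):
    """Access-Accept with the three tunnel attributes the ACS/IAS policies set (tag 1)."""
    body = (attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_accept(request, reply, secret):
    """NAS-side check: a reply built without the shared secret fails here and is dropped."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def assigned_vlan(reply):
    """VLAN the switch would apply, or None unless all three tunnel attributes agree."""
    got = parse_attrs(reply)
    if not all(t in got for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    kinds = tuple(int.from_bytes(got[t][1:], "big") for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE))
    if kinds != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802):
        return None
    group = got[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # RFC 2868: a leading byte <= 0x1F is a tag, not text
        group = group[1:]
    return int(group) if group.isdigit() else None

def demo():
    # One full exchange for the page's client with a constructed Request Authenticator:
    # returns (reply authenticator valid, VLAN applied, password as the server sees it)
    request = build_mab_request(CLIENT_MAC, SHARED_SECRET, 37, bytes(range(16)))
    seen = reveal_pap_password(parse_attrs(request)[USER_PASSWORD], SHARED_SECRET, request[4:20])
    reply = build_accept(request, SHARED_SECRET, 300)
    return verify_accept(request, reply, SHARED_SECRET), assigned_vlan(reply), seen
```

demo() returns (True, 300, b'000ae46b78f2'). The Response Authenticator is the only thing that stops a spoofed Access-Accept on the wire from dropping a port into VLAN 300, which is why the shared secret on the switch and in the AAA client entry must match and should not be a guessable word; PAP hiding with MD5 is reversible by anyone who holds that secret, so the MAC "password" is no secret at all.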
Appendix: IAS event records

The two records below differ only in the identity and the Authentication-Type (PAP for the MAB pass, PEAP with EAP-MSCHAPv2 for the domain account); the Calling-Station-Identifier and NAS-Port (50009, i.e. Fa0/9) are the same in both.

PXE (MAB):
User 000ae46b78f2 was granted access.
Fully-Qualified-User-Name = phantosys.biz/Users/000ae46b78f2
NAS-IP-Address = 192.168.1.254
NAS-Identifier = <not present>
Client-Friendly-Name = cisco3560
Client-IP-Address = 192.168.1.254
Calling-Station-Identifier = 00-0A-E4-6B-78-F2
NAS-Port-Type = Ethernet
NAS-Port = 50009
Proxy-Policy-Name = Use for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = 802.1x
Authentication-Type = PAP
EAP-Type = <undetermined>

Domain account:
User PHANTOSYSB\test was granted access.
Fully-Qualified-User-Name = phantosys.biz/Users/test
NAS-IP-Address = 192.168.1.254
NAS-Identifier = <not present>
Client-Friendly-Name = cisco3560
Client-IP-Address = 192.168.1.254
Calling-Station-Identifier = 00-0A-E4-6B-78-F2
NAS-Port-Type = Ethernet
NAS-Port = 50009
Proxy-Policy-Name = Use for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = 802.1x
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAPv2)
Switch configuration command reference

If you are not connected to the switch over the console cable, first create a local account (you will be prompted for it once port authentication is configured):

conf t
username <name> password <password>

Configure the authentication server on the switch:

Switch# conf t
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
dot1x system-auth-control
aaa authorization network default group radius
radius-server host <ip> auth-port 1812 acct-port 1813 key <string>
    (RADIUS server IP, ports and key; must match the AAA client entry on the server)
radius-server vsa send authentication
    (VLAN assignment using the standard attributes)

Enable authentication on the port:

int <interface>
    (the port to use)
switchport mode access
dot1x port-control auto
dot1x mac-auth-bypass eap
    (omit the eap keyword if the authentication server does not support EAP for MAB; IAS does not)
dot1x timeout tx-period 1
    (authentication timeout adjustment; the minimum value is 1)
dot1x timeout auth-period 1
    (authentication time adjustment)
end
Switch# show dot1x int <interface>
    (view the port's authentication settings)

Note: on 12.2(55)SE the switch stores the legacy commands dot1x port-control auto and dot1x mac-auth-bypass as authentication port-control auto, mab and dot1x pae authenticator, which is why the running configuration below does not show the commands exactly as typed.

Restore the port's default settings:

conf t
int <interface>
dot1x default
end
3560 switch configuration reference

jiqimao# show run
Building configuration...

Current configuration : 4218 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname jiqimao
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WUN0$RdztIryAB2avFHWED95R3.
!
username cisco password 0 cisco
!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
system mtu routing 1500
ip routing
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface FastEthernet0/4
 spanning-tree portfast
!
interface FastEthernet0/5
 spanning-tree portfast
!
interface FastEthernet0/6
 spanning-tree portfast
!
interface FastEthernet0/7
 spanning-tree portfast
!
interface FastEthernet0/8
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x timeout auth-period 1
 spanning-tree portfast
!
interface FastEthernet0/10
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 spanning-tree portfast
!
interface FastEthernet0/13
 spanning-tree portfast
!
interface FastEthernet0/14
 spanning-tree portfast
!
interface FastEthernet0/15
 spanning-tree portfast
!
interface FastEthernet0/16
 spanning-tree portfast
!
interface FastEthernet0/17
 spanning-tree portfast
!
interface FastEthernet0/18
 spanning-tree portfast
!
interface FastEthernet0/19
 spanning-tree portfast
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
!
interface FastEthernet0/22
 spanning-tree portfast
!
interface FastEthernet0/23
 spanning-tree portfast
!
interface FastEthernet0/24
 spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan300
 ip address 172.16.100.100 255.255.255.0
 ip helper-address 192.168.1.251
!
ip classless
ip forward-protocol udp 4011
ip forward-protocol udp 14372
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
radius-server host 192.168.1.110 auth-port 1812 acct-port 1813 key phantosys
radius-server vsa send authentication
!
line con 0
 logging synchronous
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
end
PXE addressing and boot worked normally.

Switch log (port Fa0/9, MAC 000ae46b78f2); the console prompt that the extraction had spliced into two of the lines has been removed:

16:13:17: %AUTHMGR-5-START: Starting 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %DOT1X-5-FAIL: Authentication failed for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-START: Starting 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %MAB-5-SUCCESS: Authentication successful for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
16:13:19: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
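As an added example that is not part of the original page, a Python script that groups the 3560's auth-manager syslog by Audit Session ID, records each method's outcome and flags the sessions that were admitted by MAB rather than by a dot1x success, which is the check an operator wants before trusting a VLAN 300 port. The first session in the sample is this page's log with the extraction damage repaired; the second session (its session ID, timestamps and DOT1X-5-SUCCESS line) is constructed to show the contrast when the terminal later authenticates with its domain account.

```python
import re

# First session: the page's log, repaired. Second session: constructed for contrast,
# the same client later passing dot1x (domain account) on the same port.
SAMPLE_LOG = """\
16:13:17: %AUTHMGR-5-START: Starting 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %DOT1X-5-FAIL: Authentication failed for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-START: Starting 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %MAB-5-SUCCESS: Authentication successful for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:18: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:13:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
16:13:19: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE00000039037B095A
16:15:02: %AUTHMGR-5-START: Starting 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE0000003A037C0000
16:15:03: %DOT1X-5-SUCCESS: Authentication successful for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE0000003A037C0000
16:15:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE0000003A037C0000
16:15:03: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/9 AuditSessionID C0A801FE0000003A037C0000
16:15:03: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000a.e46b.78f2) on Interface Fa0/9 AuditSessionID C0A801FE0000003A037C0000
"""

SID = r"AuditSessionID (?P<sid>[0-9A-F]+)"
CLIENT = r"client \((?P<client>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
RESULT_RE = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[\w-]+)' "
                       r"from '(?P<method>\w+)' for " + CLIENT + " " + SID)
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+) " + SID)
AUTHZ_RE = re.compile(r"%AUTHMGR-5-SUCCESS: Authorization succeeded for " + CLIENT + " " + SID)

def summarize_sessions(lines):
    """Group auth-manager messages by Audit Session ID and record each method's outcome.
    Lines without a session ID (such as the DOT1X-5-FAIL line on the page) are ignored."""
    sessions = {}
    for line in lines:
        for kind, rx in (("result", RESULT_RE), ("vlan", VLAN_RE), ("authz", AUTHZ_RE)):
            m = rx.search(line)
            if not m:
                continue
            s = sessions.setdefault(m["sid"], {"client": None, "interface": m["intf"],
                                               "attempts": [], "vlan": None, "authorized": False})
            if "client" in m.groupdict():
                s["client"] = m["client"]
            if kind == "result":
                s["attempts"].append((m["method"], m["result"]))
            elif kind == "vlan":
                s["vlan"] = int(m["vlan"])
            else:
                s["authorized"] = True
            break
    return sessions

def winning_method(session):
    """The method whose result was 'success', i.e. the identity the port was authorized on."""
    return next((m for m, r in session["attempts"] if r == "success"), None)

def mab_authorized(lines):
    """Sessions admitted on a MAC address alone, with what dot1x reported before the failover."""
    hits = []
    for sid, s in summarize_sessions(lines).items():
        if s["authorized"] and winning_method(s) == "mab":
            hits.append({"session": sid, "client": s["client"], "interface": s["interface"],
                         "vlan": s["vlan"],
                         "dot1x_result": next((r for m, r in s["attempts"] if m == "dot1x"), None)})
    return hits

if __name__ == "__main__":
    for hit in mab_authorized(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample this reports one session, the PXE boot: client 000a.e46b.78f2 on Fa0/9, VLAN 300, dot1x result 'no-response' before the failover to MAB. The later domain login is authorized by dot1x and is not reported, which is the distinction the re-authentication step in the approach relies on.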