
Cisco 2950G 802.1X + AD + CA + IAS: Setting Up 802.1X Authentication

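2009-03-17 10:11

802.1X authentication requirements:
1. A switch that supports the 802.1X protocol.
2. A RADIUS server.
3. A client.

Network topology:

Authentication method: PEAP, using certificates together with integrated AD user authentication.

Environment:
Operating system: Windows 2003 Enterprise Edition
RADIUS server: Windows IAS (Internet Authentication Service, installed from Windows components)
CA server: Windows CA Certificate Services (installed from Windows components)
RADIUS client: built into Windows (Network Connections -> Properties -> Authentication). If there is no "Authentication" tab, the required service is not running (Start -> Run -> services.msc -> start the "Wireless Zero Configuration" service).

Configuration:

1. Install the domain. The domain name is provisionally test.com. The procedure is omitted here; see the relevant documentation.

2. Install IIS (Internet Information Services), IAS and the CA: Control Panel -> Add/Remove Programs -> Add/Remove Windows Components, as shown in the figure: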





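Note: install in the order IIS -> CA -> IAS. The order must not be changed.

3. Configure the CA: the procedure is omitted here; see the relevant material.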

4. Cisco 2950G-48-EI switch configuration:

    Building configuration...

    Current configuration : 4944 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Layer_4_2
    !
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    ip subnet-zero
    !
    !
    !
    spanning-tree mode mst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    !
    !
    !
    !
    interface FastEthernet0/1
     switchport access vlan 6
    !
    interface FastEthernet0/1.1
    !
    interface FastEthernet0/2
     switchport access vlan 6
    !
    interface FastEthernet0/3
     switchport access vlan 6
    !
    interface FastEthernet0/4
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/5
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/6
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/7
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/8
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/9
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/10
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/11
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/12
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/13
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/14
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/15
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/16
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/17
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/18
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/19
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/20
     switchport access vlan 6
    !
    interface FastEthernet0/21
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/22
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/23
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/24
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/25
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/26
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/27
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/28
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/29
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/30
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/31
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/32
     switchport access vlan 6
     spanning-tree portfast
    !
    interface FastEthernet0/33
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/34
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/35
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/36
     switchport mode access
     dot1x port-control auto
     dot1x guest-vlan 21
     spanning-tree portfast
    !
    interface FastEthernet0/37
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/38
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/39
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/40
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/41
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/42
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/43
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/44
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/45
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/46
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/47
     switchport access vlan 7
     spanning-tree portfast
    !
    interface FastEthernet0/48
     switchport access vlan 7
     spanning-tree portfast
    !
    interface GigabitEthernet0/1
     switchport mode trunk
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
     ip address 192.168.0.1 255.255.255.0
     no ip route-cache
    !
    interface Vlan6
     ip address 192.168.1.1 255.255.255.0
     no ip route-cache
     shutdown
    !
    interface Vlan7
     ip address 192.168.2.1 255.255.255.0
     no ip route-cache
     shutdown
    !
    ip http server
    radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
    radius-server retransmit 3
    radius-server vsa send authentication
    !
    line con 0
    line vty 0 4
    !
    !
    !
    monitor session 1 source interface Fa0/1
    monitor session 1 destination interface Fa0/43
    end

    Layer_4_2#

5. Configure IAS:

a) Open IAS:

b) Create a new "RADIUS client":



c) Create a new access policy







d) Modify the policy properties





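6. Client settings:
a) Configure the network connection
b) Set it to obtain an IP address automatically

7. The setup is now essentially complete. After a user joins the domain, the certificate is downloaded automatically at domain logon.
a) If the client has a certificate, it obtains an IP address in the corresponding VLAN.
b) If not, it obtains an IP address in the guest VLAN.

8. Some configuration steps have been left out; for people who work on networks, those steps should not be a problem. If you have questions, get in touch. My e-mail: define.chang@gmail.com MSN: autonavi@live.cn

This article is from the "define_myself" blog; please contact the author before reposting.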
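An added example, not part of the original post: a short Python audit of a running-config like the one in step 4. It lists which ports enforce 802.1X and which access ports are left unauthenticated, and flags the clear-text RADIUS key and the "ip http server" line. The embedded sample is an abbreviated excerpt of that configuration, and the function names are this example's own.

```python
import re

# Abbreviated excerpt of the step 4 running-config (most ports omitted).
SAMPLE = """\
no service password-encryption
dot1x system-auth-control
interface FastEthernet0/35
 switchport access vlan 7
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
interface GigabitEthernet0/1
 switchport mode trunk
ip http server
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
"""

def parse(config):
    """Split an IOS config into global lines and per-interface sub-commands."""
    globals_, ports, current = [], {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # any unindented line ends the interface block
            current = None
            globals_.append(line.strip())
    return globals_, ports

def audit(config):
    """Return (ports enforcing 802.1X, unauthenticated access ports, findings)."""
    globals_, ports = parse(config)
    enforced = [p for p, c in ports.items() if "dot1x port-control auto" in c]
    open_ports = [p for p, c in ports.items() if p not in enforced
                  and any(x.startswith("switchport access vlan") for x in c)]
    clear_key = "no service password-encryption" in globals_ and any(
        re.match(r"radius-server host .* key \S+", g) for g in globals_)
    checks = [
        ("dot1x system-auth-control" not in globals_, "802.1X not enabled globally"),
        (clear_key, "RADIUS shared secret visible in clear text"),
        ("ip http server" in globals_, "plain-HTTP management server enabled"),
    ]
    return enforced, open_ports, [msg for bad, msg in checks if bad]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the full configuration from step 4, the same logic reports FastEthernet0/36 as the only port with "dot1x port-control auto"; every other access port has a static VLAN and admits any device without authentication.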