09 - Port Security and AAA Combined Configuration Example
In a network, administrators usually assign static IP addresses to dumb terminals such as printers. To authenticate such hosts more flexibly, you can configure them as static users. Once a host is configured as a static user, the device can use the static user's information (for example, its IP address) as the username for authentication, provided that 802.1X authentication, MAC authentication, or Web authentication is enabled on the interface the static user connects to.
During authentication, if all RADIUS servers in the authentication scheme become unreachable, the RADIUS authentication requests sent by the device get no response and users cannot come online. By configuring an escape domain (displayed as "critical domain" in the device output) under the current authentication domain, you can let users "escape" from the current domain when the RADIUS servers are unreachable, come online in the escape domain, and obtain access to part of the network resources from that domain.
The configurations in this document were made and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in this example.
This document assumes that you are familiar with the port security and AAA authentication domain features.
As shown in Figure 3-1, a company wants the hosts in part of a network segment to come online using static IP addresses, and to keep access to some network resources when the RADIUS server is unreachable.
The requirements are as follows:
· Only users whose IP address is in the range 192.168.2.29 to 192.168.2.49 can trigger authentication as static users.
· When the RADIUS server is reachable, Host A passes authentication as a static user and is authorized to join VLAN 100.
· When the RADIUS server becomes unreachable, Host A, which is already online, stays online; newly connected Host B triggers authentication as a static user, enters the escape domain, and is authorized to join VLAN 200, with no accounting performed for escape-domain users.
· When the RADIUS server becomes reachable again, Host B re-triggers authentication as a static user and comes online successfully.
Configuration approach:
· On Device, create and configure a RADIUS scheme and an authentication domain, and bind the RADIUS scheme to the authentication domain.
· On Device, create and configure the escape domain, and enable the escape function in the authentication domain.
· Specify the IP address range of the static users, and enable 802.1X authentication on the access port of the static users, so that unknown-source packets carrying an IP address from a static user can trigger the authentication process.
Product | Software version
S6805 series | Release 6710Pxx, Release 6715 and later
S6825 series | Release 6710Pxx, Release 6715 and later
S6850 series | Release 6710Pxx, Release 6715 and later
S9850 series | Release 6710Pxx, Release 6715 and later
S9820-64H | Release 6710Pxx, Release 6715 and later
S9820-8C | Release 6710Pxx, Release 6715 and later
S6800 series | Release 6710Pxx, Release 6715 and later
S6860 series | Release 6710Pxx, Release 6715 and later
S6826 series | Release 6710Pxx, Release 6715 and later
S9826 series | Release 6710Pxx, Release 6715 and later
· The first packet a host sends cannot be controlled. If that first packet carries no IP address and another authentication method (for example, MAC authentication) is also enabled on the port, the other authentication process may be triggered first.
· When 802.1X is enabled on the port, enable the 802.1X unicast trigger function so that static users that cannot actively send authentication packets can still be authenticated.
On the RADIUS server, create the static user accounts, configure the authentication service, and authorize VLAN 100 to static users that pass authentication.
(1) Configure a RADIUS scheme
# Create a RADIUS scheme, configure the primary authentication/accounting server and the shared keys, and send usernames to the RADIUS server without the domain name.
<Device> system
[Device] radius scheme radius1
[Device-radius-radius1] primary authentication 192.168.56.10
[Device-radius-radius1] primary accounting 192.168.56.10
[Device-radius-radius1] key authentication simple 123456
[Device-radius-radius1] key accounting simple 123456
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
(2) Configure the authentication domain
# Create authentication domain bbb, and configure it to use RADIUS scheme radius1 for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme radius1
[Device-isp-bbb] authorization lan-access radius-scheme radius1
[Device-isp-bbb] accounting lan-access radius-scheme radius1
[Device-isp-bbb] quit
(3) Configure the escape domain
# Create escape domain critical, authorize VLAN 200 to escape-domain users, and perform no accounting for them.
[Device] domain critical
[Device-isp-critical] authorization-attribute vlan 200
[Device-isp-critical] accounting lan-access none
[Device-isp-critical] quit
(4) Configure the escape function
# In domain bbb, set critical as the escape domain to use when the RADIUS server is unreachable during authentication, and re-authenticate escape-domain users when the server becomes reachable again.
[Device] domain bbb
[Device-isp-bbb] authen-radius-unavailable online domain critical
[Device-isp-bbb] authen-radius-recover re-authen
[Device-isp-bbb] quit
# Set the static user IP address range to 192.168.2.29 through 192.168.2.49, and set bbb as the authentication domain for static users.
[Device] port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
# Set the static user username format to the IP address, and set the plaintext password to 123456.
[Device] port-security static-user user-name-format ip-address
[Device] port-security static-user password simple 123456
# Enable 802.1X authentication on port Ten-GigabitEthernet1/0/1.
[Device] interface Ten-GigabitEthernet1/0/1
[Device-Ten-GigabitEthernet1/0/1] dot1x
# Enable the 802.1X unicast trigger function.
[Device-Ten-GigabitEthernet1/0/1] dot1x unicast-trigger
[Device-Ten-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
[Device] ip route-static 192.168.56.0 24 192.168.56.20
# Host A and Host C both initiate authentication while the RADIUS server is reachable. Static user Host A passes authentication, comes online, and is authorized VLAN 100. Host C cannot come online through static user authentication.
<Sysname> display port-security static-user connection
Total connections: 1
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:43:37
Online duration: 0h 4m 8s
Port-down keep online: Disabled (offline)
# Host B initiates authentication while the RADIUS server is unreachable. Host A, which passed authentication before the server became unreachable, stays online. Host B, whose authentication cannot complete, enters escape domain critical and is authorized VLAN 200.
<Sysname> display port-security static-user connection
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: critical domain
Authentication domain: bbb
IPv4 address: 192.168.2.29
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 200
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 10:59:05
Online duration: 0h 0m 58s
Port-down keep online: Disabled (offline)
# When the RADIUS server becomes reachable again, escape-domain static user Host B is re-authenticated and comes online successfully.
<Sysname> display port-security static-user connection
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.49
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: Successful
Authentication domain: bbb
IPv4 address: 192.168.2.29
IPv4 address source: User packet
Initial VLAN: 2
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2023/02/11 08:44:37
Online duration: 0h 5m 8s
Port-down keep online: Disabled (offline)
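The three snapshots above are read by eye. The following script, added here as an example and not part of the H3C documentation or the Comware software, parses the output of `display port-security static-user connection` and checks it against the intent of this example: every session must belong to an IP in the configured static-user range, a Successful session must carry the RADIUS-authorized VLAN 100, and a session parked in the escape domain must carry VLAN 200. The sample output embedded in the script is a trimmed, constructed copy of the snapshots above; the field names are the ones the device prints. The VLAN numbers and the address range are taken from the configuration above and are assumptions if your deployment differs.

```python
import ipaddress
import re

# Range from `port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb`.
STATIC_USER_RANGE = (ipaddress.ip_address("192.168.2.29"),
                     ipaddress.ip_address("192.168.2.49"))
# Authorization results from the example: VLAN 100 on RADIUS success,
# VLAN 200 while a user sits in the escape (critical) domain. Assumed values.
RADIUS_VLAN = 100
CRITICAL_VLAN = 200


def is_static_user_candidate(ip):
    """True if `ip` lies in the configured static-user range (inclusive)."""
    addr = ipaddress.ip_address(ip)
    return STATIC_USER_RANGE[0] <= addr <= STATIC_USER_RANGE[1]


def parse_connections(text):
    """Split display output into one dict per session, keyed by field name.

    A session starts at each 'Slot ID:' line; other 'Name: value' lines
    belong to the current session. Header lines before the first session
    (for example 'Total connections:') are ignored.
    """
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Slot ID":
            current = {}
            sessions.append(current)
        elif current is not None:
            current[key] = value
    return sessions


def critical_domain_sessions(text):
    """(username, untagged VLAN) for every session parked in the escape domain."""
    return [(s["Username"], int(s["Authorization untagged VLAN"]))
            for s in parse_connections(text)
            if s.get("User access state") == "critical domain"]


def audit(text):
    """Return findings where a session disagrees with the intended policy.

    An empty list means the snapshot is consistent with the example.
    """
    findings = []
    expected_vlan = {"Successful": RADIUS_VLAN, "critical domain": CRITICAL_VLAN}
    for s in parse_connections(text):
        user = s.get("Username", "?")
        state = s.get("User access state")
        vlan = s.get("Authorization untagged VLAN")
        try:
            if not is_static_user_candidate(user):
                findings.append(f"{user}: username is outside the static-user range")
        except ValueError:
            findings.append(f"{user}: username is not an IP address")
        expected = expected_vlan.get(state)
        if expected is None:
            findings.append(f"{user}: unexpected access state {state!r}")
        elif vlan != str(expected):
            findings.append(f"{user}: state {state!r} but VLAN {vlan}, expected {expected}")
    return findings


# Constructed sample, trimmed from the snapshot taken while the RADIUS server is down.
UNREACHABLE_SNAPSHOT = """\
Total connections: 2
Slot ID: 1
User MAC address: 9c7b-ef28-cd89
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.49
User access state: Successful
Authentication domain: bbb
Authorization untagged VLAN: 100
Start accounting: Successful
Online from: 2023/02/11 08:44:37
Slot ID: 1
User MAC address: ecb1-d73d-be70
Access interface: Ten-GigabitEthernet1/0/1
Username: 192.168.2.29
User access state: critical domain
Authentication domain: bbb
Authorization untagged VLAN: 200
Start accounting: Successful
Online from: 2023/02/11 10:59:05
"""

# Constructed sample for the state after the server recovers and Host B is re-authenticated.
RECOVERED_SNAPSHOT = UNREACHABLE_SNAPSHOT.replace(
    "User access state: critical domain", "User access state: Successful"
).replace("Authorization untagged VLAN: 200", "Authorization untagged VLAN: 100")

if __name__ == "__main__":
    print("escape-domain users while RADIUS is down:",
          critical_domain_sessions(UNREACHABLE_SNAPSHOT))
    print("findings while RADIUS is down:", audit(UNREACHABLE_SNAPSHOT))
    print("findings after recovery:", audit(RECOVERED_SNAPSHOT))
```

Run it against live output by piping the command result into `parse_connections`; a non-empty `critical_domain_sessions` result after `authen-radius-recover re-authen` should have fired points at users that were never re-authenticated, which is the condition this example is meant to rule out.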
#
dot1x
#
port-security static-user password cipher $c$3$ozaGPAIK8wBDwF9rXSdkBqk10lXJBbrdpg==
port-security static-user user-name-format ip-address
port-security static-user ip 192.168.2.29 192.168.2.49 domain bbb
#
vlan 2
#
interface Vlan-interface1
ip address 192.168.56.20 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.220 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port access vlan 2
dot1x
dot1x unicast-trigger
#
ip route-static 192.168.56.0 24 192.168.56.20
#
radius scheme radius1
primary authentication 192.168.56.10
primary accounting 192.168.56.10
key authentication cipher $c$3$ZR6Jz13mrYRSvW91VRUZVtuTIBsyK6Le8A==
key accounting cipher $c$3$qAgtx0xzADC9RFRI7nQ6LbGoYefOwmFtjg==
user-name-format without-domain
#
domain bbb
authen-radius-unavailable online domain critical
authen-radius-recover re-authen
authentication lan-access radius-scheme radius1
authorization lan-access radius-scheme radius1
accounting lan-access radius-scheme radius1
#
domain critical
authorization-attribute vlan 200
accounting lan-access none
#
See the following manuals for your product and software version:
· Security Configuration Guide
· Security Command Reference
Documentation varies slightly between models and specifications; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the content of this documentation without notice.