Background:
At one site, several Cisco Catalyst 2960 access switches are to be replaced with Huawei S5731 / H3C S5130 switches.
My role was to review and supplement the Huawei/H3C configurations that had been translated from the Cisco ones, and to support the cutover on site.
Cisco Catalyst 2960 (IOS 12.2) NAC-related (existing) configuration review:
aaa new-model //Enable the AAA model
!
aaa authentication login default line none //Default login list: line password first; "none" is a fallback that lets the login succeed with no authentication if the line has no password configured
aaa authentication dot1x default group radius none //Default 802.1X list: RADIUS first; "none" means that when no RADIUS server answers, the client is authorized without authentication (an open fallback, not a restricted VLAN)
aaa authorization network default group radius //Network authorization (per-user VLAN, ACL, etc.) from RADIUS
!
no ip domain-lookup
ip domain-name xxxx.com
vtp mode transparent
!
dot1x system-auth-control //Enable 802.1X globally
dot1x guest-vlan supplicant //Allow a host that has already sent EAPOL (i.e. has a supplicant) to be placed in the guest VLAN as well
dot1x critical eapol //Send EAPOL-Success to the client when a port is authorized in the critical (RADIUS unreachable) state; the per-port "authentication event server dead" command that actually triggers that state is not configured anywhere below
!
interface GigabitEthernet1/0/1 //Standard 802.1X port
switchport access vlan A
switchport mode access
authentication event no-response action authorize vlan B //Guest VLAN: authorize the port in VLAN B when the host sends no EAPOL (no supplicant) and MAB also fails. This covers the no-supplicant case, not an unreachable RADIUS server (that would be "authentication event server dead action authorize vlan", which is absent here)
authentication host-mode multi-auth
//Port host mode; the options are:
//  single-host: one host per port (default)
//  multi-host: several hosts, all admitted once the first one authenticates
//  multi-auth: every host is authenticated individually; the original notes add that this mode does not support VLAN switching and is configured as needed, so verify on the running IOS release that the no-response VLAN above takes effect in this mode
//  multi-domain: one data host plus one voice host (IP phone scenario)
authentication port-control auto //Enforce authentication: the port stays unauthorized until a host passes 802.1X or MAB
mab eap //Enable MAB on the port, with the MAC address sent to RADIUS in EAP-MD5 form rather than PAP
dot1x pae authenticator //The port acts as 802.1X authenticator
spanning-tree portfast
!
interface GigabitEthernet1/0/45 //MAC-binding port
switchport access vlan A
switchport mode access
switchport port-security //Port security with the default maximum of 1 secure address
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1111.2222.3333 vlan access //The sticky address is pinned in the config, so only this MAC is admitted; any other source MAC triggers the violation action (default shutdown, i.e. err-disable)
authentication event no-response action authorize vlan B //No effect on this port: there is no "authentication port-control auto" and no "dot1x pae authenticator", so the port is force-authorized and never runs 802.1X or MAB
//As configured, the port admits only the host with MAC 1111.2222.3333, enforced by port security alone, not by authentication
spanning-tree portfast
!
radius-server host 192.168.x.y auth-port 1812 acct-port 1813 key 7 0701224E4Fxxxx //Shared secret in Type 7 form: reversible obfuscation, so treat the config file as containing the plaintext secret
radius-server host 192.168.x.z auth-port 1812 acct-port 1813 key 7 020807590Axxxx
radius-server retransmit 2 //Up to 2 retransmissions after the first attempt
radius-server timeout 3 //3 s per attempt, so about 9 s before a server is given up on and about 18 s before an Access-Request has failed on both
radius-server deadtime 3 //A non-responding server is marked dead and skipped for 3 minutes
radius-server vsa send authentication //Send Cisco vendor-specific attributes in Access-Requests
!
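The "key 7" strings in the radius-server lines are Cisco Type 7 encoding: a fixed-key XOR that anyone holding the configuration file can reverse, which is also exactly what the cutover needs, because the plaintext secret has to be entered into the H3C radius scheme and the Huawei radius-server template. The Python decoder/encoder below is an added example, not part of the original post or of any vendor tooling; the XOR table is the one used by public Type 7 tools, and the sample lines are constructed (the page's real keys are truncated with xxxx), the first of them using the well-known encoding of the string "cisco".

```python
"""Cisco IOS Type 7 decode/encode for recovering RADIUS shared secrets.

Added example for the migration notes; not code from the original post.
Type 7 is obfuscation (XOR against a fixed table), not encryption, so a
'key 7 ...' line is plaintext-equivalent to anyone who can read the config.
"""
import re

# Fixed XOR table used by public Type 7 tools (assumed standard, 53 bytes).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Two decimal digits of salt, then an even number of hex digits.
_TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")


def type7_decode(encoded: str) -> str:
    """Decode a Type 7 string. Raises ValueError if it is not well-formed."""
    m = _TYPE7_RE.match(encoded.strip())
    if not m:
        raise ValueError(f"not a well-formed Type 7 string: {encoded!r}")
    salt = int(m.group(1))
    if salt >= len(_XLAT):
        raise ValueError(f"salt {salt} out of range")
    data = bytes.fromhex(m.group(2))
    # Each ciphertext byte is XORed with the table entry at (salt + position).
    plain = bytes(b ^ _XLAT[(salt + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, salt: int = 9) -> str:
    """Encode a plaintext secret; IOS itself uses salts 0..15."""
    if not 0 <= salt <= 15:
        raise ValueError("salt must be 0..15")
    raw = plain.encode("ascii")
    enc = bytes(b ^ _XLAT[(salt + i) % len(_XLAT)] for i, b in enumerate(raw))
    return f"{salt:02d}{enc.hex().upper()}"


# 'radius-server host <ip> ... key 7 <hex>' lines from an IOS config.
_KEY7_LINE_RE = re.compile(
    r"^\s*radius-server host (\S+)\b.*?\bkey 7 ([0-9A-Fa-f]+)\s*$", re.M
)


def recover_radius_keys(config: str) -> dict:
    """Return {server: plaintext shared secret} for every Type 7 RADIUS key."""
    return {host: type7_decode(enc) for host, enc in _KEY7_LINE_RE.findall(config)}


# Constructed sample (the page's real keys are truncated with 'xxxx').
# The first key is the well-known Type 7 encoding of 'cisco'.
SAMPLE_CONFIG = (
    "radius-server host 192.168.10.1 auth-port 1812 acct-port 1813 key 7 094F471A1A0A\n"
    "radius-server host 192.168.10.2 auth-port 1812 acct-port 1813 key 7 "
    + type7_encode("R4dius!Secret", salt=2) + "\n"
)

if __name__ == "__main__":
    for host, secret in recover_radius_keys(SAMPLE_CONFIG).items():
        print(f"{host}: {secret}")
```

Run it against a copy of the old running-config to get the plaintext secrets to type into the new switches, then treat that copy (and the old config backups) as secret material: the Type 7 form gives no protection once the file is off the box.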
H3C S5130 (Comware V7) NAC-related (pre-)configuration review:
The cutover pre-configuration script was supplied by the site; the author's task was to review it.
#
dot1x //Enable 802.1X globally
dot1x authentication-method eap //EAP relay: EAP frames are forwarded to the RADIUS server in EAP-Message attributes (as opposed to EAP termination with chap/pap)
#
mac-authentication //Enable MAC authentication globally
mac-authentication domain XXXX.com //ISP domain used for MAC-authentication users
#
interface GigabitEthernet1/0/1 //Standard 802.1X port
port access vlan A
stp edged-port
dot1x //802.1X on the port; the default port access control is MAC-based, i.e. each MAC is authenticated separately, matching the Cisco multi-auth host mode
mac-authentication //MAC authentication on the same port, the counterpart of "mab"
#
interface GigabitEthernet1/0/32 //MAC-binding port
port access vlan A
stp edged-port
mac-address static 1111-2222-3333 vlan A //Static MAC table entry only; no 802.1X and no port security on this port
#
radius scheme XXXX.com
primary authentication 192.168.x.y
primary accounting 192.168.x.y
secondary authentication 192.168.x.z
secondary accounting 192.168.x.z
key authentication cipher XXXXXXXXXX
key accounting cipher XXXXXXXXXX
user-name-format without-domain //Strip the domain suffix from the user name before sending it to RADIUS
#
radius scheme system
user-name-format without-domain
#
domain XXXX.com
authentication lan-access radius-scheme XXXX.com local //RADIUS first, local user database if the RADIUS scheme is unreachable
authorization lan-access radius-scheme XXXX.com local
accounting lan-access radius-scheme XXXX.com local
#
domain default enable XXXX.com //Default domain for users whose name carries none
#
return
Huawei S5731 (VRP 7) NAC-related (pre-)configuration review:
The cutover pre-configuration script was supplied by the site; the author's task was to review it.
#
authentication-profile name auth-new //Not bound to any interface below
dot1x-access-profile dot1x-test
mac-access-profile mac-auth
access-domain XXXX.cn force
authentication-profile name default_authen_profile //This and the *_authen_profile entries below are the system default profiles
authentication-profile name dot1x-test //Profile applied to GigabitEthernet0/0/1
dot1x-access-profile dot1x-test
mac-access-profile mac_access_profile
authentication mode multi-authen max-user 50 //Each user authenticated separately, up to 50 per port: the counterpart of Cisco multi-auth
access-domain XXXX.cn force //Force users into domain XXXX.cn regardless of any domain in the user name
authentication-profile name dot1x_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name mac-auth //Not bound to any interface below
mac-access-profile mac_access_profile
authentication mode multi-authen max-user 100
access-domain XXXX.cn force
authentication-profile name mac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name portal_authen_profile
#
radius-server template XX-test
radius-server shared-key cipher xxxxxxxxxx //The plaintext secret recovered from the Cisco Type 7 string is entered here; the device displays it in its own cipher form
radius-server authentication 192.168.x.y 1812 weight 80 //Equal weights: in the default master-backup algorithm the primary is chosen by weight, then by configuration order
radius-server authentication 192.168.x.z 1812 weight 80
radius-server accounting 192.168.x.y 1813 weight 80
radius-server accounting 192.168.x.z 1813 weight 80
#
aaa
domain XXXX.cn
authentication-scheme acs //The scheme referenced here is not shown in the excerpt
accounting-scheme default
radius-server XX-test //Binds the RADIUS template above to the domain
#
interface GigabitEthernet0/0/1 //Standard 802.1X port
port link-type access
port default vlan A
stp edged-port enable
authentication-profile dot1x-test //Applies 802.1X plus MAC authentication in multi-authen mode
#
interface GigabitEthernet0/0/7 //MAC-binding port
port link-type access
port default vlan A
stp edged-port enable
port-security enable //Port security with sticky learning but no explicit address: the first MAC learned (default maximum 1) is the one that gets bound
port-security mac-address sticky
#
dot1x-access-profile name dot1x-test //Default settings, i.e. EAP relay
dot1x-access-profile name dot1x_access_profile //System default profile
#
mac-access-profile name mac-auth
mac-access-profile name mac_access_profile //System default profile
Review:
- Neither the H3C nor the Huawei pre-configuration gives the interfaces a fallback comparable to the Cisco "authentication event no-response action authorize vlan B". Note what that Cisco line actually does: it authorizes the port into VLAN B when the host sends no EAPOL (no supplicant) and MAB fails, i.e. it is the guest VLAN. It is not triggered by an unreachable RADIUS server; that case is the critical VLAN ("authentication event server dead action authorize vlan"), which the Cisco config does not configure on any port (only the global "dot1x critical eapol" is present), so on the Cisco side a RADIUS outage is handled by the "none" fallback in the dot1x method list, which authorizes clients outright. Both replacement configurations therefore need the guest-VLAN behaviour, plus a deliberate choice for the RADIUS-down case: the H3C domain falls back to "local" when the RADIUS scheme is unreachable, so users not in the local database are simply rejected, and the Huawei authentication profile as shown has no RADIUS-down fallback configured at all.
- The Huawei MAC-binding interface has port-security sticky enabled but binds no specific MAC address, unlike the Cisco port, which pins 1111.2222.3333. On the H3C side the port has only a static MAC table entry ("mac-address static 1111-2222-3333 vlan A"); that is a forwarding entry and does not by itself limit the port to one learned address the way Cisco port security with maximum 1 does, so confirm whether that port is meant to admit only that MAC.
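Before translating port by port, it helps to have the actual fallback semantics of each Cisco port extracted mechanically rather than read off by eye, because the two points above (guest VLAN versus critical VLAN, and a fallback line sitting on a force-authorized port) are easy to confuse in a long config. The script below is an added example, not part of the original post or of any vendor tool: it parses interface blocks out of an IOS configuration and reports, per port, whether authentication is actually enforced, which fallback VLANs exist and what each one covers, and any pinned port-security MACs. The sample configuration is constructed from the two Cisco interfaces on this page, with the placeholder VLANs A and B written as 100 and 200.

```python
"""Audit the 802.1X/MAB fallback state of Cisco IOS access ports.

Added example for the review above, not code from the original post. It
distinguishes the guest VLAN ('authentication event no-response', host sends
no EAPOL) from the critical VLAN ('authentication event server dead', RADIUS
unreachable) and flags fallback lines on force-authorized ports.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PortAuth:
    name: str
    port_control_auto: bool = False      # absent -> port is force-authorized
    dot1x: bool = False                  # dot1x pae authenticator
    mab: bool = False                    # mab [eap]
    host_mode: str = "single-host"       # IOS default
    guest_vlan: Optional[str] = None     # no EAPOL from host (and MAB failed)
    critical_vlan: Optional[str] = None  # all RADIUS servers dead
    port_security: bool = False
    bound_macs: List[str] = field(default_factory=list)

    @property
    def enforces_auth(self) -> bool:
        return self.port_control_auto and (self.dot1x or self.mab)


_IFACE = re.compile(r"^interface (\S+)$")
_VALUE_RULES = [  # (regex, attribute that receives the captured value)
    (re.compile(r"^authentication host-mode (\S+)$"), "host_mode"),
    (re.compile(r"^authentication event no-response action authorize vlan (\S+)$"), "guest_vlan"),
    (re.compile(r"^authentication event server dead action authorize vlan (\S+)$"), "critical_vlan"),
]
_BOUND_MAC = re.compile(
    r"^switchport port-security mac-address (?:sticky )?([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def parse_ports(config: str) -> Dict[str, PortAuth]:
    """Collect authentication and port-security state for each interface block."""
    ports: Dict[str, PortAuth] = {}
    cur: Optional[PortAuth] = None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()  # tolerate the //annotations used in the notes
        if m := _IFACE.match(line):
            cur = ports[m.group(1)] = PortAuth(m.group(1))
            continue
        if line == "!":
            cur = None
        if cur is None or not line:
            continue
        for rx, attr in _VALUE_RULES:
            if m := rx.match(line):
                setattr(cur, attr, m.group(1))
                break
        else:
            if line == "authentication port-control auto":
                cur.port_control_auto = True
            elif line == "dot1x pae authenticator":
                cur.dot1x = True
            elif line == "mab" or line.startswith("mab "):
                cur.mab = True
            elif line == "switchport port-security":
                cur.port_security = True
            elif m := _BOUND_MAC.match(line):
                cur.bound_macs.append(m.group(1))
    return ports


def audit(port: PortAuth) -> List[str]:
    """Findings for one port; an empty list means nothing to flag."""
    out = []
    if (port.guest_vlan or port.critical_vlan) and not port.enforces_auth:
        out.append("fallback VLAN on a force-authorized port (no 'authentication "
                   "port-control auto' with dot1x/mab): no effect")
    if port.enforces_auth and port.guest_vlan and not port.critical_vlan:
        out.append(f"guest VLAN {port.guest_vlan} covers hosts without a supplicant only; "
                   "a RADIUS outage is left to the AAA method list (no 'server dead' action)")
    if port.enforces_auth and port.critical_vlan and not port.guest_vlan:
        out.append(f"critical VLAN {port.critical_vlan} covers a RADIUS outage only; "
                   "hosts without a supplicant get no fallback")
    return out


def audit_config(config: str) -> Dict[str, List[str]]:
    return {name: audit(p) for name, p in parse_ports(config).items()}


# Constructed from the two Cisco interfaces in the notes (VLAN A=100, B=200).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 100
 authentication event no-response action authorize vlan 200
 authentication host-mode multi-auth
 authentication port-control auto
 mab eap
 dot1x pae authenticator
!
interface GigabitEthernet1/0/45
 switchport access vlan 100
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1111.2222.3333 vlan access
 authentication event no-response action authorize vlan 200
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or ["ok"])
```

On the sample this reports GigabitEthernet1/0/1 as an enforced multi-auth port whose only fallback is the guest VLAN, and GigabitEthernet1/0/45 as a force-authorized port where the no-response line can never fire; those are exactly the two translation decisions the review above calls out.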
Scripts written for the two items above:
H3C:
interface GigabitEthernet1/0/x
port access vlan A
stp edged-port
dot1x
mac-authentication
dot1x guest-vlan B ----added----
#
interface GigabitEthernet1/0/y
port access vlan A
stp edged-port
mac-address static 1111-2222-3333 vlan A
dot1x guest-vlan B ----added----
Note: "dot1x guest-vlan" is the H3C counterpart of the Cisco no-response fallback (no EAPOL response from the host), so on GigabitEthernet1/0/x it is the right mapping. On GigabitEthernet1/0/y it has nothing to act on, because 802.1X is not enabled on that port; the Cisco original was in the same position (a force-authorized port), so decide whether this port should run authentication at all before keeping the line.
Huawei:
interface GigabitEthernet0/0/1
port link-type access
port default vlan A
stp edged-port enable
authentication-profile dot1x-test
authentication critical-vlan B ----added----
authentication critical eapol-success ----added----
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan A
stp edged-port enable
port-security enable
port-security mac-address sticky
authentication critical-vlan B ----added----
authentication critical eapol-success ----added----
port-security mac-address 2222-3333-4444 vlan B ----added----
Note: the critical VLAN covers the RADIUS-unreachable case (the Cisco critical VLAN, which the Cisco config did not actually have), not the no-supplicant case that the Cisco no-response line handled, so the guest-VLAN behaviour is still missing on GigabitEthernet0/0/1. On GigabitEthernet0/0/7 no authentication profile is applied, so the two critical lines have nothing to act on, and the bound address and VLAN (2222-3333-4444 in VLAN B) differ from the Cisco binding (1111.2222.3333 in VLAN A); confirm which values are intended before the cutover.
That's it for now; anything else can be sorted out on site (^^)
Copyright belongs to the original author 筐瓢大师小吕; if there is any infringement, please contact us for removal.