Principle: 802.1X is a port-based network access control protocol. "Port-based network access control" means that devices are authenticated and controlled at the level of the port on the LAN access-control device: a user device connected to a port that passes authentication can access resources on the LAN; one that fails authentication cannot.
802.1X architecture: an 802.1X system is a typical client/server architecture with three entities: the client, the device (authenticator), and the authentication server.
802.1X authentication process: EAP relay mode and EAP termination mode
1. PAE (Port Access Entity): the PAE is the entity in the authentication mechanism that executes the algorithms and protocol operations. The device-side PAE uses the authentication server to authenticate clients that need access to the LAN and, according to the result, sets the controlled port to the authorized or unauthorized state. The client-side PAE responds to the device's authentication requests and submits the user's credentials to the device. The client-side PAE can also actively send authentication requests and log-off requests to the device.
Case 1: EAP termination mode
Authentication is performed on the access switch itself, and the user database is configured on the switch. Topology:
Lab steps:
(1) Switch configuration
<Quidway>system-v
[Quidway]sys SW1
[SW1]int vlan 1 #configure the management IP on VLAN 1
[SW1-Vlan-interface1]
%Apr 2 08:09:31:258 2000 SW1 L2INF/5/VLANIF LINK STATUS CHANGE:- 1 -
Vlan-interface1: is UP
[SW1-Vlan-interface1]ip add 192.168.10.2 24
[SW1-Vlan-interface1]
%Apr 2 08:09:40:788 2000 SW1 IFNET/5/UPDOWN:- 1 -Line protocol on the interface
Vlan-interface1 is UP
[SW1-Vlan-interface1]quit
[SW1]dot1x #enable dot1x globally from system view
802.1X is enabled globally.
[SW1]int e1/0/10
[SW1-Ethernet1/0/10]dot1x #enable dot1x on the port that connects the endpoint
802.1X is enabled on port Ethernet1/0/10.
[SW1-Ethernet1/0/10]
[SW1]local-user test1 #configure a local account
New local user added.
[SW1-luser-test1]password cipher 123456
[SW1-luser-test1]ser
[SW1-luser-test1]service-type lan-access
[SW1-luser-test1]quit
(2) Verification: test with the H3C 802.1X client software, entering the account and password created on the switch.
The PC can now ping the switch's management IP.
Case 2: EAP relay mode
This mode is specified by the IEEE 802.1X standard: EAP is carried inside another higher-layer protocol, such as EAP over RADIUS, so that the extended authentication protocol packets can traverse a complex network to reach the authentication server. In general, EAP relay mode requires the RADIUS server to support the EAP attributes EAP-Message (type 79) and Message-Authenticator (type 80).
How 802.1X works:
Case:
I. Networking requirements: AAA authentication is required for user access on every port. The AAA server is in VLAN 30; hosts are split into VLAN 10 and VLAN 20, with VLAN 10 belonging to the VLAN10 domain and VLAN 20 to the VLAN20 domain. This lab lets users in VLAN 10 and VLAN 20 log in through user authentication. The topology is shown below.
II. Lab steps
(1) R1 configuration
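As an added example (not part of the original lab), the following Python builds the RADIUS Access-Request that the switch sends in EAP relay mode, carrying the EAP frame in EAP-Message (79) attributes and protecting it with a Message-Authenticator (80), the HMAC-MD5 over the packet keyed with the shared secret, and shows the check a RADIUS server must perform before trusting the EAP payload. The username, EAP Identity payload and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79            # RFC 3579 attribute carrying the EAP frame
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 HMAC-MD5 over the whole RADIUS packet


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: bytes, eap: bytes,
                         req_auth: bytes) -> bytes:
    """Access-Request with User-Name, EAP-Message(s) and a valid Message-Authenticator."""
    attrs = attr(USER_NAME, user)
    # An EAP frame longer than 253 bytes is split across consecutive EAP-Message attributes.
    for i in range(0, len(eap), 253):
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed placeholder is the last 16 bytes of the packet


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check: False if the attribute is absent, malformed, or does not verify."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


if __name__ == "__main__":
    # Constructed sample: EAP Response/Identity (code 2, id 1, length 10, type 1) for user test1.
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"test1"
    pkt = build_access_request(b"123456", 7, b"test1", eap_identity, os.urandom(16))
    print(verify_message_authenticator(b"123456", pkt))
```

A server that skips this check cannot tell a genuine EAP relay from a forged one, which is why RFC 3579 makes the attribute mandatory on any Access-Request carrying EAP-Message.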
[Router]sys R1
[R1]int e0
[R1-Ethernet0]ip add 192.168.1.254 24 #gateway address for switch SW1, so the switch can reach the AAA server
%01:03:53: Line protocol ip on the interface Ethernet0 is UP
[R1-Ethernet0]int e0.10 #configure the VLAN 10 gateway
[R1-Ethernet0.10]vlan-ty dot1q vid 10
[R1-Ethernet0.10]ip add 192.168.10.254 24
[R1-Ethernet0.10]
%01:05:06: Line protocol ip on the interface Ethernet0.10 is UP
[R1-Ethernet0.10]int e0.20 #configure the VLAN 20 gateway
[R1-Ethernet0.20]vlan-ty dot1q vid 20
[R1-Ethernet0.20]ip add 192.168.20.254 24
[R1-Ethernet0.20]
%01:05:31: Line protocol ip on the interface Ethernet0.20 is UP
[R1-Ethernet0.20]int e0.30 #configure the VLAN 30 gateway
[R1-Ethernet0.30]vlan-ty dot1q vid 30
[R1-Ethernet0.30]ip add 192.168.30.254 24
[R1-Ethernet0.30]
%01:05:56: Line protocol ip on the interface Ethernet0.30 is UP
[R1-Ethernet0.30]quit
[R1]dis ip rout #display the routing table
Routing Tables:
Destination/Mask Proto Pref Metric Nexthop Interface
127.0.0.0/8 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.0/24 Direct 0 0 192.168.1.254 Ethernet0
192.168.1.254/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.10.0/24 Direct 0 0 192.168.10.254 Ethernet0.10
192.168.10.254/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.20.0/24 Direct 0 0 192.168.20.254 Ethernet0.20
192.168.20.254/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.30.0/24 Direct 0 0 192.168.30.254 Ethernet0.30
192.168.30.254/32 Direct 0 0 127.0.0.1 LoopBack0
[R1]
(2) Switch SW1 configuration
<Quidway>system-view
System View: return to User View with Ctrl+Z.
[Quidway]sys SW1
[SW1]int vlan 1 #configure the switch's IP address
[SW1-Vlan-interface1]
%Apr 2 07:56:34:517 2000 SW1 L2INF/5/VLANIF LINK STATUS CHANGE:- 1 -
Vlan-interface1: is UP
[SW1-Vlan-interface1]ip add 192.168.1.1 24
[SW1-Vlan-interface1]
%Apr 2 07:56:44:698 2000 SW1 IFNET/5/UPDOWN:- 1 -Line protocol on the interface
Vlan-interface1 is UP
[SW1-Vlan-interface1]quit
[SW1]ip route-static
[SW1]vlan 10 #configure VLANs
[SW1-vlan10]port e1/0/10 #add a port to the VLAN
[SW1-vlan10]vlan 20
[SW1-vlan20]port e1/0/20
[SW1-vlan20]vlan 30
[SW1-vlan30]port e1/0/15
[SW1-vlan30]quit
[SW1]int e1/0/24 #port 24 is the trunk
[SW1-Ethernet1/0/24]port link-ty
[SW1-Ethernet1/0/24]port link-type trunk
[SW1-Ethernet1/0/24]port tru
[SW1-Ethernet1/0/24]port trunk permit vlan all
Please wait........................................... Done.
[SW1-Ethernet1/0/24]quit
[SW1]radius scheme zxf #configure the RADIUS scheme
New Radius scheme
[SW1-radius-zxf]primary authentication 192.168.30.1 #the primary authentication server is the AAA server's IP address
[SW1-radius-zxf]accounting optional #accounting is optional
[SW1-radius-zxf]key authentication 123456 #authentication key
[SW1-radius-zxf]server-type standard #server type is standard
[SW1-radius-zxf]user-name-format without-domain #username format without domain: when the switch sends the username to the AAA server, the domain is stripped
[SW1-radius-zxf]quit
[SW1]dot1x #enable dot1x globally on the switch
802.1X is enabled globally.
[SW1]int e1/0/10 #enable dot1x on the corresponding port in VLAN 10
[SW1-Ethernet1/0/10]dot1x
802.1X is enabled on port Ethernet1/0/10.
[SW1-Ethernet1/0/10]int e1/0/20 #enable dot1x on the VLAN 20 port
[SW1-Ethernet1/0/20]dot1x
802.1X is enabled on port Ethernet1/0/20.
[SW1-Ethernet1/0/20]quit
[SW1]dis cu #display the current configuration
#
sysname SW1
#
dot1x
#
radius scheme system
radius scheme zxf
server-type standard
primary authentication 192.168.30.1
accounting optional
key authentication 123456
user-name-format without-domain
#
domain system
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet1/0/9
#
interface Ethernet1/0/10
port access vlan 10
dot1x
interface Ethernet1/0/15
port access vlan 30
interface Ethernet1/0/20
port access vlan 20
dot1x
#
interface Ethernet1/0/24
port link-type trunk
port trunk permit vlan all
ip route-static
[SW1]domain vlan10.com #create the domain
New Domain added.
[SW1-isp-vlan10.com]radius-scheme zxf #bind the RADIUS scheme to the domain
[SW1-isp-vlan10.com]access-limit enable 10 #limit the number of users allowed in the domain
[SW1-isp-vlan10.com]accounting optional #accounting is optional
[SW1-isp-vlan10.com]domain vlan20.com
New Domain added.
[SW1-isp-vlan20.com]ra
[SW1-isp-vlan20.com]radius-scheme zxf
[SW1-isp-vlan20.com]access-limit enable 10
[SW1-isp-vlan20.com]accounting optional
[SW1-isp-vlan20.com]quit
[SW1]dis radius scheme #display the RADIUS schemes
------------------------------------------------------------------
SchemeName =system Index=0 Type=huawei
Primary Auth IP =127.0.0.1 Port=1645
Primary Acct IP =127.0.0.1 Port=1646
Second Auth IP =
Second Acct IP =
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
Accounting method = required
Accounting-On packet disable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
nas-ip:Source-IP-address =
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
unit 1 :
------------------------------------------------------------------
SchemeName =zxf Index=1 Type=standard
Primary Auth IP =192.168.30.1 Port=1812
Primary Acct IP =
Second Auth IP =
Second Acct IP =
Auth Server Encryption Key= 123456
Acct Server Encryption Key= Not configured
Accounting method = optional
Accounting-On packet disable, send times = 15 , interval = 3s
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
nas-ip:Source-IP-address =
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
unit 1 :
------------------------------------------------------------------
Total 2 RADIUS scheme(s). 2 listed
[SW1]
(3) IP address of a host in VLAN 10
(4) IP address of the AAA server
Authentication succeeds.