一波三折,經過一番折騰總算把SSL ***架了起來正常使用了,在此記錄一下,感謝h3c技術支持,感謝3290工程師的耐心幫助……
相關組網圖:(原文的組網圖為圖片,未隨文字保留。依下方配置可還原為:MSR3620 路由器 ─ FW01 GE1/0/0(192.168.201.254/24)─ FW01 GE1/0/1(192.168.202.1/24)─ SW5800(192.168.202.254);SSL *** 客戶端經 MSR3620 映射的 192.168.201.254:TCP 2000 接入防火牆。)
F1020相關配置:
#
version 7.1.064, Release 9313P12
#
sysname FW01
#
context Admin id 1
#
ip ***-instance management
route-distinguisher 1000000000:1
***-target 1000000000:1 import-extcommunity
***-target 1000000000:1 export-extcommunity
#
telnet server enable -----注意:Telnet 為明文協議,管理帳號與口令會在鏈路上明文傳輸。本配置同時啟用了 SSH(見下方 ssh server enable),生產環境建議改為 undo telnet server enable,並從 admin 用戶的 service-type 中移除 telnet。
#
irfmac-address persistent timer
irfauto-update enable
undoirf link-delay
irfmember 1 priority 1
#
password-recovery enable -----允許透過 Console 口做口令恢復。擁有物理 Console 存取權的人即可取回設備控制權,僅在機房物理安全可控時保留此項。
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0 -----配置連接路由接口IP
port link-mode route
description link toroute MSR3620
ip address192.168.201.254 255.255.255.0
#
interface GigabitEthernet1/0/1 -----配置連接內網接口IP
port link-mode route
description link toSW5800
ip address192.168.202.1 255.255.255.0
#
interface GigabitEthernet1/0/2
portlink-mode route
#
interface GigabitEthernet1/0/3
portlink-mode route
#
interface GigabitEthernet1/0/4
portlink-mode route
#
interface GigabitEthernet1/0/5
portlink-mode route
#
interface GigabitEthernet1/0/6
portlink-mode route
#
interface GigabitEthernet1/0/7
portlink-mode route
#
interface GigabitEthernet1/0/8
portlink-mode route
#
interface GigabitEthernet1/0/9
portlink-mode route
#
interface GigabitEthernet1/0/10
portlink-mode route
#
interface GigabitEthernet1/0/11
portlink-mode route
#
interface GigabitEthernet1/0/12
portlink-mode route
#
interface GigabitEthernet1/0/13
portlink-mode route
#
interface GigabitEthernet1/0/14
portlink-mode route
#
interface GigabitEthernet1/0/15
portlink-mode route
#
interface GigabitEthernet1/0/16
portlink-mode route
#
interface GigabitEthernet1/0/17
portlink-mode route
#
interface GigabitEthernet1/0/18
portlink-mode route
#
interface GigabitEthernet1/0/19
portlink-mode route
#
interface GigabitEthernet1/0/20
portlink-mode route
#
interface GigabitEthernet1/0/21
portlink-mode route
#
interface GigabitEthernet1/0/22
portlink-mode route
#
interface GigabitEthernet1/0/23
portlink-mode route
#
interface SSL***-AC1 ---------創建SSL *** AC接口1,配置接口的IP地址(注意:2.2.2.0/24 並非 RFC 1918 私網地址,而是公網地址空間;客戶端被分配此類地址後,到真實 2.2.2.0/24 的流量會被誤導入隧道。建議改用 10.0.0.0/8、172.16.0.0/12 或 192.168.0.0/16 中未被內網使用的網段,並同步修改下方地址池 ippool 與 ACL 3010。)
ip address 2.2.2.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust ----把上述兩接口加入到Trust ,否則不能互通(注意:GE1/0/0 朝向 MSR3620,而 SSL *** 的公網流量正是經 MSR3620 映射到該接口(見注意事項 4)。把它放進 Trust 後,下方 Trust→Local 的 zone-pair 套用的是 permit-any 的 ACL 3000,等於路由側/互聯網側可直達防火牆上所有本機服務(telnet/ssh/http/https)。更安全的做法是把 GE1/0/0 放入 Untrust,Untrust→Local 僅放通到 192.168.201.254 的 TCP 2000;若內網需經此防火牆出互聯網,再另行放通 Trust→Untrust。)
import interfaceGigabitEthernet1/0/0
import interfaceGigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
security-zone nameSSL*** ----SSL***-AC1加入SSL***區域,並放通策略
import interface SSL***-AC1
#
zone-pair security source Local destination Trust ------其它安全放通策略,下同(Local↔Trust 與 Trust→Trust 引用的 ACL 3000 只有一條 rule 199 permit ip,即全放通;SSL***↔Trust 引用的 ACL 3010 才限制為 2.2.2.0/24 與 192.168.0.0/16 之間互訪。)
packet-filter 3000
#
zone-pair securitysource SSL*** destination Trust
packet-filter 3010
#
zone-pair securitysource Trust destination Local
packet-filter 3000
#
zone-pair securitysource Trust destination SSL***
packet-filter 3010
#
zone-pair securitysource Trust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-rolenetwork-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 192.168.201.1 -----預設路由,下一跳 192.168.201.1 應為 GE1/0/0 對端的 MSR3620
ip route-static 192.168.0.0 16 192.168.202.254 ------回程路由
#
sshserver enable
#
acl advanced 3000 -----------對應安全ACL(注意:唯一一條規則 rule 199 permit ip 即「全部放通」。此 ACL 同時被 Local↔Trust、Trust→Trust 的 zone-pair,以及下方 policy-group pgroup 的 filter ip-tunnel 引用,凡引用它的地方都沒有實際限制。)
rule 199 permit ip
#
acl advanced 3010 -----------對應安全ACL
rule 0 permit ip source 2.2.2.0 0.0.0.255destination 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.0.00.0.255.255 destination 2.2.2.0 0.0.0.255
#
ldap server ldap1 -----------------AD認證相關配置
login-dn cn=administrator,cn=users,dc=bbb,dc=com ----綁定 LDAP 用的 DN。此處使用的是域 Administrator 帳號,而防火牆只需讀取用戶及其 memberOf 屬性,建議改用專用的低權限唯讀綁定帳號,避免該口令一旦外洩即等同域管理員權限。
search-base-dn dc=bbb,dc=com ------配置查詢用戶的起始目錄爲
ip 192.168.10.1 -----域控制器 IP 地址。本配置中未見啟用 LDAP over SSL/TLS 的相關命令,若以預設的明文 LDAP 連接,綁定口令與用戶認證資訊會在內網明文傳輸;請確認此版本是否支持 LDAPS 並儘量啟用。
login-password cipher $c$3$RXm3/H61vuYoaD1e4JCGI8L4oXNvuxpk8xx/0QqI3iU= ---綁定帳號的口令。注意 cipher 是設備可還原的加密(防火牆必須還原出明文才能向 LDAP 綁定),並非單向雜湊;配置檔若對外分享(如本文),應先刪除此行,並更換該帳號的口令。
user-parameters user-name-attributeuserprincipalname
user-parameters user-name-formatwith-domain
#
ldap scheme shm1 ------ 創建LDAP方案shm1
authentication-server ldap1 -----配置LDAP認證服務器和授權服務器均爲ldap1。
authorization-server ldap1
attribute-map test1
#
ldap attribute-map test1 -----創建LDAP屬性映射表test1
map ldap-attribute memberofprefix cn= delimiter , aaa-attribute user-group
#---配置將LDAP服務器屬性memberof按照前綴爲cn=、分隔符爲逗號(,)的格式提取出的內容映射成AAA屬性User group
domain bbb.com ------創建ISP域bbb.com,爲SSL ***用戶配置AAA認證方法爲LDAP認證、LDAP授權、不計費。
authentication ssl***ldap-scheme shm1
authorization ssl*** ldap-schemeshm1
accounting ssl*** none
#
domain system
#
aaasession-limit ftp 16
aaasession-limit telnet 16
aaasession-limit ssh 16
domain default enable system
#
user-group system
#
user-group ***_users ----創建本地用戶組***_users,指定授權SSL ***策略組爲pgroup(組名須與 AD 中用戶所屬組的 CN 完全一致:屬性映射 test1 會從 memberOf 取出 cn= 之後、第一個逗號之前的值作為 user-group,見注意事項 2。)
authorization-attributessl***-policy-group pgroup
#
AD上對應用戶組如下:(原文此處為 AD 用戶組截圖,未隨文字保留;AD 中應存在名為 ***_users 的組,並把需要 SSL *** 登入的用戶加入該組。)
local-user admin class manage
password hash$h$6$Jn5wsW9YxCZelW4q$iMkNxt5tS2in5AatDoVApxLAwLpSoIjOYCg2hsYp9fBexxHWtuXETwVdJ5miG2lSbnofdq+qB/2PnG1KrVUriw==
service-type ssh telnet terminal http https -----管理帳號允許的接入方式。建議移除明文的 telnet 與 http,只保留 ssh、https、terminal;另外下方同時授予 level-3、network-admin、network-operator 三個角色,network-admin 一般為預定義角色中權限最高者,其餘兩項通常是多餘的。
authorization-attributeuser-role level-3
authorization-attribute user-rolenetwork-admin
authorization-attribute user-rolenetwork-operator
#
local-user test class network -----本地測試帳號。SSL *** 實際經 policy-group 指定的 domain bbb.com 走 LDAP 認證,此帳號及其靜態口令在確認 AD 認證正常後建議刪除,以免留下一個不受 AD 管理的帳號。
password cipher$c$3$ehhvJ6iZ0EjbcvRio4reyPyuqQWmAjdrDiqE
service-type ssl***
authorization-attributeuser-role network-operator
authorization-attribute ssl***-policy-grouppgroup
#
pki domain ssl*** --------------配置PKI域ssl***
public-key rsageneral name ssl***
undo crl check enable -----關閉 CRL 吊銷檢查。由於下方 ssl server-policy 啟用了 client-verify,關閉後已被 CA 吊銷的客戶端證書仍會被接受;若只是因 CRL 分發點不可達而暫時關閉,應記錄下來並在可達後重新啟用 crl check。
#
ssl server-policy ssl -----------配置SSL服務器端策略ssl
pki-domain ssl***
ciphersuite rsa_aes_128_cbc_sha -----只允許「RSA 金鑰交換 + AES-128-CBC + SHA1」一個套件:沒有前向保密,CBC 類套件也較易受填充類攻擊影響。建議用 ciphersuite ? 查看此版本支持的選項,優先選擇 ECDHE 與 GCM 類套件(如有)。
client-verify enable
#
session top-statistics enable
#
ip http enable -----啟用明文 HTTP 管理。建議僅保留下一行的 https(undo ip http enable);並留意 GE1/0/0 所在的 Trust 區到 Local 是全放通,路由側同樣能觸及這些管理服務。
iphttps enable
#
inspect block-source parameter-profileips_block_default_parameter
#----創建地址池ippool,指定IP地址範圍爲2.2.2.2~2.2.2.254(與下一行配置、AC 接口 2.2.2.1/24 及隧道掩碼 255.255.255.0 一致;原註解所寫的 2.2.5.254 超出了 /24,是筆誤。)
ssl*** ip address-poolippool 2.2.2.2 2.2.2.254
#
ssl*** gateway gw --------配置SSL ***網關gw的IP地址爲192.168.201.254,端口號爲2000,並引用SSL服務器端策略ssl
ip address 192.168.201.254 port 2000
ssl server-policy ssl
service enable
#
ssl*** context ctx ------ 配置SSL ***訪問實例ctx引用SSL ***網關gw
gateway gw
ip-tunnel interface SSL***-AC1
ip-tunnel address-pool ippool mask255.255.255.0
ip-route-list rtlist ----創建路由列表rtlist,並添加路由表項192.168.0.0/16(下一行 include 192.168.0.0 255.255.0.0 為 /16,與 ACL 3010 及回程路由 192.168.0.0/16 一致;原註解所寫的 /24 有誤。)
include 192.168.0.0 255.255.0.0
policy-group pgroup --------創建SSL ***策略組pgroup,引用路由列表rtlist,並且通過acl限制,保證只有通過ACL檢查的報文纔可以訪問IP資源(注意:下一行 filter ip-tunnel 引用的是 ACL 3000,其唯一規則為 permit ip,實際上沒有任何限制;若要按註解所述把 *** 用戶限制在 192.168.0.0/16,應改為 filter ip-tunnel 3010,或另建更細粒度的 ACL。)
filter ip-tunnel 3000
ip-tunnel access-route ip-route-list rtlist
aaa domain bbb.com ---使用bbb.com認證
timeout idle 120
service enable
#
ips policy default
#
anti-virus policy default
#
return
注意事項:
1、配置前應準備相關證書,建立相關證書服務器(可參考網上相關案例:http://www.docin.com/p-1350607324.html)生成相關證書並導入CA證書ca.cer和服務器證書server.pfx。server.pfx 內含伺服器私鑰,傳輸與保存時應加以保護,匯入完成後刪除工作站上的副本;
[F1020] pki import domain ssl*** der ca filename ca.cer
[F1020] pki import domain ssl*** p12 local filename server.pfx
2、AD服務器需要建立對應的***用戶組,如本例中***_users用戶組在AD中應該有名稱完全相同的用戶組(屬性映射以 memberOf 中的 CN 比對),並把需使用ssl***認證的用戶加入到此用戶組中;
3、防火牆及路由的回程路由應該注意下一跳的地址:本例中防火牆的預設路由指向 MSR3620(192.168.201.1),內網 192.168.0.0/16 指向 SW5800(192.168.202.254);而 SW5800(或內網主機的實際網關)上則需有指向防火牆 192.168.202.1 的 *** 地址池 2.2.2.0/24 回程路由,否則隧道流量有去無回;
4、MSR3620路由設備上映射SSL***對外的地址及端口,此文檔中映射192.168.201.254+TCP 2000;映射時只開放這一個端口,不要對 192.168.201.254 做全端口(DMZ 式)映射,以免防火牆上的 telnet/ssh/http/https 管理服務一併暴露到互聯網;
5、測試過程可暫時關閉客戶端的防病毒軟件以排除干擾,但僅限於排障期間,確認連通後應立即恢復;不要因此永久關閉防火牆上的 ips policy / anti-virus policy。
參考:http://kms.h3c.com/case/info.aspx?id=41896