Cisco 2950G: 802.1X authentication with AD + CA + IAS

Requirements:
1. A switch that supports 802.1X.
2. A RADIUS server.
3. A client.
Network topology: (diagram not reproduced in this copy)
Authentication method:
PEAP: certificate plus integrated AD user authentication.
Environment:
Operating system: Windows 2003 Enterprise Edition
RADIUS server: Windows IAS (Internet Authentication Service, installed from Windows Components)
CA server: Windows CA certificate services (installed from Windows Components)
RADIUS client: built into Windows (Network Connections -> Properties -> Authentication). If there is no "Authentication" tab, the required service is not running (Start -> Run -> services.msc -> start the "Wireless Zero Configuration" service).
Configuration:
1. Install a domain; the domain name is provisionally test.com. Procedure omitted; see the relevant documentation.
2. Install IIS (Internet Information Services), IAS and the CA: Control Panel -> Add/Remove Programs -> Add/Remove Windows Components, as shown: (screenshot not reproduced)
Install IIS first, then the CA, then IAS; the order must not be changed.
3. Configure the CA: procedure omitted; see the relevant references.
4. Cisco 2950G-48-EI switch configuration:
Building configuration...

Current configuration : 4944 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Layer_4_2
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
ip subnet-zero
!
!
!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 6
!
interface FastEthernet0/1.1
!
interface FastEthernet0/2
 switchport access vlan 6
!
interface FastEthernet0/3
 switchport access vlan 6
!
interface FastEthernet0/4
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 6
!
interface FastEthernet0/21
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/25
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/26
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/27
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/28
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/29
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/30
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/31
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/32
 switchport access vlan 6
 spanning-tree portfast
!
interface FastEthernet0/33
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/34
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/35
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
 spanning-tree portfast
!
interface FastEthernet0/37
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/38
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/39
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/40
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/41
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/42
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/43
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/44
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/45
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/46
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/47
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport access vlan 7
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan6
 ip address 192.168.1.1 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan7
 ip address 192.168.2.1 255.255.255.0
 no ip route-cache
 shutdown
!
ip http server
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
!
!
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/43
end
Layer_4_2#
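As an added example (not part of the original post), the following Python script parses a running-config in the format shown above and reports the switch-side 802.1X posture: whether 802.1X is enabled globally, which access ports actually enforce it with `dot1x port-control auto`, which guest VLAN they fall back to, and which RADIUS servers and shared secrets are configured. It also flags settings a reviewer would want to revisit before production (a very short RADIUS secret, `no service password-encryption`, `ip http server`). The embedded SAMPLE_CONFIG is a constructed, trimmed excerpt modelled on the 2950G config above, and the 16-character secret-length threshold is an assumption of this example, not a Cisco or IAS requirement.

```python
"""Audit a Cisco IOS running-config for its 802.1X / RADIUS posture.

Added example, not from the original post. The parser only needs the
plain text of `show running-config`; blank lines inside an interface
block (as in the pasted config above) are tolerated.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the same format as the 2950G config.
SAMPLE_CONFIG = """\
version 12.1
no service password-encryption
hostname Layer_4_2
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface FastEthernet0/35
 switchport access vlan 7
 spanning-tree portfast
!
interface FastEthernet0/36
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 21
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
ip http server
radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test
radius-server retransmit 3
radius-server vsa send authentication
end
"""

MIN_SECRET_LEN = 16  # assumption for this example, not a vendor requirement


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)  # indented sub-commands, stripped

    @property
    def dot1x(self) -> bool:
        return any(l.startswith("dot1x port-control auto") for l in self.lines)

    @property
    def guest_vlan(self):
        for l in self.lines:
            m = re.match(r"dot1x guest-vlan (\d+)", l)
            if m:
                return int(m.group(1))
        return None

    @property
    def is_trunk(self) -> bool:
        return "switchport mode trunk" in self.lines


def parse_config(text: str):
    """Split the config into global commands and per-interface blocks."""
    global_lines, ports, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:            # blank line: extraction artifact, keep context
            continue
        if line == "!":         # section separator ends the current block
            current = None
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = Port(m.group(1))
            ports[current.name] = current
        elif line.startswith(" ") and current is not None:
            current.lines.append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, ports


def dot1x_globally_enabled(global_lines) -> bool:
    """All three global commands must be present for dot1x to take effect."""
    needed = {"aaa new-model",
              "aaa authentication dot1x default group radius",
              "dot1x system-auth-control"}
    return needed <= set(global_lines)


def radius_servers(global_lines):
    servers = []
    for l in global_lines:
        m = re.match(r"radius-server host (\S+)(?: auth-port (\d+))?"
                     r"(?: acct-port (\d+))?(?: key (\S+))?", l)
        if m:
            servers.append({"host": m.group(1),
                            "auth_port": int(m.group(2) or 1812),
                            "acct_port": int(m.group(3) or 1813),
                            "key": m.group(4)})
    return servers


def audit(text: str) -> dict:
    global_lines, ports = parse_config(text)
    findings = []
    if not dot1x_globally_enabled(global_lines):
        findings.append("802.1X is not enabled globally")
    # Only edge (FastEthernet, non-trunk) ports are expected to run dot1x.
    access = [p for p in ports.values()
              if p.name.startswith("FastEthernet") and not p.is_trunk]
    unprotected = sorted(p.name for p in access if not p.dot1x)
    if unprotected:
        findings.append("access ports without dot1x port-control auto: "
                        + ", ".join(unprotected))
    for p in access:
        if p.dot1x and p.guest_vlan is None:
            findings.append(f"{p.name}: dot1x enabled but no guest VLAN")
    servers = radius_servers(global_lines)
    if not servers:
        findings.append("no radius-server host configured")
    for s in servers:
        if s["key"] is None or len(s["key"]) < MIN_SECRET_LEN:
            findings.append(f"RADIUS server {s['host']}: shared secret missing "
                            f"or shorter than {MIN_SECRET_LEN} characters")
    if "no service password-encryption" in global_lines:
        findings.append("local passwords are stored unencrypted")
    if "ip http server" in global_lines:
        findings.append("HTTP management interface is enabled")
    return {"dot1x_ports": sorted(p.name for p in access if p.dot1x),
            "guest_vlans": {p.name: p.guest_vlan for p in access if p.dot1x},
            "radius_servers": servers,
            "findings": findings}


if __name__ == "__main__":
    for k, v in audit(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Run it against a saved `show running-config` instead of the sample to see which ports on a real switch still bypass authentication; on the config above, only FastEthernet0/36 enforces 802.1X, so every other access port admits any device that plugs in.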
5. Configure IAS:
a) Open IAS.
b) Create a new "RADIUS client": (screenshots not reproduced)
c) Create a new remote access policy. (screenshot not reproduced)
d) Edit the policy properties.
6. Client settings:
a) Configure the network connection. (screenshot not reproduced)
b) Set it to obtain an IP address automatically.
7. At this point the setup is essentially complete. Once a user has joined the domain, the certificate is downloaded automatically at domain logon.
a) If the client has a certificate, it gets an IP address in the corresponding VLAN.
b) If it has no certificate, it gets an IP address in the guest VLAN.