Shulou(Shulou.com)05/31 Report--

How to carry out ACS verification and MAC address binding, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

Preface

Apply the ACS authentication scheme:

Topological graph

Equipment requirements:

1 switch quidway 2403H-HI

Firewall H3C F100PUE C 1

4 mainframes

DHCP Server (CentOS6.4 system)

AAA Server (win server2003 system)

The software required for the experiment:

Jdk-7-windows-i586

Acs4.0-build-24

H3C_8021XClient

Address Planning:

Eth0/0 1.1.1.2/24

Eth0/0.1 192.168.10.1/24 vlan10

Eth0/0.2 192.168.20.1/24 vlan20

Eth0/0.3 192.168.30.1/24 vlan30

DHCP Server 192.168.30.100/24

AAA Server 192.168.30.200/24

PC1 192.168.10.100/24

PC2 192.168.20.100/24

Specific configuration steps:

DHCP server configuration

Just add the following to / etc/dhcp/dhcpd.conf.

Option domain-name-servers 222.88.88.88, 222.85.85.85

Default-lease-time 600

Max-lease-time 7200

Log-facility local7

Subnet 192.168.30.0 netmask 255.255.255.0 {

}

Subnet 192.168.10.0 netmask 255.255.255.0 {

Range 192.168.10.2 192.168.10.254

Option routers 192.168.10.1

Option domain-name "tec.com"

}

Subnet 192.168.20.0 netmask 255.255.255.0 {

Range 192.168.20.2 192.168.20.254

Option routers 192.168.20.1

Option domain-name "mkt.com"

}

FW-1 configuration:

System-view

System View: return to User View with Ctrl+Z.

[FW-1] int eth0/0

[FW-1-Ethernet0/0] ip add 1.1.1.2 24

[FW-1-Ethernet0/0] quit

[FW-1] int eth0/0.1

[FW-1-Ethernet0/0.1] vlan-type dot1q vid 10

[FW-1-Ethernet0/0.1] ip add 192.168.10.1 24

[FW-1-Ethernet0/0.1] int eth0/0.2

[FW-1-Ethernet0/0.2] vlan-type dot1q vid 20

[FW-1-Ethernet0/0.2] ip add 192.168.20.1 24

[FW-1-Ethernet0/0.2] int eth0/0.3

[FW-1-Ethernet0/0.3] vlan-type dot1q vid 30

[FW-1-Ethernet0/0.3] ip add 192.168.30.1 24

[FW-1-Ethernet0/0.3] quit

[FW-1] firewall zone trust

[FW-1-zone-trust] add int eth0/0

[FW-1-zone-trust] add int eth0/0.1

[FW-1-zone-trust] add int eth0/0.2

[FW-1-zone-trust] add int eth0/0.3

[FW-1-zone-trust] quit

[FW-1] undo insulate

[FW-1] dhcp enable

DHCP task has already been started!

[FW-1] dhcp select relay interface eth0/0.1 to eth0/0.2

[FW-1] int eth0/0.1

[FW-1-Ethernet0/0.1] ip relay add 192.168.30.100

[FW-1-Ethernet0/0.1] int eth0/0.2

[FW-1-Ethernet0/0.2] ip relay add 192.168.30.100

[FW-1] radius scheme abc

New Radius scheme

[FW-1-radius-abc] primary authentication 192.168.30.200

[FW-1-radius-abc] key authentication 123456

[FW-1-radius-abc] server-type extended

[FW-1-radius-abc] user-name-format without-domain

[FW-1-radius-abc] accounting optional

[FW-1-radius-abc] quit

[FW-1] domain tyedu.com

New Domain added.

[FW-1-isp-tyedu.com] radius-scheme abc

[FW-1-isp-tyedu.com] accounting optional

[FW-1-isp-tyedu.com] access-limit enable 100

SW1 configuration:

[Quidway] sysname SW1

[SW1] int vlan 1

[SW1-Vlan-interface1] ip add 1.1.1.1 24

[SW1-Vlan-interface1] quit

[SW1] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

[SW1] vlan 10

[SW1-vlan10] port e1/0/10

[SW1-vlan10] vlan 20

[SW1-vlan20] port e1/0/20

[SW1-vlan20] vlan 30

[SW1-vlan30] port e1/0/23 e1/0/24

[SW1-vlan30] quit

[SW1] int e1/0/22

[SW1-Ethernet1/0/22] port link-type trunk

[SW1-Ethernet1/0/22] port trunk permit vlan all

[SW1-Ethernet1/0/22] dis vlan

Now, the following VLAN exist (s):

1 (default), 10, 20, 30

[SW1] dot1x

802.1X is enabled globally.

[SW1] int e1/0/10

[SW1-Ethernet1/0/10] dot1x

802.1X is enabled on port Ethernet1/0/10.

[SW1-Ethernet1/0/10] quit

[SW1] int e1/0/20

[SW1-Ethernet1/0/20] dot1x

802.1X is enabled on port Ethernet1/0/20.

[SW1-Ethernet1/0/20] quit

[SW1] radius scheme xxx

New Radius scheme

[SW1-radius-xxx] primary authentication 192.168.30.200

[SW1-radius-xxx] key authentication 123456

[SW1-radius-xxx] server-type huawei

[SW1-radius-xxx] user-name-format without-domain

[SW1-radius-xxx] accounting optional

[SW1-radius-xxx] quit

[SW1] domain tyedu.com

New Domain added.

[SW1-isp-tyedu.com] radius-scheme xxx

[SW1-isp-tyedu.com] accounting optional

[SW1-isp-tyedu.com] access-limit enable 100

Install ACS in server2003 (you need to install JDK first):

Add Huawei private attribute

Copy the h4c.ini file to the root directory of the C disk.

The following is the h4c.ini text (you can copy and save as h4c.ini directly)

[User Defined Vendor]

Name=Huawei

IETF Code=2011

VSA 29=hw_Exec_Privilege

[hw_Exec_Privilege]

Type=INTEGER

Profile=IN OUT

Enums=hw_Exec_Privilege-Values

[hw_Exec_Privilege-Values]

0=Access

1=Monitor

2=Manager

3=Administrator

Add Huawei private attributes to the acs installation directory bin.

View, added successfully.

Configure ACS:

Configure AAA Server to keep the server's key consistent with the client's key.

Configure AAA Client-SW1 and select Huawei private attribute.

Configure AAA Client-FW-1 and select Huawei private attribute.

View the configuration.

Add two accounts, test1 for verifying the host (belonging to Default Group) and test2 for authenticating the device (belonging to Group 1).

Install H3C_8021XClient in the test host and log in to the test.

Vlan 10 (Technical Department) PC1 test results.

Vlan 20 (Marketing Department) PC2 test results.

The test host is required to telnet the device, and the account must be verified by ACS (with Super Admin privileges).

First apply Huawei private attributes in Network Configuration → RADIUS (Huawei).

If the test host wants telnet remote management devices (SW1 and FW-1), you must enter the group, turn on telnet, and apply Huawei private properties.

Open telnet

Apply Huawei private properties and select administrator privileges.

Telnet SW1, logged in using the test2 account, tested successfully, and has Super Admin privileges.

Telnet FW-1 (telnet 1.1.1.2 can also be entered), login using the test2 account, the test is successful, and has Super Admin privileges.

Apply the MAC address verification scheme:

Specific configuration steps:

[SW1] mac-authentication

MAC-authentication is enabled globally.

[SW1] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen

[SW1] int e1/0/20

[SW1-Ethernet1/0/20] mac-authentication

MAC-authentication is enabled on port Ethernet1/0/20

[SW1-Ethernet1/0/20] int e1/0/10

[SW1-Ethernet1/0/10] mac-authentication

MAC-authentication is enabled on port Ethernet1/0/10

[SW1-Ethernet1/0/10] quit

[SW1] dis mac-authentication int e1/0/20

Ethernet1/0/20 is link-up

MAC address authentication is Enabled

Authenticate success: 1, failed: 0

Current online user number is 1

MAC ADDR Authenticate state AuthIndex

001c-2596-2e0e MAC_AUTHENTICATOR_SUCCESS 21

Add the MAC address of the test host to ACS as the account and password.

Test host results:

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.