2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many newcomers are unclear about how to set up ACS authentication and MAC address binding. To help with that, this article walks through the configuration in detail; readers who need it can follow along and hopefully gain something from it.
Preface
Applying the ACS authentication scheme:
Topology diagram (image not reproduced)
Equipment requirements:
1 switch: Quidway 2403H-HI
1 firewall: H3C F100PUE C
4 hosts
DHCP server (CentOS 6.4)
AAA server (Windows Server 2003)
Software required for the experiment:
jdk-7-windows-i586
Acs4.0-build-24
H3C_8021XClient
Address planning:
FW-1 Eth0/0 1.1.1.2/24
FW-1 Eth0/0.1 192.168.10.1/24 (VLAN 10)
FW-1 Eth0/0.2 192.168.20.1/24 (VLAN 20)
FW-1 Eth0/0.3 192.168.30.1/24 (VLAN 30)
DHCP server 192.168.30.100/24
AAA server 192.168.30.200/24
PC1 192.168.10.100/24
PC2 192.168.20.100/24
Specific configuration steps:
DHCP server configuration
Add the following to /etc/dhcp/dhcpd.conf (keywords are lowercase and every statement ends with a semicolon; the empty 192.168.30.0 declaration hands out no leases and only lets dhcpd listen on the interface in the server's own subnet, which it needs in order to answer the relayed requests from VLANs 10 and 20):
option domain-name-servers 222.88.88.88, 222.85.85.85;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.30.0 netmask 255.255.255.0 {
}
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.2 192.168.10.254;
  option routers 192.168.10.1;
  option domain-name "tec.com";
}
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.2 192.168.20.254;
  option routers 192.168.20.1;
  option domain-name "mkt.com";
}
FW-1 configuration:
<FW-1> system-view
System View: return to User View with Ctrl+Z.
[FW-1] int eth0/0
[FW-1-Ethernet0/0] ip add 1.1.1.2 24
[FW-1-Ethernet0/0] quit
[FW-1] int eth0/0.1
[FW-1-Ethernet0/0.1] vlan-type dot1q vid 10
[FW-1-Ethernet0/0.1] ip add 192.168.10.1 24
[FW-1-Ethernet0/0.1] int eth0/0.2
[FW-1-Ethernet0/0.2] vlan-type dot1q vid 20
[FW-1-Ethernet0/0.2] ip add 192.168.20.1 24
[FW-1-Ethernet0/0.2] int eth0/0.3
[FW-1-Ethernet0/0.3] vlan-type dot1q vid 30
[FW-1-Ethernet0/0.3] ip add 192.168.30.1 24
[FW-1-Ethernet0/0.3] quit
[FW-1] firewall zone trust
[FW-1-zone-trust] add int eth0/0
[FW-1-zone-trust] add int eth0/0.1
[FW-1-zone-trust] add int eth0/0.2
[FW-1-zone-trust] add int eth0/0.3
[FW-1-zone-trust] quit
[FW-1] undo insulate
[FW-1] dhcp enable
DHCP task has already been started!
[FW-1] dhcp select relay interface eth0/0.1 to eth0/0.2
[FW-1] int eth0/0.1
[FW-1-Ethernet0/0.1] ip relay add 192.168.30.100
[FW-1-Ethernet0/0.1] int eth0/0.2
[FW-1-Ethernet0/0.2] ip relay add 192.168.30.100
[FW-1-Ethernet0/0.2] quit
[FW-1] radius scheme abc
New Radius scheme
[FW-1-radius-abc] primary authentication 192.168.30.200
[FW-1-radius-abc] key authentication 123456
[FW-1-radius-abc] server-type extended
[FW-1-radius-abc] user-name-format without-domain
[FW-1-radius-abc] accounting optional
[FW-1-radius-abc] quit
[FW-1] domain tyedu.com
New Domain added.
[FW-1-isp-tyedu.com] radius-scheme abc
[FW-1-isp-tyedu.com] accounting optional
[FW-1-isp-tyedu.com] access-limit enable 100
SW1 configuration:
[Quidway] sysname SW1
[SW1] int vlan 1
[SW1-Vlan-interface1] ip add 1.1.1.1 24
[SW1-Vlan-interface1] quit
[SW1] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
[SW1] vlan 10
[SW1-vlan10] port e1/0/10
[SW1-vlan10] vlan 20
[SW1-vlan20] port e1/0/20
[SW1-vlan20] vlan 30
[SW1-vlan30] port e1/0/23 e1/0/24
[SW1-vlan30] quit
[SW1] int e1/0/22
[SW1-Ethernet1/0/22] port link-type trunk
[SW1-Ethernet1/0/22] port trunk permit vlan all
[SW1-Ethernet1/0/22] dis vlan
Now, the following VLAN exist(s):
1(default), 10, 20, 30
[SW1-Ethernet1/0/22] quit
[SW1] dot1x
802.1X is enabled globally.
[SW1] int e1/0/10
[SW1-Ethernet1/0/10] dot1x
802.1X is enabled on port Ethernet1/0/10.
[SW1-Ethernet1/0/10] quit
[SW1] int e1/0/20
[SW1-Ethernet1/0/20] dot1x
802.1X is enabled on port Ethernet1/0/20.
[SW1-Ethernet1/0/20] quit
[SW1] radius scheme xxx
New Radius scheme
[SW1-radius-xxx] primary authentication 192.168.30.200
[SW1-radius-xxx] key authentication 123456
[SW1-radius-xxx] server-type huawei
[SW1-radius-xxx] user-name-format without-domain
[SW1-radius-xxx] accounting optional
[SW1-radius-xxx] quit
[SW1] domain tyedu.com
New Domain added.
[SW1-isp-tyedu.com] radius-scheme xxx
[SW1-isp-tyedu.com] accounting optional
[SW1-isp-tyedu.com] access-limit enable 100
Install ACS on Windows Server 2003 (install the JDK first):
Add the Huawei vendor-specific attribute
Copy the file h4c.ini to the root of the C: drive.
The contents of h4c.ini are as follows (copy them and save the file as h4c.ini):
[User Defined Vendor]
Name=Huawei
IETF Code=2011
VSA 29=hw_Exec_Privilege
[hw_Exec_Privilege]
Type=INTEGER
Profile=IN OUT
Enums=hw_Exec_Privilege-Values
[hw_Exec_Privilege-Values]
0=Access
1=Monitor
2=Manager
3=Administrator
Import the Huawei vendor-specific attributes from the bin subdirectory of the ACS installation directory.
Check that the attributes were added successfully (screenshot not reproduced).
Configure ACS:
Configure the AAA server so that its shared key matches the key configured on the clients (123456 above).
Configure AAA client SW1 and select the Huawei vendor-specific attribute set.
Configure AAA client FW-1 and select the Huawei vendor-specific attribute set.
Review the configuration (screenshot not reproduced).
Add two accounts: test1 for authenticating hosts (in Default Group) and test2 for authenticating to the devices (in Group 1).
Install H3C_8021XClient on the test host and log in to test.
VLAN 10 (Technical Department) PC1 test results (screenshot not reproduced).
VLAN 20 (Marketing Department) PC2 test results (screenshot not reproduced).
The test host must also be able to telnet to the devices, with the account authenticated by ACS and granted Super Admin privileges.
First apply the Huawei vendor-specific attributes under Network Configuration → RADIUS (Huawei).
For the test host to manage the devices (SW1 and FW-1) remotely over telnet, open the group, enable telnet, and apply the Huawei vendor-specific attribute.
Enable telnet.
Apply the Huawei vendor-specific attribute and select the Administrator privilege level.
Telnet to SW1 and log in with the test2 account: the test succeeds and the session has Super Admin privileges.
Telnet to FW-1 (telnet 1.1.1.2 also works) and log in with the test2 account: the test succeeds and the session has Super Admin privileges.
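As an added example (not part of the original article, ACS, or H3C's software), the Python below parses the h4c.ini vendor definition above and shows how the hw_Exec_Privilege value travels inside a RADIUS Vendor-Specific attribute (RFC 2865 type 26, vendor 2011, sub-attribute 29), so the "Administrator" level ACS returns for test2 can be seen and checked on the wire. The h4c.ini text is embedded verbatim so the block runs stand-alone.

```python
import configparser
import struct
RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific

# The h4c.ini from the article, embedded so the example runs without the file.
H4C_INI = """[User Defined Vendor]
Name=Huawei
IETF Code=2011
VSA 29=hw_Exec_Privilege
[hw_Exec_Privilege]
Type=INTEGER
Profile=IN OUT
Enums=hw_Exec_Privilege-Values
[hw_Exec_Privilege-Values]
0=Access
1=Monitor
2=Manager
3=Administrator
"""

def load_vendor(ini_text):
    """Parse an ACS user-defined-vendor file: returns (vendor_id, {vsa: (name, {value: label})})."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                      # keep "IETF Code" / "VSA 29" as written
    cp.read_string(ini_text)
    vendor = cp["User Defined Vendor"]
    attrs = {}
    for key, name in vendor.items():
        if key.startswith("VSA "):
            enums = cp[cp[name]["Enums"]]
            attrs[int(key.split()[1])] = (name, {int(v): lbl for v, lbl in enums.items()})
    return int(vendor["IETF Code"]), attrs

def encode_vsa(vendor_id, vsa_type, value):
    """Build one RADIUS Vendor-Specific attribute carrying a 4-byte INTEGER sub-attribute."""
    sub = struct.pack("!BBI", vsa_type, 6, value)           # vendor-type, vendor-length, value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def decode_vsa(attr, vendor_id, attrs):
    """Decode a single Vendor-Specific attribute; returns {attr_name: enum_label}."""
    if len(attr) < 6 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != vendor_id:
        return {}                             # some other vendor's attribute: ignore it
    found, sub = {}, attr[6:]
    while len(sub) >= 2:
        stype, slen = sub[0], sub[1]
        if slen < 2 or slen > len(sub):
            raise ValueError("malformed sub-attribute")
        if stype in attrs and slen == 6:
            name, labels = attrs[stype]
            val = struct.unpack("!I", sub[2:6])[0]
            found[name] = labels.get(val, f"unknown({val})")
        sub = sub[slen:]
    return found
```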
Applying the MAC address authentication scheme:
Specific configuration steps:
[SW1] mac-authentication
MAC-authentication is enabled globally.
[SW1] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen
[SW1] int e1/0/20
[SW1-Ethernet1/0/20] mac-authentication
MAC-authentication is enabled on port Ethernet1/0/20
[SW1-Ethernet1/0/20] int e1/0/10
[SW1-Ethernet1/0/10] mac-authentication
MAC-authentication is enabled on port Ethernet1/0/10
[SW1-Ethernet1/0/10] quit
[SW1] dis mac-authentication int e1/0/20
Ethernet1/0/20 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
001c-2596-2e0e MAC_AUTHENTICATOR_SUCCESS 21
Add the test host's MAC address to ACS as an account, using the MAC address (without hyphens, matching the usernameformat configured above) as both the username and the password.
Test host results (screenshot not reproduced).
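As an added example (not from the original article or from H3C), the Python below derives the ACS account name the switch presents for a host under "authmode usernameasmacaddress usernameformat without-hyphen", parses the "display mac-authentication" output shown above, and audits a port against the MAC addresses that should be bound to it. Because MAC authentication uses the observable MAC as both username and password, the per-port allow-list check and the failed counter are the checks worth keeping an eye on; the sample output is a constructed copy of the page's and the allow-list is an assumption.

```python
import re

# Constructed sample, copied from the page's "display mac-authentication int e1/0/20" output.
SAMPLE_OUTPUT = """Ethernet1/0/20 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
001c-2596-2e0e MAC_AUTHENTICATOR_SUCCESS 21
"""

def normalize_mac(mac):
    """Reduce 001c-2596-2e0e, 00:1c:25:96:2e:0e or 001C25962E0E to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_auth_username(mac):
    """Username (and password) the switch sends to RADIUS for this MAC under
    'authmode usernameasmacaddress usernameformat without-hyphen': the bare hex digits."""
    return normalize_mac(mac)

def parse_mac_auth_display(text):
    """Parse per-port 'display mac-authentication' output into counters and online entries."""
    info = {"port": None, "enabled": False, "success": 0, "failed": 0, "online": []}
    for line in text.splitlines():
        if m := re.match(r"(\S+) is link-(up|down)", line):
            info["port"] = m.group(1)
        elif "authentication is Enabled" in line:
            info["enabled"] = True
        elif m := re.match(r"Authenticate success: (\d+), failed: (\d+)", line):
            info["success"], info["failed"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)", line):
            info["online"].append({"mac": normalize_mac(m.group(1)), "state": m.group(2)})
    return info

def audit_port(text, allowed_macs):
    """Compare the port's online MACs with the MACs bound to it (assumed allow-list).
    Returns a list of findings; an empty list means the binding holds and nothing was rejected."""
    info = parse_mac_auth_display(text)
    allowed = {normalize_mac(m) for m in allowed_macs}
    findings = [f"{info['port']}: unexpected MAC {e['mac']}"
                for e in info["online"] if e["mac"] not in allowed]
    if info["failed"]:
        findings.append(f"{info['port']}: {info['failed']} failed authentication attempt(s)")
    return findings
```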