
Radius Wireless dynamic VLAN configuration

2025-02-27 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)06/01 Report--

Requirement: wireless users in each department may only join the VLAN that belongs to their own department.

Environment:

Network equipment: core switch H3C S5500 (192.168.10.254), access-layer PoE switch H3C S5130 (192.168.10.253), AC H3C WX2560H (192.168.10.252), AP WA4320

Server: domain / DHCP server (192.168.20.1), NPS server (192.168.20.2)

The VLANs are 10, 20, 30, 40, 50 and 60: 10 is the network-device segment, 20 is the Windows server segment, 30 is the AP segment, and 40/50/60 are the production segments the users belong to. Addresses in 10/20/30 are assigned by the core switch itself; for 40/50/60 the core switch relays DHCP to the Windows DHCP server, which assigns the IP addresses.

I. Switch configuration

Core switch S5500:

dis cur
#
 version 7.1.045, Release 3116
#
 sysname S5500
#
 clock timezone Lisbon add 00:00:00
 clock protocol none
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dhcp enable
 dhcp server forbidden-ip 192.168.10.1 192.168.10.10
 dhcp server forbidden-ip 192.168.20.1 192.168.20.10
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
 stp global enable
#
dhcp server ip-pool 10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 dns-list 192.168.20.1
 option 43 hex 8007000001c0a80afc   # the AP segment is VLAN 30 while the AC sits in VLAN 10; when APs register across segments, option 43 must be configured on the DHCP pool and carry the AC address in hexadecimal
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.233 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlan-interface30
 ip address 192.168.30.254 255.255.255.0
#
interface Vlan-interface40
 ip address 192.168.40.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface50
 ip address 192.168.50.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface60
 ip address 192.168.60.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17   # downlink to the S5130
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/18   # downlink to the AC WX2560H
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/19
 combo enable copper
#
interface GigabitEthernet1/0/20
 combo enable copper
#
interface GigabitEthernet1/0/21
 combo enable copper
#
interface GigabitEthernet1/0/22
 combo enable copper
#
interface GigabitEthernet1/0/23
 port access vlan 10
 combo enable copper
#
interface GigabitEthernet1/0/24
 port access vlan 20
 combo enable copper
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
 snmp-agent
 snmp-agent local-engineid 800063A2803CF5CC29A26100000001
 snmp-agent community write private   # "private"/"public" are the well-known default community strings; they should be changed and SNMP access restricted before this goes into production
 snmp-agent community read public
 snmp-agent sys-info version all
#
 domain system
#
 aaa session-limit http 6
 aaa session-limit https 6
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $hong6 $m6G0XrvVo3KCxzlogged ZiSUweumlOHswdjZOF9eac28c8rKCP4001GBXyfQp444n0ETJiRF6TJNHE9ShopeEChM11nlVTbZ5v6c8juKyAids =
 service-type telnet terminal http https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 netconf soap http enable
 netconf soap https enable
#
 ip http enable
 ip https enable
#
return
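The option 43 value in the VLAN 30 pool above (8007000001c0a80afc) is what lets the APs in VLAN 30 find the AC in VLAN 10. The following is an added example, not code from the article or from H3C: it encodes a list of AC addresses into the sub-option layout the page's value follows (type 0x80, length, two zero bytes, a one-byte AC count, then the IPv4 addresses) and decodes such a value back, rejecting truncated or inconsistent input instead of silently misreading it. The function and field names are this example's own.

```python
"""Encode/decode the DHCP option 43 sub-option that tells H3C APs where the AC is.

Layout as read from the page's value 8007000001c0a80afc:
  0x80        sub-option type (AC address list)
  <len>       length of everything that follows
  0x00 0x00   two zero bytes
  <n>         number of AC addresses (one byte)
  <n * 4>     IPv4 addresses, network byte order
"""
import ipaddress

SUBOPTION_AC_LIST = 0x80


def encode_option43(ac_addresses):
    """Return the raw option 43 bytes for one or more AC IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(a) for a in ac_addresses]
    if not 1 <= len(addrs) <= 255:
        raise ValueError("need between 1 and 255 AC addresses")
    body = b"\x00\x00" + bytes([len(addrs)]) + b"".join(a.packed for a in addrs)
    return bytes([SUBOPTION_AC_LIST, len(body)]) + body


def option43_config_line(ac_addresses):
    """The H3C DHCP pool line that carries the encoded value."""
    return "option 43 hex " + encode_option43(ac_addresses).hex()


def decode_option43(hex_string):
    """Parse an option 43 hex string and return the AC addresses it advertises.

    Every length field is checked, so a value that was cut short or whose
    AC count does not match the bytes present raises ValueError.
    """
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != SUBOPTION_AC_LIST:
        raise ValueError("not an AC-list sub-option")
    length = raw[1]
    body = raw[2:2 + length]
    if len(body) != length or len(raw) != 2 + length:
        raise ValueError("length field does not match the data present")
    if length < 3 or body[:2] != b"\x00\x00":
        raise ValueError("unexpected header bytes")
    count, ip_bytes = body[2], body[3:]
    if count == 0 or len(ip_bytes) != 4 * count:
        raise ValueError("AC count does not match the number of addresses")
    return [str(ipaddress.IPv4Address(ip_bytes[i:i + 4])) for i in range(0, len(ip_bytes), 4)]


if __name__ == "__main__":
    # The AC from the page, 192.168.10.252, reproduces the page's pool line.
    print(option43_config_line(["192.168.10.252"]))
    print(decode_option43("8007000001c0a80afc"))
```

Run it and the first line printed is exactly the `option 43 hex 8007000001c0a80afc` from the S5500 pool. Decoding is the check you want when a new AP refuses to register: feed it the value from `display dhcp server ip-pool` and confirm it names the AC address you expect.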

PoE switch S5130:

The detailed configuration is omitted; the key points are: 1. enable PoE on the ports; 2. because the APs are meant to come online automatically, the ports on this switch that face the APs are configured in access mode, in VLAN 30, the VLAN the APs belong to.

AC WX2560H:

dis cur
#
 version 7.1.064, Release 5215P01
#
 sysname WX2560H
#
 telnet server enable
#
 dot1x                             # enable 802.1X globally
 dot1x authentication-method eap   # system-wide 802.1X authentication method: EAP relay
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 5
#
wlan service-template 1            # wireless service template configuration
 ssid service1
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain dm01
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.252 255.255.255.0
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/1     # AC uplink port
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
interface GigabitEthernet1/0/3
 port link-mode bridge
#
interface GigabitEthernet1/0/4
 port link-mode bridge
#
interface GigabitEthernet1/0/5
 port link-mode bridge
#
interface GigabitEthernet1/0/6
 port link-mode bridge
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 192.168.10.0 24 192.168.10.254   # static route
 ip route-static 192.168.20.0 24 192.168.10.254   # static route to the server segment; without it the AC cannot reach the RADIUS server and authentication fails
 ip route-static 192.168.30.0 24 192.168.10.254   # static route to the AP segment; without it the APs cannot register with the AC
#
 undo info-center logfile enable
#
 radius session-control enable      # enable the RADIUS session-control feature
#
radius scheme rd01                   # new RADIUS scheme: authentication/authorization/accounting server addresses and keys
 primary authentication 192.168.20.2 key cipher $cations 3$ H/oG+QiqvYDHlrCjYQtLXoWoKXbOf9mSuU1N
 primary accounting 192.168.20.2 key cipher $clocks 3 $4/xA5b5wob1GLTAt+J4pxJJf8NuaSzQOiYn2
 key authentication cipher $cations 3$ bCmB/bA01ZFxZnpa1xxpBCLeIZnQ2uhhp4Ee
 key accounting cipher $cations 3 $NXsfRNwLjlhQw0YMKdmAgf2L2oQFVFGGIGpp
 nas-ip 192.168.10.252              # NAS-IP, i.e. the AC address
#
radius dynamic-author server        # enable and configure the RADIUS DAE (dynamic authorization) server
 client ip 192.168.20.2 key cipher $GRXfDjXnWehlelAEC7r8/UOIFw9OYwzfwvZd
#
domain dm01                          # new local ISP domain
 authentication lan-access radius-scheme rd01
 authorization lan-access radius-scheme rd01
 accounting lan-access radius-scheme rd01
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $hong6 $D5QsfpSiuEZF2/U4 $8Q1ajQroom0kHYMJjx5sJESu48zPANJJjx5sJESu48zPANJJjxSM7JP3MJP6o4DXCQroomPeGwqXGX39NRZX8HsGSCC1YdCZJCtzUYsgchains =
 service-type telnet http https
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
 wlan auto-ap enable
 wlan auto-persistent enable
#
wlan global-configuration
#
wlan ap-group default-group
 vlan 1
#
wlan ap 38ad-be58-d860 model WA4320H
 serial-id 219801A0YG8178E08438
 radio 1
 radio 2
#
wlan ap 38ad-be58-d6a0 model WA4320H
 serial-id 219801A0YG8178E08424
 radio 1
  radio enable
  service-template 1
 radio 2
#
 cloud-management server domain oasis.h4c.com
#
return

II. Server configuration

1. Domain server configuration (details omitted)

After the standard installation of the domain server, install the certificate service.

Configure Certificate Services on the AD server:

Add the certification authority and certificate web enrollment role services.

Certificate service installed successfully

Request a server certificate for the RADIUS (NPS) server.

Valid for 365 days

2. RADIUS server configuration

The RADIUS (NPS) server configuration has four parts.

2.1. Create a new shared secret template

2.2. Create a new RADIUS client

The RADIUS client is usually the address of the AC. With some vendors' wireless APs that use a software AC, the RADIUS clients are the IP addresses of all the APs (in that case the APs must be given fixed IP addresses).

2.3. Connection request policy

Connection request policies and network policies correspond to each other; usually one department (or one VLAN) corresponds to one policy.

2.4. Network policy

In the network policy, the important parameters to set are:

Corresponding security group: the Windows group this policy applies to, usually a department's security group

Authentication method: EAP type

Framed-Protocol: PPP

Service-Type: Framed

Tunnel-Medium-Type: the tunnel medium type, 802

Tunnel-Pvt-Group-ID: the VLAN the department's users are placed in
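The attributes listed above are what NPS puts into the RADIUS Access-Accept, and the AC acts on them to place the client in the VLAN. The following is an added example, not code from the article, NPS or H3C: it builds that attribute set for a department VLAN (Service-Type 6 = Framed, Framed-Protocol 7 = PPP, Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = IEEE-802, Tunnel-Private-Group-ID 81, all per RFC 2865/2868; Tunnel-Type is required as well, although the list above does not name it) and then parses such an Access-Accept the way a careful NAS would, accepting a VLAN only when all three tunnel attributes are present, share one tag, and name a VLAN on an allow-list. The group names and the group-to-VLAN mapping are constructed for the example; the allow-list holds the page's production VLANs 40/50/60, so an Access-Accept pointing a wireless user at the server VLAN 20 is refused.

```python
"""Build and validate the RADIUS attributes used for dynamic VLAN assignment (RFC 2865/2868)."""
import struct

SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed sample mapping: Windows security group -> production VLAN (the page's 40/50/60).
GROUP_TO_VLAN = {"WLAN-Dept40": 40, "WLAN-Dept50": 50, "WLAN-Dept60": 60}
ALLOWED_USER_VLANS = frozenset(GROUP_TO_VLAN.values())


def _avp(attr_type, value):
    """One RADIUS attribute: Type (1 byte) | Length (1 byte, header included) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type, value, tag):
    """RFC 2868 tagged integer: a one-byte tag followed by a three-byte value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_vlan_attributes(vlan, tag=0):
    """The attribute set an NPS network policy returns for dynamic VLAN assignment."""
    return b"".join([
        _avp(SERVICE_TYPE, SERVICE_TYPE_FRAMED.to_bytes(4, "big")),
        _avp(FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP.to_bytes(4, "big")),
        _tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag),
        _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")),
    ])


def attributes_for_group(group):
    """What the policy matching this security group would send."""
    return build_vlan_attributes(GROUP_TO_VLAN[group])


def parse_attributes(data):
    """Split a RADIUS attribute blob into (type, value) pairs, refusing bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def _split_tag(value):
    """RFC 2868: a first byte above 0x1F is not a tag but the start of the string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(data, allowed=ALLOWED_USER_VLANS):
    """Return the VLAN to apply, or None if the attributes are incomplete,
    inconsistent, or name a VLAN that wireless users must never land in."""
    tunnel = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            tunnel[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tunnel[attr_type] = _split_tag(value)
    if set(tunnel) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return None                      # all three tunnel attributes are required
    if len({tag for tag, _ in tunnel.values()}) != 1:
        return None                      # they must describe the same tunnel (same tag)
    if tunnel[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or tunnel[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    group_id = tunnel[TUNNEL_PRIVATE_GROUP_ID][1]
    if not group_id.isdigit():
        return None                      # only numeric VLAN IDs are accepted here
    vlan = int(group_id)
    if not 1 <= vlan <= 4094 or vlan not in allowed:
        return None
    return vlan


if __name__ == "__main__":
    accept = attributes_for_group("WLAN-Dept40")
    print(accept.hex(), "->", vlan_from_accept(accept))
    print("server VLAN refused:", vlan_from_accept(build_vlan_attributes(20)))
```

The allow-list is the part worth copying: the AC trusts whatever VLAN the Access-Accept names, so a typo in one network policy's Tunnel-Pvt-Group-ID can put a department's users into the management or server segment. Checking the returned VLAN against the set of VLANs a wireless user is ever allowed to receive catches that before a client is bridged.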

With this, RADIUS dynamic VLAN assignment for wireless users is in place.
