2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Identity authentication is the process by which, when a user of a computer system enters the system or accesses system resources with different levels of protection, the system confirms that the user's identity is true, legal and unique. Its main purpose is to prevent unauthorized users from entering the system, and to prevent them from accessing controlled information through abnormal operations or maliciously destroying the integrity of system data. In recent years, more and more organizations have used identity authentication systems to encrypt users' access to network resources. Among the many solutions, the RADIUS authentication system is the most widely used. A large number of enterprises, government agencies, colleges and universities use a RADIUS authentication system to authenticate the identity of users accessing the network, determine whether a user has Internet access rights, and record the relevant information.
Security Technology 1: dot1x and a RADIUS AAA server
[Purpose of the experiment]
① Single-arm routing on the firewall provides communication between multiple VLANs.
② The firewall's DHCP relay provides dynamic address acquisition across multiple VLANs.
③ Users are authenticated by AAA before accessing the public network.
④ Remote in-band management (Telnet) of each device requires AAA authentication.
[Topology planning]
Configuration commands
Switch configuration
[Quidway] dis cu
#
 sysname Quidway
#
 super password level 3 simple 123456
#
 local-server nas-ip 192.168.30.151 key 123456
#
 domain default enable ty
#
 dot1x
 dot1x authentication-method pap
#
radius scheme system
radius scheme xxx
 server-type standard
 primary authentication 192.168.30.151
 accounting optional
 key authentication 123456
 user-name-format without-domain
#
domain system
domain ty
 scheme radius-scheme xxx
 access-limit enable 10
 accounting optional
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
 ip address 192.168.1.1 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
 port access vlan 10
 dot1x
#
interface Ethernet1/0/2
 port access vlan 20
 dot1x
#
interface Ethernet1/0/3
 port access vlan 30
#
interface Ethernet1/0/4
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.1.254 preference 60
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
Firewall configuration
%Aug 12 18:10:37:367 2013 H3C SHELL/4/LOGIN: Console login from con0
sys
System View: return to User View with Ctrl+Z.
[H3C] dis cu
#
 sysname H3C
#
 super password level 3 simple 123456
#
 domain default enable ty
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 undo insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
radius scheme ty
 server-type standard
 primary authentication 192.168.30.151
 key authentication 123456
 user-name-format without-domain
#
domain system
domain ty
 scheme radius-scheme ty
 authentication local
 access-limit enable 10
 accounting optional
#
local-user admin
 password cipher .] @ USE=B,53Q= ^ Q`MAF4
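An added example, not part of the original article or of any vendor tooling: a small Python audit that flags the weak lab settings visible in the two configurations above (a clear-text `simple` password, 802.1X PAP, a six-character shared key, `accounting optional`, and a default-permit packet filter). The rule names and the 16-character minimum key length are assumptions, and sub-commands are assumed to be indented the way the device prints them.

```python
import re

# Constructed sample: lines copied from the two configurations on this page.
SAMPLE = """\
super password level 3 simple 123456
dot1x authentication-method pap
radius scheme xxx
 key authentication 123456
domain ty
 accounting optional
firewall packet-filter default permit
"""

MIN_KEY_LEN = 16  # assumed local policy, not a vendor requirement

# (rule id, pattern for one stripped config line, reason)
RULES = [
    ("plaintext-password", re.compile(r"^super password .*\bsimple\b"),
     "privilege password is stored in clear text in the configuration"),
    ("dot1x-pap", re.compile(r"^dot1x authentication-method pap$"),
     "on the RADIUS leg the user password is hidden only by the shared key"),
    ("default-permit", re.compile(r"^firewall packet-filter default permit$"),
     "packets not matched by any ACL rule are forwarded"),
    ("accounting-optional", re.compile(r"^accounting optional$"),
     "users stay online when accounting fails, so records can be missing"),
]
KEY_RE = re.compile(r"^(?:key authentication|local-server nas-ip \S+ key) (\S+)$")

def audit(config_text):
    """Return (line_no, section, rule_id, reason) for each weak setting."""
    findings, section = [], "global"
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            section = line
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((no, section, rule_id, reason))
        m = KEY_RE.match(line)
        if m and len(m.group(1)) < MIN_KEY_LEN:
            findings.append((no, section, "weak-radius-key",
                             f"shared key is only {len(m.group(1))} characters"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Each finding carries the section it was found in, so the same `key authentication` line is reported separately for every RADIUS scheme that reuses the short key.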