【割接梳理】Cisco设备替换为Huawei/H3C的安全准入（AAA/Radius/Dot1X/MAC绑定）配置梳理_authentication mode multi-authen

背景：

某局点需要将数台Cisco Catalyst 2960接入交换机替换为Huawei S5731/H3C S5130交换机。

本人的职责是负责检查及补充由Cisco翻译后的Huawei/H3C配置，现场支持设备割接。

Cisco Catalyst 2960（IOS 12.2）安全准入相关（现有）配置梳理：

aaa new-model        //启用AAA认证
!
aaa authentication login default line none        //创建缺省登录认证列表;采用line password
aaa authentication dot1x default group radius none        //AAA缺省通过802.1X，使用radius认证服务
aaa authorization network default group radius         //AAA缺省通过radius网络授权
!
no ip domain-lookup
ip domain-name xxxx.com
vtp mode transparent
!
dot1x system-auth-control        //全局启用802.1X
dot1x guest-vlan supplicant        //允许客户端切换到guest-vlan
dot1x critical eapol
!
interface GigabitEthernet1/0/1        //普通Dot1x接口
 switchport access vlan A
 switchport mode access
 authentication event no-response action authorize vlan B        //设置逃生Vlan
 authentication host-mode multi-auth
//端口配置多认证模式:
不支持vlan切换（按需配置），
单主机模式，
multi-host多主机模式（其中一台认证通过全放行），
multi-domain多域模式（IP电话场景应用）
 authentication port-control auto
//当端口接入设备时自动进行认证
 mab eap        //端口开启MAB认证功能
 dot1x pae authenticator        //端口使能802.1x认证
 spanning-tree portfast
!
interface GigabitEthernet1/0/45        //MAC绑定接口
 switchport access vlan A
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1111.2222.3333 vlan access
 authentication event no-response action authorize vlan B
//如上，只允许MAC地址为1111.2222.3333的终端接入并做认证
 spanning-tree portfast
!
radius-server host 192.168.x.y auth-port 1812 acct-port 1813 key 7 0701224E4Fxxxx
radius-server host 192.168.x.z auth-port 1812 acct-port 1813 key 7 020807590Axxxx
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 3
radius-server vsa send authentication
!

H3C S5130（Comware_V7）安全准入相关（预）配置梳理：

本割接预配置脚本由局点方提供，需要笔者进行梳理。

#
 dot1x        //全局使能dot1x功能
 dot1x authentication-method eap        //设备采用eap中继认证方式
#
 mac-authentication        //全局使能MAC地址认证
 mac-authentication domain XXXX.com        //指定MAC地址认证用户使用的认证域
#
interface GigabitEthernet1/0/1        //普通Dot1x接口
 port access vlan A
 stp edged-port
 dot1x
 mac-authentication
#
interface GigabitEthernet1/0/32        //MAC绑定接口
 port access vlan A
 stp edged-port
 mac-address static 1111-2222-3333 vlan A
#
radius scheme XXXX.com
 primary authentication 192.168.x.y
 primary accounting 192.168.x.y
 secondary authentication 192.168.x.z
 secondary accounting 192.168.x.z
 key authentication cipher XXXXXXXXXX
 key accounting cipher XXXXXXXXXX
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain XXXX.com
 authentication lan-access radius-scheme XXXX.com local
 authorization lan-access radius-scheme XXXX.com local
 accounting lan-access radius-scheme XXXX.com local
#
 domain default enable XXXX.com
#
return

Huawei S5731（VRP 7）安全准入相关（预）配置梳理：

本割接预配置脚本由局点方提供，需要笔者进行梳理。

#
authentication-profile name auth-new
 dot1x-access-profile dot1x-test
 mac-access-profile mac-auth
 access-domain XXXX.cn force
 
authentication-profile name default_authen_profile
 
authentication-profile name dot1x-test
 dot1x-access-profile dot1x-test
 mac-access-profile mac_access_profile
 authentication mode multi-authen max-user 50
 access-domain XXXX.cn force
 
authentication-profile name dot1x_authen_profile
 
authentication-profile name dot1xmac_authen_profile
 
authentication-profile name mac-auth
 mac-access-profile mac_access_profile
 authentication mode multi-authen max-user 100
 access-domain XXXX.cn force
 
authentication-profile name mac_authen_profile
 
authentication-profile name multi_authen_profile
 
authentication-profile name portal_authen_profile
#
radius-server template XX-test
 radius-server shared-key cipher xxxxxxxxxx
 radius-server authentication 192.168.x.y 1812 weight 80
 radius-server authentication 192.168.x.z 1812 weight 80
 radius-server accounting 192.168.x.y 1813 weight 80
 radius-server accounting 192.168.x.z 1813 weight 80
#
aaa
 domain XXXX.cn
  authentication-scheme acs
  accounting-scheme default
  radius-server XX-test
#
interface GigabitEthernet0/0/1            
 port link-type access
 port default vlan A
 stp edged-port enable
 authentication-profile dot1x-test
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan A
 stp edged-port enable
 port-security enable
 port-security mac-address sticky
#
dot1x-access-profile name dot1x-test
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac-auth
mac-access-profile name mac_access_profile

梳理：

1. H3C/Huawei设备上似乎没有配置接口的逃生功能，即类似Cisco上，在Radius服务器无响应时，将该接口划入Vlan B，保障其未认证时也能够访问一定资源。
2. Huawei设备的MAC绑定接口下没有指定明确的MAC地址。

针对如上两项编写脚本：

H3C：

interface GigabitEthernet1/0/x
 port access vlan A
 stp edged-port
 dot1x
 mac-authentication
 dot1x guest-vlan B        ----新增内容----
#
interface GigabitEthernet1/0/y
 port access vlan A
 stp edged-port
 mac-address static 1111-2222-3333 vlan A
 dot1x guest-vlan B        ----新增内容----

Huawei：

interface GigabitEthernet0/0/1            
 port link-type access
 port default vlan A
 stp edged-port enable
 authentication-profile dot1x-test
 authentication critical-vlan B          ----新增内容----
 authentication critical eapol-success        ----新增内容----
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan A
 stp edged-port enable
 port-security enable
 port-security mac-address sticky
 authentication critical-vlan B       ----新增内容----   
 authentication critical eapol-success        ----新增内容----
 port-security mac-address 2222-3333-4444 vlan B        ----新增内容----

暂时就这样好了，有什么事情现场再说好了（^^）