At one site, several Cisco Catalyst 2960 access switches had to be replaced with Huawei S5731 / H3C S5130 switches.
My job was to check and complete the Huawei/H3C configurations translated from the Cisco ones, and to support the device cutover on site.
The original Cisco configuration:
```
aaa new-model                                    // enable AAA
!
aaa authentication login default line none       // default login authentication list: use the line password
aaa authentication dot1x default group radius none   // 802.1X authentication goes to the RADIUS server group by default
aaa authorization network default group radius   // network authorization via RADIUS by default
!
no ip domain-lookup
ip domain-name xxxx.com
vtp mode transparent
!
dot1x system-auth-control                        // enable 802.1X globally
dot1x guest-vlan supplicant                      // allow clients to be moved to the guest VLAN
dot1x critical eapol
!
interface GigabitEthernet1/0/1                   // ordinary dot1x port
 switchport access vlan A
 switchport mode access
 authentication event no-response action authorize vlan B   // fallback ("escape") VLAN
 authentication host-mode multi-auth
 // host mode multi-auth: no VLAN switching (configure as needed); the other modes are
 // single-host, multi-host (once one host passes, all are admitted) and
 // multi-domain (IP phone scenario)
 authentication port-control auto                // authenticate automatically when a device connects
 mab eap                                         // enable MAB on the port
 dot1x pae authenticator                         // enable 802.1X authenticator on the port
 spanning-tree portfast
!
interface GigabitEthernet1/0/45                  // MAC-binding port
 switchport access vlan A
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1111.2222.3333 vlan access
 authentication event no-response action authorize vlan B
 // as above, but only the terminal with MAC address 1111.2222.3333 is admitted and authenticated
 spanning-tree portfast
!
radius-server host 192.168.x.y auth-port 1812 acct-port 1813 key 7 0701224E4Fxxxx
radius-server host 192.168.x.z auth-port 1812 acct-port 1813 key 7 020807590Axxxx
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 3
radius-server vsa send authentication
!
```
The following cutover pre-configuration script (H3C) was provided by the site; I had to go through it.
```
#
dot1x                                            // enable dot1x globally
dot1x authentication-method eap                  // the switch uses EAP relay
#
mac-authentication                               // enable MAC address authentication globally
mac-authentication domain XXXX.com               // authentication domain for MAC-authenticated users
#
interface GigabitEthernet1/0/1                   // ordinary dot1x port
 port access vlan A
 stp edged-port
 dot1x
 mac-authentication
#
interface GigabitEthernet1/0/32                  // MAC-binding port
 port access vlan A
 stp edged-port
 mac-address static 1111-2222-3333 vlan A
#
radius scheme XXXX.com
 primary authentication 192.168.x.y
 primary accounting 192.168.x.y
 secondary authentication 192.168.x.z
 secondary accounting 192.168.x.z
 key authentication cipher XXXXXXXXXX
 key accounting cipher XXXXXXXXXX
 user-name-format without-domain
#
radius scheme system
 user-name-format without-domain
#
domain XXXX.com
 authentication lan-access radius-scheme XXXX.com local
 authorization lan-access radius-scheme XXXX.com local
 accounting lan-access radius-scheme XXXX.com local
#
domain default enable XXXX.com
#
return
```
The following cutover pre-configuration script (Huawei) was provided by the site; I had to go through it.
```
#
authentication-profile name auth-new
 dot1x-access-profile dot1x-test
 mac-access-profile mac-auth
 access-domain XXXX.cn force

authentication-profile name default_authen_profile

authentication-profile name dot1x-test
 dot1x-access-profile dot1x-test
 mac-access-profile mac_access_profile
 authentication mode multi-authen max-user 50
 access-domain XXXX.cn force

authentication-profile name dot1x_authen_profile

authentication-profile name dot1xmac_authen_profile

authentication-profile name mac-auth
 mac-access-profile mac_access_profile
 authentication mode multi-authen max-user 100
 access-domain XXXX.cn force

authentication-profile name mac_authen_profile

authentication-profile name multi_authen_profile

authentication-profile name portal_authen_profile
#
radius-server template XX-test
 radius-server shared-key cipher xxxxxxxxxx
 radius-server authentication 192.168.x.y 1812 weight 80
 radius-server authentication 192.168.x.z 1812 weight 80
 radius-server accounting 192.168.x.y 1813 weight 80
 radius-server accounting 192.168.x.z 1813 weight 80
#
aaa
 domain XXXX.cn
  authentication-scheme acs
  accounting-scheme default
  radius-server XX-test
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan A
 stp edged-port enable
 authentication-profile dot1x-test
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan A
 stp edged-port enable
 port-security enable
 port-security mac-address sticky
#
dot1x-access-profile name dot1x-test
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac-auth
mac-access-profile name mac_access_profile
```
Scripts written for the two items above:
H3C:
```
interface GigabitEthernet1/0/x
 port access vlan A
 stp edged-port
 dot1x
 mac-authentication
 dot1x guest-vlan B                              ---- added ----
#
interface GigabitEthernet1/0/y
 port access vlan A
 stp edged-port
 mac-address static 1111-2222-3333 vlan A
 dot1x guest-vlan B                              ---- added ----
```
Huawei:
```
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan A
 stp edged-port enable
 authentication-profile dot1x-test
 authentication critical-vlan B                  ---- added ----
 authentication critical eapol-success           ---- added ----
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan A
 stp edged-port enable
 port-security enable
 port-security mac-address sticky
 authentication critical-vlan B                  ---- added ----
 authentication critical eapol-success           ---- added ----
 port-security mac-address 2222-3333-4444 vlan B ---- added ----
```
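As an added example (not from the original post or from either vendor), the port mappings worked out above can be scripted so that a vendor-supplied H3C/Huawei script is diffed against the expected translation instead of being read line by line. It assumes constructed VLAN ids 10/20 in place of A/B, that the Huawei profile `dot1x-test` already exists, and that on Huawei the sticky MAC is bound in the access VLAN, as the H3C `mac-address static ... vlan A` line does.

```python
import re
# Constructed sample (assumption): the page's two Cisco ports, with VLAN A/B written as 10/20.
CISCO_SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication event no-response action authorize vlan 20
 mab eap
 dot1x pae authenticator
!
interface GigabitEthernet1/0/45
 switchport access vlan 10
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1111.2222.3333 vlan access
 authentication event no-response action authorize vlan 20
!
"""

def parse_cisco_interfaces(text: str) -> dict:
    blocks = {}
    for block in re.split(r"^!\s*$", text, flags=re.M):  # a bare '!' line closes a block
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0].startswith("interface "):
            blocks[lines[0].split(None, 1)[1]] = lines[1:]
    return blocks

def translate_interface(cmds: list, vendor: str) -> list:
    """Apply the page's Cisco -> H3C / Huawei port mappings to one interface block."""
    def grab(pat):  # first capture group of the first command matching pat, else None
        return next((m.group(1) for c in cmds if (m := re.match(pat, c))), None)
    vlan = grab(r"switchport access vlan (\S+)$")
    guest = grab(r"authentication event no-response action authorize vlan (\S+)$")
    macs = [m.group(1).replace(".", "-") for c in cmds  # 1111.2222.3333 -> 1111-2222-3333
            if (m := re.match(r"switchport port-security mac-address sticky (\S+) vlan", c))]
    dot1x, mab = "dot1x pae authenticator" in cmds, any(c.startswith("mab") for c in cmds)
    sticky = "switchport port-security mac-address sticky" in cmds
    if vendor == "h3c":
        out = [f"port access vlan {vlan}", "stp edged-port"] + ["dot1x"] * dot1x + ["mac-authentication"] * mab
        out += [f"mac-address static {mac} vlan {vlan}" for mac in macs]
        return out + [f"dot1x guest-vlan {guest}"] * bool(guest)
    out = ["port link-type access", f"port default vlan {vlan}", "stp edged-port enable"]
    out += ["authentication-profile dot1x-test"] * (dot1x or mab)  # profile name taken from the page's script
    out += ["port-security enable", "port-security mac-address sticky"] * sticky
    # the page maps Cisco's fallback VLAN to Huawei critical-vlan plus critical eapol-success
    out += [f"authentication critical-vlan {guest}", "authentication critical eapol-success"] * bool(guest)
    return out + [f"port-security mac-address {mac} vlan {vlan}" for mac in macs]  # access VLAN: assumption

def missing_lines(expected: list, supplied: list) -> list:
    have = {s.strip() for s in supplied}  # lines the vendor-supplied block lacks
    return [e for e in expected if e not in have]
```

Running `missing_lines` over the site's original H3C MAC-binding port reports exactly the `dot1x guest-vlan` line that had to be added.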
That's it for now; anything else can be sorted out on site (^^)