- 1每天5分钟复习OpenStack(三)_每天5分钟学习openstack
- 2【GitLab】-HTTP Basic: Access denied.remote:You must use a personal access token_remote: http basic: access denied. the provided pa
- 3堆与堆排序与topK问题_heapsort解决公交车数量问题c
- 4深度解读数据库引入LLVM技术后如何提升性能
- 5PythonCharm运行Django项目_pycharm运行django项目
- 6服务打包,报错无法删除target目录:Failed to delete E:....\target\classes\ip2region\ip2region.db -> [Help 1]_idea target无法删除
- 7【单元测试】Junit 4(二)--eclipse配置Junit+Junit基础注解_eclipse的junit配置
- 8SOLIDWORKS PDM 2021安装步骤_solidworks pdm安装
- 9word embedding理解_word embedding是什么
- 10基于PSO粒子群优化的CNN-LSTM的时间序列回归预测matlab仿真_cnn-pso-lstm
简单对比H3C/Huawei 802.1x+Radius/AAA配置差异_802.1x eap透传
赞
踩
1 802.1X基本概念
802.1x属于准入控制技术,又称EAPoE(Extensible Authentication Protocol Over Ethernet)
本地验证(交换机本地建立用户数据库)
CLient与Device之间跑的802.1x(EAP)
Device与Server之间跑的Radius(Radius也是C/S架构)
1.1 认证模式
基于接口:接口下第一个用户验证后,后续用户无需验证
基于MAC:每个用户都需要认证
1.2 认证方式
EAP终结:用户认证信息先交给设备,再由设备交给Server
EAP透传(EAP中继):用户上传用户名至设备后,后续认证信息直接传递给Server
1.3 端口控制方式
自动识别(默认)
强制授权(无论验证成功与否,都给予授权)
强制非授权(与前者相反)
2 802.1X认证触发机制
2.1 客户端主动触发(组播与广播方式)
组播:客户端向局域网内发送EAPOL-Start报文,目标MAC:0180.C200.0003
广播:以广播形式发送EAPOL-Start
2.2 设备端主动触发(组播与单播方式)
用于支持不能主动发送EAPOL-Start报文的客户端
组播:每30s发送EAP-Request/Identity报文
单播:受到到未处于MAC表中的设备,单播EAP-Request报文
3 EAP体系架构
MD5、TLS、TTLS、REAP、MS-CHAPv2
EAP(EAP可以承载如上协议)
802.1x
PPP、802.11
4 802.1x:EAP终结认证
Step1:Client→Device,EAPOL-Start
Step2:Client←Device,EAP-Request/Identity,设备询问用户名
Step3:Client→Device,EAP-Response/Identity,主机提供用户名
Step4:Client←Device,EAP-Request/MD5 Challenge,设备提供随机数,询问密码
Step5:Client→Device,EAP-Response/MD5 Challenge,设备提供密码+随机数生成的Hash值
Step6:Device→Server,Radius Access-Request(CHAP-Response/MD5 Challenge)
设备将数据承载在Radius协议上(Radius 79属性)交给Server认证
Step7:Device←Server,Radius Access-Accept(CHAP-Success)
服务端宣告认证成功
Step8:Client←Device,EAP-Success,设备告知用户认证成功(Port-Authorized)
......
Client→←Device,Handshake Request/Response[EAP-Request/Response/Identity],确定是否在线
......
Client→Device,EAPOL-Logoff,申请下线(Port Unauthorized)
5 EAP透传(即EAP中继)认证(略)
6 H3C Dot1x配置(HCL S6850 version7)
准入认证配置(Radius)
- <H3C>sys
- System View: return to User View with Ctrl+Z.
-
- [H3C]radius scheme A
- New RADIUS scheme.
- //创建一个radius域并进入视图,命名为A
-
- [H3C-radius-a]primary authentication 10.0.0.1
- //设置主认证Radius服务器地址及端口,端口可以不添加
-
- [H3C-radius-a]primary accounting 10.0.0.1
- //设置主计费Radius服务器地址及端口,端口可以不添加
-
- [H3C-radius-a]key authentication simple ayanami2022
- //设置系统与认证RADIUS服务器交互报文时的加密密码,命名如上
-
- [H3C-radius-a]user-name-format without-domain
- //用户名格式不带域名,交换机向3A服务器发送用户名时,不带域名,即不带下列配置的域名B
-
- [H3C-radius-a]quit
配置ISP域(Domain)与认证方案
- [H3C]domain B
- //创建域并进入(名称可以与radius域不一致)
-
- [H3C-isp-b]authorization lan-access radius-scheme A none
-
- [H3C-isp-b]authentication lan-access radius-scheme A
-
- [H3C-isp-b]accounting lan-access radius-scheme A
- //配置 802.1x用户使用 RADIUS 方案uniaccess进行认证、授权、计费
-
- [H3C-isp-b]quit
配置全局Dot1x
- [H3C]dot1x
-
- [H3C]domain default enable B
- //开启默认ISP域为B
配置接口Dot1x
- [H3C]int GigabitEthernet 1/0/1
-
- [H3C-GigabitEthernet1/0/1]dot1x port-method portbased
-
- [H3C-GigabitEthernet1/0/1]dot1x port-control auto
-
- [H3C-GigabitEthernet1/0/1]dot1x re-authenticate
-
- [H3C-GigabitEthernet1/0/1]quit
相关配置一览
- #
- radius scheme a
- primary authentication 10.0.0.1
- primary accounting 10.0.0.1
- key authentication cipher $c$3$dR9G70UJ7Bn8+mkOtakzZVXqVbN9f3q5AiXqQkRz
- user-name-format without-domain
- #
- domain b
- authentication lan-access radius-scheme a
- authorization lan-access radius-scheme a none
- accounting lan-access radius-scheme a
- #
- domain system
- #
- domain default enable b
- #
- interface GigabitEthernet1/0/1
- port link-mode bridge
- combo enable fiber
- dot1x port-method portbased
- dot1x re-authenticate
7 Huawei Dot1x配置(eNSP S5700 version5)
准入认证配置
- [Huawei]radius-server template A
-
- [Huawei-radius-a]radius-server shared-key simple ayanami2022
- //配置RADIUS服务器的共享密钥,此处是明文显示,建议密文
-
- [Huawei-radius-a]radius-server authentication 10.0.0.1 1812
- //指定认证服务器地址及端口(端口必须添加,认证端口为UDP 1812,H3C可以不强制添加端口)
-
- [Huawei-radius-a]radius-server accounting 10.0.0.1 1813
- //指定计费服务器地址及端口(如上)
-
- [Huawei-radius-a]undo radius-server user-name domain-included
- //用户名格式不带域名
配置ISP域-创建Radius认证/授权/计费方案
- [Huawei]aaa
- [Huawei-aaa]authentication-scheme B
- [Huawei-aaa-authen-b]authentication-mode radius
- [Huawei-aaa-authen-b]qu
- ----如上为认证方案(已经包括授权)----
-
- [Huawei-aaa]accounting-scheme B
- [Huawei-aaa-accounting-b]accounting-mode radius
- [Huawei-aaa-accounting-b]qu
- ----如上为计费方案----
-
- [Huawei-aaa]domain C
- //创建域“C”,并指定其为全局默认普通域。
-
- [Huawei-aaa-domain-c]radius-server A
-
- [Huawei-aaa-domain-c]authentication-scheme B
-
- [Huawei-aaa-domain-c]accounting-scheme B
配置全局Dot1x
- [Huawei]dot1x enable
-
- [Huawei]dot1x authentication-method eap
- //模式为EAP终结
-
- [Huawei]dot1x timer tx-period 5
- //配置发送认证请求的时间间隔为90秒配置发送认证请求的时间间隔为5s
配置接口Dot1x
- [Huawei]int GigabitEthernet 0/0/1
-
- [Huawei-GigabitEthernet0/0/1]dot1x enable
-
- [Huawei-GigabitEthernet0/0/1]dot1x port-control auto
-
- [Huawei-GigabitEthernet0/0/1]dot1x port-method mac
-
- [Huawei-GigabitEthernet0/0/1]dot1x reauthenticate
相关配置一览
- dot1x enable
- dot1x authentication-method eap
- dot1x timer tx-period 5
-
- #
- radius-server template a
- radius-server shared-key simple ayanami2022
- radius-server authentication 10.0.0.1 1812
- radius-server accounting 10.0.0.1 1813
- undo radius-server user-name domain-included
- #
- aaa
- authentication-scheme b
- authentication-mode radius
-
- accounting-scheme b
- accounting-mode radius
-
- domain c
- authentication-scheme b
- authorization-scheme b
- radius-server a
-
- #
- interface GigabitEthernet0/0/1
- dot1x enable
- dot1x reauthenticate
