交换机802.1x配置文档

桌面防御及网络准入系统培训文档设置交换机IEEE802.1x协议,.,思科交换机的配置Ciscoswitchconfiguration,.,CiscoIOS,IEEE802.1x的功能只有在CiscoIOS12.1以上的版本中可用，如果交换机的IOS版本是12.0或12.0以下，所有关于dot1x的选项和命令将不可用。,.,配置IEEE802.1X认证,1）进入全局模式configureterminal2）启用AAAaaanew-model3）建立IEEE802.1x认证列表aaaauthenticationdot1xdefaultmethod1default:将后面指定的身份验证方法作为默认配置，自动作用于所有IEEE802.1xmethod1:指定身份验证的方法4）启用IEEE802.1x授权dot1xsystem-auth-control,.,配置IEEE802.1X认证,5）建立授权（可选）aaaauthorizationnetworkdefaultgroupradius指定通过RADIUS服务起来建立授权6）指定RADIUS服务器的地址radius-serverhostIP地址7）指定密钥radius-serverkey密钥8）进入接口模式interface接口9）启用IEEE802.1x认证switchportmodeaccessdot1xport-controlauto10）验证结果showdot1x,.,配置交换机域RADIUS服务器之间通信,1）进入全局模式configureterminal2）配置RADIUS服务器特征radius-serverhost主机名|IP地址auth-port端口号key密钥auth-port:UDP端口号,.,配置重认证周期,1）进入全局模式configureterminal2）进入接口模式interface接口3）启用IEEE802.1x重认证dot1xreauthentication4）设置重认证周期dot1xtimeoutreauth-period秒数秒数：默认为3600秒，取值为1-655355）验证结果showdot1xinterface接口,.,配置安静周期,交换机在与客户的一次失败验证交换之后保持安静状态的时间1）进入全局模式configureterminal2）进入接口模式interface接口3）配置安静周期Quietperioddot1xtimeoutquiet-period秒数秒数：默认为60秒，取值为1-65535,.,配置实践,配置AAA的认证和授权cisco2950cisco2950enablecisco2950#conftcisco2950(config)#aaanew-modelcisco2950(config)#aaaauthenticationlogindefaultlocalcisco2950(config)#aaaauthenticationdot1xdefaultgroupradiuscisco2950(config)#aaaauthorizationnetworkdefaultgroupradiuscisco2950(config)#dot1xsystem-auth-controlcisco2950(config)#end,.,配置实践,配置radius服务器cisco2950cisco2950enablecisco2950#conftcisco2950(config)#radius-serverhost192.168.9.5auth-port1812acct-port1813keySyg123$cisco2950(config)#radius-serverretransmit3cisco2950(config)#end,.,配置实践,在端口Fa0/2上启用802.1x验证cisco2950cisco2950enablecisco2950#conftcisco2950(config)#interfacefa0/2cisco2950(config-if)#swichportmodeaccesscisco2950(config-if)#dot1xport-controlautocisco2950(config-if)#dot1xtimeoutquiet-period30cisco2950(config-if)#dot1xtimeoutreauth-period30cisco2950(config-if)#dot1xreauthenticatoncisco2950(config-if)#dot1xguest-vlanvlan4cisco2950(config-if)#end,.,配置实践,在多个端口Fa0/3-18上启用802.1x验证cisco2950cisco2950enablecisco2950#conftcisco2950(config)#interfacerangefa0/3-18cisco2950(config-if)#swichportmodeaccesscisco2950(config-if)#dot1xport-controlautocisco2950(config-if)#dot1xtimeoutquiet-period30cisco2950(config-if)#dot1xtimeoutreauth-period30cisco2950(config-if)#dot1xreauthenticatoncisco2950(config-if)#dot1xguest-vlanvlan4cisco2950(config-if)#end,.,配置实践,在交换机上添加Vlan:添加三个Vlan:Vlan2gongzuo(正常工作Vlan)、Vlan3geli（隔离Vlan)、Vlan4guestvlan(来宾vlan)cisco2950cisco2950enablecisco2950#vlandatabasecisco2950(vlan)#vlan2namegongzuoVLAN2added:Name:gongzuocisco2950(vlan)#vlan3namegeliVLAN3added:Name:gelicisco2950(vlan)#vlan4nameguestvlanVLAN4added:Name:guestvlancisco2950(vlan)#exit,.,配置实践,跨交换机Vlan设置1:一个Vlan跨多个交换机时，需要分别把交换机的某一个端口模式设为trunck，以Vlan跨一台3750交换机和一台2950交换机为例，3750交换机操作为添加三个Vlan:Vlan2gongzuo(正常工作Vlan)、Vlan3geli（隔离Vlan)、Vlan4guestvlan(来宾vlan)cisco3750cisco3750enablecisco3750#vlandatabasecisco3750(vlan)#vlan2namegongzuoVLAN2added:Name:gongzuocisco2950(vlan)#vlan3namegeliVLAN3added:Name:gelicisco3750(vlan)#vlan4nameguestvlanVLAN4added:Name:guestvlancisco3750(vlan)#exitcisco3750#conftcisco3750(config)#interfacefa0/1cisco3750(config-if)#swichportmodetrunckcisco3750(config-if)#end,.,配置实践,跨交换机Vlan设置2:一个Vlan跨多个交换机时，需要分别把交换机的某一个端口模式设为trunck，以Vlan跨一台3750交换机和一台2950交换机为例，2950交换机操作为添加三个Vlan:Vlan2gongzuo(正常工作Vlan)、Vlan3geli（隔离Vlan)、Vlan4guestvlan(来宾vlan)cisco2950cisco2950enablecisco2950#vlandatabasecisco2950(vlan)#vlan2namegongzuoVLAN2added:Name:gongzuocisco2950(vlan)#vlan3namegeliVLAN3added:Name:gelicisco2950(vlan)#vlan4nameguestvlanVLAN4added:Name:guestvlancisco2950(vlan)#exitcisco2950#conftcisco2950(config)#interfacefa0/1cisco2950(config-if)#swichportmodetrunckcisco2950(config-if)#end,.,配置实践,跨交换机Vlan设置2:一个Vlan跨多个交换机时，需要分别把交换机的某一个端口模式设为trunck，以Vlan跨一台3750交换机和一台2950交换机为例，2950交换机操作为添加三个Vlan:Vlan2gongzuo(正常工作Vlan)、Vlan3geli（隔离Vlan)、Vlan4guestvlan(来宾vlan)cisco2950cisco2950enablecisco2950#vlandatabasecisco2950(vlan)#vlan2namegongzuoVLAN2added:Name:gongzuocisco2950(vlan)#vlan3namegeliVLAN3added:Name:gelicisco2950(vlan)#vlan4nameguestvlanVLAN4added:Name:guestvlancisco2950(vlan)#exitcisco2950#conftcisco2950(config)#interfacefa0/1cisco2950(config-if)#swichportmodetrunckcisco2950(config-if)#end,.,配置实践,为Vlan2设置IP地址:cisco2950cisco2950enablecisco2950#conftcisco2950(config)#interfacevlan2cisco2950(config-if)#ipaddress192.168.64.32255.255.255.0cisco2950(config-if)#noshutdowncisco2950(config-if)#end,.,配置实践,把多个端口加入Vlan2:cisco2950cisco2950enablecisco2950#conftcisco2950(config)#interfacerangefa0/3-18cisco2950(config-if)#swichportmodeaccesscisco2950(config-if)#swichportaccessvlan2cisco2950(config-if)#noshutdowncisco2950(config-if)#end,.,华为交换机的配置Huaweiswitchconfiguration,.,华为交换机配置,启用全局802.1x认证Dot1x认证方法为EAPDot1xauthentication-methodeap创建名为radius1的Radius方案Radiusschemeradius1主认证服务器IPPrimaryauthentication192.168.64.221645/1812主计费服务器IPPrimaryaccounting192.168.64.221646/1813,.,华为交换机配置,Radius认证功能的密码为symantecKeyauthenticationsymantecRadius计费功能的密码为symantecKeyaccountingsymantec退出Quit启用接口的802.1x认证Dot1xinterfaceeth0/1toeth0/10引用radius1的Radius方案DomainsystemSchemeradius-schemeradius1,.,华为交换机配置,开启所有接口的802.1x认证Dot1xinterface设置认证方式（缺省就是macbased，不用做这个命令）Dot1xport-methodmacbasedinterfaceeth0/1toeth0/10,.,23,&,ANSWERS,QUESTIONS,.,ThankYou,Copyright2007SymantecCorporation.Allrightsreserved.SymantecandtheSymantecLogoaretrademarksorregisteredtrademarksofSymantecCorporationoritsaffiliatesintheU.S.andothercountries.Othernamesmaybetradema