Cisco 2950G 802.1X+AD+CA+IAS进行RADIUS身份验证

来源：互联网发布：apache 监听外网ip 编辑：程序博客网时间：2024/05/29 13:21

802．1x身份验证

要求：

1. 交换机支持802.1X协议。

2. 有一台RADIUS服务器。

3. 一台客户端。

网络拓扑：

验证方式：

PEAP验证：使用证书＋AD用户集成认证;

环境：

Operation System: Windows 2003 enterprise edition

Radius Server: windows IAS(Internet 验证服务，windows组件中安装)

CA Server: Windows CA证书服务(windows组件中安装)

Radius Client: Windows自带。（网络连接->属性->验证），如果没有“验证”选项卡，则是相关服务没有启用。（开始->运行->services.msc->启动” Wireless Zero Configuration”服务）

配置：

1. 安装域，域名暂时定为：test.com。过程略，查看相关文档

2. 安装IIS(Internet信息服务),IAS,CA：控制面板－>添加/删除程序->安装windows组件,如图:

注意先安装IIS->CA->IAS,顺序不能乱了.

3. 配置CA:配置过程略,参考相关资料.

4. CISCO 2950G-48-EI交换机配置:

Building configuration...

Current configuration : 4944 bytes

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname Layer_4_2

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

ip subnet-zero

spanning-tree mode mst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

dot1x system-auth-control

interface FastEthernet0/1

switchport access vlan 6

interface FastEthernet0/1.1

interface FastEthernet0/2

switchport access vlan 6

interface FastEthernet0/3

switchport access vlan 6

interface FastEthernet0/4

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/5

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/6

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/7

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/8

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/9

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/10

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/11

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/12

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/13

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/14

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/15

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/16

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/17

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/18

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/19

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/20

switchport access vlan 6

interface FastEthernet0/21

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/22

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/23

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/24

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/25

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/26

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/27

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/28

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/29

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/30

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/31

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/32

switchport access vlan 6

spanning-tree portfast

interface FastEthernet0/33

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/34

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/35

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/36

switchport mode access

dot1x port-control auto

dot1x guest-vlan 21

spanning-tree portfast

interface FastEthernet0/37

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/38

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/39

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/40

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/41

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/42

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/43

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/44

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/45

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/46

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/47

switchport access vlan 7

spanning-tree portfast

interface FastEthernet0/48

switchport access vlan 7

spanning-tree portfast

interface GigabitEthernet0/1

switchport mode trunk

interface GigabitEthernet0/2

interface Vlan1

ip address 192.168.0.1 255.255.255.0

no ip route-cache

interface Vlan6

ip address 192.168.1.1 255.255.255.0

no ip route-cache

shutdown

interface Vlan7

ip address 192.168.2.1 255.255.255.0

no ip route-cache

shutdown

ip http server

radius-server host 192.168.0.2 auth-port 1812 acct-port 1813 key test

radius-server retransmit 3

radius-server vsa send authentication

line con 0

line vty 0 4

monitor session 1 source interface Fa0/1

monitor session 1 destination interface Fa0/43

end

Layer_4_2#

5. 配置IAS:

a) 打开IAS:

b) 新建立”RADIUS客户端”:

c) 新建访问策略

d) 修改策略属性

6. 客户端设置:

a) 配置网络连接

b) 设置为自动获取IP

7. 基本上,已经设置完毕.用户加入域后,登录域时自动下载证书.

a) 如果有证书,则将获取相应VLAN的IP.

b) 如果没有IP,将获取guest-vlan的IP.

8. 一些配置步骤都已经省去,对于做网络的人来说,那些步骤应该不是什么问题吧.呵呵.有问题,有时再联系.

我的邮件:define.chang@gmail.com

MSN:fandy-zhang@hotmail.com

我的个人主页：http://www.51define.cn