S5700 with Cisco ACS for 802.1x authentication
Source: https://forum.huawei.com/enterprise/zh/thread-273549-1-1.html
S5700-52C-PWR-EI
Cisco ACS as the RADIUS server
!Software Version V200R003C00SPC300
#
#
vlan batch 2 to 3 10 100 300
#
dot1x enable
dot1x authentication-method eap
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
dhcp enable
#
dhcp snooping max-user-number 1024
#
radius-server template dot1x
radius-server shared-key cipher %@%@g^m]+bAZwN1+bfY-=4‘,-:,{%@%@
radius-server authentication 10.24.128.126 1645 source LoopBack 0 weight 80
radius-server authentication 10.25.145.126 1645 source LoopBack 0 weight 40
radius-server accounting 10.24.128.126 1646 source LoopBack 0 weight 80
radius-server accounting 10.25.145.126 1646 source LoopBack 0 weight 40
radius-server retransmit 2
undo radius-server user-name domain-included
#
dhcp server group dhcpgroup1
dhcp-server 10.24.188.18 0
dhcp-server 10.24.128.62 1
#
aaa
authentication-scheme default
authentication-scheme system
authentication-mode hwtacacs local
authentication-scheme dot1x-auth
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme dot1x-acc
accounting-mode radius
domain default
authentication-scheme dot1x-auth
accounting-scheme dot1x-acc
radius-server dot1x
domain default_admin
domain sc.net
authentication-scheme system
hwtacacs-server system
#
interface Vlanif1
#
interface Vlanif100
description DATA
ip address 10.25.164.1 255.255.255.128
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Vlanif300
description VOIP
ip address 10.25.74.193 255.255.255.192
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/2
undo negotiation auto
speed 100
port link-type access
port default vlan 300
storm-control broadcast min-rate percent 20 max-rate percent 50
storm-control action block
storm-control enable log
#
interface GigabitEthernet0/0/3
undo negotiation auto
speed 100
port link-type access
port default vlan 300
storm-control broadcast min-rate percent 20 max-rate percent 50
storm-control action block
storm-control enable log
#
interface GigabitEthernet0/0/4
undo negotiation auto
speed 100
port link-type access
port default vlan 300
stp bpdu-filter enable
stp edged-port enable
storm-control broadcast min-rate percent 20 max-rate percent 50
storm-control action block
storm-control enable log
#
interface GigabitEthernet0/0/5
undo negotiation auto
speed 100
voice-vlan 300 enable
port hybrid pvid vlan 100
port hybrid tagged vlan 300
port hybrid untagged vlan 100
stp bpdu-filter enable
stp edged-port enable
authentication event authen-server-down vlan 100
dot1x mac-bypass
storm-control broadcast min-rate percent 20 max-rate percent 50
storm-control action block
storm-control enable log
#
interface GigabitEthernet0/0/6
undo negotiation auto
speed 100
voice-vlan 300 enable
port hybrid pvid vlan 100
port hybrid tagged vlan 300
port hybrid untagged vlan 100
stp bpdu-filter enable
stp edged-port enable
authentication event authen-server-down vlan 100
dot1x mac-bypass
storm-control broadcast min-rate percent 20 max-rate percent 50
storm-control action block
storm-control enable log
#
Ports 5 and 6 have dot1x enable configured, but the command is not displayed; ports 1-4 do not have dot1x enabled.
authentication event authen-server-down vlan 100 is there so that, if the link between the switch and the RADIUS server has a problem, terminal devices can join VLAN 100 and keep working.
The RADIUS server only allows EAP-MD5 and EAP-TLS; PAP and CHAP are not allowed.
The PCs have dedicated certificates for authentication, and PC authentication currently works.
But the Avaya IP phones (model 9608) connected under those ports cannot be used normally. After the phone boots and the authentication username and password are entered, it keeps trying to connect to the call server. In the logs on the RADIUS server I found that the phone first initiates authentication with PAP, carrying vlan id=300, but PAP is not enabled on the RADIUS server, so that authentication fails. After that, the phone's authentication passes, but it carries vlan id=100, which is the Data VLAN rather than the Voice VLAN. Although this authentication success message is visible on the RADIUS server, the phone still cannot actually be used; its screen keeps showing that it is connecting to the call server, meaning the phone did not get an IP address in the correct Voice VLAN.
Authentication information for the port:
>display dot1x interface GigabitEthernet 0/0/5
GigabitEthernet0/0/5 status: UP 802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication mode is MAC-based
Authentication method is EAP
Reauthentication is disabled
Maximum users: 256
Current users: 1
Guest VLAN is disabled
Critical VLAN is disabled
Restrict VLAN is disabled
Authentication Success: 421 Failure: 11
EAPOL Packets: TX : 1300 RX : 1281
Sent EAPOL Request/Identity Packets : 447
EAPOL Request/Challenge Packets : 424
Multicast Trigger Packets : 0
EAPOL Success Packets : 421
EAPOL Failure Packets : 8
Received EAPOL Start Packets : 430
EAPOL Logoff Packets : 3
EAPOL Response/Identity Packets : 424
EAPOL Response/Challenge Packets: 424
Online user(s) info:
UserId MAC/VLAN AccessTime UserName
------------------------------------------------------------------------------
241 a425-1b4f-97dc/100 2015/09/14 10:09:59 12345
------------------------------------------------------------------------------
Total 1,1 printed
>display mac-address authen
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
a425-1b4f-96f9 100/- GE0/0/6 authen
a425-1b4f-97dc 100/- GE0/0/5 authen
-------------------------------------------------------------------------------
Total items displayed = 2
Also, the MAC bypass function does not work either. I tried connecting a printer and added the printer's MAC address on the RADIUS server, but after connecting it there was no response, and restarting the printer had no effect.
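As an added example (not from the original post and not Huawei's code), a small Python audit that reads the interface configuration and the display mac-address authen table shown above and flags authenticated MACs sitting in a VLAN other than the one their port should place them in; the set of phone MAC prefixes is an assumption taken from the two entries in the output.

```python
import re

# Constructed sample, copied from the poster's config and output above.
CONFIG = """\
interface GigabitEthernet0/0/5
 voice-vlan 300 enable
 port hybrid pvid vlan 100
interface GigabitEthernet0/0/6
 voice-vlan 300 enable
 port hybrid pvid vlan 100
"""
MAC_AUTHEN = """\
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
a425-1b4f-96f9 100/- GE0/0/6 authen
a425-1b4f-97dc 100/- GE0/0/5 authen
"""
# Assumption: MAC prefixes treated as IP phones (the a425-1b prefix shared by
# both entries in the poster's output; substitute your own phone inventory).
PHONE_OUIS = {"a425-1b"}

ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)/\S+\s+(\S+)\s+\S+$")

def parse_port_vlans(config):
    """Map short port names (GE0/0/5) to the pvid and voice VLAN of their config block."""
    ports, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface GigabitEthernet"):
            cur = "GE" + line.split("GigabitEthernet", 1)[1]
            ports[cur] = {"data": None, "voice": None}
        elif cur and line.startswith("port hybrid pvid vlan "):
            ports[cur]["data"] = int(line.split()[-1])
        elif cur and line.startswith("voice-vlan "):
            ports[cur]["voice"] = int(line.split()[1])
    return ports

def find_vlan_mismatches(mac_authen, ports, phone_ouis):
    """Flag authenticated MACs whose VLAN is not the one the port should give them:
    phones belong in the voice VLAN, everything else in the pvid (data VLAN)."""
    findings = []
    for line in mac_authen.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(3) not in ports:
            continue
        mac, vlan, port = m.group(1), int(m.group(2)), m.group(3)
        want = ports[port]["voice" if mac[:7] in phone_ouis else "data"]
        if want is not None and vlan != want:
            findings.append((port, mac, vlan, want))
    return findings
```

Run against the output above it reports both phones on GE0/0/5 and GE0/0/6 as authenticated into VLAN 100 while the port's voice VLAN is 300, which is the symptom the post describes.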