
Huawei Switch 802.1x Configuration Guide


I. Huawei switch configuration for the Expo Bureau old building:

radius scheme exporadius
server-type standard
primary authentication 172.16.102.194
primary accounting 172.16.102.194
secondary authentication 172.16.102.195
secondary accounting 172.16.102.195
key authentication Expo2010
key accounting Expo2010
user-name-format without-domain
q
#
domain expodomain
scheme radius-scheme exporadius
q
domain default enable expodomain

#
dot1x
dot1x authentication-method eap


II. Building 8 Huawei 3352 switch configuration commands:

radius-server template expo
radius-server shared-key Expo2010
radius-server authentication 172.16.102.194 1812
radius-server accounting 172.16.102.194 1813
undo radius-server user-name domain-included
q

aaa
authentication-scheme default
authentication-scheme expo1
authentication-mode radius
q
authorization-scheme default
authorization-scheme expo2
q
accounting-scheme default
accounting-scheme expo3
accounting-mode radius
q

domain default
authentication-scheme expo1
authorization-scheme expo2
accounting-scheme expo3
radius-server expo
q
q
dot1x
dot1x authentication-method eap

interface ethernet 0/0/1

dot1x


III. Huawei 3352 switch configuration explained:
1. Enable dot1x and configure the user name for dot1x authentication
dot1x
dot1x authentication-method eap
interface ethernet 0/0/1
dot1x

2. Configure the authentication template named huawei, with the shared key test, and the authentication server IP address and port number
radius-server template huawei
radius-server shared-key test
radius-server authentication 1.1.1.3 1645
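undo radius-server user-name domain-included /* send the user name to the RADIUS server without the domain name */

3. Configure the RADIUS authentication scheme

authentication-scheme default
authentication-scheme huawei1 /* create an authentication scheme named huawei1 */
authentication-mode radius /* set the authentication mode to radius */
#
authorization-scheme default
authorization-scheme huawei2 /* create an authorization scheme named huawei2; the authorization mode defaults to local */
#
accounting-scheme default
accounting-scheme huawei3 /* create an accounting scheme named huawei3; its mode defaults to none */
accounting-mode radius /* when experimenting with the RADIUS software in the internal folder, configure none here */
#
domain default
authentication-scheme huawei1 /* authentication scheme huawei1 */
authorization-scheme huawei2 /* authorization scheme huawei2 */
accounting-scheme huawei3 /* accounting scheme huawei3 */
radius-server huawei /* the authentication template created above */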


IV. Cisco switch 802.1x configuration commands:

Enable
config t
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 172.16.102.194 key Expo2010
radius-server host 172.16.102.195 key Expo2010
radius-server vsa send authentication
radius-server retransmit 3
dot1x system-auth-control

int range f0/1 - 3
dot1x port-control auto
switchport mode access

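V. Cisco switch 802.1x configuration commands explained:

Enable /* enter privileged EXEC mode */
config t /* enter global configuration mode */
aaa new-model /* enable AAA */
aaa authentication dot1x default group radius /* configure 802.1x authentication to use the RADIUS server database */
aaa authorization network default group radius /* required for VLAN assignment */
radius-server host 192.168.1.132 key vrv /* set the RADIUS server address to 192.168.1.132 and the shared key to vrv; the ports need not be specified and default to 1812 and 1813 */
radius-server vsa send authentication /* VLAN assignment must use the VSA values defined by the IETF */

int range f0/1 - 11
dot1x port-control auto
switchport mode access
/* configure dot1x on ports 1 to 11; port 12 is not configured */
dot1x guest-vlan ID (VLAN redirection command)
exit
/* return to global configuration mode */
dot1x system-auth-control
/* enable dot1x globally */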
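
A check for the configuration explained in section V, added here as an example and not part of the original document: it parses IOS-style lines and reports access ports on which 802.1x is not enforced, either because the port lacks dot1x port-control auto or because the global commands are missing. The function names audit and unprotected_access_ports are hypothetical, and the sample configuration is constructed from the commands above.

```python
import re

# Constructed sample: section V's commands, plus port 12 left without dot1x.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
int range f0/1 - 11
dot1x port-control auto
switchport mode access
exit
int f0/12
switchport mode access
exit
dot1x system-auth-control
"""

IFACE = re.compile(r"^int(?:erface)?\s+(?:range\s+)?(\S+?/)(\d+)(?:\s*-\s*(\d+))?$", re.I)

def audit(config):
    """Collect global 802.1x state and per-port settings from IOS-style lines."""
    state = {"aaa_dot1x": False, "system_auth_control": False, "ports": {}}
    current = []  # ports that the following interface-level lines apply to
    for line in (raw.strip() for raw in config.splitlines()):
        m = IFACE.match(line)
        if m:
            prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
            current = [f"{prefix}{n}" for n in range(first, last + 1)]
            for port in current:
                state["ports"].setdefault(port, {"access": False, "dot1x": False})
        elif line == "exit":
            current = []
        elif line == "switchport mode access":
            for port in current:
                state["ports"][port]["access"] = True
        elif line == "dot1x port-control auto":
            for port in current:
                state["ports"][port]["dot1x"] = True
        elif line == "dot1x system-auth-control":
            state["system_auth_control"] = True
        elif line.startswith("aaa authentication dot1x "):
            state["aaa_dot1x"] = True
    return state

def unprotected_access_ports(config):
    """Access ports on which 802.1x is not enforced (per-port or global gap)."""
    state = audit(config)
    enforced = state["aaa_dot1x"] and state["system_auth_control"]
    return [port for port, s in state["ports"].items()
            if s["access"] and not (enforced and s["dot1x"])]
```

Run against the sample, the check reports only f0/12; if dot1x system-auth-control is dropped from the configuration, all twelve access ports are reported.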
