Cisco C3560 / C3750 RADIUS MAB 802.1X Authentication Configuration Script

Compiled from the official documentation and project materials; for details see the 3560/3750 switch configuration guide (RADIUS/802.1X configuration, release 12.2(50) and later).

1. Enable RADIUS authentication on the switch:

aaa new-model
// Both RADIUS and TACACS authentication on the switch require AAA to be enabled.

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization exec default group radius (optional)
aaa accounting dot1x default start-stop group radius
// Enable 802.1X authentication, authorization and accounting.

aaa server radius dynamic-author
client 10.1.11.161 server-key mindray
// Very important; every word here is a keyword. 10.1.11.161 is the server address.
// From 12.2(50) on, this enables CoA (Change of Authorization): the AAA server pushes CoA packets, and the switch accepts dynamic authorization packets when the authorization state changes.

dot1x system-auth-control
// (Very important) Enables dot1x globally on the switch. This must be on; otherwise, after MAB authentication the switch will not proceed to 802.1X authentication.

ip device tracking
// Very important: tracks the device's IP address, which replaces the source IP in the downloadable ACL configured on the RADIUS server. If the IP is not tracked, operations such as ping will fail.

radius-server attribute 6 on-for-login-auth
// Attribute 6: send the Service-Type in Access-Requests. During login authentication the first request carries the username/password together with the Service-Type, and the AAA server uses it to decide how to handle wired versus wireless access.

radius-server attribute 8 include-in-access-req
// Attribute 8: include the Framed-IP-Address in Access-Requests. Unlike before, the network may already be up when 802.1X authentication runs, and the RADIUS server can use the sent IP address to handle wired/wireless cases accordingly.

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3
// Criteria for marking a RADIUS server dead: 3 tries of 5 seconds each; if there is no response within 15 seconds the server is considered down and the corresponding policy applies.

radius-server host 10.1.11.161 auth-port 1812 acct-port 1813
radius-server key mindray
// RADIUS server IP, authentication/accounting ports, and the shared key the switch uses to communicate with the RADIUS server.

radius-server vsa send accounting (optional)

radius-server vsa send authentication
// Very important: VSA (vendor-specific attributes). RADIUS servers such as ISE need to push some vendor-specific attributes; without this only standard attributes are sent, and downloadable ACLs may fail to be pushed.

Global mac-move configuration:

authentication mac-move permit
// By default, once a MAC address has authenticated on one switch port, moving it to another port is refused. Enabling mac-move lets the new switch port start authentication quickly, e.g. when a PC behind an IP phone is moved to another port (enabled by default from 12.2(50); the command does not exist before 12.2(50)). In authentication open mode, a MAC address can move immediately from the original port to the new port without having to request authorization on the new port.


Two important basic access-list configurations:

(1) Simple list (optional): allows some basic traffic before the switch's 802.1X authentication succeeds.

ip access-list extended ACL-DEFAULT
remark dhcp
permit udp any eq bootpc any eq bootps
remark dns
permit udp any any eq domain
remark ping
permit icmp any any
remark tftp
permit udp any any eq tftp
remark drop all the rest
deny ip any any log

(2) Web redirect list (optional): used in web authentication to decide which traffic is redirected.

ip access-list extended WEB-REDIRECT
deny udp any any eq domain
deny udp any host 10.1.11.161 eq 8905
deny udp any host 10.3.220.254 eq 8905 (gateway of the switch; during web authentication the client sends packets to the gateway first and the switch handles the rest)
deny udp any host 10.1.11.161 eq 8906
deny udp any host 10.1.11.161 eq 8909
deny tcp any host 10.1.11.161 eq 8443
deny tcp any host 10.1.11.161 eq 8905
deny tcp any host 10.1.11.161 eq 8909
deny tcp any host 10.3.220.254 eq 8905 (gateway of the switch)
permit ip any any

2. Enable MAB and 802.1X authentication on port 0/x:

MAB (MAC Authentication Bypass) is used to authenticate devices that cannot do 802.1X, such as printers, APs and Avaya IP phones.

interface g0/x
description To XXX
switchport mode access

switchport access vlan 220
// (Optional) Data VLAN; not needed when the VLAN is assigned based on the 802.1X username/password.

switchport voice vlan 221
// Required when an IP phone or other voice device is attached; a multi-auth port can have only one voice VLAN.

Optional configuration:

ip access-group ACL-DEFAULT in
// Applies the simple list (see above); used together with authentication open mode to lower the risk of the authentication rollout.

authentication event fail action next-method
// On authentication failure, use the next method, e.g. 802.1X after MAB fails.

authentication event server dead action authorize vlan XXX
// When the server is down, put the port into the specified VLAN.

authentication event server alive action reinitialize
// When the server is alive again, restart authentication.

authentication event no-response action authorize vlan YYY
// When there is no response to authentication, put the port into the specified VLAN (guest VLAN; a multi-auth port cannot be configured with a guest VLAN or auth-fail VLAN).

authentication host-mode multi-auth
// There are four host modes; multi-auth is the most capable, see the official switch documentation for details.

authentication open
// Low-risk mode (requires the simple list (see above) to be configured and applied).

authentication order mab dot1x
// MAC bypass first, then 802.1X (changing the order, e.g. dot1x mab, makes no sense).

authentication priority dot1x mab
// When both methods pass and are authorized, the dot1x authorization takes effect (changing the order, e.g. mab dot1x, makes no sense).

authentication port-control auto
// Enables 802.1X.

authentication violation restrict
// Port security setting; on a violation an alert is sent (enabled by default).

mab
// Enables MAB.

dot1x pae authenticator
// (Before 12.2(50) the switch is the authenticator by default; from 12.2(50) on it can be either supplicant or authenticator.)

spanning-tree portfast


3. View the interface authentication result:

(1) show authentication session interface g0/x
// Shows the interface's MAB/dot1x authentication and authorization status.
Example:
Test-3560(config-if)#do show auth sess int f0/48
Interface: FastEthernet0/48
MAC Address: 001b.4f50.9392
IP Address: 10.5.222.70
User-Name: 00-1B-4F-50-93-92
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Session timeout: 120s (local), Remaining: 52s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A03DCF0000000010044F8BD
Acct Session ID: 0x00000004
Handle: 0xCF000001

Runnable methods list:
Method State
mab Authc Success
dot1x Not run


(2) show ip access-lists interface g0/x
// Shows the ACL pushed to the interface. After successful authentication the source IP is replaced, e.g. permit any any becomes permit x.x.x.x any.

Example:
Test-3560#show ip access-lists int f0/48
permit ip host 10.5.222.70 any


(3) show ip device tracking interface g0/x
// Shows the interface's IP device tracking information; the VLAN assignment can be seen here.

Example:
Test-3560#show ip device tracking int f0/48
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
---------------------------------------------------------------------
10.5.222.70 001b.4f50.9392 222 FastEthernet0/48 ACTIVE

Total number interfaces enabled: 1
Enabled interfaces:
Fa0/48

4. Other optional configuration

no authentication logging verbose
no dot1x logging verbose
no mab logging verbose

// Filters redundant authentication log messages.


5. Examples

(1) Complete switch RADIUS configuration example:

Test-3560#show run | in radius
aaa authentication dot1x default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.1.11.161 auth-port 1812 acct-port 1813
radius-server key mindray
radius-server vsa send accounting
radius-server vsa send authentication

(2) Complete switch interface configuration example:

Test-3560(config-if)#do show run int f0/48
Building configuration...

Current configuration : 789 bytes
!
interface FastEthernet0/48
description To Avaya IP Phone
switchport access vlan 220
switchport mode access
switchport voice vlan 222
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 221
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 60
authentication timer reauthenticate 120
authentication violation restrict
mab
dot1x pae authenticator
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
spanning-tree portfast
end
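To check a switch against the commands this page marks as required, the following added example (not from the page or from Cisco) parses an IOS running-config and reports missing global and per-port commands; the sample config, the interface name and the EXAMPLE-KEY value are constructed for the demonstration.

```python
REQUIRED_GLOBAL = ("aaa new-model", "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius", "aaa server radius dynamic-author",
    "dot1x system-auth-control", "ip device tracking", "radius-server vsa send authentication")
REQUIRED_INTF = ("switchport mode access", "authentication host-mode multi-auth",
    "authentication order mab dot1x", "authentication priority dot1x mab",
    "authentication port-control auto", "mab", "dot1x pae authenticator")

def parse_config(text):
    # Split an IOS running-config into global lines and per-interface line lists.
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            interfaces[(current := line.split()[1])] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented = inside the interface
        else:
            current = None  # back at global level (e.g. 'client' under aaa server)
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(text):
    # Return the missing required commands, keyed by 'global' and by interface name.
    global_lines, interfaces = parse_config(text)
    report = {"global": [c for c in REQUIRED_GLOBAL if c not in global_lines]}
    for name, lines in interfaces.items():
        if not any(l.startswith(("mab", "dot1x")) for l in lines):
            continue  # not an authenticating port, nothing to check
        missing = [c for c in REQUIRED_INTF if c not in lines]
        if "authentication open" in lines and "ip access-group ACL-DEFAULT in" not in lines:
            missing.append("ip access-group ACL-DEFAULT in")  # open mode needs the pre-auth ACL
        report[name] = missing
    return report

# Constructed sample: several required commands are deliberately left out.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
aaa server radius dynamic-author
 client 10.1.11.161 server-key EXAMPLE-KEY
ip device tracking
interface FastEthernet0/48
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
"""
```

Run `audit(SAMPLE)` to get the missing global commands and, for FastEthernet0/48, the missing port-control and pre-auth ACL entries; feed it the text of `show run` for a real check.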

