802.1x Access Configuration Guide

Source: 99网

1. 802.1x access configuration on Cisco switches

A Cisco 3560G is used as the 802.1x access device, and EAP-MD5 is the authentication method used in the example. The steps below configure IEEE 802.1x authentication.

Topology: terminal --- Cisco 3560G (figure not reproduced)

Configuration:

Step 1 Enter global configuration mode

Switch>enable
Password: cisco
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 2 Enable AAA

Switch(config)#aaa new-model

Step 3 Create the IEEE 802.1x authentication method list

Switch(config)#aaa authentication dot1x default group radius

Step 4 Enable IEEE 802.1x authentication globally on the switch

Switch(config)#dot1x system-auth-control

Step 5 (Optional) Configure the switch to use RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment

Switch(config)#aaa authorization network default group radius

Step 6 Specify the RADIUS server: its IP address, the authentication and accounting ports, and the shared key (secospace) used for both authentication and accounting. This step is optional only if the RADIUS server is already configured elsewhere; the method list in Step 3 needs at least one reachable RADIUS server.

Switch(config)#radius-server host 172.18.100.236 auth-port 1812 acct-port 1813 key secospace

2013-4-16  Huasai Confidential, do not distribute without permission  Page 1 of 13

Step 7 Enter interface configuration mode and enable 802.1x on the port

Switch(config)#interface gigabitEthernet 0/1

/* Set the port to access mode; 802.1x port control is applied to access ports, with the RADIUS server from Step 6 doing the authentication */
Switch(config-if)#switchport mode access

/* Enable IEEE 802.1x authentication on the port */
Switch(config-if)#dot1x port-control auto

Step 8 Return to privileged EXEC mode

Switch(config-if)#end

Step 9 Verify your entries

Switch#show dot1x

Step 10 (Optional) Save your entries in the configuration file

Switch#copy running-config startup-config

To display IEEE 802.1x status and statistics for all ports:

Switch#show dot1x all [details | statistics | summary]

To display IEEE 802.1x status and statistics for a specific port:

Switch#show dot1x interface interface-id [statistics | details]

The resulting interface configuration:

[Uplink interface connected to an access port]
!
interface GigabitEthernet0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
[Uplink interface connected to a trunk port]
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
[Terminal access port configuration]
!
interface GigabitEthernet0/1
 switchport access vlan 110
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 200
 spanning-tree portfast
!

Hosts that never answer the EAP-Request/Identity (no supplicant) are placed in guest VLAN 200 (CasualWard), so that VLAN should carry only what an unauthenticated device is allowed to reach.

[VLAN configuration]
!
vlan 10
 name SecTSM
!
vlan 110
 name LocalArea
!
vlan 120
 name Island
!
vlan 130
 name WorkArea
!
vlan 200
 name CasualWard
!
interface Vlan10
 ip address 172.18.10.73 255.255.255.0
!
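The Cisco configuration above is easy to get only partly right: the global commands are in place, but a port ends up with `switchport mode access` and no `dot1x port-control auto`, or a guest VLAN is configured without anyone noticing what it exposes. Below is an added example, not from the original guide or from Cisco, of a small audit script that parses an IOS-style running-config into interface blocks and flags those conditions. The sample config is constructed from the values in this section; the extra interface GigabitEthernet0/2 and the way uplinks are excluded are assumptions made for the demonstration.

```python
"""Audit an IOS-style running-config for 802.1x port settings.

Added example (not from the original guide). The sample config is built
from the values in the Cisco section (VLANs 10/110/200, Gi0/1 as the
supplicant port, Gi0/23 and Gi0/24 as uplinks); Gi0/2 is an assumed
extra port that somebody forgot to put under 802.1x.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 172.18.100.236 auth-port 1812 acct-port 1813 key secospace
!
interface GigabitEthernet0/1
 switchport access vlan 110
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 110
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Global commands without which no port-level dot1x setting takes effect.
GLOBAL_REQUIRED = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)


def parse_config(text):
    """Split an IOS config into (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' closes the current block
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, uplinks=frozenset()):
    """Return a list of (interface_or_'global', finding) tuples."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(("global", f"missing '{cmd}'"))
    if not any(l.startswith("radius-server host") for l in global_lines):
        findings.append(("global", "no radius-server host configured"))
    for name, lines in interfaces.items():
        if name in uplinks or "switchport mode trunk" in lines:
            continue                # uplinks are not supplicant-facing
        if "switchport mode access" not in lines:
            continue                # not an access port
        if "dot1x port-control auto" not in lines:
            findings.append((name, "access port without 'dot1x port-control auto'"))
            continue
        if "dot1x pae authenticator" not in lines:
            findings.append((name, "port-control auto without 'dot1x pae authenticator'"))
        guest = [l for l in lines if l.startswith("dot1x guest-vlan")]
        if guest:
            findings.append((name, f"{guest[0]}: unauthenticated hosts land in this VLAN"))
    return findings


if __name__ == "__main__":
    for where, msg in audit(SAMPLE_CONFIG, uplinks={"GigabitEthernet0/23"}):
        print(f"{where}: {msg}")
```

Run against the sample it reports the guest VLAN on GigabitEthernet0/1 and the unprotected access port GigabitEthernet0/2; without the `uplinks` hint it also flags GigabitEthernet0/23, which is the point of recording which ports are uplinks before auditing.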

2. 802.1x access configuration on Huawei switches

A Quidway S3900 is used as the 802.1x access device, and EAP-MD5 is the authentication method used in the example. The steps below configure IEEE 802.1x authentication.

Topology: terminal --- Quidway S3900 (figure not reproduced)

Configuration:

Step 1 Enter system view

<Quidway>system-view
System View: return to User View with Ctrl+Z.
[Quidway]

Step 2 Enable 802.1x access and select EAP

[Quidway]dot1x
802.1X is already enabled globally.
[Quidway]dot1x authentication-method ?
  chap  CHAP(Challenge Handshake Authentication Protocol) authentication method. It's default.
  eap   EAP(Extensible Authentication Protocol) authentication method (support eap-tls, eap-md5, peap, eap-ttls)
  pap   PAP(Password Authentication Protocol) authentication method
[Quidway]dot1x authentication-method eap
EAP authentication enabled already.
[Quidway]

With the default chap (or pap) the switch terminates EAP itself and talks CHAP/PAP to the RADIUS server; eap relays the supplicant's EAP packets to the server unchanged, which is what the EAP-MD5 example needs.

Step 3 Uplink interface configuration

[Uplink connected to a trunk port]
#
interface GigabitEthernet1/1/3
 port link-type trunk
 port trunk permit vlan all
 description Uplink-to-Intranet
#
[Uplink connected to an access port]
#
interface Ethernet1/0/24
 port access vlan 10
 description Uplink-to-Intranet
#

Step 4 Terminal access port configuration

[Port-based]
#
interface Ethernet1/0/1
 port access vlan 110
 dot1x port-control auto
 dot1x port-method portbased
 dot1x guest-vlan 200
 dot1x
#
[MAC-based]
#
interface Ethernet1/0/3
 port access vlan 110
 dot1x port-control auto
 dot1x port-method macbased
 dot1x
#

Port-based control opens the whole port once any one host authenticates; MAC-based control authenticates each MAC address separately and is the safer choice for ports behind a hub or an unmanaged switch.

Step 5 VLAN interface configuration

#
vlan 10
 name SecTSM
#
vlan 110
 name LocalArea
#
vlan 120
 name Island
#
vlan 130
 name WorkArea
#
interface Vlan-interface10
 ip address 172.18.10.74 255.255.255.0
#

VLAN 200, the guest VLAN referenced on Ethernet1/0/1, is not in the list above and must also be created on the switch.

Step 6 RADIUS scheme configuration

[Accounting optional]
#
radius scheme system
 primary authentication 172.18.10.240 1812
 accounting optional
 key authentication secospace
#
domain system
 scheme radius-scheme system
 authentication radius-scheme system
 authorization none
 accounting none
#

[Accounting required]
#
radius scheme system
 server-type standard
 primary authentication 172.18.10.240 1812
 primary accounting 172.18.10.240 1813
 key authentication secospace
 key accounting numen
 user-name-format without-domain
#
domain system
 scheme radius-scheme system
 authentication radius-scheme system
 accounting radius-scheme system
 authorization none
#
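Every section of this guide uses EAP-MD5, selected above with `dot1x authentication-method eap`. The following added example, not part of the original guide or of any vendor's code, implements the MD5-Challenge exchange defined in RFC 3748 section 5.4 (Response Value = MD5(Identifier || secret || Challenge), the CHAP construction from RFC 1994) on both sides, the check the authentication server performs, and the offline password test that anyone who captured the EAPOL frames on the wire can run. That last function is why EAP-MD5 gives no protection against an attacker who can see the segment: there is no server authentication, no keying material, and the password can be tried offline. The identity, password, challenge and word list are constructed for the demonstration.

```python
"""EAP-MD5 (RFC 3748 section 5.4) challenge/response, both sides.

Added example, not from the original guide. The password, peer name,
challenge and word list are constructed for the demonstration.
"""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4


def md5_response_value(identifier, secret, challenge):
    """Response Value = MD5(Identifier | secret | Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_request(identifier, challenge, name=b""):
    """Authenticator side: Code=1, Id, Length, Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    length = 4 + len(body)
    return bytes([EAP_REQUEST, identifier]) + length.to_bytes(2, "big") + body


def build_md5_response(request, secret, peer_name):
    """Supplicant side: parse the request, hash, and frame an EAP-Response."""
    code, identifier = request[0], request[1]
    length = int.from_bytes(request[2:4], "big")
    if code != EAP_REQUEST or length != len(request) or request[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    value_size = request[5]
    challenge = request[6:6 + value_size]
    value = md5_response_value(identifier, secret, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + peer_name
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def verify_md5_response(response, challenge, secret):
    """Authentication-server side: recompute and compare in constant time."""
    if response[0] != EAP_RESPONSE or response[4] != EAP_TYPE_MD5:
        return False
    identifier, value_size = response[1], response[5]
    value = response[6:6 + value_size]
    return hmac.compare_digest(value, md5_response_value(identifier, secret, challenge))


def offline_guess(challenge, response, wordlist):
    """What a passive observer of the EAPOL exchange can do: test candidate
    passwords against the captured challenge/response pair with no further
    network interaction. Returns the matching password or None."""
    identifier, value_size = response[1], response[5]
    value = response[6:6 + value_size]
    for candidate in wordlist:
        if md5_response_value(identifier, candidate, challenge) == value:
            return candidate
    return None


def demo():
    """One full exchange plus the offline attack against it."""
    secret = b"hunter2"                                  # constructed password
    challenge = os.urandom(16)                           # authenticator's random challenge
    request = build_md5_request(7, challenge, name=b"nas")
    response = build_md5_response(request, secret, peer_name=b"user1")
    ok = verify_md5_response(response, challenge, secret)
    guessed = offline_guess(challenge, response, [b"password", b"hunter2", b"letmein"])
    return ok, guessed


if __name__ == "__main__":
    print(demo())  # (True, b'hunter2')
```

The server-side check and the attacker's guess loop call the same function; the only difference is who knows the secret in advance. Where the EAPOL segment cannot be trusted, a TLS-based method (EAP-TLS or PEAP, both listed in the `dot1x authentication-method eap` help output) is the usual replacement.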

3. 802.1x access configuration on H3C switches

An H3C S3600 is used as the 802.1x access device, and EAP-MD5 is the authentication method used in the example. The steps below configure IEEE 802.1x authentication.

Topology: terminal --- H3C S3600 (figure not reproduced)

Configuration:

Step 1 Enter system view

<Quidway>system-view
System View: return to User View with Ctrl+Z.
[Quidway]

Step 2 Enable 802.1x access and select EAP

[Quidway]dot1x
802.1X is already enabled globally.
[Quidway]dot1x authentication-method ?
  chap  CHAP(Challenge Handshake Authentication Protocol) authentication method. It's default.
  eap   EAP(Extensible Authentication Protocol) authentication method (support eap-tls, eap-md5, peap, eap-ttls)
  pap   PAP(Password Authentication Protocol) authentication method
[Quidway]dot1x authentication-method eap
EAP authentication enabled already.
[Quidway]

Step 3 Uplink interface configuration

[Uplink connected to a trunk port]
#
interface GigabitEthernet1/1/3
 port link-type trunk
 port trunk permit vlan all
 description Uplink-to-Intranet
#
[Uplink connected to an access port]
#
interface Ethernet1/0/24
 port access vlan 10
 description Uplink-to-Intranet
#

Step 4 Terminal access port configuration

[Port-based]
#
interface Ethernet1/0/1
 port access vlan 110
 dot1x port-control auto
 dot1x port-method portbased
 dot1x guest-vlan 200
 dot1x
#
[MAC-based]
#
interface Ethernet1/0/3
 port access vlan 110
 dot1x port-control auto
 dot1x port-method macbased
 dot1x
#

Step 5 VLAN interface configuration

#
vlan 10
 name SecTSM
#
vlan 110
 name LocalArea
#
vlan 120
 name Island
#
vlan 130
 name WorkArea
#
interface Vlan-interface10
 ip address 172.18.10.72 255.255.255.0
#

VLAN 200, the guest VLAN referenced on Ethernet1/0/1, is not in the list above and must also be created on the switch.

Step 6 RADIUS scheme configuration

[Accounting optional]
#
radius scheme system
 primary authentication 172.18.10.240 1812
 accounting optional
 key authentication secospace
#
domain system
 scheme radius-scheme system
 authentication radius-scheme system
 authorization none
 accounting none
#

[Accounting required]
#
radius scheme system
 server-type standard
 primary authentication 172.18.10.240 1812
 primary accounting 172.18.10.240 1813
 key authentication secospace
 key accounting numen
 user-name-format without-domain
#
domain system
 scheme radius-scheme system
 authentication radius-scheme system
 accounting radius-scheme system
 authorization none
#

4. 802.1x access configuration on ZTE switches

A ZXR10 3928 is used as the 802.1x access device, and EAP-MD5 is the authentication method used in the example. The steps below configure IEEE 802.1x authentication.

Topology: terminal --- ZXR10 3928 (figure not reproduced)

Configuration:

Step 1 Enter privileged mode

ZXR10>enable
Password:zxr10
ZXR10#

Step 2 Configure the RADIUS scheme

ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#radius server 1 authen master 172.18.10.240 1812 secospace
ZXR10(config)#radius server 1 account master 172.18.10.240 1813 secospace
ZXR10(config)#radius server nas-ip-address 1 172.18.10.80
ZXR10(config)#radius server timeout 1 60
ZXR10(config)#radius server retry-time 1 5

The NAS IP 172.18.10.80 is the switch's own address on VLAN 10 (Step 6) and is what the RADIUS server sees as the client address, so the server's client entry and shared key must be defined for that address.

Step 3 Enable 802.1x access

ZXR10#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
ZXR10(config)#nas
ZXR10(config-nas)#create aaa 1 port fei_1/1
ZXR10(config-nas)#aaa 1 radius-server 1
ZXR10(config-nas)#aaa 1 authentication radius
ZXR10(config-nas)#aaa 1 accounting { enable | disable }
ZXR10(config-nas)#aaa 1 authorization auto
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 multiple-hosts enable
ZXR10(config-nas)#aaa 1 default-isp SEC
ZXR10(config-nas)#aaa 1 fullaccount disable

ZXR10(config-nas)#create aaa 2 port fei_1/3
ZXR10(config-nas)#aaa 2 control dot1x enable
ZXR10(config-nas)#aaa 2 radius-server 1
ZXR10(config-nas)#aaa 2 protocol eap
ZXR10(config-nas)#aaa 2 authentication radius
ZXR10(config-nas)#aaa 2 accounting enable
ZXR10(config-nas)#aaa 2 authorization auto
ZXR10(config-nas)#aaa 2 default-isp SEC.COM
ZXR10(config-nas)#aaa 2 fullaccount disable
ZXR10(config-nas)#aaa 2 multiple-hosts enable

Choose one of enable or disable for `aaa 1 accounting`. Only the aaa 2 profile sets `protocol eap`; the aaa 1 profile as shown does not, so check that its default matches the EAP-MD5 example before relying on it. `multiple-hosts enable` lets several hosts share a port once it is open, which is the same exposure as port-based control on the Huawei and H3C switches.

Step 4 Uplink interface configuration

[Uplink connected to a trunk port]
!
interface fei_1/24
 no negotiation auto
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk vlan 10
 switchport trunk vlan 110
 switchport trunk vlan 120
 switchport trunk vlan 130
 switchport qinq normal
!
[Uplink connected to an access port]
!
interface fei_1/23
 negotiation auto
 switchport access vlan 10
 switchport qinq normal
!

Step 5 Terminal access port configuration

!
interface fei_1/1
 no negotiation auto
 switchport access vlan 110
 switchport qinq normal
!
interface fei_1/3
 negotiation auto
 switchport access vlan 10
 switchport qinq normal
!

Step 6 VLAN configuration

!
vlan 10
 name SecTSM
!
vlan 110
 name LocalArea
!
vlan 120
 name Island
!
vlan 130
 name WorkArea
!
vlan 200
 name CasualWard
!
interface vlan 10
 ip address 172.18.10.80 255.255.255.0
!
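Every section above points the switch at a RADIUS server (172.18.10.240 port 1812, shared key secospace; the ZTE section also fixes the NAS IP at 172.18.10.80). The added example below, not from the original guide or from any vendor, builds the Access-Request the switch sends, carrying the supplicant's EAP message together with the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and performs the two checks a NAS must make on the reply: the Response Authenticator of RFC 2865 and the Message-Authenticator of RFC 2869, both keyed by the shared key. Both ends are computed locally and nothing is sent; the EAP payload and user name are constructed for the demonstration.

```python
"""RADIUS Access-Request with EAP-Message and Message-Authenticator.

Added example, not from the original guide. Shared key and NAS IP are
the values the guide configures; user name and EAP payload are
constructed. RFC 2865 framing, RFC 2869 section 5.14 Message-
Authenticator, RFC 3579 requirement for EAP exchanges.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(payload):
    """Return [(type, value, offset_of_value)] for an attribute list."""
    pos, out = 0, []
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute")
        out.append((atype, payload[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out


def _with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    attrs = attrs + attr(ATTR_MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def build_access_request(ident, secret, user, nas_ip, eap_message):
    """NAS side: Access-Request relaying one EAP message from the supplicant."""
    request_auth = os.urandom(16)        # RFC 2865: unpredictable, unique per request
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap_message))
    return _with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)


def build_response(code, request, secret, attrs=b""):
    """Server side. The Message-Authenticator is computed with the Request
    Authenticator in the header (RFC 2869 5.14); the Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) then replaces it."""
    ident, request_auth = request[1], request[4:20]
    pkt = _with_message_authenticator(code, ident, request_auth, attrs, secret)
    head, body = pkt[:4], pkt[20:]
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(response, request, secret):
    """NAS side: accept the reply only if both authenticators verify."""
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return False
    if response[1] != request[1]:        # must answer our outstanding request
        return False
    request_auth = request[4:20]
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    mas = [(v, off) for t, v, off in parse_attrs(body) if t == ATTR_MSG_AUTH]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False                     # RFC 3579: mandatory on EAP exchanges
    value, off = mas[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    mac = hmac.new(secret, head + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(value, mac)


def demo():
    """Genuine Access-Accept verifies; one signed with another key does not."""
    secret = b"secospace"                                 # shared key from the guide
    eap_identity = bytes([2, 1, 0, 10]) + b"\x01user1"    # constructed EAP-Response/Identity
    req = build_access_request(7, secret, b"user1", "172.18.10.80", eap_identity)
    accept = build_response(ACCESS_ACCEPT, req, secret)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-key")
    return verify_response(accept, req, secret), verify_response(forged, req, secret)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A reply built with the wrong shared key fails both checks, and a reply without a Message-Authenticator is refused even if its Response Authenticator is valid. The RADIUS client in the switch should behave the same way; the shared key is the only thing standing between the NAS and a forged Access-Accept, which is why a key like secospace belongs in a configuration guide only as a placeholder.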


5. Huawei metro Ethernet series (S3300, S5300)

1. 802.1X configuration

An S3300 is used as the 802.1x access device, and EAP-MD5 is the authentication method used in the example. The steps below configure IEEE 802.1x authentication.

Topology: terminal --- Quidway S3300 (figure not reproduced)

Configuration:

Step 1 Enter system view

<Quidway>system-view
System View: return to User View with Ctrl+Z.
[Quidway]

Step 2 Enable 802.1x access and select EAP

[Quidway]dot1x
802.1X is already enabled globally.
[Quidway]dot1x authentication-method ?
  chap  CHAP(Challenge Handshake Authentication Protocol) authentication method. It's default.
  eap   EAP(Extensible Authentication Protocol) authentication method (support eap-tls, eap-md5, peap, eap-ttls)
  pap   PAP(Password Authentication Protocol) authentication method
[Quidway]dot1x authentication-method eap
EAP authentication enabled already.
[Quidway]

Step 3 Uplink interface configuration

[Uplink connected to a trunk port]
#
interface GigabitEthernet1/1/3
 port link-type trunk
 port trunk permit vlan all
 description Uplink-to-Intranet
#
[Uplink connected to an access port]
#
interface Ethernet1/0/24
 port access vlan 10
 description Uplink-to-Intranet
#

Step 4 Terminal access port configuration

[Port-based]
#
interface Ethernet1/0/1
 port access vlan 110
 dot1x port-control auto
 dot1x port-method port
 dot1x guest-vlan 200
 dot1x
#
[MAC-based]
#
interface Ethernet1/0/3
 port access vlan 110
 dot1x port-control auto
 dot1x port-method mac
 dot1x
#

Step 5 RADIUS scheme configuration

#
radius-server template yx
 radius-server authentication 172.18.12.234 1812
 radius-server shared-key secospace
 undo radius-server user-name domain-included
#

Configure the AAA attributes:

[Quidway]aaa
[Quidway-aaa]authentication-scheme jide
[Quidway-aaa-authen-jide]authentication-mode radius
[Quidway-aaa-authen-jide]quit
[Quidway-aaa]accounting-scheme jide
[Quidway-aaa-accounting-jide]accounting-mode none
[Quidway-aaa-accounting-jide]quit
[Quidway-aaa]authorization-scheme jide
[Quidway-aaa-author-jide]authorization-mode none
[Quidway-aaa-author-jide]quit
[Quidway-aaa]domain default
[Quidway-aaa-domain-default]authentication-scheme jide
[Quidway-aaa-domain-default]authorization-scheme jide
[Quidway-aaa-domain-default]radius-server yx
[Quidway-aaa-domain-default]quit
[Quidway-aaa]quit

The accounting scheme jide is defined but not bound to the domain, so no accounting is sent for users in domain default; bind it with accounting-scheme jide under the domain if accounting records are wanted.
