Self-study Aruba 5.3.3 - Aruba security authentication - Captive-Portal authentication configuration in an environment with a PEFNG license


1. Preface to the Captive-Portal authentication configuration

1.1 Create the server-derived role for web authentication

After the PEFNG license has been imported, the system does not automatically generate a role corresponding to the web-authentication profile created with aaa authentication captive-portal. A role therefore has to be derived for the user before authentication, and that role is configured to pop up the authentication page.

1.2 Disable ping in the logon-control policy

Because the policy "logon-control" contains a rule that permits ping, a web-authentication user can ping other addresses as soon as it has associated to the SSID, which easily gives customers a wrong impression. It is therefore recommended to turn off the ping permit in the policy "logon-control" before configuring web authentication.

(Aruba650) (config) #ip access-list session logon-control
(Aruba650) (config-sess-logon-control)# no any any "svc-icmp" deny    ## turn off the ping capability in the logon-control policy

(Aruba650) (config) #user-role yk-web           ## define the Captive-Portal role as yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) #session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth    ## bind the captive-portal profile to the pre-authentication role
(Aruba650) (config-role) #exit

2. Captive-Portal authentication configuration commands

2.1 Completing Captive-Portal authentication with the Internal DB authentication server

(Aruba650) (config) #aaa server-group web-server
(Aruba650) (Server Group "web-server") #auth-server Internal
(Aruba650) (Server Group "web-server") #set role condition role value-of    ## use the role attribute stored with the internal-DB user as the derived role
(Aruba650) (Server Group "web-server") #exit

(Aruba650) (config) #aaa authentication captive-portal web-auth
(Aruba650) (Captive Portal Authentication Profile "web-auth") #server-group web-server
(Aruba650) (Captive Portal Authentication Profile "web-auth") #protocol-http    ## authenticate over HTTP
(Aruba650) (Captive Portal Authentication Profile "web-auth") #redirect-pause 1 ## redirect automatically 1 s after authentication
(Aruba650) (Captive Portal Authentication Profile "web-auth") #default-role authenticated  ## default role after authentication; the user gets this role if no server-derived role is produced
(Aruba650) (Captive Portal Authentication Profile "web-auth") #exit

(Aruba650) (config) #ip access-list session logon-control
(Aruba650) (config-sess-logon-control)# no any any "svc-icmp" deny   ## turn off ping

(Aruba650) (config) #user-role yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) #session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

(Aruba650) (config) #aaa profile web-profile
(Aruba650) (AAA Profile "web-profile") #initial-role yk-web          ## initial derived role before authentication; redirects to the Captive-Portal authentication page
(Aruba650) (AAA Profile "web-profile") #exit

(Aruba650) (config) #wlan ssid-profile web-ssid
(Aruba650) (SSID Profile "web-ssid") #essid webyk
(Aruba650) (SSID Profile "web-ssid") #exit

(Aruba650) (config) #wlan virtual-ap web-vap
(Aruba650) (Virtual AP profile "web-vap") #aaa-profile web-profile
(Aruba650) (Virtual AP profile "web-vap") #ssid-profile web-ssid
(Aruba650) (Virtual AP profile "web-vap") #vlan 1
(Aruba650) (Virtual AP profile "web-vap") #exit

(Aruba650) (config) #ap-group webyk
(Aruba650) (AP group "webyk") #virtual-ap web-vap
(Aruba650) (AP group "webyk") #exit

(Aruba650) #local-userdb add username test1 password 123456 role web-1     ## create two users, test1 and test2, with the derived roles web-1 and web-2
(Aruba650) #local-userdb add username test2 password 123456 role web-2

2.2 Completing Captive-Portal authentication with an LDAP authentication server

2.2.1 LDAP-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa authentication-server ldap ad
(Aruba650) (LDAP Server "ad") #host 172.18.50.30
(Aruba650) (LDAP Server "ad") #admin-dn cn=rui,cn=Users,dc=ruitest,dc=com
(Aruba650) (LDAP Server "ad") #admin-passwd 123456
(Aruba650) (LDAP Server "ad") #allow-cleartext    ## permit an unencrypted LDAP bind; the admin-dn password and user credentials cross the network in clear text
(Aruba650) (LDAP Server "ad") #base-dn cn=Users,dc=ruitest,dc=com
(Aruba650) (LDAP Server "ad") #preferred-conn-type clear-text
(Aruba650) (LDAP Server "ad") #exit

(Aruba650) #aaa test-server pap ad carlos 123456  ## test whether a connection to the LDAP server can be established
Authentication Successful                         ## authentication succeeded

(Aruba650) # aaa query-user ad carlos     ## look up user carlos and the values returned by LDAP

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: carlos
sn: carlos
distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com ## returned DN; the controller (AC) can define the group the user belongs to by matching the returned values
instanceType: 4
whenCreated: 20180117082111.0Z
whenChanged: 20180417082815.0Z
displayName: carlos
uSNCreated: 368694
memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
uSNChanged: 368706
name: wang1
objectGUID: n\240\203\277T\345\002K\235\202y\351\372\240<\376
userAccountControl: 66048
badPwdCount: 0

2.2.2 Wireless-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa server-group web-server
(Aruba650) (Server Group "web-server") #no auth-server Internal
(Aruba650) (Server Group "web-server") #auth-server ad
(Aruba650) (Server Group "web-server") #set role condition memberOf equals CN=tech1,CN=Users,DC=ruitest,DC=com set-value web-1    ## a returned group name of tech1 maps to role web-1
(Aruba650) (Server Group "web-server") #set role condition memberOf equals CN=tech2,CN=Users,DC=ruitest,DC=com set-value web-2
(Aruba650) (Server Group "web-server") #exit

(Aruba650) (config) #aaa authentication captive-portal web-auth
(Aruba650) (Captive Portal Authentication Profile "web-auth") # server-group web-server
(Aruba650) (Captive Portal Authentication Profile "web-auth") #protocol-http
(Aruba650) (Captive Portal Authentication Profile "web-auth") #redirect-pause 1
(Aruba650) (Captive Portal Authentication Profile "web-auth") #default-role authenticated  ## default role after authentication; the user gets this role if no server-derived role is produced
(Aruba650) (Captive Portal Authentication Profile "web-auth") #exit

(Aruba650) (config) #user-role yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) # session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

(Aruba650) (config) #aaa profile web-profile
(Aruba650) (AAA Profile "web-profile") #initial-role yk-web  ## initial derived role before authentication; redirects to the Captive-Portal authentication page
(Aruba650) (AAA Profile "web-profile") #exit

(Aruba650) (config) #wlan ssid-profile web-ssid
(Aruba650) (SSID Profile "web-ssid") #essid web
(Aruba650) (SSID Profile "web-ssid") #exit

(Aruba650) (config) #wlan virtual-ap web-vap
(Aruba650) (Virtual AP profile "web-vap") #aaa-profile web-profile
(Aruba650) (Virtual AP profile "web-vap") #ssid-profile web-ssid
(Aruba650) (Virtual AP profile "web-vap") #vlan 1
(Aruba650) (Virtual AP profile "web-vap") #exit

(Aruba650) (config) #ap-group webyk
(Aruba650) (AP group "webyk") #virtual-ap web-vap
(Aruba650) (AP group "webyk") #exit
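To check which role the server-group rules derive for a given user, here is an added Python model (not part of the original post and not ArubaOS code) that parses the attribute/value output of aaa query-user from 2.2.1 and applies the two memberOf rules above, the "role value-of" rule used in 2.1 and 2.3.2, and the default-role fallback of the captive-portal profile; the sample record is constructed from the carlos output, and first-match rule ordering is an assumption of the model.

```python
# Added illustration (not ArubaOS code): the server-group role derivation
# used in sections 2.1 to 2.3, checked against the carlos record from 2.2.1.
from dataclasses import dataclass

@dataclass
class Rule:
    attribute: str        # attribute tested, e.g. "memberOf" or "role"
    op: str               # "equals" (needs match/set_value) or "value-of"
    match: str = ""       # value compared against for "equals"
    set_value: str = ""   # role assigned when an "equals" rule matches

# The two rules from the "web-server" server group in 2.2.2.
LDAP_RULES = [
    Rule("memberOf", "equals", "CN=tech1,CN=Users,DC=ruitest,DC=com", "web-1"),
    Rule("memberOf", "equals", "CN=tech2,CN=Users,DC=ruitest,DC=com", "web-2"),
]
# The single "set role condition role value-of" rule of 2.1 and 2.3.2.
VALUE_OF_RULES = [Rule("role", "value-of")]
DEFAULT_ROLE = "authenticated"   # default-role of profile "web-auth"

# Constructed sample, trimmed from the aaa query-user output in 2.2.1.
SAMPLE_CARLOS = """\
objectClass: top
cn: carlos
distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com  ## returned DN
memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
userAccountControl: 66048
"""
def parse_query_user(text: str) -> dict:
    """'attribute: value' lines -> {attribute: [values]}; repeated attributes
    such as objectClass or memberOf keep every value."""
    attrs: dict = {}
    for line in text.splitlines():
        line = line.split("##", 1)[0].strip()   # drop trailing "##" comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def derive_role(attrs: dict, rules, default_role: str = DEFAULT_ROLE) -> str:
    """First matching rule (in listed order; an assumed simplification) wins;
    with no match the user falls back to the profile's default-role."""
    for rule in rules:
        values = attrs.get(rule.attribute, [])
        if rule.op == "value-of" and values:
            return values[0]          # server's role attribute becomes the role
        if rule.op == "equals" and rule.match in values:
            return rule.set_value
    return default_role
```

A user whose memberOf matches neither DN ends up in "authenticated", which is why the default-role line matters even when derivation rules exist.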

2.3 Completing Captive-Portal authentication with a RADIUS authentication server

2.3.1 RADIUS-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa authentication-server radius ias
(Aruba650) (RADIUS Server "ias") #host 172.18.50.88
(Aruba650) (RADIUS Server "ias") #key 123456    ## shared secret that must match the one configured on the RADIUS server
(Aruba650) (RADIUS Server "ias") #exit

(Aruba650) #aaa test-server mschapv2 ias carlos 123456  ## test whether a connection to the IAS server can be established
Authentication Successful                               ## authentication succeeded

In the IAS remote access policy, the settings to pay attention to are as follows:

2.3.2 Wireless-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa server-group web-server
(Aruba650) (Server Group "web-server") #no auth-server Internal
(Aruba650) (Server Group "web-server") #auth-server ias    ## the RADIUS server "ias" defined in 2.3.1
(Aruba650) (Server Group "web-server") #set role condition role value-of    ## use the role returned by the RADIUS server as the derived role
(Aruba650) (Server Group "web-server") #exit

(Aruba650) (config) #aaa authentication captive-portal web-auth
(Aruba650) (Captive Portal Authentication Profile "web-auth") # server-group web-server
(Aruba650) (Captive Portal Authentication Profile "web-auth") #protocol-http
(Aruba650) (Captive Portal Authentication Profile "web-auth") #redirect-pause 1
(Aruba650) (Captive Portal Authentication Profile "web-auth") #default-role authenticated  ## default role after authentication; the user gets this role if no server-derived role is produced
(Aruba650) (Captive Portal Authentication Profile "web-auth") #exit

(Aruba650) (config) #user-role yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) # session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

(Aruba650) (config) #aaa profile web-profile
(Aruba650) (AAA Profile "web-profile") #initial-role yk-web  ## initial derived role before authentication; redirects to the Captive-Portal authentication page
(Aruba650) (AAA Profile "web-profile") #exit

(Aruba650) (config) #wlan ssid-profile web-ssid
(Aruba650) (SSID Profile "web-ssid") #essid web
(Aruba650) (SSID Profile "web-ssid") #exit

(Aruba650) (config) #wlan virtual-ap web-vap
(Aruba650) (Virtual AP profile "web-vap") #aaa-profile web-profile
(Aruba650) (Virtual AP profile "web-vap") #ssid-profile web-ssid
(Aruba650) (Virtual AP profile "web-vap") #vlan 1
(Aruba650) (Virtual AP profile "web-vap") #exit

(Aruba650) (config) #ap-group webyk
(Aruba650) (AP group "webyk") #virtual-ap web-vap
(Aruba650) (AP group "webyk") #exit

posted on 2018-01-17 09:12 CARLOS_KONG