Self-study Aruba 5.3.4 - Aruba security authentication - 802.1X authentication configuration in an environment with a PEFNG license

1. Completing 802.1X authentication with the internal database (Internal) authentication server

(Aruba650) #configure terminal
(Aruba650) (config) #aaa server-group dot1x-server
(Aruba650) (Server Group "dot1x-server") #auth-server Internal
(Aruba650) (Server Group "dot1x-server") #set role condition role value-of
(Aruba650) (Server Group "dot1x-server") #exit

(Aruba650) (config) #aaa authentication dot1x dot1x-auth
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination enable
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination inner-eap-type eap-mschapv2
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #exit

(Aruba650) (config) #aaa profile dot1x-profile
(Aruba650) (AAA Profile "dot1x-profile") #dot1x-default-role authenticated  ## Default role after dot1x authentication; if the server derives no role, the user gets this role
(Aruba650) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server
(Aruba650) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
(Aruba650) (AAA Profile "dot1x-profile") #exit

(Aruba650) (config) #wlan ssid-profile dot1x-ssid
(Aruba650) (SSID Profile "dot1x-ssid") #essid 802.1x
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
(Aruba650) (SSID Profile "dot1x-ssid") #exit

(Aruba650) (config) #wlan virtual-ap dot1x-vap
(Aruba650) (Virtual AP profile "dot1x") #aaa-profile dot1x-profile
(Aruba650) (Virtual AP profile "dot1x") #ssid-profile dot1x-ssid
(Aruba650) (Virtual AP profile "dot1x") #vlan 1
(Aruba650) (Virtual AP profile "dot1x") #exit

(Aruba650) (config) #ap-group 802xyk
(Aruba650) (AP group "802xyk") #virtual-ap dot1x-vap
(Aruba650) (AP group "802xyk") #exit

(Aruba650) #local-userdb add username test1 password 123456 role web-1
(Aruba650) #local-userdb add username test2 password 123456 role web-2

2. Completing 802.1X authentication with an LDAP authentication server

(Aruba650) #configure terminal
(Aruba650) (config) #aaa authentication-server ldap ad
(Aruba650) (LDAP Server "ad") #host 172.18.50.30
(Aruba650) (LDAP Server "ad") #admin-dn cn=rui,cn=Users,dc=ruitest,dc=com
(Aruba650) (LDAP Server "ad") #admin-passwd 123456
(Aruba650) (LDAP Server "ad") #allow-cleartext
(Aruba650) (LDAP Server "ad") #base-dn cn=Users,dc=ruitest,dc=com
(Aruba650) (LDAP Server "ad") #preferred-conn-type clear-text
(Aruba650) (LDAP Server "ad") #exit

(Aruba650) #aaa test-server pap ad carlos 123456
Authentication Successful

(Aruba650) # aaa query-user ad carlos
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: carlos
sn: carlos
distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com
instanceType: 4
whenCreated: 20180117110333.0Z
whenChanged: 20180117110404.0Z
displayName: carlos
uSNCreated: 368694
memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
uSNChanged: 368706
name: carlos
objectGUID: n\240\203\277T\345\002K\235\202y\351\372\240<\376
userAccountControl: 66048
badPwdCount: 0

(Aruba650) (config) #aaa server-group dot1x-server
(Aruba650) (Server Group "dot1x-server") #no auth-server ias
(Aruba650) (Server Group "dot1x-server") #auth-server ad
(Aruba650) (Server Group "dot1x-server") #set role condition memberOf equals CN=tech1,CN=Users,DC=ruitest,DC=com set-value web-1 ## The returned group is tech1, which matches role web-1
(Aruba650) (Server Group "dot1x-server") #set role condition memberOf equals CN=tech2,CN=Users,DC=ruitest,DC=com set-value web-2
(Aruba650) (Server Group "dot1x-server") #exit

(Aruba650) (config) #aaa authentication dot1x dot1x-auth
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #dot1x-default-role role-1 ## Default role after dot1x authentication; if the server derives no role, the user gets this role
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination enable
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-tls
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #no termination inner-eap-type eap-mschapv2
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination inner-eap-type eap-gtc

(Aruba650) (config) #aaa profile dot1x-profile
(Aruba650) (AAA Profile "dot1x-profile") #dot1x-default-role authenticated  ## Default role after dot1x authentication; if the server derives no role, the user gets this role
(Aruba650) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server
(Aruba650) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
(Aruba650) (AAA Profile "dot1x-profile") #exit

(Aruba650) (config) #wlan ssid-profile dot1x-ssid
(Aruba650) (SSID Profile "dot1x-ssid") #essid 802.1x
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
(Aruba650) (SSID Profile "dot1x-ssid") #exit

(Aruba650) (config) #wlan virtual-ap dot1x-vap
(Aruba650) (Virtual AP profile "dot1x") #aaa-profile dot1x-profile
(Aruba650) (Virtual AP profile "dot1x") #ssid-profile dot1x-ssid
(Aruba650) (Virtual AP profile "dot1x") #vlan 1
(Aruba650) (Virtual AP profile "dot1x") #exit

(Aruba650) (config) #ap-group 802xyk
(Aruba650) (AP group "802xyk") #virtual-ap dot1x-vap
(Aruba650) (AP group "802xyk") #exit
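
As an added example (not code from the original post or from ArubaOS), the following Python models the server-derivation rules configured in the server group above: `memberOf equals ... set-value ...` rules matched against the attributes the LDAP server returns (as in the `aaa query-user` output), the `role value-of` rule used with the internal database, and the fallback to the AAA profile's `dot1x-default-role` when nothing matches. The attribute sets are constructed, and first-match-wins ordering is an assumption of this simplified model rather than a statement about the controller's implementation.

```python
# Added example (not from the post): a simplified model of ArubaOS server
# derivation rules ("set role condition <attr> <op> [<value> set-value <role>]")
# applied to attributes an authentication server returns. Not the controller's code.

# Rules from server group "dot1x-server" in the LDAP section, plus the
# "role value-of" rule used with the internal database and IAS.
RULES = [
    ("memberOf", "equals", "CN=tech1,CN=Users,DC=ruitest,DC=com", "web-1"),
    ("memberOf", "equals", "CN=tech2,CN=Users,DC=ruitest,DC=com", "web-2"),
    ("role", "value-of", None, None),
]
DEFAULT_ROLE = "authenticated"  # dot1x-default-role in the AAA profile

# Constructed attribute sets modelled on the "aaa query-user ad carlos" output.
CARLOS = {"cn": ["carlos"], "memberOf": ["CN=tech1,CN=Users,DC=ruitest,DC=com"]}
TEST1 = {"role": ["web-1"]}          # what the internal DB returns for user test1
NOBODY = {"cn": ["guest"], "memberOf": ["CN=other,CN=Users,DC=ruitest,DC=com"]}


def parse_rule(line):
    """Parse one 'set role condition ...' CLI line into (attr, op, value, role)."""
    t = line.split()
    if t[:3] != ["set", "role", "condition"]:
        raise ValueError("not a role derivation rule: %r" % line)
    attr, op = t[3], t[4]
    if op == "value-of":
        return attr, op, None, None
    i = t.index("set-value")
    return attr, op, " ".join(t[5:i]), t[i + 1]


def matches(op, returned, expected):
    # LDAP DNs compare case-insensitively; model that here.
    r, e = returned.lower(), expected.lower()
    return {"equals": r == e, "contains": e in r,
            "starts-with": r.startswith(e)}.get(op, False)


def derive_role(attrs, rules=RULES, default=DEFAULT_ROLE):
    """First matching rule wins (assumption); otherwise the AAA profile default."""
    for attr, op, expected, role in rules:
        for returned in attrs.get(attr, []):
            if op == "value-of":
                return returned          # role taken from the attribute value
            if matches(op, returned, expected):
                return role
    return default
```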

3. Completing 802.1X authentication with a RADIUS authentication server

(Aruba650) #configure terminal
(Aruba650) (config) #aaa authentication-server radius ias
(Aruba650) (RADIUS Server "ias") #host 172.18.50.30
(Aruba650) (RADIUS Server "ias") #key 123456
(Aruba650) (RADIUS Server "ias") #exit

(Aruba650) #aaa test-server mschapv2 ad carlos 123456
Authentication Successful

Points to note in the IAS configuration:

(Aruba650) (config) #aaa server-group dot1x-server
(Aruba650) (Server Group "dot1x-server") #no auth-server Internal
(Aruba650) (Server Group "dot1x-server") #auth-server ias
(Aruba650) (Server Group "dot1x-server") #set role condition role value-of
(Aruba650) (Server Group "dot1x-server") #exit

(Aruba650) (config) #aaa authentication dot1x dot1x-auth
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination enable
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination inner-eap-type eap-mschapv2
(Aruba650) (802.1X Authentication Profile "dot1x-auth") #exit

(Aruba650) (config) #aaa profile dot1x-profile
(Aruba650) (AAA Profile "dot1x-profile") #dot1x-default-role authenticated  ## Default role after dot1x authentication; if the server derives no role, the user gets this role
(Aruba650) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server
(Aruba650) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
(Aruba650) (AAA Profile "dot1x-profile") #exit

(Aruba650) (config) #wlan ssid-profile dot1x-ssid
(Aruba650) (SSID Profile "dot1x-ssid") #essid 802.1x
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
(Aruba650) (SSID Profile "dot1x-ssid") #exit

(Aruba650) (config) #wlan virtual-ap dot1x-vap
(Aruba650) (Virtual AP profile "dot1x") #aaa-profile dot1x-profile
(Aruba650) (Virtual AP profile "dot1x") #ssid-profile dot1x-ssid
(Aruba650) (Virtual AP profile "dot1x") #vlan 1
(Aruba650) (Virtual AP profile "dot1x") #exit

(Aruba650) (config) #ap-group 802xyk
(Aruba650) (AP group "802xyk") #virtual-ap dot1x-vap
(Aruba650) (AP group "802xyk") #exit

posted on 2018-01-17 13:48 CARLOS_KONG