3750X configuration introduction (Cisco Catalyst 3750X as an ISE-controlled access switch: dot1x, MAB and web authentication)

Official recommended 3750X configuration (global AAA, CoA and dot1x)

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

Enable dot1x authentication, authorization and accounting, all against the RADIUS server group (ISE).

aaa server radius dynamic-author

client 202.100.1.241 server-key cisco

Enable CoA (Change of Authorization): ISE at 202.100.1.241 may send CoA/Disconnect requests to the switch (UDP 1700 by default on IOS), authenticated with the shared key cisco. The key must match the one configured for this network device on ISE.

dot1x system-auth-control

Enable dot1x globally; without it the interface-level dot1x/authentication commands have no effect.

ip device tracking

Track the IP address of each attached device. Required for dACLs and URL redirection, because the switch rewrites the "any" source of a downloaded ACL with the client's tracked IP.

3750x-sw1:

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author

client 202.100.1.241 server-key cisco

dot1x system-auth-control

ip device tracking
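What the dynamic-author relationship looks like on the wire, as an added example that is not part of the original page or of any Cisco/ISE code: ISE (202.100.1.241) builds a CoA-Request or Disconnect-Request and signs it with the shared key, and the switch accepts it only if both the Request Authenticator and the Message-Authenticator check out under its configured server-key cisco. The authenticator computation follows RFC 5176 section 2.3 as implemented here; the session values (MAC 00-11-22-33-44-55, packet identifiers) are constructed sample data, and the cisco-avpair strings are Cisco's documented re-authentication commands.

```python
# Added example (not from the original page): build and verify a RADIUS
# CoA-Request the way ISE sends it and the way the switch checks it with
# `aaa server radius dynamic-author` / `server-key cisco`. Authenticators
# follow RFC 5176 section 2.3. MAC/identifier values are constructed samples.
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_CISCO, CISCO_AVPAIR = 9, 1


def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor 9 sub-attribute 1, cisco-avpair."""
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_request(code, identifier, attrs, secret):
    """Assemble a CoA- or Disconnect-Request (the ISE side).

    Order matters: Message-Authenticator (HMAC-MD5, attribute 80) is computed
    first over the packet with a zeroed Request Authenticator and a zeroed MA
    value; the Request Authenticator is then MD5(Code + ID + Length + 16 zero
    octets + finished attributes + secret).
    """
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    ma = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + ma
    ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + ra + body


def parse_attrs(packet):
    """Return the attribute section as a list of (type, value) pairs."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def verify_request(packet, secret):
    """The switch side: accept only if both authenticators verify under the
    configured server-key. Message-Authenticator is treated as mandatory."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    header, ra, body = packet[:4], packet[4:20], packet[20:]
    expected_ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected_ra, ra):
        return False
    i = 20
    while i + 1 < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = header + bytes(16) + packet[20:i + 2] + bytes(16) + packet[i + 18:]
            expected_ma = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected_ma, packet[i + 2:i + 18])
        i += alen
    return False


def reauthenticate_request(identifier=7, secret=b"cisco"):
    """CoA-Request telling the switch to re-authenticate one session, as ISE
    does after a posture or profiling change (sample MAC)."""
    attrs = [
        attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        cisco_avpair("subscriber:command=reauthenticate"),
        cisco_avpair("subscriber:reauthenticate-type=last"),
    ]
    return build_request(COA_REQUEST, identifier, attrs, secret)


def disconnect_request(identifier=8, secret=b"cisco"):
    """Disconnect-Request: terminate the session for this MAC (sample MAC)."""
    attrs = [attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    pkt = reauthenticate_request()
    print(len(pkt), "bytes; valid with key cisco:", verify_request(pkt, b"cisco"),
          "; valid with wrong key:", verify_request(pkt, b"wrong"))
```

The point for the operator is that the server-key is the only thing protecting the port from an unauthorized CoA or Disconnect: a request with the wrong key, or one byte of the attributes changed in transit, fails verification and is dropped, so the key should be as strong as the RADIUS key and the client list should contain only the ISE policy nodes.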

Official recommended 3750X configuration (RADIUS server settings)

radius-server attribute 6 on-for-login-auth

Sends the Service-Type attribute (6) in Access-Requests.

radius-server attribute 8 include-in-access-req

Sends the Framed-IP-Address attribute (8) in Access-Requests.

radius-server attribute 25 access-request include

Sends the Class attribute (25) in Access-Requests.

radius-server dead-criteria time 5 tries 3

Marks the RADIUS server dead once it has not answered for 5 seconds and 3 consecutive requests have gone unanswered (roughly 3 x 5 seconds). This dead/alive state is what triggers the "server dead" and "server alive" actions configured on the interfaces.

radius-server host 202.100.1.241

radius-server key cisco

radius-server vsa send accounting

Enables vendor-specific attributes (VSAs) to be sent in RADIUS accounting messages.

radius-server vsa send authentication

Enables VSAs in RADIUS authentication messages. In order to enable dACLs, you must first configure the access switch to allow communication using the cisco-av-pair attribute with the value aaa:event=acl-download; this global configuration command is what does that. If you fail to add it, authentication/authorization requests that carry a dACL fail.

3750x-sw1:

radius-server attribute 6 on-for-login-auth (include the Service-Type attribute in login-authentication Access-Requests)

radius-server attribute 8 include-in-access-req (send attribute 8, Framed-IP-Address, in Access-Requests)

radius-server attribute 25 access-request include (send the Class attribute in Access-Requests)

radius-server dead-criteria time 5 tries 3 (how the switch decides whether the RADIUS server is reachable)

radius-server host 202.100.1.241

radius-server key cisco

radius-server vsa send accounting

radius-server vsa send authentication (vendor-specific attributes, VSAs)

Official recommended 3750X configuration (pre-authentication ACL and redirect ACL)

ip access-list extended acl-default

remark dhcp

permit udp any eq bootpc any eq bootps

remark dns

permit udp any any eq domain

remark ping

permit icmp any any

remark tftp

permit udp any any eq tftp

remark drop all the rest

deny ip any any log

--- acl-default permits only basic traffic (DHCP, DNS, ICMP, TFTP) and drops and logs everything else. It is the pre-authentication port ACL used with authentication open (low-impact mode).

ip access-list extended web-redirect

deny udp any any eq domain

deny udp any host 202.100.1.241 eq 8905

deny udp any host 202.100.2.254 eq 8905

deny udp any host 202.100.1.241 eq 8906

deny udp any host 202.100.1.241 eq 8909

deny tcp any host 202.100.1.241 eq 8443

deny tcp any host 202.100.1.241 eq 8905

deny tcp any host 202.100.1.254 eq 8905

deny tcp any host 202.100.1.241 eq 2909

permit ip any any (traffic matched by a deny line is not redirected; everything else is redirected)

--- web-redirect selects the traffic to redirect to the ISE portal. The deny lines exempt DNS and the ISE portal/posture ports so that the client can still reach the portal it is being redirected to.

3750x-sw1:

ip access-list extended acl-default

remark dhcp

permit udp any eq bootpc any eq bootps

remark dns

permit udp any any eq domain

remark ping

permit icmp any any

remark tftp

permit udp any any eq tftp

remark drop all the rest

deny ip any any log

ip access-list extended web-redirect

deny udp any any eq domain

deny udp any host 202.100.1.241 eq 8905

deny udp any host 202.100.2.254 eq 8905

deny udp any host 202.100.1.241 eq 8906

deny udp any host 202.100.1.241 eq 8909

deny tcp any host 202.100.1.241 eq 8443

deny tcp any host 202.100.1.241 eq 8905

deny tcp any host 202.100.1.254 eq 8905

deny tcp any host 202.100.1.241 eq 2909

permit ip any any
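To make the inverted meaning of permit/deny concrete, here is a first-match evaluator for the two ACLs above, added as an example (not part of the original page). The ACL text is the page's own; the client 10.0.2.10, the DNS server 202.100.1.1 and the web server 93.184.216.34 are constructed sample endpoints.

```python
# Added example, not from the original page: a first-match evaluator for the two
# ACLs above. The same keywords mean different things in the two roles: in the
# port ACL permit = forward and deny = drop; in the URL-redirect ACL permit =
# redirect to the portal and deny = leave alone. ACL text is the page's own;
# the flows in demo() are constructed sample traffic.
import ipaddress

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}

ACL_DEFAULT = """
remark dhcp
permit udp any eq bootpc any eq bootps
remark dns
permit udp any any eq domain
remark ping
permit icmp any any
remark tftp
permit udp any any eq tftp
remark drop all the rest
deny ip any any log
"""

WEB_REDIRECT = """
deny udp any any eq domain
deny udp any host 202.100.1.241 eq 8905
deny udp any host 202.100.2.254 eq 8905
deny udp any host 202.100.1.241 eq 8906
deny udp any host 202.100.1.241 eq 8909
deny tcp any host 202.100.1.241 eq 8443
deny tcp any host 202.100.1.241 eq 8905
deny tcp any host 202.100.1.254 eq 8905
deny tcp any host 202.100.1.241 eq 2909
permit ip any any
"""


def _endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "host":
        addr = ipaddress.ip_address(tokens.pop(0))
    elif tok == "any":
        addr = None
    else:
        raise ValueError("unsupported address form: " + tok)
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = PORT_NAMES.get(name) or int(name)
    return addr, port


def parse_acl(text):
    """Parse the extended-ACL subset used on this page; remarks are skipped.
    Each ACE becomes (action, proto, src, sport, dst, dport, log)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _endpoint(rest)
        dst, dport = _endpoint(rest)
        aces.append((action, proto, src, sport, dst, dport, rest == ["log"]))
    return aces


def lookup(aces, proto, src, sport, dst, dport):
    """Cisco first-match semantics, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, asport, adst, adport, _log in aces:
        if aproto not in ("ip", proto):
            continue
        if asrc not in (None, src) or adst not in (None, dst):
            continue
        if asport not in (None, sport) or adport not in (None, dport):
            continue
        return action
    return "deny"


ACL_DEFAULT_ACES = parse_acl(ACL_DEFAULT)
WEB_REDIRECT_ACES = parse_acl(WEB_REDIRECT)


def classify(proto, src, sport, dst, dport):
    """Return (pre-auth port ACL verdict, flow selected by the redirect ACL).
    Selection only matters for web traffic, which is what the switch intercepts;
    whether anything is forwarded is still decided by the port ACL or dACL."""
    verdict = lookup(ACL_DEFAULT_ACES, proto, src, sport, dst, dport)
    selected = lookup(WEB_REDIRECT_ACES, proto, src, sport, dst, dport) == "permit"
    return verdict, selected


def demo():
    """Constructed flows from a sample client 10.0.2.10 in VLAN 2."""
    return {
        "dns": classify("udp", "10.0.2.10", 50000, "202.100.1.1", 53),
        "http": classify("tcp", "10.0.2.10", 50001, "93.184.216.34", 80),
        "portal": classify("tcp", "10.0.2.10", 50002, "202.100.1.241", 8443),
        "posture": classify("udp", "10.0.2.10", 50003, "202.100.1.241", 8905),
    }
```

demo() shows the interaction the two ACLs are designed for: DNS is forwarded by acl-default and left alone by web-redirect; HTTP is dropped by acl-default before authorization but selected by web-redirect, so the redirect only takes effect after ISE has authorized the session and pushed a dACL that lets web traffic through; and the portal itself (202.100.1.241:8443) and the posture ports are excluded from redirection, which only helps if the dACL from ISE also permits them.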

Official recommended 3750X configuration (access interface)

int g1/0/1

description ise-mab-dot1x-webauth

switchport access vlan 2

switchport mode access

ip access-group acl-default in

authentication event fail action next-method (on authentication failure, try the next method)

authentication event server dead action authorize vlan 10 (if the RADIUS server is dead, authorize the port into VLAN 10)

authentication event server alive action reinitialize (when the server is back, reinitialize the port so the client authenticates again)

authentication host-mode multi-auth (host mode; there are four:

single-host: one PC does dot1x on this port; supports VLAN and dACL authorization.

multi-host: many PCs can sit behind the port but only one needs to authenticate; once it passes, all the others pass; supports VLAN authorization only.

multi-domain (MDA): a phone on the port with one PC daisy-chained behind it; the phone does dot1x and the PC does dot1x too; supports VLAN and dACL.

multi-auth: a phone on the port with several PCs behind it; the phone and every PC do dot1x individually; supports VLAN and dACL.)

authentication open (open mode: without it nothing gets through until dot1x passes; with it the network is reachable first and authorization follows. Open authentication is the low-impact mode: the port ACL applies first)

authentication order mab dot1x (try MAC authentication bypass first, then dot1x; MAB authenticates by MAC address)

authentication priority dot1x mab (dot1x has priority over MAB: a dot1x result overrides a MAB result)

authentication port-control auto (enable authentication on the port)

authentication violation restrict (a MAC beyond what the host mode allows is dropped and a syslog is generated)

mab (enable MAB)

dot1x pae authenticator (the switch acts as the authenticator)

spanning-tree portfast

3750x-sw1:

int g1/0/1

description ise-mab-dot1x-webauth

switchport access vlan 2

switchport mode access

ip access-group acl-default in

authentication event fail action next-method

authentication event server dead action authorize vlan 10

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

dot1x pae authenticator

spanning-tree portfast