The three roles in 802.1x

With IEEE 802.1x port-based authentication, the devices in the network have specific roles:

Client

Switch or access point (AP)

Authentication server

Overview of the 802.1x authentication process

When a PC is plugged in, the switch greets it and asks whether it supports 802.1x. If it does, the client replies with EAPOL-Start and sends its packet to the switch; the switch wraps it in a RADIUS Access-Request and forwards it to ISE; ISE sends a request asking the client to authenticate; the username and password are passed securely to the server via PEAP, EAP-FAST or EAP-TLS; the server determines which group the user belongs to and, based on that group, hands the corresponding authorization to the switch; the switch then configures the interface accordingly, and from that point the client can access the network.

Authentication initiation

When the link state changes from down to up, the switch sends an EAP-Request/Identity frame to the client to request its identity.

However, if during boot-up the client does not receive an EAP-Request/Identity frame from the switch, the client can initiate authentication by sending an EAPOL-Start frame.

When 802.1x is not enabled on the switch or the client

If the client does not receive an EAP-Request/Identity frame after three attempts to start authentication, the client sends frames as if the port is in the authorized state.

Port state

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:

force-authorized: disables IEEE 802.1x authentication and causes the port to change to the authorized state without any authentication exchange required.

force-unauthorized: causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.

auto: enables IEEE 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port (high-security mode).
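As an added illustration (not part of the original notes), the following Python decodes constructed EAPOL-Start and EAP-Request/Identity frames of the kind exchanged above and models the auto port-control rule that only EAPOL passes while the port is unauthorized. The MAC addresses and frame bytes are constructed sample values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}

# Constructed sample frames (dst MAC, src MAC, EtherType, payload); not captured traffic.
SAMPLE_FRAMES = {
    # client -> PAE group address: EAPOL v1, type 1 (Start), body length 0
    "eapol_start": bytes.fromhex("0180c2000003" "001122334455" "888e" "01" "01" "0000"),
    # switch -> client: EAPOL v1, type 0 (EAP-Packet), EAP Request id=1, type 1 (Identity)
    "eap_request_identity": bytes.fromhex(
        "001122334455" "aabbccddeeff" "888e" "01" "00" "0005" "01" "01" "0005" "01"),
    # ordinary ARP broadcast, which an unauthorized auto port must drop
    "arp": bytes.fromhex("ffffffffffff" "001122334455" "0806" "0001080006040001"),
}


def _ethertype(frame: bytes) -> int:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def describe_frame(frame: bytes) -> str:
    """Name the EAPOL/EAP message carried in an Ethernet frame, or flag it as non-EAPOL."""
    ethertype = _ethertype(frame)
    if ethertype != ETHERTYPE_EAPOL:
        return f"non-EAPOL frame (EtherType 0x{ethertype:04x})"
    payload = frame[14:]
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, eapol_type, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    if eapol_type != 0:  # Start/Logoff/Key carry no EAP packet
        return EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    desc = "EAP-" + EAP_CODES.get(code, f"code{code}")
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a method type byte
        desc += "/" + EAP_METHODS.get(body[4], f"type{body[4]}") + f" id={ident}"
    return desc


def auto_port_admits(frame: bytes, authorized: bool) -> bool:
    """Under 'dot1x port-control auto' an unauthorized port forwards only EAPOL frames."""
    return authorized or _ethertype(frame) == ETHERTYPE_EAPOL
```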

802.1x and voice VLAN

A voice VLAN port is a special access port associated with two VLAN identifiers:

VVID to carry voice traffic to and from the IP phone;

the VVID is used to configure the IP phone that is connected to the port.

PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone;

the PVID is the native VLAN of the port.

VVID: voice VLAN ID, voice domain

PVID: port VLAN ID, data domain

3750x-sw1:

interface g1/0/4
 switchport voice vlan 10    ! voice VLAN

802.1x with per-user ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an IEEE 802.1x-authenticated user.

When the RADIUS server authenticates a user that is connected to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch.

The switch applies the attributes to the IEEE 802.1x port for the duration of the user session.

The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs.

802.1x configuration guidelines

When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.

The IEEE 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:

trunk ports

dynamic ports

dynamic-access ports

EtherChannel ports

Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports

When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

Configuring EAP

1. Configure g1/0/2, the port to which win7-1 is connected

3750-sw1:

interface g1/0/2
 description ise-mab-dot1x-webauth
 switchport access vlan 2
 switchport mode access
 ip access-group acl-default in
 ! fall through to the next method when one fails
 authentication event fail action next-method
 ! critical VLAN when ISE is unreachable; re-run authentication when it returns
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 ! open mode: traffic is allowed before authentication, subject to the ACL above
 authentication open
 ! try MAB first, but let a dot1x result take priority over a MAB result
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast

Start the Wired AutoConfig service

Enable user or computer authentication

Set up PEAP authentication

Configure Allowed Protocols to permit only PEAP

Configure the authentication policy

Log off win-7 to test

3750-sw1:

interface g1/0/2
 shutdown
 no shutdown
end
show authentication sessions interface g1/0/2

Configure the authorization profiles used for PEAP

Configure the authorization policy