  • Self-study Aruba 5.3.4 - Aruba security authentication - configuring 802.1X authentication in an environment with a PEFNG license


    1. Using the InterDB (internal database) authentication server for 802.1X authentication

    (Aruba650) #configure terminal
    (Aruba650) (config) #aaa server-group dot1x-server
    (Aruba650) (Server Group "dot1x-server") #auth-server Internal
    (Aruba650) (Server Group "dot1x-server") #set role condition role value-of
    (Aruba650) (Server Group "dot1x-server") #exit

    (Aruba650) (config) #aaa authentication dot1x dot1x-auth
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination enable
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination inner-eap-type eap-mschapv2
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #exit

    (Aruba650) (config) #aaa profile dot1x-profile
    (Aruba650) (AAA Profile "dot1x-profile") #dot1x-default-role authenticated  ## default role after dot1x authentication; if no server-derived role is produced, the user gets this role
    (Aruba650) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server
    (Aruba650) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
    (Aruba650) (AAA Profile "dot1x-profile") #exit

    (Aruba650) (config) #wlan ssid-profile dot1x-ssid
    (Aruba650) (SSID Profile "dot1x-ssid") #essid 802.1x
    (Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
    (Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
    (Aruba650) (SSID Profile "dot1x-ssid") #exit

    (Aruba650) (config) #wlan virtual-ap dot1x-vap
    (Aruba650) (Virtual AP profile "dot1x") #aaa-profile dot1x-profile
    (Aruba650) (Virtual AP profile "dot1x") #ssid-profile dot1x-ssid
    (Aruba650) (Virtual AP profile "dot1x") #vlan 1
    (Aruba650) (Virtual AP profile "dot1x") #exit

    (Aruba650) (config) #ap-group 802xyk
    (Aruba650) (AP group "802xyk") #virtual-ap dot1x-vap
    (Aruba650) (AP group "802xyk") #exit

    (Aruba650) #local-userdb add username test1 password 123456 role web-1
    (Aruba650) #local-userdb add username test2 password 123456 role web-2

    2. Using an LDAP authentication server for 802.1X authentication

    (Aruba650) #configure terminal
    (Aruba650) (config) #aaa authentication-server ldap ad
    (Aruba650) (LDAP Server "ad") #host 172.18.50.30
    (Aruba650) (LDAP Server "ad") #admin-dn cn=rui,cn=Users,dc=ruitest,dc=com
    (Aruba650) (LDAP Server "ad") #admin-passwd 123456
    (Aruba650) (LDAP Server "ad") #allow-cleartext
    (Aruba650) (LDAP Server "ad") #base-dn cn=Users,dc=ruitest,dc=com
    (Aruba650) (LDAP Server "ad") #preferred-conn-type clear-text
    (Aruba650) (LDAP Server "ad") #exit

    (Aruba650) #aaa test-server pap ad carlos 123456
    Authentication Successful

    (Aruba650) #aaa query-user ad carlos
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: carlos
    sn: carlos
    distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com
    instanceType: 4
    whenCreated: 20180117110333.0Z
    whenChanged: 20180117110404.0Z
    displayName: carlos
    uSNCreated: 368694
    memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
    uSNChanged: 368706
    name: carlos
    objectGUID: n240203277T34502K235202y351372240<376
    userAccountControl: 66048
    badPwdCount: 0

    (Aruba650) (config) #aaa server-group dot1x-server
    (Aruba650) (Server Group "dot1x-server") #no auth-server ias
    (Aruba650) (Server Group "dot1x-server") #auth-server ad
    (Aruba650) (Server Group "dot1x-server") #set role condition memberOf equals CN=tech1,CN=Users,DC=ruitest,DC=com set-value web-1 ## the returned group name is tech1, which maps to role web-1
    (Aruba650) (Server Group "dot1x-server") #set role condition memberOf equals CN=tech2,CN=Users,DC=ruitest,DC=com set-value web-2
    (Aruba650) (Server Group "dot1x-server") #exit

    (Aruba650) (config) #aaa authentication dot1x dot1x-auth
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #dot1x-default-role role-1 ## default role after dot1x authentication; if no server-derived role is produced, the user gets this role
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination enable
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-tls
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #no termination inner-eap-type eap-mschapv2
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination inner-eap-type eap-gtc

    (Aruba650) (config) #aaa profile dot1x-profile
    (Aruba650) (AAA Profile "dot1x-profile") #dot1x-default-role authenticated  ## default role after dot1x authentication; if no server-derived role is produced, the user gets this role
    (Aruba650) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server
    (Aruba650) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
    (Aruba650) (AAA Profile "dot1x-profile") #exit

    (Aruba650) (config) #wlan ssid-profile dot1x-ssid
    (Aruba650) (SSID Profile "dot1x-ssid") #essid 802.1x
    (Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
    (Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
    (Aruba650) (SSID Profile "dot1x-ssid") #exit

    (Aruba650) (config) #wlan virtual-ap dot1x-vap
    (Aruba650) (Virtual AP profile "dot1x") #aaa-profile dot1x-profile
    (Aruba650) (Virtual AP profile "dot1x") #ssid-profile dot1x-ssid
    (Aruba650) (Virtual AP profile "dot1x") #vlan 1
    (Aruba650) (Virtual AP profile "dot1x") #exit

    (Aruba650) (config) #ap-group 802xyk
    (Aruba650) (AP group "802xyk") #virtual-ap dot1x-vap
    (Aruba650) (AP group "802xyk") #exit
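
How the `memberOf` rules in section 2 select a role, and when the `dot1x-default-role` applies, modelled as an added Python example (not code from the original post or from Aruba). It assumes rules are evaluated in configured order with the first match winning and that `equals` is an exact string comparison; the function names are hypothetical.

```python
import re

# Constructed sample: the two rule lines from section 2, prompts removed.
RULES = """\
set role condition memberOf equals CN=tech1,CN=Users,DC=ruitest,DC=com set-value web-1
set role condition memberOf equals CN=tech2,CN=Users,DC=ruitest,DC=com set-value web-2
"""
# Constructed sample: a subset of the "aaa query-user ad carlos" output above.
QUERY_USER = """\
cn: carlos
distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com
memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
"""
RULE_RE = re.compile(r"^set role condition (?P<attr>\S+) (?:value-of|"
                     r"equals (?P<operand>\S+) set-value (?P<role>\S+))$")

def parse_rules(text):
    """Return (attribute, operand, role) per rule, in configured order.
    operand and role are None for a value-of rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["attr"], m["operand"], m["role"]))
    return rules

def parse_attributes(text):
    """Parse 'name: value' lines; an attribute such as memberOf may repeat."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def derive_role(rules, attrs, default_role):
    """Apply the first rule that matches (assumed order); else the default role."""
    for attr, operand, role in rules:
        values = attrs.get(attr, [])
        if operand is None and values:        # value-of: attribute value is the role
            return values[0]
        if operand is not None and operand in values:  # equals: exact match (assumed)
            return role
    return default_role

def role_for(query_user_output, default_role="authenticated"):
    """Role for a user, given the attribute lines the LDAP server returned."""
    return derive_role(parse_rules(RULES), parse_attributes(query_user_output), default_role)
```

A user whose `memberOf` matches neither rule falls through to the default role, so the privileges of that default role decide what unmatched directory accounts can reach.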

    3. Using a RADIUS authentication server for 802.1X authentication

    (Aruba650) #configure terminal
    (Aruba650) (config) #aaa authentication-server radius ias
    (Aruba650) (RADIUS Server "ias") #host 172.18.50.30
    (Aruba650) (RADIUS Server "ias") #key 123456
    (Aruba650) (RADIUS Server "ias") #exit

    (Aruba650) #aaa test-server mschapv2 ias carlos 123456
    Authentication Successful

    Points to note for the IAS configuration:

    (Aruba650) (config) #aaa server-group dot1x-server
    (Aruba650) (Server Group "dot1x-server") #no auth-server Internal
    (Aruba650) (Server Group "dot1x-server") #auth-server ias
    (Aruba650) (Server Group "dot1x-server") #set role condition role value-of
    (Aruba650) (Server Group "dot1x-server") #exit

    (Aruba650) (config) #aaa authentication dot1x dot1x-auth
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination enable
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination eap-type eap-peap
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #termination inner-eap-type eap-mschapv2
    (Aruba650) (802.1X Authentication Profile "dot1x-auth") #exit

    (Aruba650) (config) #aaa profile dot1x-profile
    (Aruba650) (AAA Profile "dot1x-profile") #dot1x-default-role authenticated  ## default role after dot1x authentication; if no server-derived role is produced, the user gets this role
    (Aruba650) (AAA Profile "dot1x-profile") #dot1x-server-group dot1x-server
    (Aruba650) (AAA Profile "dot1x-profile") #authentication-dot1x dot1x-auth
    (Aruba650) (AAA Profile "dot1x-profile") #exit

    (Aruba650) (config) #wlan ssid-profile dot1x-ssid
    (Aruba650) (SSID Profile "dot1x-ssid") #essid 802.1x
    (Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
    (Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
    (Aruba650) (SSID Profile "dot1x-ssid") #exit

    (Aruba650) (config) #wlan virtual-ap dot1x-vap
    (Aruba650) (Virtual AP profile "dot1x") #aaa-profile dot1x-profile
    (Aruba650) (Virtual AP profile "dot1x") #ssid-profile dot1x-ssid
    (Aruba650) (Virtual AP profile "dot1x") #vlan 1
    (Aruba650) (Virtual AP profile "dot1x") #exit

    (Aruba650) (config) #ap-group 802xyk
    (Aruba650) (AP group "802xyk") #virtual-ap dot1x-vap
    (Aruba650) (AP group "802xyk") #exit
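
An added review helper (not from the original post or from Aruba): it reads command lines in the prompt format used on this page and flags three settings to revisit before reusing the configuration outside a lab: cleartext LDAP (`allow-cleartext`, `preferred-conn-type clear-text`), the `wpa-tkip` opmode, and short or numeric-only secrets such as `123456`. The rule names and the 12-character threshold are this example's own assumptions.

```python
import re

# Sample input: command lines copied from the transcripts on this page.
TRANSCRIPT = '''\
(Aruba650) (LDAP Server "ad") #admin-passwd 123456
(Aruba650) (LDAP Server "ad") #allow-cleartext
(Aruba650) (LDAP Server "ad") #preferred-conn-type clear-text
(Aruba650) (RADIUS Server "ias") #key 123456
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa-tkip
(Aruba650) (SSID Profile "dot1x-ssid") #opmode wpa2-aes
(Aruba650) #local-userdb add username test1 password 123456 role web-1
'''

# "(host) (context) #command  ## comment"; the context part is optional.
PROMPT_RE = re.compile(r'^\([^)]+\)(?: \((?P<ctx>[^)]+)\))? #\s*(?P<cmd>.*?)\s*(?:##.*)?$')
SECRET_RE = re.compile(r'^(?:admin-passwd|key) (\S+)$|^local-userdb add .*\bpassword (\S+)')
MIN_SECRET_LEN = 12  # this example's own threshold, not an Aruba default

def audit(transcript):
    """Return (context, rule, command) for each setting worth reviewing."""
    findings = []
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m:
            continue  # device output or blank line, not a typed command
        ctx, cmd = m["ctx"] or "enable", m["cmd"]
        if cmd in ("allow-cleartext", "preferred-conn-type clear-text"):
            # LDAP bind and search traffic crosses the network unencrypted.
            findings.append((ctx, "ldap-cleartext", cmd))
        elif re.match(r"opmode\b.*\bwpa-tkip\b", cmd):
            # TKIP is deprecated; the SSID should offer AES-based modes only.
            findings.append((ctx, "tkip-enabled", cmd))
        else:
            s = SECRET_RE.match(cmd)
            if not s:
                continue
            group = 1 if s.group(1) else 2
            secret = s.group(group)
            if len(secret) < MIN_SECRET_LEN or secret.isdigit():
                # Report the command up to the secret, never the secret itself.
                findings.append((ctx, "weak-secret", cmd[:s.start(group)].strip()))
    return findings

if __name__ == "__main__":
    for ctx, rule, cmd in audit(TRANSCRIPT):
        print(f"{rule:15} {ctx:28} {cmd}")
```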
  • Original article: https://www.cnblogs.com/yaoyaojcy/p/8302433.html