Network topology
CORE configuration
vlan 10 20 30 100
interface GigabitEthernet1/0/2
port access vlan 30
stp edged-port
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 10 20 100
// configure DHCP
dhcp enable
dhcp server ip-pool VLAN10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
forbidden-ip 192.168.10.254
dhcp server ip-pool VLAN20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
forbidden-ip 192.168.20.254
dhcp server ip-pool VLAN30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
forbidden-ip 192.168.30.254
int vlan 10
ip add 192.168.10.254 24
int vlan 20
ip add 192.168.20.254 24
int vlan 30
ip add 192.168.30.254 24
int vlan 100
ip add 192.168.100.1 24
NAS network configuration
vlan 10 20 100
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 100
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid vlan 1 10 20 untagged
port hybrid pvid vlan 10
stp edged-port
interface Vlan-interface100
ip address 192.168.100.2 255.255.255.0
ip route-static 0.0.0.0 0 192.168.100.1
NAS key configuration (802.1X)
dot1x
dot1x authentication-method eap // use EAP relay; the default is CHAP termination; relay offloads the switch
radius scheme beijing
primary authentication 192.168.30.1 key simple H3c@123! // the key must match the one configured on the authentication server
primary accounting 192.168.30.1 key simple H3c@123!
nas-ip 192.168.100.2
user-name-format without-domain // send the username without the domain name
domain beijing
authentication lan-access radius-scheme beijing // bind wired (LAN access) authentication to the RADIUS scheme (local = local login)
authorization lan-access radius-scheme beijing // authorization
accounting lan-access radius-scheme beijing // accounting
int g1/0/2 // apply on the downlink port
dot1x // enable 802.1X on the interface
dot1x port-method macbased // MAC-based access control (each MAC is authenticated separately)
dot1x mandatory-domain beijing // force the domain for this port
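As an added illustration (not part of the original notes), the following Python script shows why the `key simple H3c@123!` on the switch must match the secret stored for the NAS on the FreeRADIUS side. Every RADIUS reply carries a Response Authenticator computed as MD5 over the header, the Request Authenticator of the matching request, the reply attributes and the shared secret (RFC 2865); a NAS discards replies that fail this check, which is what a secret mismatch looks like in practice. The packet bytes, the Request Authenticator value and the packet identifier are constructed here; the VLAN attributes mirror the radgroupreply rows used later in these notes.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed example values, not from a capture: the shared secret from the
# NAS "key simple H3c@123!" line and a fixed 16-byte Request Authenticator.
SHARED_SECRET = b"H3c@123!"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# RFC 2868 tunnel attributes used for dynamic VLAN assignment
TUNNEL_TYPE = 64             # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65      # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81 # the VLAN id as a string


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tunnel_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer tunnel attribute: Tag(1) + 3-byte value (tag 0 = untagged)."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the packet is well-formed and its Response Authenticator
    matches what this secret and the original Request Authenticator produce."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def assigned_vlan(packet: bytes) -> Optional[str]:
    """Extract Tunnel-Private-Group-ID (the VLAN) from a verified Access-Accept."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            return None  # malformed attribute, stop parsing
        value = packet[offset + 2:offset + length]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:  # leading byte is a tag, not text
                value = value[1:]
            return value.decode("ascii", errors="replace")
        offset += length
    return None


# The attributes FreeRADIUS would send for the radgroupreply rows in these notes
VLAN_ATTRS = (
    encode_tunnel_int(TUNNEL_TYPE, 13)
    + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, 6)
    + encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")
)
ACCEPT_PACKET = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, VLAN_ATTRS, SHARED_SECRET)

if __name__ == "__main__":
    print("verifies with the configured secret:",
          verify_response(ACCEPT_PACKET, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print("verifies with a mismatched secret:  ",
          verify_response(ACCEPT_PACKET, REQUEST_AUTHENTICATOR, b"wrong"))
    print("assigned VLAN:", assigned_vlan(ACCEPT_PACKET))
```

Only a reply that verifies should have its attributes acted on, which is why assigned_vlan is meant to be called after verify_response returns True. When radiusd -X shows a request arriving but the switch keeps reporting failure, a secret mismatch on either side is the first thing to rule out.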
FreeRADIUS configuration
mysql -u root -p
use radius;
// create a user
INSERT INTO radcheck (id,username,attribute,op,VALUE) VALUES ('1','zhangsan','Cleartext-Password',':=','123456');
// configure the group reply attributes (dynamic VLAN assignment)
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Service-Type',':=','Framed-user');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Tunnel-Type',':=','VLAN');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Tunnel-Medium-Type',':=','IEEE-802');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Tunnel-Private-Group-ID',':=','20');
// bind user zhangsan to group H3C
INSERT INTO radusergroup (username,groupname,priority) VALUES ('zhangsan','H3C','0');
// create the NAS
INSERT INTO nas (nasname, type, secret) VALUES ('192.168.100.2', 'other', 'H3c@123!');
How to delete an entry
DELETE FROM nas WHERE id = 1;
How to debug?
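The Tunnel-Private-Group-ID of 20 in the group reply only puts a client into VLAN 20 if the rest of the network agrees: the VLAN must exist on the NAS, be permitted on the NAS uplink and the CORE trunk, and have a VLAN interface and a DHCP pool on CORE. The following Python check is an added example (not from the original notes) that parses the CORE and NAS excerpts above and reports anything that would break dynamic VLAN assignment. The configuration strings are copied from this page; support for the abbreviated commands (int vlan / ip add) and the limited set of statements recognised are assumptions of the script.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed inputs: the CORE and NAS excerpts from these notes (trimmed).
CORE_CONFIG = """
vlan 10 20 30 100
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 10 20 100
dhcp server ip-pool VLAN20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
dhcp server ip-pool VLAN30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
int vlan 20
 ip add 192.168.20.254 24
int vlan 30
 ip add 192.168.30.254 24
"""
NAS_CONFIG = """
vlan 10 20 100
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 10 20 100
interface Vlan-interface100
 ip address 192.168.100.2 255.255.255.0
"""

def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an H3C VLAN list such as '10 20 30 100' or '10 to 12 100'."""
    ids: Set[int] = set()
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids

def created_vlans(config: str) -> Set[int]:
    """VLANs defined by top-level 'vlan ...' lines (not 'port ... vlan' lines)."""
    ids: Set[int] = set()
    for m in re.finditer(r"^\s*vlan\s+([\d to]+)$", config, re.M):
        ids |= expand_vlan_list(m.group(1))
    return ids

def trunk_permitted(config: str) -> Optional[Set[int]]:
    """Union of VLANs permitted on trunk ports; None means 'permit vlan all'."""
    ids: Set[int] = set()
    for m in re.finditer(r"^\s*port trunk permit vlan\s+(.+?)\s*$", config, re.M):
        if m.group(1) == "all":
            return None
        ids |= expand_vlan_list(m.group(1))
    return ids

def svi_addresses(config: str) -> Dict[int, str]:
    """VLAN id -> IP on its VLAN interface; accepts 'int vlan 20' / 'ip add' shorthand."""
    addrs: Dict[int, str] = {}
    current: Optional[int] = None
    for line in (l.strip() for l in config.splitlines()):
        if re.match(r"^(int|interface|dhcp|vlan)\b", line, re.I):
            current = None  # any of these leaves the previous interface context
        m = re.match(r"^int(?:erface)?\s+vlan(?:-interface)?\s*(\d+)$", line, re.I)
        if m:
            current = int(m.group(1))
        elif current is not None:
            m = re.match(r"^ip add(?:ress)?\s+(\S+)", line)
            if m:
                addrs[current] = m.group(1)
    return addrs

def dhcp_gateways(config: str) -> Dict[str, str]:
    """DHCP pool name -> gateway-list address."""
    pools: Dict[str, str] = {}
    current: Optional[str] = None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"^dhcp server ip-pool\s+(\S+)$", line)
        if m:
            current = m.group(1)
        elif current is not None:
            m = re.match(r"^gateway-list\s+(\S+)", line)
            if m:
                pools[current] = m.group(1)
    return pools

def check_dynamic_vlan(vlan: int, nas_config: str, core_config: str) -> List[str]:
    """Reasons a RADIUS-assigned VLAN would not work end to end; empty list means OK."""
    problems: List[str] = []
    if vlan not in created_vlans(nas_config):
        problems.append(f"VLAN {vlan} is not created on the NAS")
    for name, cfg in (("NAS", nas_config), ("CORE", core_config)):
        permitted = trunk_permitted(cfg)
        if permitted is not None and vlan not in permitted:
            problems.append(f"VLAN {vlan} is not permitted on the {name} trunk")
    gateway = svi_addresses(core_config).get(vlan)
    if gateway is None:
        problems.append(f"CORE has no VLAN interface with an IP for VLAN {vlan}")
    elif gateway not in dhcp_gateways(core_config).values():
        problems.append(f"CORE has no DHCP pool with gateway-list {gateway}")
    return problems

if __name__ == "__main__":
    for v in (20, 30):
        print(v, check_dynamic_vlan(v, NAS_CONFIG, CORE_CONFIG) or "OK")
```

With the page's configuration VLAN 20 passes, while VLAN 30 (which the trunks do not carry and the NAS does not define) is reported on three counts; a client assigned such a VLAN would authenticate and then sit in a VLAN with no path to DHCP, which looks very much like the "authenticated but no address" symptom discussed at the end of these notes.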
radiusd -X
- Output here indicates the NAS is not present in the database
Fixing the missing NAS address
- Add the address to the conf file
// append the NAS at the end of the file
vim /etc/raddb/clients.conf
- Edit the sql module file
vim /etc/raddb/mods-enabled/sql
Fixing the TLS mismatch problem
vim /etc/raddb/mods-enabled/eap
systemctl restart radiusd.service
systemctl restart mariadb.service
Web result
Login procedure on Ubuntu
Final test results
- The server receives the packets
- An Accept packet means authentication succeeded
- The IP address switches from 192.168.10.1 to 192.168.20.1
- A wrong password fails authentication
- The switch sends an authentication failure to the client
Local authentication configuration on a physical H3C switch
local-user zhangsan class network
password simple 123456
service-type lan-access
authorization-attribute vlan 20
authorization-attribute user-role network-operator
domain beijing
authentication lan-access radius-scheme h3c local
Check user login status
MAC address authentication status
Clear authenticated users
Login procedure on Windows 10
Final result
Troubleshooting accounting
- Error: data too long, cannot be written to the database
Solution
cd /etc/raddb/mods-config/sql/main/mysql/
vim ./schema.sql
// re-import the database
mysql -u root -p
use radius;
// drop the existing table
DROP TABLE radacct;
source /etc/raddb/mods-config/sql/main/mysql/schema.sql;
quit
systemctl restart mariadb.service
Finally
- If authentication fails and no IP address is obtained, that is expected: after a failed authentication the switch does not forward the PC's data frames, so the DHCP exchange cannot take place
- If an IP phone is connected, voice vlan xxx enable needs to be turned on