Network topology
Core switch configuration
vlan 10 20 30 100
interface GigabitEthernet1/0/2
port access vlan 30
stp edged-port
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 10 20 100
// DHCP configuration
dhcp enable
dhcp server ip-pool VLAN10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
forbidden-ip 192.168.10.254
dhcp server ip-pool VLAN20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
forbidden-ip 192.168.20.254
dhcp server ip-pool VLAN30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
forbidden-ip 192.168.30.254
int vlan 10
ip add 192.168.10.254 24
int vlan 20
ip add 192.168.20.254 24
int vlan 30
ip add 192.168.30.254 24
int vlan 100
ip add 192.168.100.1 24
NAS network configuration
vlan 10 20 100
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 100
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid vlan 1 10 20 untagged
port hybrid pvid vlan 10
stp edged-port
interface Vlan-interface100
ip address 192.168.100.2 255.255.255.0
ip route-static 0.0.0.0 0 192.168.100.1
NAS key configuration (802.1X and RADIUS)
dot1x
dot1x authentication-method eap // EAP relay; the default is EAP termination with CHAP. Relay offloads the authentication work from the switch to the server
radius scheme beijing
primary authentication 192.168.30.1 key simple H3c@123! // the key must match the shared secret configured on the authentication server
primary accounting 192.168.30.1 key simple H3c@123!
nas-ip 192.168.100.2
user-name-format without-domain // send the user name to the server without the domain suffix
domain beijing
authentication lan-access radius-scheme beijing // wired-access authentication bound to the RADIUS scheme (use "local" instead for local login)
authorization lan-access radius-scheme beijing // authorization
accounting lan-access radius-scheme beijing // accounting
int g1/0/2 // applied on the downlink port
dot1x // enable 802.1X on the interface
dot1x port-method macbased // per-MAC authentication
dot1x mandatory-domain beijing // bind the domain to the port
FreeRADIUS configuration (SQL backend)
mysql -u root -p
use radius;
-- create a user
INSERT INTO radcheck (id,username,attribute,op,VALUE) VALUES ('1','zhangsan','Cleartext-Password',':=','123456');
-- configure the group reply policy (dynamic VLAN assignment, RFC 3580 attributes)
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Tunnel-Type',':=','VLAN');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Tunnel-Medium-Type',':=','IEEE-802');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('H3C','Tunnel-Private-Group-ID',':=','20');
-- bind user zhangsan to the H3C group
INSERT INTO radusergroup (username,groupname,priority) VALUES ('zhangsan','H3C','0');
-- create the NAS (the switch); the secret must equal the key in the switch's radius scheme
INSERT INTO nas (nasname, type, secret) VALUES ('192.168.100.2', 'other', 'H3c@123!');
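The three Tunnel-* reply rows above are what make the switch move the port into VLAN 20, and the shared secret in the radius scheme and the nas table is what lets the switch trust the reply. The following added example (not code from the page, FreeRADIUS or H3C) builds the Access-Accept those rows produce, computes its Response Authenticator over the secret from the page (H3c@123!), and shows the NAS-side checks: the authenticator must verify, the code must be Access-Accept, and Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID must form a consistent VLAN triplet before any VLAN is applied. The packet layout follows RFC 2865 and the tagged-attribute encoding follows RFC 2868; the Request Authenticator is a constructed stand-in, and encoding untagged attributes with tag byte 0x00 is an assumption made for the demo.

```python
"""Added example: RADIUS Access-Accept with dynamic-VLAN attributes, signed and verified."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS codes and attribute numbers (RFC 2865 / RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 6, 64, 65, 81
FRAMED_USER, TUNNEL_VLAN, MEDIUM_IEEE_802 = 2, 13, 6

SECRET = b"H3c@123!"             # shared secret from the page's radius scheme / nas table
REQUEST_AUTH = bytes(range(16))  # constructed stand-in for the 16-byte Request Authenticator


def avp(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    # RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian integer
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type: int, value: str, tag: int = 0) -> bytes:
    # RFC 2868 tagged string: one tag byte followed by the string
    return avp(attr_type, bytes([tag]) + value.encode())


def vlan_reply_attributes(vlan_id: int) -> bytes:
    """The attribute set the radgroupreply rows for group H3C yield (VLAN 20 on the page)."""
    return b"".join([
        avp(SERVICE_TYPE, FRAMED_USER.to_bytes(4, "big")),
        tagged_int(TUNNEL_TYPE, TUNNEL_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802),
        tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
    ])


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the NAS's own secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        out.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return out


def strip_tag(value: bytes) -> bytes:
    # RFC 2868: a leading byte in 0x00..0x1F is a tag, anything larger is data
    return value[1:] if value and value[0] <= 0x1F else value


def assigned_vlan(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """VLAN the NAS should apply, or None when the reply must be ignored:
    bad authenticator, not an Access-Accept, or an inconsistent VLAN triplet."""
    if not verify_response(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    found: Dict[int, bytes] = {}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            found[attr_type] = strip_tag(value)
    if found.get(TUNNEL_TYPE) != TUNNEL_VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802.to_bytes(3, "big"):
        return None
    group_id = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group_id is None or not group_id.isdigit():
        return None
    vlan = int(group_id)
    return vlan if 1 <= vlan <= 4094 else None


def demo() -> Dict[str, Optional[int]]:
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, vlan_reply_attributes(20), SECRET)
    reject = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, b"", SECRET)
    tampered = accept[:-1] + bytes([accept[-1] ^ 1])  # flips the last digit of the VLAN string
    return {
        "vlan": assigned_vlan(accept, REQUEST_AUTH, SECRET),            # 20
        "wrong_secret": assigned_vlan(accept, REQUEST_AUTH, b"wrong"),  # None
        "reject": assigned_vlan(reject, REQUEST_AUTH, SECRET),          # None
        "tampered": assigned_vlan(tampered, REQUEST_AUTH, SECRET),      # None
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from this. A secret mismatch between the radius scheme on the switch and the nas table (or clients.conf) does not produce a readable error on the client: the NAS silently discards the reply because the authenticator fails, which looks like a timeout. And FreeRADIUS only loads the nas table into its client list when `read_clients = yes` is set in the sql module configuration (mods-available/sql); otherwise the switch must be listed in clients.conf, which is the situation the debugging section below runs into.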
How to delete an entry
DELETE FROM nas WHERE id = 1;
How to debug?
radiusd -X
- The debug output here shows that the NAS is not present in the database
- Solution: add the NAS at the end of the clients file
vim /etc/raddb/clients.conf
Web view (daloRADIUS)
Login procedure on Ubuntu
Final test results
- The server receives the packet from the switch
- An Access-Accept packet means authentication succeeded
- The client's IP address switches from 192.168.10.1 to 192.168.20.1 (the port moved from VLAN 10 to the assigned VLAN 20)
- With a wrong password, authentication fails
- The switch relays the authentication failure to the client