· Create VLANs v10 and v20 on the switch.
config vlan default delete 1-24
create vlan v10 tag 10
config vlan v10 add untagged 13-24
create vlan v20 tag 20
config vlan v20 add untagged 1-12
config ipif System ipaddress 192.168.0.1/24 vlan v10
· Enable 802.1X and the Guest VLAN feature.
enable 802.1x
create 802.1x guest_vlan v10
config 802.1x guest_vlan ports 13-24 state enable
· Configure the switch as an authenticator and set the RADIUS server parameters.
config 802.1x capability ports 13-24 authenticator
config radius add 1 192.168.0.10 key 123456 default
RADIUS server configuration includes setting the following user attributes:
Tunnel-Medium-Type (65) = 802
Tunnel-Pvt-Group-ID (81) = 20 (VID)
Tunnel-Type (64) = VLAN
Fig. 8.22. User attributes on the RADIUS server
The switch configuration can be checked with the following commands:
DES-3810-28# show 802.1x auth_configuration
Command: show 802.1x auth_configuration
802.1X: Enabled
Authentication Mode: Port_based
Authentication Protocol: RADIUS_EAP
Port number: 1
Capability: None
AdminCrlDir: Both
OpenCrlDir: Both
Port Control: Auto
QuietPeriod: 60 sec
TxPeriod: 30 sec
Supp Timeout: 30 sec
Server Timeout: 30 sec
MaxReq: 2 times
ReAuthPeriod: 3600 sec
ReAuthenticate: Disabled
DES-3810-28# show 802.1x guest_vlan
Command: show 802.1x guest_vlan
Guest VLAN Setting
-------------------------------
Guest VLAN: v10
Enable Guest VLAN Ports: 13-24
DES-3810-28# show radius
Command: show radius
Idx | IP Address | Auth-Port | Acct-Port | Status | Key |
--- | ------------ | ---------- | --------- | ------- | -------- |
192.168.0.10 | Active |
Total Entries: 1
Until the client connected to port 22 has been authenticated, the current VLAN configuration and 802.1X authentication state on the switch are as follows:
DES-3810-28# show vlan
VID: 1    VLAN Name: default
VLAN Type: Static    Advertisement: Enabled
Member Ports: 25-27
Static Ports: 25-27
Current Tagged Ports:
Current Untagged Ports: 25-27
Static Tagged Ports:
Static Untagged Ports: 25-27
Forbidden Ports:
VID: 10    VLAN Name: v10
VLAN Type: Static    Advertisement: Disabled
Member Ports: 13-24
Static Ports: 13-24
Current Tagged Ports:
Current Untagged Ports: 13-24
Static Tagged Ports:
Static Untagged Ports: 13-24
Forbidden Ports:
VID: 20    VLAN Name: v20
VLAN Type: Static    Advertisement: Disabled
Member Ports: 1-12
Static Ports: 1-12
Current Tagged Ports:
Current Untagged Ports: 1-12
Static Tagged Ports:
Static Untagged Ports: 1-12
Forbidden Ports:
Total Entries: 3
DES-3810-28# show 802.1x auth_state
Command: show 802.1x auth_state
Port   Auth PAE State    Backend State   Port State
----   ---------------   -------------   --------------
1      ForceAuth         Success         Authorized
2      ForceAuth         Success         Authorized
3      ForceAuth         Success         Authorized
4      ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       Disconnected      Idle            Unauthorized
…………
       Disconnected      Idle            Unauthorized
       Connecting        Idle            Unauthorized
After the client has been authenticated, the current VLAN settings and 802.1X authentication state change as follows:
DES-3810-28# show vlan
VID: 1    VLAN Name: default
VLAN Type: Static    Advertisement: Enabled
Member Ports: 25-27
Static Ports: 25-27
Current Tagged Ports:
Current Untagged Ports: 25-27
Static Tagged Ports:
Static Untagged Ports: 25-27
Forbidden Ports:
VID: 10    VLAN Name: v10
VLAN Type: Static    Advertisement: Disabled
Member Ports: 13-21,23-24
Static Ports: 13-21,23-24
Current Tagged Ports:
Current Untagged Ports: 13-21,23-24
Static Tagged Ports:
Static Untagged Ports: 13-21,23-24
Forbidden Ports:
VID: 20    VLAN Name: v20
VLAN Type: Static    Advertisement: Disabled
Member Ports: 1-12, 22
Static Ports: 1-12, 22
Current Tagged Ports:
Current Untagged Ports: 1-12, 22
Static Tagged Ports:
Static Untagged Ports: 1-12, 22
Forbidden Ports:
Total Entries: 3
DES-3810-28# show 802.1x auth_state
Command: show 802.1x auth_state
Port   Auth PAE State    Backend State   Port State
----   ---------------   -------------   --------------
1      ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       ForceAuth         Success         Authorized
       Disconnected      Idle            Unauthorized
       Disconnected      Idle            Unauthorized
…………
       Authenticated     Idle            Authorized
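
Port 22 moves from v10 to v20 because the RADIUS Access-Accept carries the three tunnel attributes configured on the server above. The following Python sketch is an added example, not part of the original text or D-Link's code: it encodes those attributes as they appear on the wire (RFC 2868, with the RFC 3580 values VLAN = 13 and IEEE-802 = 6) and models how an authenticator derives the VID from them. The function names and the sample attribute block are assumptions made for illustration.

```python
import struct

# RADIUS attribute type codes named on this page (RFC 2868).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
# Enumerated values from RFC 2868 / RFC 3580: Tunnel-Type VLAN = 13, medium IEEE-802 = 6.
TT_VLAN, MEDIUM_802 = 13, 6


def enc_enum(attr_type, value, tag=0):
    """Type, Length=6, Tag, 3-byte value (Tunnel-Type / Tunnel-Medium-Type)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def enc_group_id(vid, tag=None):
    """Tunnel-Private-Group-ID: the VID as an ASCII string, optional tag byte."""
    body = (bytes([tag]) if tag is not None else b"") + str(vid).encode("ascii")
    return struct.pack("!BB", TUNNEL_PVT_GROUP_ID, 2 + len(body)) + body


def parse_attrs(data):
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def assigned_vlan(data):
    """Return the VID to apply, or None if the attribute set is incomplete (model)."""
    seen, vid = set(), None
    for t, v in parse_attrs(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            seen.add((t, int.from_bytes(v[1:], "big")))  # v[0] is the tag byte
        elif t == TUNNEL_PVT_GROUP_ID and v:
            s = v[1:] if v[0] <= 0x1F else v  # first byte is a tag only if <= 0x1F
            if s.isdigit() and 1 <= int(s) <= 4094:
                vid = int(s)
    ok = {(TUNNEL_TYPE, TT_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_802)} <= seen
    return vid if ok else None


# Constructed sample: the three attributes from this page (VID 20), untagged.
ACCEPT_ATTRS = (enc_enum(TUNNEL_TYPE, TT_VLAN)
                + enc_enum(TUNNEL_MEDIUM_TYPE, MEDIUM_802) + enc_group_id(20))

if __name__ == "__main__":
    print(ACCEPT_ATTRS.hex(), "->", assigned_vlan(ACCEPT_ATTRS))
```

If any of the three attributes is missing or carries a different value, the function returns None, meaning no VLAN is assigned from the RADIUS reply.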