使用 802.1x 認證時，必須先在個人電腦端啟用 802.1x 認證。
Windows 7 有線網路啟動 802.1x 認證說明
http://windows.microsoft.com/zh-tw/windows-vista/enable-802-1x-authentication
交換器上的設定相當簡單：
1. 設定 RADIUS Server IP 以及使用的 Secure key（RADIUS 共用金鑰）
2. 設定認證 Domain
3. 全域（Global）啟動 802.1x
4. 在介面上啟動 802.1x
5. 設定 VLAN：把 RADIUS 上面要派發的 VLAN ID 建立在交換器上面
<5120_LAB>dis curr
#
# Software version and host name as reported by the device.
version 5.20, Release 2220-US
#
sysname 5120_LAB
#
# DHCP relay server group 1 points at 192.168.40.250, which is the same address
# that this listing configures on Vlan-interface1 of this switch.
dhcp relay server-group 1 ip 192.168.40.250
#
# IRF (stacking) settings as shown by the device; they play no part in the
# 802.1X setup described on this page.
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
# Make 802lab the default ISP domain, so 802.1X users are handled by the AAA
# methods configured under "domain 802lab".
domain default enable 802lab
#
# NOTE(review): Telnet carries credentials and session data in cleartext. The
# local user "admin" is allowed ssh, but no "ssh server enable" line appears in
# this listing. Outside a lab, manage the switch over SSH and drop this line.
telnet server enable
# Enable 802.1X globally (it is also enabled per interface further down).
dot1x
# tx-period timer set to 10 (seconds, per vendor documentation): the interval
# used when the switch sends EAP-Request/Identity to clients.
dot1x timer tx-period 10
# EAP relay: the switch passes the client's EAP packets on to the RADIUS
# server instead of terminating EAP itself.
dot1x authentication-method eap
#
# NOTE(review): with password recovery enabled, a person at the console can
# presumably get past the saved credentials from the boot menu. Confirm against
# the platform documentation and the physical-access policy for the device.
password-recovery enable
#
igmp-snooping
#
vlan 1
#
vlan 2
# VLAN 3: 802.1X guest VLAN, referenced by "dot1x guest-vlan 3" on
# GigabitEthernet1/0/1 (clients that have not authenticated).
vlan 3
description Guest
# VLAN 4: 802.1X Auth-Fail VLAN, referenced by "dot1x auth-fail vlan 4" on
# GigabitEthernet1/0/1. It holds clients that FAILED authentication, which is
# a different case from clients that have not authenticated (VLAN 3).
# NOTE(review): this listing shows no Vlan-interface and no DHCP pool for
# VLAN 3 or VLAN 4, so what such a client can reach depends on configuration
# not shown here. Confirm both VLANs are isolated from VLAN 1, 20 and 30.
vlan 4
description Auth_Fail
#
vlan 10
# VLAN used after successful authentication (presumably the ID returned by
# RADIUS; it has to exist on the switch before it can be assigned).
vlan 20
name MKTVLAN
# VLAN used after successful authentication (presumably the ID returned by
# RADIUS; it has to exist on the switch before it can be assigned).
vlan 30
name SALESVLAN
#
vlan 2000
#
# RADIUS scheme "NPS": authentication and accounting both go to 192.168.40.99.
radius scheme NPS
primary authentication 192.168.40.99
primary accounting 192.168.40.99
# Shared secrets for authentication and accounting, shown in the device's
# stored "cipher" form.
# NOTE(review): the cipher form is how the device stores the secret, not a
# safe-to-publish digest. Treat any value that has been posted as disclosed and
# rotate the shared secret on both the switch and the RADIUS server.
key authentication cipher $c$3$P95dQNjIh8DD200WGdL69Ilu1tF7Ep9jzg==
key accounting cipher $c$3$P+dGSOilSS7B4kTLwM0swXSlBrvVazEgKA==
# Send user names to the RADIUS server without the @domain suffix.
user-name-format without-domain
#
# ISP domain used for 802.1X (lan-access) users.
domain 802lab
# For authentication, authorization and accounting: use RADIUS scheme NPS
# first, with "local" as the backup method.
# NOTE(review): the backup applies when the RADIUS server cannot be reached.
# The only local user in this listing (admin) has no lan-access service type,
# so the fallback presumably admits nobody. Decide deliberately whether ports
# should fail closed or fall back, and verify the behavior on the device.
authentication lan-access radius-scheme NPS local
authorization lan-access radius-scheme NPS local
accounting lan-access radius-scheme NPS local
access-limit disable
state active
idle-cut disable
self-service-url disable
# Built-in "system" domain with no AAA method lines shown.
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
# Pool for 192.168.40.0/24. This is the subnet of Vlan-interface1
# (192.168.40.250) and of the RADIUS server (192.168.40.99).
# NOTE(review): clients leased from this pool share a subnet with the switch
# management address and the RADIUS server; confirm that is intended.
dhcp server ip-pool 1
network 192.168.40.0 mask 255.255.255.0
gateway-list 192.168.40.254
dns-list 192.168.40.254
#
# Pool for VLAN 20 (MKTVLAN); the gateway is Vlan-interface20 on this switch.
dhcp server ip-pool vlan20
network 192.168.20.0 mask 255.255.255.0
gateway-list 192.168.20.254
dns-list 8.8.8.8
#
# Pool for VLAN 30 (SALESVLAN); the gateway is Vlan-interface30 on this switch.
dhcp server ip-pool vlan30
network 192.168.30.0 mask 255.255.255.0
gateway-list 192.168.30.254
dns-list 8.8.8.8
#
# User group "system" (presumably the device default group).
user-group system
group-attribute allow-guest
#
# Local administrator account.
local-user admin
# Password in the device's stored "cipher" form.
# NOTE(review): treat a published cipher string as a disclosed password and
# change it on any device that used it.
password cipher $c$3$HQxpLTRJwXKD7epv8nnNG6zy5WBlLccNoG5T
# Level 3 is the highest command privilege level on this software family.
authorization-attribute level 3
# The account may log in over SSH, Telnet, the console/terminal and the web UI.
# NOTE(review): telnet is cleartext, and the listing shows no HTTPS-only
# setting for web. Trim the service types to those actually needed.
service-type ssh telnet terminal
service-type web
#
interface NULL0
#
# Layer-3 interface for VLAN 1; also the switch address used on the
# 192.168.40.0/24 subnet where the RADIUS server lives.
interface Vlan-interface1
ip address 192.168.40.250 255.255.255.0
#
# Gateway for VLAN 20 (matches gateway-list in "dhcp server ip-pool vlan20").
interface Vlan-interface20
ip address 192.168.20.254 255.255.255.0
#
# Gateway for VLAN 30 (matches gateway-list in "dhcp server ip-pool vlan30").
# NOTE(review): no ACL or packet filter is shown on these interfaces, so the
# switch presumably routes freely between VLAN 1, 20 and 30. Confirm whether
# authenticated user VLANs should reach the management subnet.
interface Vlan-interface30
ip address 192.168.30.254 255.255.255.0
# Enable 802.1X on the port: clients that have not authenticated are placed in
# VLAN 3 (guest), clients that fail authentication are moved to VLAN 4.
interface GigabitEthernet1/0/1
dot1x guest-vlan 3
dot1x auth-fail vlan 4
# Turn off the online-user handshake (the switch's periodic check that the
# client is still present). Presumably done because the native Windows
# supplicant does not answer it; verify for the clients in use.
undo dot1x handshake
# Port-based access control: the port as a whole is authorized.
# NOTE(review): in port-based mode, once one client authenticates, other
# devices behind the same port (hub, unmanaged switch, VM bridge) are admitted
# without authenticating. Use MAC-based control where that matters.
dot1x port-method portbased
dot1x
#
# 802.1X on the second port, with no guest or auth-fail VLAN and no
# port-method line (so the platform default access-control mode applies).
interface GigabitEthernet1/0/2
undo dot1x handshake
# Stop the switch from periodically multicasting EAP-Request/Identity;
# authentication then starts when the client initiates it.
undo dot1x multicast-trigger
dot1x
#
interface Ten-GigabitEthernet1/1/2
#
# NQA ICMP-echo probe toward 192.168.40.253. The entry name suggests it was
# created by a management platform for link topology discovery -- TODO confirm.
nqa entry imclinktopologypleaseignore ping
type icmp-echo
destination ip 192.168.40.253
frequency 270000
# Enable the SNMP agent for network management.
snmp-agent
snmp-agent local-engineid 800063A2033CE5A6A1AC69
# NOTE(review): "public" (read) and "private" (write) are the well-known
# default community names, and no ACL restricts who may use them. The write
# community allows configuration changes over SNMP. Replace both with unique
# values, bind them to an ACL for the management station, or remove write
# access if it is not needed.
snmp-agent community read public
snmp-agent community write private
# "version all" enables SNMPv1, v2c and v3. v1/v2c send the community string
# in cleartext; prefer v3 with authentication and privacy where supported.
snmp-agent sys-info version all
# Trap receiver at 192.168.40.99.
# NOTE(review): the target port is 161, while SNMP traps conventionally go to
# UDP 162. Confirm the receiver really listens on 161.
snmp-agent target-host trap address udp-domain 192.168.40.99 udp-port 161 params securityname public
#
# Enable the DHCP service globally (needed for the server pools above it in
# the running configuration).
dhcp enable
#
# Start the NQA probe immediately; lifetime 630720000 is about 20 years if the
# unit is seconds -- TODO confirm.
nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000
#
load xml-configuration
#
# Login lines. VTY 0-4 use "scheme" authentication (AAA user name and
# password). No authentication-mode line is shown for aux 0 or VTY 5-15, so
# those lines run on the platform default.
# NOTE(review): with the Telnet server enabled, verify the default for
# VTY 5-15 on the device and give every VTY line the same explicit policy.
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
user-interface vty 5 15
#
return
<5120_LAB>