802.1x 動態VLAN 派送 設定說明

802.1x 認證 必須要在個人電腦端 啟動 802.1x認證方式

Windows 7 有線網路啟動 802.1x 認證說明

http://windows.microsoft.com/zh-tw/windows-vista/enable-802-1x-authentication

交換器上設定相當簡單

1. 設定好 RADIUS Server IP 以及使用的 Secure key ..

2.設定好 認證Domain

3. Global 啟動

4.介面啟動

5.設定VLAN..把RADIUS上面要派發的VLAN ID 建立在 交換器上面

<5120_LAB>dis curr

#

version 5.20, Release 2220-US

#

sysname 5120_LAB

#

dhcp relay server-group 1 ip 192.168.40.250

#

irf mac-address persistent timer

irf auto-update enable

undo irf link-delay

# 套用 802lab domain 啟動 802.1x 認證

domain default enable 802lab

#

telnet server enable

# 全域啟動 802.1x 認證

dot1x

dot1x timer tx-period 10

dot1x authentication-method eap

#

password-recovery enable

#

igmp-snooping

#

vlan 1

#

vlan 2

# 未認證設備標準 VLAN 3

vlan 3

description Guest

# 未認證設備標準 VLAN 4

vlan 4

description Auth_Fail

#

vlan 10

# 認證後 VLAN

vlan 20

name MKTVLAN

# 認證後 VLAN

vlan 30

name SALESVLAN

#

vlan 2000

#

radius scheme NPS

primary authentication 192.168.40.99

primary accounting 192.168.40.99

key authentication cipher $c$3$P95dQNjIh8DD200WGdL69Ilu1tF7Ep9jzg==

key accounting cipher $c$3$P+dGSOilSS7B4kTLwM0swXSlBrvVazEgKA==

user-name-format without-domain

#

domain 802lab

authentication lan-access radius-scheme NPS local

authorization lan-access radius-scheme NPS local

accounting lan-access radius-scheme NPS local

access-limit disable

state active

idle-cut disable

self-service-url disable

domain system

access-limit disable

state active

idle-cut disable

self-service-url disable

#

dhcp server ip-pool 1

network 192.168.40.0 mask 255.255.255.0

gateway-list 192.168.40.254

dns-list 192.168.40.254

#

dhcp server ip-pool vlan20

network 192.168.20.0 mask 255.255.255.0

gateway-list 192.168.20.254

dns-list 8.8.8.8

#

dhcp server ip-pool vlan30

network 192.168.30.0 mask 255.255.255.0

gateway-list 192.168.30.254

dns-list 8.8.8.8

#

user-group system

group-attribute allow-guest

#

local-user admin

password cipher $c$3$HQxpLTRJwXKD7epv8nnNG6zy5WBlLccNoG5T

authorization-attribute level 3

service-type ssh telnet terminal

service-type web

#

interface NULL0

#

interface Vlan-interface1

ip address 192.168.40.250 255.255.255.0

#

interface Vlan-interface20

ip address 192.168.20.254 255.255.255.0

#

interface Vlan-interface30

ip address 192.168.30.254 255.255.255.0

# 啟動 802.1x 未認證過 存在於 VLAN 3 認證失敗 導到 VLAN4

interface GigabitEthernet1/0/1

dot1x guest-vlan 3

dot1x auth-fail vlan 4

undo dot1x handshake

dot1x port-method portbased

dot1x

#

interface GigabitEthernet1/0/2

undo dot1x handshake

undo dot1x multicast-trigger

dot1x

#

interface Ten-GigabitEthernet1/1/2

#

nqa entry imclinktopologypleaseignore ping

type icmp-echo

destination ip 192.168.40.253

frequency 270000

# 啟動 SNMP 網管服務

snmp-agent

snmp-agent local-engineid 800063A2033CE5A6A1AC69

snmp-agent community read public

snmp-agent community write private

snmp-agent sys-info version all

snmp-agent target-host trap address udp-domain 192.168.40.99 udp-port 161 params securityname public

#

dhcp enable

#

nqa schedule imclinktopologypleaseignore ping start-time now lifetime 630720000

#

load xml-configuration

#

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

user-interface vty 5 15

#

return

<5120_LAB>