
Switch 802.1x Authentication Using the PEAP and EAP-TLS Protocols (Part 2)


aaa authorization network default group radius
!--- AAA settings related to 802.1x
dot1x system-auth-control
!--- Enable the 802.1x feature globally
interface FastEthernet0/2
switchport mode access
dot1x port-control auto
spanning-tree portfast
!--- Enable 802.1x port control on F0/2
radius-server host 192.168.168.155 key xxxxxx
!--- Define the RADIUS server
III. Configure the endpoint devices
1. Configure MS Certificate Machine Autoenrollment on the AD server
On the AD server, open “Active Directory Users and Computers” from Administrative Tools, right-click the domain name and choose Properties, then choose “Group Policy → Default Domain Policy → Edit”, then “Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Automatic Certificate Request Settings”. From the menu choose “Action → New → Automatic Certificate Request → Computer”, select the CA server and click Next to finish the configuration.
2. Join the endpoint devices to the domain
Everyone knows this process, so it is not covered here.
3. Manually install the root certificate on the endpoint
If “Certificate Machine Autoenrollment” has been configured, this step can be skipped.
After logging on to the domain, enter http://192.168.168.196/certsrv in the browser to reach the certificate web enrollment page; log on with a domain administrator account.
Choose “Retrieve the CA certificate or certificate revocation list → Download CA certificate → Install Certificate → Automatically select the certificate store based on the type of the certificate”, then click Next to finish installing the certificate.
4. Configure 802.1x authentication on the endpoint
In the Ethernet adapter's connection properties choose “Authentication → Enable IEEE 802.1x authentication for this network”, set the EAP type to “Protected EAP (PEAP)”, tick “Authenticate as computer when computer information is available”, then click Properties. In the EAP properties window select “Validate server certificate” and, under “Trusted Root Certification Authorities:”, tick the corresponding root CA (here acs-ca); set the Authentication Method to “Secured password (EAP-MSCHAP v2)”. Then click Configure and make sure “Automatically use my Windows logon name and password (and domain if any)” is selected.
IV. Checking the result
After all configuration is complete, check the authentication result. Running show dot1x interface f0/2 several times shows the port state machine moving from CONNECTING through AUTHENTICATING to AUTHENTICATED:
Switch#sh dot1x int f0/2
Supplicant MAC
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
Switch#sh dot1x int f0/2
Supplicant MAC 000b.6a2a.03cb
AuthSM State = AUTHENTICATING
BendSM State = RESPONSE
PortStatus = UNAUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
Switch#sh dot1x int f0/2
Supplicant MAC 000b.6a2a.03cb
AuthSM State = AUTHENTICATED
BendSM State = IDLE
PortStatus = AUTHORIZED
MaxReq = 2
HostMode = Single
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
!--- Authentication passed
The network connection status on the endpoint now shows “Authentication succeeded.”
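As an added example (not from the original article), a small Python checker that parses show dot1x interface snapshots like the ones above and flags ports that are not AUTHORIZED or that have periodic re-authentication disabled (as in this output, where Re-authentication = Disabled). The sample text is constructed from the snapshots shown above, trimmed to the fields the checker uses.

```python
import re

# Constructed sample input: two of the article's "show dot1x interface"
# snapshots, trimmed to the fields the checker looks at.
SAMPLE = """Switch#sh dot1x int f0/2
Supplicant MAC
AuthSM State = CONNECTING
PortStatus = UNAUTHORIZED
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
Switch#sh dot1x int f0/2
Supplicant MAC 000b.6a2a.03cb
AuthSM State = AUTHENTICATED
PortStatus = AUTHORIZED
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
"""

# "Switch#sh dot1x int f0/2" -> interface name; "Key = Value [Seconds]" -> pair
PROMPT = re.compile(r"^\S+#sh(?:ow)? dot1x int\S* (\S+)$")
MAC = re.compile(r"^Supplicant MAC\s*(\S*)$")
KV = re.compile(r"^([A-Za-z -]+?)\s*=\s*(.+?)(?: Seconds)?$")

def parse_snapshots(text):
    """Split CLI output into one dict per 'show dot1x interface' run."""
    snaps = []
    for line in text.splitlines():
        line = line.strip()
        if m := PROMPT.match(line):
            snaps.append({"interface": m.group(1)})
        elif not snaps:
            continue  # ignore anything before the first prompt
        elif m := MAC.match(line):
            # An empty MAC means no supplicant has been seen on the port yet
            snaps[-1]["supplicant_mac"] = m.group(1) or None
        elif m := KV.match(line):
            snaps[-1][m.group(1).strip()] = m.group(2)
    return snaps

def audit(snap):
    """Findings for one snapshot: unauthorized port, no periodic reauth."""
    findings = []
    if snap.get("PortStatus") != "AUTHORIZED":
        findings.append(f"{snap['interface']}: not authorized "
                        f"(AuthSM={snap.get('AuthSM State')})")
    if snap.get("Re-authentication") == "Disabled":
        findings.append(f"{snap['interface']}: re-authentication disabled")
    return findings
```

Feed it the captured output of the command run across all access ports to get a list of ports still stuck before AUTHENTICATED and ports that never re-check the supplicant.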
V. Tips
* Note that the Windows client must keep a working network connection while installing the root certificate; if 802.1x has already been enabled on the port at that point, the network will be disconnected.
* On the AD server, Certificate Services should be installed after IIS, otherwise certificate web enrollment will not work.
