How to Configure ACS Authentication and MAC Address Binding


Many newcomers are unsure how to configure ACS authentication and MAC address binding. To help with this, the steps are explained in detail below; anyone who needs this can follow along.

Preface

ACS authentication setup

Topology diagram

Equipment:
Switch: Quidway 2403H-HI, 1 unit
Firewall: H3C F100-C, 1 unit
Hosts: 4
DHCP Server (CentOS 6.4)
AAA Server (Windows Server 2003)

Software needed for the lab:
jdk-7-windows-i586
acs4.0-build-24
H3C_8021XClient

Address plan:
eth0/0 1.1.1.2/24
eth0/0.1 192.168.10.1/24 vlan10
eth0/0.2 192.168.20.1/24 vlan20
eth0/0.3 192.168.30.1/24 vlan30
DHCP Server 192.168.30.100/24
AAA Server 192.168.30.200/24
PC1 192.168.10.100/24
PC2 192.168.20.100/24

Configuration steps:

DHCP server configuration: add the following to /etc/dhcp/dhcpd.conf.
option domain-name-servers 222.88.88.88, 222.85.85.85;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.30.0 netmask 255.255.255.0 {
}
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.2 192.168.10.254;
  option routers 192.168.10.1;
  option domain-name "tec.com";
}
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.2 192.168.20.254;
  option routers 192.168.20.1;
  option domain-name "mkt.com";
}

FW-1 configuration:

system-view
System View: return to User View with Ctrl+Z.
[FW-1]int eth0/0
[FW-1-Ethernet0/0]ip add 1.1.1.2 24
[FW-1-Ethernet0/0]quit
[FW-1]int eth0/0.1
[FW-1-Ethernet0/0.1]vlan-type dot1q vid 10
[FW-1-Ethernet0/0.1]ip add 192.168.10.1 24
[FW-1-Ethernet0/0.1]int eth0/0.2
[FW-1-Ethernet0/0.2]vlan-type dot1q vid 20
[FW-1-Ethernet0/0.2]ip add 192.168.20.1 24
[FW-1-Ethernet0/0.2]int eth0/0.3
[FW-1-Ethernet0/0.3]vlan-type dot1q vid 30
[FW-1-Ethernet0/0.3]ip add 192.168.30.1 24
[FW-1-Ethernet0/0.3]quit
[FW-1]firewall zone trust
[FW-1-zone-trust]add int eth0/0
[FW-1-zone-trust]add int eth0/0.1
[FW-1-zone-trust]add int eth0/0.2
[FW-1-zone-trust]add int eth0/0.3
[FW-1-zone-trust]quit
[FW-1]undo insulate
[FW-1]dhcp enable
DHCP task has already been started!
[FW-1]dhcp select relay interface eth0/0.1 to eth0/0.2
[FW-1]int eth0/0.1
[FW-1-Ethernet0/0.1]ip relay add 192.168.30.100
[FW-1-Ethernet0/0.1]int eth0/0.2
[FW-1-Ethernet0/0.2]ip relay add 192.168.30.100
[FW-1]radius scheme abc
New Radius scheme
[FW-1-radius-abc]primary authentication 192.168.30.200
[FW-1-radius-abc]key authentication 123456
[FW-1-radius-abc]server-type extended
[FW-1-radius-abc]user-name-format without-domain
[FW-1-radius-abc]accounting optional
[FW-1-radius-abc]quit
[FW-1]domain tyedu.com
New Domain added.
[FW-1-isp-tyedu.com]radius-scheme abc
[FW-1-isp-tyedu.com]accounting optional
[FW-1-isp-tyedu.com]access-limit enable 100

SW1 configuration:

[Quidway]sysname SW1
[SW1]int vlan 1
[SW1-Vlan-interface1]ip add 1.1.1.1 24
[SW1-Vlan-interface1]quit
[SW1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
[SW1]vlan 10
[SW1-vlan10]port e1/0/10
[SW1-vlan10]vlan 20
[SW1-vlan20]port e1/0/20
[SW1-vlan20]vlan 30
[SW1-vlan30]port e1/0/23 e1/0/24
[SW1-vlan30]quit
[SW1]int e1/0/22
[SW1-Ethernet1/0/22]port link-type trunk
[SW1-Ethernet1/0/22]port trunk permit vlan all
[SW1-Ethernet1/0/22]dis vlan
Now, the following VLAN exist(s):
1(default), 10, 20, 30
[SW1]dot1x
802.1X is enabled globally.
[SW1]int e1/0/10
[SW1-Ethernet1/0/10]dot1x
802.1X is enabled on port Ethernet1/0/10.
[SW1-Ethernet1/0/10]quit
[SW1]int e1/0/20
[SW1-Ethernet1/0/20]dot1x
802.1X is enabled on port Ethernet1/0/20.
[SW1-Ethernet1/0/20]quit
[SW1]radius scheme xxx
New Radius scheme
[SW1-radius-xxx]primary authentication 192.168.30.200
[SW1-radius-xxx]key authentication 123456
[SW1-radius-xxx]server-type huawei
[SW1-radius-xxx]user-name-format without-domain
[SW1-radius-xxx]accounting optional
[SW1-radius-xxx]quit
[SW1]domain tyedu.com
New Domain added.
[SW1-isp-tyedu.com]radius-scheme xxx
[SW1-isp-tyedu.com]accounting optional
[SW1-isp-tyedu.com]access-limit enable 100

Installing ACS on Windows Server 2003 (the JDK must be installed first):

Adding the Huawei vendor-specific attributes: copy the h4c.ini file to the root of drive C. The contents of h4c.ini are shown below (you can copy this text directly and save it as h4c.ini).

[User Defined Vendor]
Name=Huawei
IETF Code=2011
VSA 29=hw_Exec_Privilege

[hw_Exec_Privilege]
Type=INTEGER
Profile=IN OUT
Enums=hw_Exec_Privilege-Values

[hw_Exec_Privilege-Values]
0=Access
1=Monitor
2=Manager
3=Administrator

Add the Huawei vendor-specific attributes from the bin directory of the ACS installation. Check that they have been added successfully.

Configuring ACS:

Configure the AAA Server; the server's key must match the key configured on the clients.
Configure AAA Client SW1 and select the Huawei vendor-specific attributes.
Configure AAA Client FW-1 and select the Huawei vendor-specific attributes.
Review the configuration.
Add two accounts: test1 for authenticating hosts (in Default Group) and test2 for authenticating devices (in Group 1).
Install H3C_8021XClient on the test hosts and test logging in.
PC1 test result in VLAN 10 (Technology department).
PC2 test result in VLAN 20 (Marketing department).

Requirement: the test host must be able to telnet to the devices, and the account must be authenticated by ACS (with super-administrator privilege).
First apply the Huawei vendor-specific attributes under Network Configuration → RADIUS (Huawei).
For a test host to manage the devices (SW1 and FW-1) remotely over telnet, telnet must be enabled in the group settings and the Huawei vendor-specific attributes applied there.
With telnet enabled, apply the Huawei vendor-specific attributes and select the Administrator privilege.
Telnet to SW1 and log in with the test2 account: the test succeeds and the session has super-administrator privilege.
Telnet to FW-1 (telnet 1.1.1.2 also works) and log in with the test2 account: the test succeeds and the session has super-administrator privilege.

MAC address authentication setup:

Configuration steps:

[SW1]mac-authentication
MAC-authentication is enabled globally.
[SW1]mac-authentication authmode usernameasmacaddress usernameformat without-hyphen
[SW1]int e1/0/20
[SW1-Ethernet1/0/20]mac-authentication
MAC-authentication is enabled on port Ethernet1/0/20
[SW1-Ethernet1/0/20]int e1/0/10
[SW1-Ethernet1/0/10]mac-authentication
MAC-authentication is enabled on port Ethernet1/0/10
[SW1-Ethernet1/0/10]quit
[SW1]dis mac-authentication int e1/0/20
Ethernet1/0/20 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
 MAC ADDR        Authenticate state            AuthIndex
 001c-2596-2e0e  MAC_AUTHENTICATOR_SUCCESS     21

In ACS, add the test host's MAC address as both the username and the password.

Test host result:
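As an added example (not part of the original post), the following Python script parses the "dis mac-authentication" output shown above and derives the username/password pair that SW1 sends to ACS for each online MAC under "authmode usernameasmacaddress usernameformat without-hyphen", which is exactly the account that has to be created in ACS; the "with-hyphen" variant is assumed here to be lowercase octets joined by "-". Because both fields are derived from the MAC itself, such an account identifies the device but proves nothing the MAC does not.

```python
import re

# Constructed sample, modelled on the "dis mac-authentication int e1/0/20" output above.
SAMPLE_OUTPUT = """\
Ethernet1/0/20 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
 MAC ADDR        Authenticate state            AuthIndex
 001c-2596-2e0e  MAC_AUTHENTICATOR_SUCCESS     21
"""
# H3C/Huawei CLI prints MACs as three groups of four hex digits separated by hyphens.
H3C_MAC = re.compile(r"\b([0-9a-fA-F]{4})-([0-9a-fA-F]{4})-([0-9a-fA-F]{4})\b")

def normalize_mac(mac):
    """Accept 'xxxx-xxxx-xxxx', 'xx:xx:xx:xx:xx:xx' or 'xx-xx-xx-xx-xx-xx';
    return the 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def acs_credential(mac, username_format="without-hyphen"):
    """Return (username, password) as the switch sends them for this MAC.
    'without-hyphen' (the format configured on SW1): both are the 12 hex digits.
    'with-hyphen': assumed to be the six octets joined by '-', lowercase."""
    digits = normalize_mac(mac)
    if username_format == "without-hyphen":
        cred = digits
    elif username_format == "with-hyphen":
        cred = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    else:
        raise ValueError(f"unknown usernameformat: {username_format}")
    return cred, cred  # username and password are identical by design

def parse_mac_auth_output(text):
    """Extract (mac, authenticate_state) pairs from the display output."""
    rows = []
    for line in text.splitlines():
        m = H3C_MAC.search(line)
        if m:
            rest = line[m.end():].split()
            rows.append(("-".join(m.groups()).lower(), rest[0] if rest else ""))
    return rows

def acs_accounts_for(text, username_format="without-hyphen"):
    """Map every MAC seen in the output to the ACS account it needs."""
    return {mac: acs_credential(mac, username_format)
            for mac, _ in parse_mac_auth_output(text)}
```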
