Revision history

  Developer/optimizer | Date       | Reviewer | Development type (new/optimized)
  /                   | 2012-03-16 |          | New development

  Course code | Applicable product | Product version | Course version
  IEEE023105  | S7700              | V1R6            | 1.00

S7700 Switch AAA & NAC Features and Configuration Lab Guide

Contents

1 Lab environment
  1.1 About this course
  1.2 Network topology
  1.3 Device parameters
2 Telnet user local authentication configuration
  2.1 Objectives
  2.2 Topology and service description
  2.3 Configuration roadmap
  2.4 Configuration steps
    2.4.1 Create a local user
    2.4.2 Set the VTY user authentication mode to AAA
  2.5 Verification
    2.5.1 Telnet to SWA from the client
    2.5.2 View VTY users
  2.6 Configuration reference
    2.6.1 SWA configuration
  2.7 FAQ
    2.7.1 Question 1
3 Telnet user RADIUS authentication configuration
  3.1 Objectives
  3.2 Topology and service description
  3.3 Configuration roadmap
  3.4 Configuration steps
    3.4.1 Configure the RADIUS server template
    3.4.2 Configure the domain parameters
    3.4.3 Set the VTY user authentication mode to AAA
  3.5 Verification
    3.5.1 Verify the RADIUS server template configuration
    3.5.2 Telnet to SWA from the client
    3.5.3 View VTY users
  3.6 Configuration reference
    3.6.1 SWA configuration
  3.7 FAQ
    3.7.1 Question 1
4 Telnet user HWTACACS authentication configuration
  4.1 Objectives
  4.2 Topology and service description
  4.3 Configuration roadmap
  4.4 Configuration steps
    4.4.1 Configure the HWTACACS server template
    4.4.2 Configure the domain parameters
    4.4.3 Set the VTY user authentication mode to AAA
  4.5 Verification
    4.5.1 View the HWTACACS server template configuration
    4.5.2 Telnet to SWA from the client PC
    4.5.3 View VTY users locally
  4.6 Configuration reference
    4.6.1 SWA configuration
  4.7 FAQ
    4.7.1 Question 1
5 802.1X authentication configuration
  5.1 Objectives
  5.2 Topology and service description
  5.3 Configuration roadmap
  5.4 Configuration steps
    5.4.1 Configure the RADIUS server template
    5.4.2 Configure authentication scheme authen3 with RADIUS as the authentication method
    5.4.3 Configure domain admin3 and bind the authentication scheme and RADIUS server template
    5.4.4 Configure 802.1X authentication
  5.5 Verification
    5.5.1 Check the configuration
    5.5.2 Test connectivity from the client PC to RTA
    5.5.3 Enable 802.1X authentication on the client PC
    5.5.4 Test connectivity from the client PC to RTA again
    5.5.5 Verify MAC bypass authentication
    5.5.6 802.1X authentication failure case
  5.6 Configuration reference
    5.6.1 SWA configuration
  5.7 FAQ
    5.7.1 Question 1
6 MAC authentication configuration
  6.1 Objectives
  6.2 Topology and service description
  6.3 Configuration roadmap
  6.4 Configuration steps
    6.4.1 Configure the RADIUS server template
    6.4.2 Configure authentication scheme authen3 with RADIUS as the authentication method
    6.4.3 Configure domain admin3 and bind the authentication scheme and RADIUS server template
    6.4.4 Configure MAC authentication
  6.5 Verification
    6.5.1 Check the configuration
    6.5.2 Test the account on SWA
    6.5.3 Test connectivity from the client PC to RTA
  6.6 Configuration reference
    6.6.1 SWA configuration
  6.7 FAQ
    6.7.1 Question 1
7 Web authentication configuration
  7.1 Objectives
  7.2 Topology and service description
  7.3 Configuration roadmap
  7.4 Configuration steps
    7.4.1 Configure the RADIUS server template
    7.4.2 Configure authentication scheme authen3 with RADIUS as the authentication method
    7.4.3 Configure domain admin3 and bind the authentication scheme and RADIUS server template
    7.4.4 Configure Web authentication
  7.5 Verification
    7.5.1 Check the configuration
  7.6 Configuration reference
    7.6.1 SWA configuration
  7.7 FAQ
    7.7.1 Question 1

Figures

  Figure 1-1 Overall topology
  Figure 2-1 Telnet user local authentication lab topology
  Figure 3-1 Telnet user RADIUS authentication lab topology
  Figure 4-1 Telnet user HWTACACS authentication lab topology
  Figure 5-1 802.1X authentication lab topology
  Figure 6-1 MAC authentication lab topology
  Figure 7-1 Web authentication lab topology

1 Lab environment

1.1 About this course

AAA stands for Authentication, Authorization and Accounting. It is an overall security framework that is rarely deployed on its own; it is normally combined with other technologies to raise the security of the network and of its devices. NAC (Network Admission Control) is a framework for secure network access built on the idea of "end-to-end" security: NAC approaches security from the user terminal rather than from the network device.

The labs in this course give students the basic AAA and NAC configurations. They cover:

  - Telnet user local authentication
  - Telnet user RADIUS authentication
  - Telnet user HWTACACS authentication
  - 802.1X authentication
  - 802.1X authentication with Guest VLAN
  - 802.1X authentication with MAC bypass authentication
  - MAC authentication
  - Web authentication

1.2 Network topology

Figure 1-1 Overall topology

1.3 Device parameters

Table 1-1 AAA & NAC lab devices

  Device | Model      | Version             | Remarks
  SWA    | S7703      | V100R006C00SPC100   |
  RTA    | AR2220     | V200R001C00         |
  Server | Windows PC | Windows XP or later | AAA server and Web server
  PC     | Windows PC | Windows XP or later | client
2 Telnet user local authentication configuration

2.1 Objectives

  - Master the configuration of local users on the S7700 switch.
  - Master how to view the status of VTY users on the S7700 switch.

2.2 Topology and service description

Figure 2-1 Telnet user local authentication lab topology

2.3 Configuration roadmap

  1. Create a local user.
  2. Set the VTY user authentication mode to AAA.
  3. Verify the result.

2.4 Configuration steps

2.4.1 Create a local user

Create the local user in the aaa view, giving it a username and a password, and set its service type to telnet. A new user's default privilege level is 0.

  [SWA] aaa
  [SWA-aaa] local-user u password simple u
  [SWA-aaa] local-user u service-type telnet
  [SWA-aaa] quit

The simple keyword writes the password to the configuration file in clear text; cipher stores it in encrypted form. The lab uses simple for readability; outside the lab, use cipher, because anyone who can read a configuration backup otherwise gets every password in it.

In the system view, set the level 3 super password to s, so that the level-0 user can raise its privilege after logging in:

  [SWA] super password level 3 simple s

2.4.2 Set the VTY user authentication mode to AAA

The default authentication mode of VTY users is password. Enter the VTY user interface view and change the mode to aaa:

  [SWA] user-interface vty 0 4
  [SWA-ui-vty0-4] authentication-mode aaa
  [SWA-ui-vty0-4] quit

2.5 Verification

2.5.1 Telnet to SWA from the client

From a Windows command prompt, telnet to SWA:

  C:\> telnet <SWA address>
  Login authentication
  Username:u
  Password:
  Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.

Because the user's privilege level is low, very few commands are available:

  <SWA> ?
  User view commands:
    cluster        Run cluster command
    display        Display
    hwtacacs-user  HWTACACS user
    local-user     Add/Delete/Set user(s) function
    quit           Exit from current command view
    super          Privilege current user a specified priority level
    telnet         Establish a telnet connection
    tracert        Trace route function

Use the super command to raise the privilege level:

  <SWA> super
  Password:
  Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.
  Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

2.5.2 View VTY users

First find the VTY the user is on:

  <SWA> display users
    User-Intf   Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  + 0   CON 0   00:00:00                          no
    Username : Unspecified
    34  VTY 0   00:00:56                          pass          no
    Username : u

Then view the details of that VTY user interface:

  <SWA> display user-interface vty 0
    Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  + 34   VTY 0    -              0      3            A     -
    +    : Current UI is active.
    F    : Current UI is active and work in async mode.
    Idx  : Absolute index of UIs.
    Type : Type and relative index of UIs.
    Privi: The privilege of UIs.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of UIs.
        A: Authenticate use AAA.
        N: Current UI need not authentication.
        P: Authenticate use current UIs password.
    Int  : The physical location of UIs.

The Auth column shows A (AAA) and ActualPrivi shows 3, the level reached with super.

2.6 Configuration reference

2.6.1 SWA configuration

  #
  !Software Version V100R006C00SPC800
   sysname SWA
  #
   super password level 3 simple s
  #
   vlan batch 10 20 30
  #
   dhcp enable
  #
   undo http server enable
  #
   drop illegal-mac alarm
  #
  aaa
   authentication-scheme default
   authorization-scheme default
   accounting-scheme default
   domain default
   domain default_admin
   local-user admin password simple admin
   local-user admin service-type http
   local-user u password simple u
   local-user u service-type telnet
  #
  interface Vlanif1
  #
  interface Vlanif10
   ip address ...
  #
  interface Vlanif20
   ip address ...
  #
  interface Vlanif30
   ip address ...
  #
  interface MEth0/0/1
  #
  interface GigabitEthernet0/0/1
   port link-type access
   port default vlan 30
  #
  ...
  #
  interface GigabitEthernet0/0/11
   port link-type access
   port default vlan 10
  #
  interface GigabitEthernet0/0/12
   port link-type access
   port default vlan 20
  #
  ...
  #
  user-interface con 0
  user-interface vty 0 4
   authentication-mode aaa
  #
  return

Note that this configuration still contains an account admin with the clear-text password admin (local-user admin password simple admin). The HTTP service it is bound to is disabled (undo http server enable), but the account should be given a strong password or removed before the switch leaves the lab.

2.7 FAQ

2.7.1 Question 1

Question: Why does local authentication not involve any domain configuration?

Answer: This lab is a special case: it relies on the default management domain, default_admin, which uses local authentication by default. A user can also be authenticated in a specific domain instead of the default one.
3 Telnet user RADIUS authentication configuration

3.1 Objectives

  - Master the configuration of RADIUS authentication for Telnet users on the S7700 switch.
  - Master how to view the status of VTY users on the S7700 switch.

3.2 Topology and service description

Figure 3-1 Telnet user RADIUS authentication lab topology

3.3 Configuration roadmap

  1. Configure the RADIUS server template.
  2. Configure the domain parameters.
  3. Set the VTY user authentication mode to AAA.
  4. Verify the result.

3.4 Configuration steps

3.4.1 Configure the RADIUS server template

Create a RADIUS server template named testradius with the server address, authentication port 1812, accounting port 1813 and the shared key (the address and the key are not preserved in this copy and are shown as placeholders):

  [SWA] radius-server template testradius
  [SWA-radius-testradius] radius-server authentication <server-ip> 1812
  [SWA-radius-testradius] radius-server accounting <server-ip> 1813
  [SWA-radius-testradius] radius-server shared-key cipher <key>
  [SWA-radius-testradius] quit

The shared key must be the one configured for this switch on the RADIUS server. It is what hides the user password in the request and what authenticates the server's replies, so do not store it in clear text and do not reuse one key across many devices.

3.4.2 Configure the domain parameters

The domain parameters are configured in the aaa view: an authentication scheme in radius mode, an accounting scheme in radius mode, and a domain named admin that binds the authentication scheme, the accounting scheme and the RADIUS server template.

  [SWA] aaa
  [SWA-aaa] authentication-scheme authen1
  Info: Create a new authentication scheme
  [SWA-aaa-authen-authen1] authentication-mode radius
  [SWA-aaa-authen-authen1] quit
  [SWA-aaa] accounting-scheme acc1
  Info: Create a new accounting scheme
  [SWA-aaa-accounting-acc1] accounting-mode radius
  [SWA-aaa-accounting-acc1] quit
  [SWA-aaa] domain admin
  [SWA-aaa-domain-admin] authentication-scheme authen1
  [SWA-aaa-domain-admin] accounting-scheme acc1
  [SWA-aaa-domain-admin] radius-server testradius
  [SWA-aaa-domain-admin] quit

3.4.3 Set the VTY user authentication mode to AAA

The default authentication mode of VTY users is password. Enter the VTY user interface view and change it to aaa:

  [SWA] user-interface vty 0 4
  [SWA-ui-vty0-4] authentication-mode aaa
  [SWA-ui-vty0-4] quit

Because a user's default privilege level is still 0, the level 3 super password must still be configured on SWA so that the user can obtain higher privileges. In the system view:

  [SWA] super password level 3 simple s

3.5 Verification

3.5.1 Verify the RADIUS server template configuration

View the RADIUS server template on SWA:

  <SWA> display radius-server configuration
    Server-template-name             : testradius
    Protocol-version                 : standard
    Traffic-unit                     : B
    Shared-secret-key                : <key>
    Timeout-interval(in second)      : 5
    Primary-authentication-server    : <server-ip>:1812 LoopBack:NULL
    Primary-accounting-server        : <server-ip>:1813 LoopBack:NULL
    Secondary-authentication-server  : (none):0 LoopBack:NULL
    Secondary-accounting-server      : (none):0 LoopBack:NULL
    Retransmission                   : 3
    Domain-included                  : YES
    Calling-station-id MAC-format    : ...
  Total of radius template :1

The RADIUS server can also be tested directly from SWA. This is a very practical feature: it tells you whether the RADIUS server and the switch configuration are correct without involving a client at all.

  [SWA] test-aaa admin <password> radius-template testradius
  Info: Account test succeed!
3.5.2 Telnet to SWA from the client

From a Windows command prompt, telnet to SWA:

  C:\> telnet <SWA address>
  Login authentication
  Username:admin
  Password:
  Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.

Because the user's privilege level is low, very few commands are available:

  <SWA> ?
  User view commands:
    cluster        Run cluster command
    display        Display
    hwtacacs-user  HWTACACS user
    local-user     Add/Delete/Set user(s) function
    quit           Exit from current command view
    super          Privilege current user a specified priority level
    telnet         Establish a telnet connection
    tracert        Trace route function

Use the super command to raise the privilege level:

  <SWA> super
  Password:
  Now user privilege is 3 level, and only those commands whose level is equal to or less than this level can be used.
  Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

3.5.3 View VTY users

First find the VTY the user is on:

  <SWA> display users
    User-Intf   Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  + 0   CON 0   00:00:00                          no
    Username : Unspecified
    34  VTY 0   00:00:56                          pass          no
    Username : admin

Then view the details of that VTY user interface:

  <SWA> display user-interface vty 0
    Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  + 34   VTY 0    -              0      3            A     -

The legend is the same as in 2.5.2: Auth A means the line is authenticated by AAA, and ActualPrivi 3 is the level obtained with super.

3.6 Configuration reference

3.6.1 SWA configuration

  #
  !Software Version V100R006C00SPC800
   sysname SWA
  #
   super password level 3 simple s
  #
   vlan batch 10 20 30
  #
   dhcp enable
  #
   undo http server enable
  #
   drop illegal-mac alarm
  #
  radius-server template testradius
   radius-server shared-key simple <key>
   radius-server authentication <server-ip> 1812
   radius-server accounting <server-ip> 1813
  #
  aaa
   authentication-scheme default
   authentication-scheme authen1
    authentication-mode radius
   authorization-scheme default
   accounting-scheme default
   accounting-scheme acc1
    accounting-mode radius
   domain default
   domain default_admin
   domain admin
    authentication-scheme authen1
    accounting-scheme acc1
    radius-server testradius
   local-user admin password simple admin
   local-user admin service-type http
  #
  interface Vlanif1
  #
  interface Vlanif10
   ip address ...
  #
  interface Vlanif20
   ip address ...
  #
  interface Vlanif30
   ip address ...
  #
  interface MEth0/0/1
  #
  interface GigabitEthernet0/0/1
   port link-type access
   port default vlan 30
  #
  ...
  #
  interface GigabitEthernet0/0/11
   port link-type access
   port default vlan 10
  #
  interface GigabitEthernet0/0/12
   port link-type access
   port default vlan 20
  #
  ...
  #
  user-interface con 0
  user-interface vty 0 4
   authentication-mode aaa
  #
  return

This reference shows the shared key with the simple keyword, although 3.4.1 entered it with cipher. Whichever keyword is used, a shared key that appears in clear text in a configuration backup lets whoever reads the backup decode user passwords and forge replies from that server, so keep the stored form encrypted and protect the backups.

3.7 FAQ

3.7.1 Question 1

Question: Can a user be given level 3 privileges directly on login, without running super?

Answer: Yes. This is done with a Huawei vendor-specific RADIUS attribute that carries the user level, so the RADIUS server must support that attribute.

4 Telnet user HWTACACS authentication configuration

4.1 Objectives

  - Master the configuration of HWTACACS authentication on the S7700 switch.
  - Compare the differences between RADIUS authentication and HWTACACS authentication.

4.2 Topology and service description

Figure 4-1 Telnet user HWTACACS authentication lab topology

4.3 Configuration roadmap

  1. Configure the HWTACACS server template.
  2. Configure the domain parameters.
  3. Set the VTY user authentication mode to AAA.
  4. Verify the result.

4.4 Configuration steps

4.4.1 Configure the HWTACACS server template

Create an HWTACACS server template named ht with the server address, port 49 and the shared key. Unlike RADIUS, where authentication and authorization are combined in one exchange, HWTACACS treats authentication and authorization as independent modules, so the authentication, authorization and accounting server addresses are specified separately:

  [SWA] hwtacacs-server template ht
  [SWA-hwtacacs-ht] hwtacacs-server authentication <server-ip> 49
  [SWA-hwtacacs-ht] hwtacacs-server authorization <server-ip> 49
  [SWA-hwtacacs-ht] hwtacacs-server accounting <server-ip> 49
  [SWA-hwtacacs-ht] hwtacacs-server shared-key cipher <key>
  [SWA-hwtacacs-ht] quit

Two further differences matter when comparing the two protocols: HWTACACS runs over TCP (port 49) where RADIUS uses UDP (1812 and 1813), and HWTACACS obfuscates the entire packet body with the shared key, whereas RADIUS only hides the user password and sends every other attribute in clear.
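HWTACACS follows the TACACS+ protocol, whose body obfuscation is specified in RFC 8907 section 4.5: the body is XORed with an MD5 pseudo-pad derived from the session id, the shared key, the version byte and the sequence number. The Python below is an added example for this guide, not Huawei code and not from the original lab; it implements that pseudo-pad over a constructed authentication START body and shows what a peer recovers with the correct key and with a wrong one. The key labkey, the session id 0x1A2B3C4D, the user admin2, the port name vty0 and the address 192.0.2.55 are constructed values.

```python
"""RFC 8907 (TACACS+) body obfuscation, as HWTACACS applies it with the template's shared key.
Added example for this lab guide; not Huawei code. Key, session id and field values are constructed."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(same|pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad. Applying it twice restores the body, so it also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body (RFC 8907 5.1): 8 fixed bytes, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body, session_id, key, seq_no=1, version=TAC_PLUS_VERSION):
    """12-byte header followed by the body; the body is obfuscated unless no key is configured."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Peer side: read the header and de-obfuscate the body with *our* key. A wrong key yields
    garbage, which is why a key mismatch shows up as unparseable fields, not an explicit error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def demo(key=b"labkey", wrong_key=b"otherkey"):
    """Round-trip a START for user admin2; return what the server sees with the right and wrong key."""
    session_id = 0x1A2B3C4D                                     # constructed; clients draw it randomly
    body = authen_start_body("admin2", "vty0", "192.0.2.55")    # constructed values
    packet = build_packet(body, session_id, key)
    with_right_key = parse_packet(packet, key)["body"]
    with_wrong_key = parse_packet(packet, wrong_key)["body"]
    return body, packet, with_right_key, with_wrong_key


if __name__ == "__main__":
    body, packet, ok, bad = demo()
    print("on the wire            :", packet.hex())
    print("right key recovers user:", ok[8:14])
    print("wrong key recovers     :", bad[8:14])
```

The shared-key cipher keyword in the template only controls how the key is stored on the switch; on the wire the same key must be present on both ends, and because the obfuscation is a keystream derived from MD5 rather than an authenticated cipher, HWTACACS traffic still belongs on a management network that untrusted hosts cannot reach.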
4.4.2 Configure the domain parameters

The domain parameters are configured in the aaa view. With HWTACACS, three separate schemes are defined, for authentication, authorization and accounting, each in hwtacacs mode. As with RADIUS, a domain (admin2) is then created and the three schemes and the HWTACACS server template are bound under it.

  [SWA] aaa
  [SWA-aaa] authentication-scheme authen2
  [SWA-aaa-authen-authen2] authentication-mode hwtacacs
  [SWA-aaa-authen-authen2] quit
  [SWA-aaa] authorization-scheme author2
  [SWA-aaa-author-author2] authorization-mode hwtacacs
  [SWA-aaa-author-author2] quit
  [SWA-aaa] accounting-scheme acc2
  [SWA-aaa-accounting-acc2] accounting-mode hwtacacs
  [SWA-aaa-accounting-acc2] quit
  [SWA-aaa] domain admin2
  [SWA-aaa-domain-admin2] authentication-scheme authen2
  [SWA-aaa-domain-admin2] authorization-scheme author2
  [SWA-aaa-domain-admin2] accounting-scheme acc2
  [SWA-aaa-domain-admin2] hwtacacs-server ht
  [SWA-aaa-domain-admin2] quit

4.4.3 Set the VTY user authentication mode to AAA

The default authentication mode of VTY users is password. Enter the VTY user interface view and change it to aaa:

  [SWA] user-interface vty 0 4
  [SWA-ui-vty0-4] authentication-mode aaa
  [SWA-ui-vty0-4] quit

4.5 Verification

4.5.1 View the HWTACACS server template configuration

  <SWA> display hwtacacs-server template ht
    HWTACACS-server template name    : ht
    Primary-authentication-server    : <server-ip>:49:-
    Primary-authorization-server     : <server-ip>:49:-
    Primary-accounting-server        : <server-ip>:49:-
    Secondary-authentication-server  : (none):0:-
    Secondary-authorization-server   : (none):0:-
    Secondary-accounting-server      : (none):0:-
    Current-authentication-server    : <server-ip>:49:-
    Current-authorization-server     : <server-ip>:49:-
    Current-accounting-server        : <server-ip>:49:-
    Source-IP-address                :
    Shared-key                       : <key>
    Quiet-interval(min)              : 5
    Response-timeout-interval(sec)   : 5
    Domain-included                  : Yes
    Traffic-unit                     : B

4.5.2 Telnet to SWA from the client PC

  C:\Users\l00180730> telnet <SWA address>
  Login authentication
  Username:admin2
  Password:
  Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.

The login to SWA succeeds.

4.5.3 View VTY users locally

  <SWA> display users
    User-Intf   Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  + 0   CON 0   00:00:00                          no
    Username : Unspecified
    34  VTY 0   00:00:23                          pass          no
    Username : admin2

  <SWA> display user-interface vty 0
    Idx  Type     Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  + 34   VTY 0    -              0      3            A     -

The legend is the same as in 2.5.2.

4.6 Configuration reference

4.6.1 SWA configuration

  #
  hwtacacs-server template ht
   hwtacacs-server authentication <server-ip>
   hwtacacs-server authorization <server-ip>
   hwtacacs-server accounting <server-ip>
   hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=QMAF4

[Not in this copy: the rest of 4.6.1, section 4.7, and sections 5.1 to 5.5.1 of the 802.1X lab. The text resumes in the middle of the 802.1X verification.]

5.5.2 Test connectivity from the client PC to RTA

  C:\Users\...> ping <RTA address>
  Pinging <RTA address> with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
  Ping statistics for <RTA address>:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

At this point the client PC has not been authenticated, so it has no network access and cannot ping RTA.
5.5.3 Enable 802.1X authentication on the client PC

Open the 802.1X client on the client PC. Assuming the username and password have already been created on the RADIUS server, enter them (admin3 and its password) and click Connect. If the configuration is correct the authentication succeeds and a blinking green icon appears at the bottom right of the PC's screen.

5.5.4 Test connectivity from the client PC to RTA again

  C:\Users\...> ping <RTA address>
  Pinging <RTA address> with 32 bytes of data:
  Reply from <RTA address>: bytes=32 time=11ms TTL=254
  Reply from <RTA address>: bytes=32 time=1ms TTL=254
  Reply from <RTA address>: bytes=32 time=1ms TTL=254
  Reply from <RTA address>: bytes=32 time=1ms TTL=254
  Ping statistics for <RTA address>:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 1ms, Maximum = 11ms, Average = 3ms

RTA is now reachable.

5.5.5 Verify MAC bypass authentication

For this test, stop the 802.1X client on the client PC. An account named after the PC's NIC MAC address, with the MAC address as its password, was created on the RADIUS server beforehand (for example username F0DEF1315EEC in domain admin3, password F0DEF1315EEC). If MAC bypass authentication succeeds, the PC can ping RTA. Bear in mind that any host can set its NIC to an arbitrary MAC address, so MAC bypass identifies a device but does not authenticate it; restrict it to devices that cannot run an 802.1X supplicant and keep their network access narrow.

5.5.6 802.1X authentication failure case

If authentication fails, the client PC is placed in the Guest VLAN.

  <SWA> display dot1x interface GigabitEthernet 1/0/12
  GigabitEthernet1/0/12 status: DOWN. 802.1x protocol is Enabled (mac-bypass)
   Port control type is Auto
   Authentication method is MAC-based
   Reauthentication is disabled
   Maximum users: 100
   Current users: 0
   1 user(s) have joined to guest VLAN: 100.
     f0de-f131-5eec

   Authentication Success: 16, Failure: 5
   EAPOL Packets: TX: 69, RX: 67
   Sent EAPOL Request/Identity Packets   : 22
        EAPOL Request/Challenge Packets  : 16
        Multicast Trigger Packets        : 0
        EAPOL Success Packets            : 16
        EAPOL Failure Packets            : 15
   Received EAPOL Start Packets          : 19
        EAPOL Logoff Packets             : 16
        EAPOL Response/Identity Packets  : 16
        EAPOL Response/Challenge Packets : 16

The output shows one user, MAC address f0de-f131-5eec, in guest VLAN 100.

5.6 Configuration reference

5.6.1 SWA configuration

  #
  !Software Version V100R003C00SPC200
   sysname SWA
  #
   super password level 3 simple <password>
   vlan batch 1 10 20 30
  #
  radius-server template testradius
   radius-server shared-key cipher 3MQ*TZ,O3KCQ=QMAF41!
   radius-server authentication <server-ip> 1812
   radius-server accounting <server-ip> 1813
   radius-server retransmit 2
  #
  aaa
   authentication-scheme default
   authentication-scheme authen1
    authentication-mode radius
   authentication-scheme authen2
    authentication-mode hwtacacs
   authentication-scheme authen3
    authentication-mode radius
   authorization-scheme default
   authorization-scheme author2
    authorization-mode hwtacacs
   accounting-scheme default
   accounting-scheme acc1
    accounting-mode radius
   accounting-scheme acc2
    accounting-mode hwtacacs
   domain default
   domain default_admin
   domain admin1
    authentication-scheme authen1
    accounting-scheme acc1
    radius-server testradius
   domain admin2
    authentication-scheme authen2
    accounting-scheme acc2
    authorization-scheme author2
    hwtacacs-server ht
   domain admin3
    authentication-scheme authen3
    radius-server testradius
   local-user admin password simple admin
   local-user admin service-type http
  #
  interface Vlanif10
   ip address ...
  #
  interface Vlanif20
   ip address ...
  #
  interface Vlanif30
   ip address ...
  #
  interface Ethernet0/0/0
  #
  interface GigabitEthernet1/0/0
   port link-type access
   port default vlan 30
  #
  interface GigabitEthernet1/0/11
   port link-type access
   port default vlan 10
   dot1x enable
   dot1x max-user 100
  #
  interface GigabitEthernet1/0/12
   port link-type access
   port default vlan 20
  #

Note that this excerpt enables 802.1X on GigabitEthernet1/0/11 while the verification in 5.5.6 queried GigabitEthernet1/0/12, and that it contains no line for MAC bypass or for the guest VLAN; the behaviour shown in 5.5.5 and 5.5.6 therefore depends on configuration that is not reproduced here.
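The counters in the display dot1x output of 5.5.6 (EAPOL Start, Logoff, Request/Identity, Response/Identity, Success, Failure) are the frame types exchanged between the supplicant and the switch port. The Python below is an added example for this guide, not Huawei code and not part of the original lab: it decodes IEEE 802.1X EAPOL frames and the EAP packets inside them from raw Ethernet bytes and tallies them per direction the way the switch display does. Its input is a constructed capture of one failed EAP-MD5 authentication; the switch port MAC 0011-2233-4455, the identity admin3 and the challenge bytes are made up, and the client MAC f0de-f131-5eec is the one that appears in the lab output.

```python
"""Decode IEEE 802.1X EAPOL/EAP frames and tally them like 'display dot1x interface'.
Added example for this lab guide; not Huawei code. The capture below is constructed."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}


def mac_str(raw):
    """Six bytes -> the notation the switch prints, e.g. f0de-f131-5eec."""
    return raw.hex("-", 2)


def parse_eapol(frame):
    """Return a dict describing one EAPOL frame, or None if the Ethernet frame is not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("truncated EAPOL body")
    info = {"src": mac_str(src), "dst": mac_str(dst), "version": version,
            "eapol": EAPOL_TYPES.get(eapol_type, f"type{eapol_type}")}
    if eapol_type == 0:                              # an EAP packet is carried inside
        if length < 4:
            raise ValueError("EAP header too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap"], info["id"] = EAP_CODES.get(code, f"code{code}"), ident
        if code in (1, 2) and eap_len >= 5:          # Request/Response carry a Type byte
            eap_type = body[4]
            info["eap_type"] = EAP_TYPES.get(eap_type, f"type{eap_type}")
            if code == 2 and eap_type == 1:          # Response/Identity: the username, in clear
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def tally(frames, port_mac):
    """Count frames per direction and kind; frames from the switch port MAC count as Sent."""
    counts, identities = Counter(), set()
    for frame in frames:
        info = parse_eapol(frame)
        if info is None:
            continue
        direction = "Sent" if info["src"] == port_mac else "Received"
        kind = info["eapol"]
        if kind == "EAP-Packet":
            kind = info["eap"] + ("/" + info["eap_type"] if "eap_type" in info else "")
        counts[f"{direction} {kind}"] += 1
        if "identity" in info:
            identities.add(info["identity"])
    return counts, identities


# Helpers used only to construct the sample capture (supplicant <-> switch).
def eapol_frame(src, dst, eapol_type, body=b""):
    return (bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
            + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body)


def eap_packet(code, ident, eap_type=None, data=b""):
    payload = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


SWITCH = "0011-2233-4455"     # constructed port MAC of SWA
PC = "f0de-f131-5eec"         # the client MAC shown in the lab output
PAE_GROUP = "0180-c200-0003"  # 802.1X PAE group address that supplicants send to

# One failed EAP-MD5 authentication: Start, Request/Identity (sent twice), Response/Identity,
# Request/MD5-Challenge, Response/MD5-Challenge, Failure, Logoff, plus one unrelated IPv4 frame.
CAPTURE = [
    eapol_frame(PC, PAE_GROUP, 1),
    eapol_frame(SWITCH, PC, 0, eap_packet(1, 1, 1)),
    eapol_frame(SWITCH, PC, 0, eap_packet(1, 1, 1)),
    eapol_frame(PC, SWITCH, 0, eap_packet(2, 1, 1, b"admin3")),
    eapol_frame(SWITCH, PC, 0, eap_packet(1, 2, 4, b"\x10" + b"\x00" * 16)),
    eapol_frame(PC, SWITCH, 0, eap_packet(2, 2, 4, b"\x10" + b"\x11" * 16)),
    eapol_frame(SWITCH, PC, 0, eap_packet(4, 2)),
    eapol_frame(PC, PAE_GROUP, 2),
    b"\xff" * 6 + bytes.fromhex(PC.replace("-", "")) + b"\x08\x00" + b"\x00" * 40,
]

if __name__ == "__main__":
    counts, ids = tally(CAPTURE, SWITCH)
    for name, n in sorted(counts.items()):
        print(f"{name:40s}: {n}")
    print("identities seen in clear:", ids)
```

Two things the decoder makes visible are worth remembering when reading the switch counters: the Response/Identity frame carries the username in clear, so anyone on the same segment learns which accounts exist, and EAPOL-Start and EAPOL-Logoff carry no authenticator at all, so a forged Logoff with the client's source MAC ends an authenticated session. Both are reasons to keep the guest VLAN and the MAC bypass fallback behind tight access lists.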
5.7 FAQ

5.7.1 Question 1

Question: none.

6 MAC authentication configuration

6.1 Objectives

  - Master the configuration of MAC authentication on the S7700 switch.

6.2 Topology and service description

Figure 6-1 MAC authentication lab topology

6.3 Configuration roadmap

6.4 Configuration steps

[Not in this copy: 6.4.1, 6.4.2 and the beginning of 6.4.3. The RADIUS server template testradius and the authentication scheme authen3 they create are the ones that appear in the 5.6.1 reference configuration.]

6.4.3 Configure domain admin3 and bind the authentication scheme and RADIUS server template (end of the section)

  [SWA-aaa] domain admin3
  [SWA-aaa-domain-admin3] authentication-scheme authen3
  [SWA-aaa-domain-admin3] radius-server testradius

6.4.4 Configure MAC authentication

Enable MAC authentication globally and on the interface:

  [SWA] mac-authen
  [SWA] interface gigabitethernet 1/0/0
  [SWA-GigabitEthernet1/0/0] mac-authen

Configure the domain that MAC authentication users belong to:

  [SWA] mac-authen domain admin3

(The interface checked in 6.5.1 and the reference configuration in 6.6.1 use GigabitEthernet1/0/11 for MAC authentication, not 1/0/0.)

6.5 Verification

6.5.1 Check the configuration

Run display mac-authen interface on SWA to see the MAC authentication configuration:

  <SWA> display mac-authen interface GigabitEthernet 1/0/11
  GigabitEthernet1/0/11 state: UP. MAC address authentication is enabled
   Maximum users: 2048
   Current users: 0
   Current domain is admin3
   Authentication Success: 0, Failure: 1
   Guest VLAN is disabled
   Silent MAC info:
     f0de-f131-5eec
   1 silent mac address(es) found, 1 printed.

The silent list holds MAC addresses whose authentication failed; the switch drops further authentication attempts from them until the quiet period expires, which is why f0de-f131-5eec appears there after the one recorded failure.

6.5.2 Test the account on SWA

Assuming the RADIUS server holds an account named after the client PC's NIC MAC address, with the MAC address as its password (for example username F0DEF1315EEC in domain admin3, password F0DEF1315EEC), test it from SWA:

  [SWA] test-aaa F0DEF1315EEC@admin3 F0DEF1315EEC radius-template testradius
  Info: Account test succeed!

The message shows that the test succeeded.

6.5.3 Test connectivity from the client PC to RTA

If MAC authentication succeeds, the PC can ping RTA:

  C:\Users\...> ping <RTA address>
  Pinging <RTA address> with 32 bytes of data:
  Reply from <RTA address>: bytes=32 time=11ms TTL=254
  Reply from <RTA address>: bytes=32 time=1ms TTL=254
  Reply from <RTA address>: bytes=32 time=1ms TTL=254
  Reply from <RTA address>: bytes=32 time=1ms TTL=254
  Ping statistics for <RTA address>:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 1ms, Maximum = 11ms, Average = 3ms
To see the failure case, change the client NIC's MAC address, or connect a different client to GE1/0/11 on SWA: when MAC authentication fails, the host cannot reach the network. The same experiment run the other way round, setting a new host's NIC to an already authorized MAC address, is the simplest demonstration that MAC authentication is only as strong as the MAC address itself.

6.6 Configuration reference

6.6.1 SWA configuration

The configuration is the same as in 5.6.1 (software version V100R003C00SPC200, the testradius template, the authen1/authen2/authen3, author2, acc1/acc2 schemes and the admin1/admin2/admin3 domains), except that GigabitEthernet1/0/11 carries MAC authentication instead of 802.1X:

  #
  interface GigabitEthernet1/0/11
   port link-type access
   port default vlan 10
   mac-authen
   mac-authen domain admin3
  #
  interface GigabitEthernet1/0/12
   port link-type access
   port default vlan 20
  #

6.7 FAQ

6.7.1 Question 1

Question: none.

7 Web authentication configuration

7.1 Objectives

  - Master the configuration of Web authentication on the S7700 switch.

7.2 Topology and service description

Figure 7-1 Web authentication lab topology

7.3 Configuration roadmap

7.4 Configuration steps

[Not in this copy: 7.4.1, 7.4.2 and the beginning of 7.4.3.]

7.4.3 Configure domain admin3 and bind the authentication scheme and RADIUS server template (end of the section)

  [SWA-aaa] domain admin3
  [SWA-aaa-domain-admin3] authentication-scheme authen3
  [SWA-aaa-domain-admin3] radius-server testradius

7.4.4 Configure Web authentication

Configure the Web authentication server's IP address and URL:

  [SWA] web-auth-server admin3 <server-ip> url ...

Bind the Web authentication server on the interface. Note that this is the VLANIF interface, not the physical interface:

  [SWA] interface vlanif 10
  [SWA-Vlanif10] web-auth-server admin3
  [SWA-Vlanif10] quit

7.5 Verification

7.5.1 Check the configuration

Run the corresponding display command on SWA to check the Web authentication configuration. (The command and its output are cut off in this copy, as are 7.6 and 7.7.)