Wireless Dynamic VLAN Configuration

Requirement: wireless users in each department may only be connected to the VLAN that belongs to their department.

Environment:

Network devices: core switch H3C S5500 (192.168.10.254), access-layer PoE switch H3C S5130 (192.168.10.253), AC H3C WX2560H (192.168.10.252), APs WA4320;

Servers: domain/DHCP server (192.168.20.1), NPS server (192.168.20.2)

The VLANs are 10, 20, 30, 40, 50 and 60: 10 is the network-device segment, 20 the Windows server segment, 30 the AP segment, and 40/50/60 are the users' production segments. Addresses in 10/20/30 are assigned by the core switch; for 40/50/60 the core switch relays DHCP to the Windows DHCP server, which assigns the addresses.

I. Switch configuration:

Core switch S5500:

<S5500>dis cur
#
 version 7.1.045, Release 3116
#
 sysname S5500
#
 clock timezone Lisbon add 00:00:00
 clock protocol none
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dhcp enable
 dhcp server forbidden-ip 192.168.10.1 192.168.10.10
 dhcp server forbidden-ip 192.168.20.1 192.168.20.10
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
 stp global enable
#
dhcp server ip-pool 10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 dns-list 192.168.20.1
 option 43 hex 8007000001c0a80afc        # The APs are in VLAN 30 and the AC in VLAN 10; for APs to register across subnets, Option 43 must be configured on the DHCP server, carrying the AC's address in hex
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.233 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlan-interface30
 ip address 192.168.30.254 255.255.255.0
#
interface Vlan-interface40
 ip address 192.168.40.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface50
 ip address 192.168.50.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface60
 ip address 192.168.60.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17          # downlink to the S5130
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/18          # downlink to the AC WX2560H
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/19
 combo enable copper
#
interface GigabitEthernet1/0/20
 combo enable copper
#
interface GigabitEthernet1/0/21
 combo enable copper
#
interface GigabitEthernet1/0/22
 combo enable copper
#
interface GigabitEthernet1/0/23
 port access vlan 10
 combo enable copper
#
interface GigabitEthernet1/0/24
 port access vlan 20
 combo enable copper
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
 snmp-agent
 snmp-agent local-engineid 800063A2803CF5CC29A26100000001
 snmp-agent community write private
 snmp-agent community read public
 snmp-agent sys-info version all
#
domain system
#
 aaa session-limit http 6
 aaa session-limit https 6
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$m6G0XrvVo3KCxzlo$ZiSUweumlOHswdjZOF9eac28c8rKCP4001GBXyfQp444n0ETJiRF6TJJNHE9Sh+eEChM11nlVTbZ5v6c8juKyA==
 service-type telnet terminal http https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 netconf soap http enable
 netconf soap https enable
#
 ip http enable
 ip https enable
#
return
<S5500>
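The `option 43 hex 8007000001c0a80afc` line in the pool-30 configuration above is what lets APs in VLAN 30 find the AC in VLAN 10. As an added example (not code from the original post), the following Python encoder/decoder reproduces that value from the AC address 192.168.10.252 and checks the length fields, so a hand-typed value can be verified before it is pasted into the DHCP pool. The sub-option layout it assumes is H3C's AC-discovery format, which the page's own value follows: type 0x80, one length byte, two zero bytes, an AC count, then one IPv4 address per AC.

```python
import ipaddress

# H3C AC-discovery sub-option carried inside DHCP Option 43 (layout as in the page's value):
#   type 0x80 | length | 0x00 0x00 | AC count | one packed IPv4 address per AC
H3C_AC_SUBOPTION_TYPE = 0x80


def encode_h3c_option43(ac_addresses):
    """Build the hex string for 'option 43 hex ...' from a list of AC IPv4 addresses."""
    packed = [ipaddress.IPv4Address(addr).packed for addr in ac_addresses]
    # The length is a single byte, so at most (255 - 3) // 4 = 63 AC addresses fit
    if not 1 <= len(packed) <= 63:
        raise ValueError("need between 1 and 63 AC addresses")
    payload = b"\x00\x00" + bytes([len(packed)]) + b"".join(packed)
    return (bytes([H3C_AC_SUBOPTION_TYPE, len(payload)]) + payload).hex()


def decode_h3c_option43(hex_value):
    """Parse an option 43 hex string back into AC addresses, rejecting inconsistent lengths."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 2 or raw[0] != H3C_AC_SUBOPTION_TYPE:
        raise ValueError("not an H3C AC-discovery sub-option (type 0x80)")
    if raw[1] != len(raw) - 2:
        raise ValueError("length byte %d does not match payload of %d bytes" % (raw[1], len(raw) - 2))
    payload = raw[2:]
    if len(payload) < 3:
        raise ValueError("payload too short to hold an AC count")
    count = payload[2]
    if len(payload) != 3 + 4 * count:
        raise ValueError("AC count %d does not match %d address bytes" % (count, len(payload) - 3))
    return [str(ipaddress.IPv4Address(payload[3 + 4 * i:7 + 4 * i])) for i in range(count)]


def is_valid_h3c_option43(hex_value):
    """True if the value decodes cleanly; a typo in the length or count byte returns False."""
    try:
        decode_h3c_option43(hex_value)
        return True
    except ValueError:
        return False


def cli_line(ac_addresses):
    """The sub-command to place under 'dhcp server ip-pool 30' for the given ACs."""
    return " option 43 hex " + encode_h3c_option43(ac_addresses)


if __name__ == "__main__":
    # The page's value decodes to the single AC at 192.168.10.252
    print(decode_h3c_option43("8007000001c0a80afc"))
    print(cli_line(["192.168.10.252"]))
```

Running the script prints `['192.168.10.252']` and the pool line with the page's hex value; a second AC simply extends the address list and bumps the length and count bytes.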


PoE switch S5130:

The detailed configuration is omitted; the key points are:
1. Enable PoE on the ports;
2. Because the APs are to come online automatically, every port on this switch that connects to an AP is configured in access mode, in the AP VLAN 30;


AC WX2560H:

<WX2560H>dis cur
#
 version 7.1.064, Release 5215P01
#
 sysname WX2560H
#
 telnet server enable
#
 dot1x                                   # enable 802.1X and set the 802.1X system authentication method to EAP
 dot1x authentication-method eap
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
wlan service-template 1                  # wireless service template
 ssid service1
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain dm01
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.252 255.255.255.0
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/1           # AC uplink port
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
interface GigabitEthernet1/0/3
 port link-mode bridge
#
interface GigabitEthernet1/0/4
 port link-mode bridge
#
interface GigabitEthernet1/0/5
 port link-mode bridge
#
interface GigabitEthernet1/0/6
 port link-mode bridge
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 192.168.10.0 24 192.168.10.254    # static route
 ip route-static 192.168.20.0 24 192.168.10.254    # add this static route, otherwise authentication cannot succeed
 ip route-static 192.168.30.0 24 192.168.10.254    # add this static route, otherwise the APs cannot register with the AC
#
 undo info-center logfile enable
#
 radius session-control enable            # enable the RADIUS session-control function
#
radius scheme rd01                        # create the RADIUS scheme: authentication/authorization and accounting servers and their keys
 primary authentication 192.168.20.2 key cipher $c$3$H/oG+QiqvYDHlrCjYQtLXoWoKXbOf9mSuU1N
 primary accounting 192.168.20.2 key cipher $c$3$4/xA5b5wob1GLTAt+J4pxJJf8NuaSzQOiYn2
 key authentication cipher $c$3$bCmB/bA01ZFxZnpa1xxpBCLeIZnQ2uhhp4Ee
 key accounting cipher $c$3$NXsfRNwLjlhQw0YMKdmAgf2L2oQFVFGGIGpp
 nas-ip 192.168.10.252                    # specify the NAS-IP, i.e. the AC's address
#
radius dynamic-author server              # enable and configure RADIUS DAE
 client ip 192.168.20.2 key cipher $c$3$GRXfDjXnWehlelAEC7r8/UOIFw9OYwzfwvZd
#
domain dm01                               # create the local ISP domain
 authentication lan-access radius-scheme rd01
 authorization lan-access radius-scheme rd01
 accounting lan-access radius-scheme rd01
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$D5QsfpSiuEZF2/U4$8Q1ajQ+0kHYMJjx5sJESu48zPA+O9o+txSM7JQP3MJP6o4DXCQ+PeGwqXGX39NRJZX8HsGSCC1YdCZJCtzUYsg==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
 wlan auto-ap enable
 wlan auto-persistent enable
#
wlan global-configuration
#
wlan ap-group default-group
 vlan 1
#
wlan ap 38ad-be58-d860 model WA4320H
 serial-id 219801A0YG8178E08438
 radio 1
 radio 2
#
wlan ap 38ad-be58-d6a0 model WA4320H
 serial-id 219801A0YG8178E08424
 radio 1
  radio enable
  service-template 1
 radio 2
#
 cloud-management server domain oasis.h3c.com
#
return
<WX2560H>


II. Server configuration

1. Domain server configuration (omitted)

After the domain server has been installed in the usual way, install Certificate Services.

Configure Certificate Services on the AD server:

[screenshots]

Add the Certification Authority and Certification Authority Web Enrollment role services:

[screenshots]

Certificate Services installed successfully:

[screenshot]

Request a certificate on the RADIUS server:

[screenshots]

The validity period is 365 days:

[screenshots]

2. RADIUS server configuration

The RADIUS server configuration consists of four parts.

2.1 Create a Shared Secrets template

[screenshot]

2.2 Create the RADIUS client.

The RADIUS client is normally the AC's address. For some brands whose wireless APs use a software AC, the RADIUS clients are the IP addresses of all the APs (in that case the APs must be given fixed IP addresses).

[screenshot]

2.3 Connection request policy

Connection request policies and network policies correspond one to one; usually one department (or one VLAN) corresponds to one policy.

[screenshots]

2.4 Network policy

In the network policy, the main parameters to set are the following:

Matching security group: the Windows group this policy applies to, usually a department's security group;

[screenshot]

Authentication method: EAP type

[screenshots]

Framed-Protocol: PPP

Service-Type: Framed

Tunnel-Medium-Type: the tunnel medium type is 802

Tunnel-Pvt-Group-ID: defines the VLAN the user belongs to

[screenshot]
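To show what the attribute list above produces on the wire, and what the AC does with it, here is an added Python example (not code from the original post or from H3C or Microsoft). It builds the Access-Accept that NPS returns for a member of a department group, using Framed-Protocol, Service-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as listed above plus Tunnel-Type = VLAN, which RFC 3580 requires alongside them; it then performs the NAS-side check that the reply was produced with the correct shared secret before trusting the VLAN. The group-to-VLAN table, the shared secret and the Request Authenticator are constructed for the example; the real exchange runs inside EAP and also carries Message-Authenticator and key material, which this model omits.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers (RFC 2865, RFC 2868, RFC 3580)
ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed department group -> VLAN table, one entry per network policy (VLANs 40/50/60 as on the page)
GROUP_TO_VLAN = {"Dept-A": 40, "Dept-B": 50, "Dept-C": 60}


def int_attr(attr_type, value):
    """Plain 32-bit integer attribute: type, length=6, value."""
    return bytes([attr_type, 6]) + struct.pack(">I", value)


def tagged_attr(attr_type, value, tag=1):
    """RFC 2868 tagged attribute: type, length, tag byte, then a 3-byte integer or a string."""
    body = bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int) else value.encode("ascii"))
    return bytes([attr_type, len(body) + 2]) + body


def vlan_attributes(group):
    """The attribute set the network policy returns for a member of `group`."""
    vlan = GROUP_TO_VLAN[group]
    return (int_attr(FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP)
            + int_attr(SERVICE_TYPE, SERVICE_TYPE_FRAMED)
            + tagged_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept = Code, Identifier, Length, Response Authenticator, Attributes.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def response_authenticator_ok(packet, request_authenticator, secret):
    """The NAS-side check: a reply built with the wrong shared secret, or altered in transit, fails here."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def vlan_from_access_accept(packet, request_authenticator, secret):
    """What the AC does with the reply: verify it, then take the VLAN from the tunnel attributes."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    if not response_authenticator_ok(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    tunnel_type = medium = group_id = None
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is not a tag but part of the string (RFC 2868 section 3.6)
            group_id = (value if value[0] > 0x1F else value[1:]).decode("ascii")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group_id is None:
        raise ValueError("VLAN assignment incomplete; the client would stay in the template's default VLAN")
    return int(group_id)


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))  # constructed sample values
    reply = build_access_accept(7, req_auth, secret, vlan_attributes("Dept-B"))
    print("VLAN assigned:", vlan_from_access_accept(reply, req_auth, secret))
```

The authenticator check is the part of the example that maps onto the configuration on this page: the secret in `radius scheme rd01` (`key authentication cipher ...`) on the AC must match the one in the NPS RADIUS client entry, and when they differ the AC silently discards the reply, so the user is rejected even though NPS logged a successful authentication. The final consistency check matters as well: if Tunnel-Type or Tunnel-Medium-Type is missing from the policy, the client is not moved into the department VLAN.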

At this point the RADIUS-based dynamic VLAN assignment for wireless users is complete.
