
How to configure user authentication on a MAS switch

The Mobility Access Switch currently supports MAC authentication and 802.1X authentication.

 

By default, switch interfaces are in Trusted mode and connected endpoints are not authenticated at all. To enable authentication, set the interface to Untrusted mode and attach an aaa profile to it.

 

Configure the RADIUS server

 

Internal RADIUS server:

(ArubaS3500) #local-userdb add username test password test123 role authenticated

For MAC authentication, add the device's MAC address to the local database as both the username and the password.

 

External RADIUS server:

(ArubaS3500) (config) #aaa authentication-server radius acs

(ArubaS3500) (RADIUS Server "acs") #host ?

<host>                  IP address/Hostname of radius server

(ArubaS3500) (RADIUS Server "acs") #host 10.4.135.132

(ArubaS3500) (RADIUS Server "acs") #key test

(ArubaS3500) (config) #

 

The external RADIUS server must also be configured with the MAS's IP address and the same shared secret. The `key` value is that shared secret; `test` is only a placeholder here, use a long random secret in production.

 

Configure the authentication server group

 

The configurable parameters are:

(ArubaS3500) (Server Group "test") #?

allow-fail-through      Allow authentication fail through

auth-server             Assign authentication server

clone                   Copy data from another Server Group

no                      Delete Command

set                     Configure rules to derive Role/VLAN

 

Internal server: the server group "internal" exists by default.

 

External server:

(ArubaS3500) (config) #aaa server-group acs

(ArubaS3500) (Server Group "acs") #auth-server acs

(ArubaS3500) (config) #

 

Configure user roles

In the aaa profile, both the initial role (applied before authentication) and the authentication default role (applied after a successful authentication) must be set. In the user role configuration, access-list, voip-profile, qos-profile, policer-profile and reauthentication-interval can all be adjusted as needed.

 

(ArubaS3500) (config) #user-role test


(ArubaS3500) (config-role) #?

access-list             Apply access-lists to the role

no                      Delete Command

policer-profile         Apply Policer Profile to this role

qos-profile             Apply QoS Profile to this role

reauthentication-inte.. Configure reauthentication interval time

vlan                    Assign VLAN

voip-profile            Apply VoIP Profile to this role

For example:

(ArubaS3500) (config) #user-role test

(ArubaS3500) (config-role) #vlan 100

(ArubaS3500) (config-role) #access-list stateless allowall-stateless

(ArubaS3500) (config) #

 

Configure the authentication profile

 

MAC authentication and 802.1X authentication can each be used on their own, or both can be used together.

 

MAC authentication:

(ArubaS3500) (config) #aaa authentication mac test-mac

(ArubaS3500) (MAC Authentication Profile "test-mac") #delimiter colon

(ArubaS3500) (config) #
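An added example, not part of the original post: a small Python helper that normalizes MAC addresses into the exact string the MAC authentication profile will present as username/password, and emits the matching `local-userdb add` lines for the internal server. The `delimiter colon` setting is from the post; the `delimiter dash|none` values and the `case lower|upper` option are assumed to behave as in ArubaOS, and the sample MAC list is constructed. A mismatch between the profile's delimiter/case and the database entry is the usual reason MAC authentication fails against the internal database. Keep in mind that a MAC address can be spoofed, so MAC authentication identifies a device rather than proving anything about it; use it for devices that cannot run an 802.1X supplicant, with a restricted role.

```python
"""Generate MAS local-userdb entries for MAC authentication.

Added example (not from the original post). The switch's MAC
authentication profile decides how the client's MAC address is
formatted when it is used as username and password; the entries
in the local database must use exactly the same format.
Assumptions: "delimiter colon|dash|none" and "case lower|upper"
behave as in ArubaOS.
"""
import re

# Exactly 12 hex digits once every separator has been stripped.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample input: the same two devices written three ways
# (colon, Cisco dotted, dash) plus one duplicate.
SAMPLE_MACS = [
    "00:1A:2B:3C:4D:5E",
    "001a.2b3c.4d5f",
    "00-1a-2b-3c-4d-5e",
]


def normalize_mac(raw: str) -> str:
    """Strip separators and case; return 12 lowercase hex digits.

    Raises ValueError for anything that is not a MAC address so a
    typo never becomes a silent, never-matching userdb entry.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(raw: str, delimiter: str = "colon", case: str = "lower") -> str:
    """Render a MAC the way the MAC auth profile will send it.

    delimiter: "colon" -> 00:1a:2b:3c:4d:5e
               "dash"  -> 00-1a-2b-3c-4d-5e
               "none"  -> 001a2b3c4d5e
    case:      "lower" or "upper"
    """
    digits = normalize_mac(raw)
    sep = {"colon": ":", "dash": "-", "none": ""}[delimiter]
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    mac = sep.join(pairs)
    return mac.upper() if case == "upper" else mac


def userdb_commands(macs, role, delimiter="colon", case="lower"):
    """One 'local-userdb add' line per distinct device.

    Username and password are both the formatted MAC, as the post
    describes for MAC authentication against the internal server.
    Duplicates (same MAC written differently) are collapsed.
    """
    seen = set()
    lines = []
    for raw in macs:
        mac = format_mac(raw, delimiter, case)
        if mac in seen:
            continue
        seen.add(mac)
        lines.append(f"local-userdb add username {mac} password {mac} role {role}")
    return lines


if __name__ == "__main__":
    # Matches the post's "delimiter colon" MAC auth profile and role "test".
    for line in userdb_commands(SAMPLE_MACS, "test"):
        print(line)
```

Paste the printed lines at the enable prompt; if the profile is later changed to `delimiter none` or `case upper`, regenerate the entries with the matching arguments rather than editing them by hand.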

 

802.1X authentication:

(ArubaS3500) (config) #aaa authentication dot1x test-dot1x

(ArubaS3500) (802.1X Authentication Profile "test-dot1x") #termination enable

(ArubaS3500) (config) #

With `termination enable` the switch terminates the EAP exchange itself and presents its own server certificate to the supplicant, instead of relaying EAP through to the RADIUS server; leave it disabled if the RADIUS server should handle EAP end to end.

 

 

Configure the aaa profile

 

MAC authentication only

(ArubaS3500) (config) #aaa profile port-auth

(ArubaS3500) (AAA Profile "port-auth") #initial-role logon

(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac

(ArubaS3500) (AAA Profile "port-auth") #mac-server-group acs

(ArubaS3500) (AAA Profile "port-auth") #mac-default-role authenticated

(ArubaS3500) (config) #

 

 

802.1X authentication only

(ArubaS3500) (config) #aaa profile port-auth

(ArubaS3500) (AAA Profile "port-auth") #initial-role logon

(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x

(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated

(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs

(ArubaS3500) (AAA Profile "port-auth") #exit

(ArubaS3500) (config) #

 

MAC authentication and 802.1X authentication together

 

(ArubaS3500) (config) #aaa profile port-auth

(ArubaS3500) (AAA Profile "port-auth") #initial-role logon

(ArubaS3500) (AAA Profile "port-auth") #authentication-mac test-mac

(ArubaS3500) (AAA Profile "port-auth") #mac-default-role test

(ArubaS3500) (AAA Profile "port-auth") #mac-server-group default

(ArubaS3500) (AAA Profile "port-auth") #authentication-dot1x test-dot1x

(ArubaS3500) (AAA Profile "port-auth") #dot1x-default-role authenticated

(ArubaS3500) (AAA Profile "port-auth") #dot1x-server-group acs

(ArubaS3500) (AAA Profile "port-auth") #exit

(ArubaS3500) (config) #

 

Attach the aaa profile to an interface

(ArubaS3500) (config) #interface gigabitethernet 0/0/1

(ArubaS3500) (gigabitethernet "0/0/1") #no trusted port

(ArubaS3500) (gigabitethernet "0/0/1") #aaa-profile port-auth

(ArubaS3500) (gigabitethernet "0/0/1") #exit

(ArubaS3500) (config) #

 

Attach the aaa profile to a port group

(ArubaS3500) (config) #interface-group gigabitethernet port-auth

(ArubaS3500) (gigabitethernet "port-auth") #apply-to 0/0/45-0/0/47

(ArubaS3500) (gigabitethernet "port-auth") #no trusted port

(ArubaS3500) (gigabitethernet "port-auth") #aaa-profile port-auth

(ArubaS3500) (config) #