Requirement: wireless users in each department may only connect to the VLAN that belongs to their department.
Environment:
Network devices: core switch H3C S5500 (192.168.10.254), access-layer PoE switch H3C S5130 (192.168.10.253), AC H3C WX2560H (192.168.10.252), APs WA4320;
Servers: domain/DHCP server (192.168.20.1), NPS server (192.168.20.2)
VLANs are 10, 20, 30, 40, 50 and 60: VLAN 10 is the network-device segment, 20 the Windows server segment, 30 the AP segment, and 40/50/60 the users' production segments. Addresses in 10/20/30 are assigned by the core switch; for 40/50/60 the core switch relays DHCP to the Windows DHCP server, which assigns the IP addresses.
1. Switch configuration:
Core switch S5500:
dis cur
#
 version 7.1.045, Release 3116
#
 sysname S5500
#
 clock timezone Lisbon add 00:00:00
 clock protocol none
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dhcp enable
 dhcp server forbidden-ip 192.168.10.1 192.168.10.10
 dhcp server forbidden-ip 192.168.20.1 192.168.20.10
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
 stp global enable
#
dhcp server ip-pool 10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 dns-list 192.168.20.1
 option 43 hex 8007000001c0a80afc   #the APs are in VLAN 30 and the AC in VLAN 10; for APs to register across subnets, DHCP option 43 must be configured with the AC address in hexadecimal
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.233 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlan-interface30
 ip address 192.168.30.254 255.255.255.0
#
interface Vlan-interface40
 ip address 192.168.40.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface50
 ip address 192.168.50.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface60
 ip address 192.168.60.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17   #downlink to the S5130
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/18   #downlink to the AC WX2560H
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/19
 combo enable copper
#
interface GigabitEthernet1/0/20
 combo enable copper
#
interface GigabitEthernet1/0/21
 combo enable copper
#
interface GigabitEthernet1/0/22
 combo enable copper
#
interface GigabitEthernet1/0/23
 port access vlan 10
 combo enable copper
#
interface GigabitEthernet1/0/24
 port access vlan 20
 combo enable copper
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
 snmp-agent
 snmp-agent local-engineid 800063A2803CF5CC29A26100000001
 snmp-agent community write private
 snmp-agent community read public
 snmp-agent sys-info version all
#
domain system
#
 aaa session-limit http 6
 aaa session-limit https 6
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$m6G0XrvVo3KCxzlo$ZiSUweumlOHswdjZOF9eac28c8rKCP4001GBXyfQp444n0ETJiRF6TJJNHE9Sh+eEChM11nlVTbZ5v6c8juKyA==
 service-type telnet terminal http https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 netconf soap http enable
 netconf soap https enable
#
 ip http enable
 ip https enable
#
return
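The option 43 value in DHCP pool 30 above is the AC's address (192.168.10.252) in the H3C AC-address sub-option layout: sub-option type 0x80, a length byte, two zero bytes, the number of ACs, then the addresses. The following is an added example (not code from the page) that builds and parses that value so the hex in a pool can be checked; treating the two zero bytes as a fixed field is taken from H3C's documented format and is an assumption, not something the page states.

```python
import ipaddress


def build_option43(ac_ips):
    """Encode the H3C AC-address sub-option carried in DHCP option 43:
    0x80 | length | 0x00 0x00 (fixed, assumed) | AC count | one IPv4 per AC."""
    body = b"\x00\x00" + bytes([len(ac_ips)])
    for ip in ac_ips:
        body += ipaddress.IPv4Address(ip).packed
    return (b"\x80" + bytes([len(body)]) + body).hex()


def parse_option43(hexstr):
    """Decode the same layout back into a list of AC addresses, refusing values
    whose length byte or AC count does not agree with the payload."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 9 or raw[0] != 0x80 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed H3C AC-address sub-option")
    count = raw[4]
    if raw[2:4] != b"\x00\x00" or len(raw) != 5 + 4 * count:
        raise ValueError("AC count does not match the payload length")
    return [str(ipaddress.IPv4Address(raw[5 + 4 * i:9 + 4 * i]))
            for i in range(count)]


if __name__ == "__main__":
    # The single-AC value from the S5500 pool 30 configuration on the page.
    print(build_option43(["192.168.10.252"]))      # 8007000001c0a80afc
    print(parse_option43("8007000001c0a80afc"))     # ['192.168.10.252']
```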
PoE switch S5130:
The detailed configuration is omitted; the key points are:
1. Enable PoE on the ports;
2. Because the APs are to come online automatically, every port on this switch that connects to an AP is configured in access mode, in the AP VLAN (VLAN 30).
AC WX2560H:
dis cur
#
 version 7.1.064, Release 5215P01
#
 sysname WX2560H
#
 telnet server enable
#
 dot1x   #enable 802.1X and set the system authentication method to EAP
 dot1x authentication-method eap
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
wlan service-template 1   #wireless service template
 ssid service1
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain dm01
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.252 255.255.255.0
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/1   #AC uplink port
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
interface GigabitEthernet1/0/3
 port link-mode bridge
#
interface GigabitEthernet1/0/4
 port link-mode bridge
#
interface GigabitEthernet1/0/5
 port link-mode bridge
#
interface GigabitEthernet1/0/6
 port link-mode bridge
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 192.168.10.0 24 192.168.10.254   #static route
 ip route-static 192.168.20.0 24 192.168.10.254   #add this static route, otherwise authentication fails
 ip route-static 192.168.30.0 24 192.168.10.254   #add this static route, otherwise the APs cannot register with the AC
#
 undo info-center logfile enable
#
 radius session-control enable   #enable the RADIUS session-control function
#
radius scheme rd01   #new RADIUS scheme: authentication/authorization server and keys
 primary authentication 192.168.20.2 key cipher $c$3$H/oG+QiqvYDHlrCjYQtLXoWoKXbOf9mSuU1N
 primary accounting 192.168.20.2 key cipher $c$3$4/xA5b5wob1GLTAt+J4pxJJf8NuaSzQOiYn2
 key authentication cipher $c$3$bCmB/bA01ZFxZnpa1xxpBCLeIZnQ2uhhp4Ee
 key accounting cipher $c$3$NXsfRNwLjlhQw0YMKdmAgf2L2oQFVFGGIGpp
 nas-ip 192.168.10.252   #specify the NAS-IP, i.e. the AC address
#
radius dynamic-author server   #enable and configure the RADIUS DAE server
 client ip 192.168.20.2 key cipher $c$3$GRXfDjXnWehlelAEC7r8/UOIFw9OYwzfwvZd
#
domain dm01   #new local ISP domain
 authentication lan-access radius-scheme rd01
 authorization lan-access radius-scheme rd01
 accounting lan-access radius-scheme rd01
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$D5QsfpSiuEZF2/U4$8Q1ajQ+0kHYMJjx5sJESu48zPA+O9o+txSM7JQP3MJP6o4DXCQ+PeGwqXGX39NRJZX8HsGSCC1YdCZJCtzUYsg==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
 wlan auto-ap enable
 wlan auto-persistent enable
#
wlan global-configuration
#
wlan ap-group default-group
 vlan 1
#
wlan ap 38ad-be58-d860 model WA4320H
 serial-id 219801A0YG8178E08438
 radio 1
 radio 2
#
wlan ap 38ad-be58-d6a0 model WA4320H
 serial-id 219801A0YG8178E08424
 radio 1
  radio enable
  service-template 1
 radio 2
#
 cloud-management server domain oasis.h4c.com
#
return
2. Server configuration
1. Domain server configuration (omitted)
After the standard domain server installation, install Certificate Services.
Configure Certificate Services on the AD server:
Add the Certification Authority and Certification Authority Web Enrollment role services.
Certificate Services installed successfully.
Request a certificate on the RADIUS server.
Validity period: 365 days.
2. RADIUS server configuration
The RADIUS server configuration has four parts.
2.1 Create a shared secret template
2.2 Create the RADIUS client.
The RADIUS client is normally the AC's address. For some vendors whose APs use a software AC, the RADIUS clients are the IP addresses of all the APs (in that case the APs must be given fixed IP addresses).
2.3 Connection request policy
Connection request policies and network policies correspond to each other; usually one department (or one VLAN) maps to one policy.
2.4 Network policy
In the network policy, the main parameters to set are:
Corresponding security group: the Windows group this policy applies to, usually a department's security group;
Authentication method: EAP type
Framed-Protocol: PPP
Service-Type: Framed
Tunnel-Medium-Type: the tunnel medium type, 802
Tunnel-Pvt-Group-ID: defines the VLAN the user belongs to
This completes the RADIUS dynamic VLAN configuration for wireless users.
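The network-policy attributes listed above are what NPS places in the RADIUS Access-Accept, and the AC reads the VLAN from them. The following added example (not code from the page, NPS or H3C) encodes a constructed Access-Accept attribute set and implements the check a NAS performs before placing a client in the VLAN: the three tunnel attributes must share one RFC 2868 tag, carry Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE 802 (6) as in RFC 3580, and a numeric Tunnel-Pvt-Group-ID. Tunnel-Type is not in the page's list but is required by RFC 3580; the sample values and the tag value 1 are constructed.

```python
# RADIUS attribute codes (RFC 2865 / RFC 2868) and the VLAN values from RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def attr(atype, value):  # type | length | value; length includes the 2-byte header
    return bytes([atype, len(value) + 2]) + value

def tagged_int(tag, number):  # RFC 2868 tagged integer: tag byte + 3-byte big-endian value
    return bytes([tag]) + number.to_bytes(3, "big")

def parse_attributes(payload):
    """Walk the attribute section of a RADIUS packet, rejecting malformed lengths."""
    pos, out = 0, []
    while pos < len(payload):
        hdr = payload[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((hdr[0], payload[pos + 2:pos + hdr[1]]))
        pos += hdr[1]
    return out

def split_tag(value):
    """A leading byte <= 0x1F is an RFC 2868 tag; a larger byte belongs to the data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def vlan_from_accept(payload):
    """Return the VLAN a NAS should assign, or None when no tag group carries
    Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a numeric Tunnel-Pvt-Group-ID."""
    groups = {}
    for atype, raw in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
            tag, data = split_tag(raw)  # other attributes do not affect the VLAN
            groups.setdefault(tag, {})[atype] = (
                data.decode(errors="replace") if atype == TUNNEL_PVT_GROUP_ID
                else int.from_bytes(data, "big"))
    for group in groups.values():
        vid = group.get(TUNNEL_PVT_GROUP_ID, "")
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and vid.isdigit() and 1 <= int(vid) <= 4094):
            return int(vid)
    return None

# Constructed sample (not a capture): the reply for a network policy whose Tunnel-Pvt-Group-ID is 40.
SAMPLE_ACCEPT = (attr(6, (2).to_bytes(4, "big")) + attr(7, (1).to_bytes(4, "big"))  # Service-Type=Framed, Framed-Protocol=PPP
                 + attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
                 + attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE802))
                 + attr(TUNNEL_PVT_GROUP_ID, b"\x01" + b"40"))
```

A reply that omits Tunnel-Type, uses different tags on the three attributes, or carries a non-numeric group name yields None, which is the case to look for when a user lands in the service template's default VLAN instead of the department VLAN.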
Title: Radius wireless dynamic VLAN configuration - 创新互联
Article URL: http://lswzjz.com/article/dggjho.html