802.1x Domain User Authentication Using Dynamic VLAN Assignment

I. Basic principles

An 802.1x authentication system consists of three parts:

1. Supplicant: the 802.1x client software. It is built into Windows XP SP2/SP3 and Windows Server 2003.
2. Authenticator: a switch, access point (AP) or radio port (RP) that supports 802.1x.
3. Authentication server: receives the user authentication requests forwarded by the switch/AP/RP, verifies that the user is legitimate, and returns the policy for that user to the switch/AP/RP, which then opens or closes the corresponding physical port (or accepts or rejects the wireless association). This is what makes the user's network access secure.

In an enterprise network managed by a Windows domain, single sign-on (SSO) means that domain user authentication and 802.1x authentication are unified into a single domain-user authentication. On the client computer the two run in parallel. Logically, 802.1x should authenticate first so that the domain logon can follow over the network; but a new user cannot reach the client desktop, where user-level 802.1x authentication is started, without first completing a domain logon. The procedure used here resolves this:

1. First connect the client computer to a port/SSID on which 802.1x is not enabled, and join the computer to the domain.
2. Then move the computer to an authenticated port/SSID. On the authentication server (IAS), configure a computer (machine) authentication policy that assigns a dedicated VLAN: while no user is logged on, the computer is authenticated as a machine and can reach the domain servers.
3. After the user logs on, the Group Policy (GPO) delivered by the domain server runs the RunLogon.vbs script, which performs the user's 802.1x authentication together with the domain authentication and obtains the VLAN and IP address assigned to that user.
4. If the computer is instead logged on with a local user account, a new authentication starts and fails after 50 s; the switch closes the port (the AP/RP rejects association to the authenticated SSID), so the local user cannot get onto the network.

PC authentication flow chart:

[Flow chart; nodes recovered from the figure: Start -> the computer performs domain (machine) authentication -> the domain server/IAS checks the access policy and whether the computer is registered -> on success, open the corresponding port and assign the corresponding VLAN; DHCP obtains an IP address (on failure the port stays closed / association is rejected) -> Windows logon screen, press Ctrl+Alt+Delete -> domain user name entered: connect to the domain, run the corresponding policy (Runlogon.vbs), pass 802.1x authentication and be assigned the corresponding VLAN (on failure: "The system cannot log you on. Make sure your user name and domain are correct") -> local user name entered: closed after 1 minute, the switch closes the port (association rejected).]

II. Lab environment

1. Topology diagram

[Figure]

2. VLAN design

IP allocation range   VLAN ID   Description
10.1.10.0             VLAN 10   Segment of the domain/IAS/DHCP/DNS servers
10.1.20.100~150       VLAN 20   Administration
10.1.30.100~150       VLAN 30   Student
10.1.40.100~150       VLAN 40   VLAN for domain computer (machine) authentication

3. Servers: OS Windows 2003 Enterprise; the domain server procurve1.demo runs DHCP/IAS/DNS.
4. Switches, AP 420, RP 230: support 802.1x and dynamic VLAN assignment; DHCP relay is configured on the Layer 3 switch.
5. Clients: Windows XP SP2/SP3.

III. Configuration

1. Switch/AP configuration

HP 5308 configuration (the 5308 is the Layer 3 switch: it routes between VLANs 10 to 40 and relays DHCP for each of them to 10.1.10.10 with ip helper-address):

; J4819A Configuration Editor; Created on release #E.10.71
hostname "5308"
time timezone 480
module 2 type J4821B
module 3 type J4820B
module 4 type J4820B
module 1 type J9001A
module 6 type J8161A
interface ADP
   no lacp
exit
interface AUP
   no lacp
exit
sntp server 10.1.10.10
ip routing
timesync sntp
sntp unicast
logging 10.1.10.10
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged B2-B4,C1-C24,D1-D24,F1-F24
   ip address 10.1.1.1 255.255.255.0
   tagged AUP
   no untagged ADP,B1
   exit
lldp auto-provision radio-ports auto-vlan 2100 auto
vlan 2100
   name "VLAN2100"
   ip address 10.1.21.1 255.255.255.0
   tagged ADP
   exit
vlan 10
   name "VLAN10"
   untagged B1
   ip address 10.1.10.1 255.255.255.0
   ip helper-address 10.1.10.10
   tagged AUP,B2,C15
   exit
vlan 20
   name "VLAN20"
   ip address 10.1.20.1 255.255.255.0
   ip helper-address 10.1.10.10
   tagged AUP,B2,C1
   exit
vlan 30
   name "VLAN30"
   ip address 10.1.30.1 255.255.255.0
   ip helper-address 10.1.10.10
   tagged AUP,B2,C1
   exit
vlan 40
   name "VLAN40"
   ip address 10.1.40.1 255.255.255.0
   ip helper-address 10.1.10.10
   tagged AUP,B2,C1
   exit
; Encoded configuration data follows.
; Modifying this data makes the configuration unusable for restores.
wireless-services A config 02f0JkVemXFZTFYy07RLb6qJUk1BR0lDAGYwNmM
wireless-services A config 0MGJhNzVmODkxNDZiNmUyNmM1YjhkMjhlMDEyAAw
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAABAAAAAAAAAAoBAQr///8AAAAAAAAAAAAKAQE
wireless-services A config BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wireless-services A config QAAAAAAAAAAAAAA
; End of configuration data.

HP 2626 configuration (ports 1-2 are the 802.1x authenticator ports; port 26 is the tagged uplink that carries VLANs 10 to 40 to the 5308, and port 3 is statically untagged in VLAN 40):

; J4900B Configuration Editor; Created on release #H.10.50
hostname "ProCurve Switch 2626"
time timezone 480
interface 1
   no lacp
exit
interface 2
   no lacp
exit
ip default-gateway 10.1.1.1
sntp server 10.1.10.10
timesync sntp
sntp unicast
logging 10.1.10.10
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-2,4-26
   ip address 10.1.1.2 255.255.255.0
   no untagged 3
   exit
vlan 10
   name "VLAN10"
   tagged 26
   exit
vlan 20
   name "VLAN20"
   tagged 26
   exit
vlan 30
   name "VLAN30"
   tagged 26
   exit
vlan 40
   name "VLAN40"
   untagged 3
   tagged 26
   exit
aaa authentication port-access eap-radius
radius-server host 10.1.10.10
aaa port-access authenticator 1-2
aaa port-access authenticator active
aaa port-access 1-2

AP 420 configuration (system status output; note that VLAN State is ENABLED with Dynamic VLAN ID, which is what lets the RADIUS-assigned VLAN be applied per client):

Serial Number: TW601QB0D6
System Up time: 0 days, 5 hours, 29 minutes, 7 seconds
System Name: Enterprise AP
System Location:
System Contact: Contact
System Country Code: CN - CHINA
MAC Address: 00-16-35-9D-0B-10
IP Address: 10.1.1.42
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
VLAN State: ENABLED (Dynamic VLAN ID)
Management VLAN ID (AP): 1 (U)
IAPP State: ENABLED
DHCP Client: DISABLED
HTTP Server: ENABLED
HTTP Server Port: 80
HTTPS Server: DISABLED
HTTPS Server Port: 443
Slot Status: 802.11g
Radio Status: Enabled
Software Version: v2.2.3
SSH Server: DISABLED
SSH Server Port: 22
Telnet Server: ENABLED
Max Telnet Session: 4

As shown above, this lab AP has Telnet and plain HTTP enabled with SSH and HTTPS disabled, and both switches use the SNMP community "public" with Unrestricted access. Outside the lab, management of the authenticators should be limited to encrypted protocols and a non-default, read-limited community, since anyone who can reconfigure the authenticator can bypass the port-access policy.

AP 420 advanced settings:

[Figure]

Wireless services module configuration:

!
! configuration of ProCurve WLAN Module
! Wireless Services version WS.02.27
!
version 1.0
!
username manager password 1 7cf5ddcd54d4926deca3230083a01a31a8825e73
username manager privilege superuser
username operator password 1 fe96dd39756ac41b74283a9292652d366d73931f
!
!
!
country-code cn
snmp-server sysname WirelessServices
snmp-server manager v2
snmp-server man
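The machine-then-user decision described in section I and the VLAN design in section II come down to one thing on the wire: the Access-Accept that IAS returns to the switch/AP carries the VLAN in the RFC 2868 tunnel attributes Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE 802 (6) and Tunnel-Private-Group-ID = the VLAN id, and the ProCurve 5308/2626 and AP 420 read those to place the port or association in that VLAN. The following Python is an added example written for this page, not code from IAS, ProCurve or the original lab. It models the lab's policy (machine authentication, which Windows sends with a User-Name of the form host/<computer>.<domain>, goes to VLAN 40; users in the Administration or Student groups go to VLAN 20 or 30; anything else, such as a local account, is rejected), builds the RADIUS response with the correct Response Authenticator, and shows the authenticator-side check that verifies the response before trusting the VLAN in it. The group-to-VLAN table stands in for the IAS remote access policies, which the page does not show, and the request id, request authenticator and shared secret are constructed inputs.

```python
"""Added example for this page (not IAS or ProCurve code): the VLAN decision
from the lab's policy and the RADIUS Access-Accept that carries it to the
switch/AP as RFC 2868 tunnel attributes, plus the authenticator-side check."""
import hashlib
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                  # RFC 2865 packet codes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13                                # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6                                # Tunnel-Medium-Type = IEEE 802

# Policy mirroring the lab's VLAN design. Machine authentication arrives with
# a User-Name of the form host/<computer>.<domain>; the domain is the lab's
# procurve1.demo. The group-to-VLAN mapping stands in for the IAS remote
# access policies, which are not shown on the page (assumption).
DOMAIN = "procurve1.demo"
MACHINE_VLAN = 40
GROUP_VLAN = {"Administration": 20, "Student": 30}


def decide_vlan(identity, groups):
    """VLAN id for this authentication, or None to reject (local users etc.)."""
    ident = identity.lower()
    if ident.startswith("host/") and ident.endswith("." + DOMAIN):
        return MACHINE_VLAN
    for group in groups:
        if group in GROUP_VLAN:
            return GROUP_VLAN[group]
    return None


def _tagged_int(attr_type, tag, value):
    # Tagged integer attribute: Type, Length=6, Tag, 3-byte value (RFC 2868)
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr_type, tag, text):
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_response(req_id, req_authenticator, secret, vlan):
    """Server side: Access-Accept with VLAN tunnel attributes, or Access-Reject."""
    if vlan is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        tag = 1  # the same tag on all three attributes groups them together
        attrs = (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
                 + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
                 + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))
        code = ACCESS_ACCEPT
    header = struct.pack("!BBH", code, req_id, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_vlan(packet, req_authenticator, secret):
    """Authenticator side: verify the response and return the VLAN id.
    Returns None for a reject, a bad authenticator or a malformed packet."""
    if len(packet) < 20:
        return None
    code, _req_id, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:]
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + req_authenticator + attrs + secret).digest()
    if expected != packet[4:20] or code != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attribute type: value bytes}
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 3 or pos + alen > len(attrs):   # RFC 2865: Length >= 3
            return None
        value = attrs[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = value[0], value[1:]
            if tag > 0x1F:          # RFC 2868: not a tag but the first string byte
                tag, body = 0, value
            groups.setdefault(tag, {})[atype] = body
        pos += alen
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode(errors="replace")
            return int(gid) if gid.isdigit() else None
    return None


if __name__ == "__main__":
    # Constructed inputs: request id, request authenticator and shared secret
    req_auth, secret = bytes(range(16)), b"lab-shared-secret"
    for ident, grp in [("host/pc1.procurve1.demo", []),
                       ("PROCURVE1\\alice", ["Domain Users", "Administration"]),
                       ("bob", ["Student"]), ("localuser", [])]:
        pkt = build_response(7, req_auth, secret, decide_vlan(ident, grp))
        print(ident, "->", parse_vlan(pkt, req_auth, secret))
```

Running the block prints VLAN 40 for the machine identity, 20 and 30 for the two users, and None for the local account, which is the case where the switch closes the port. The authenticator check matters in practice: a switch that applied Tunnel-Private-Group-ID without verifying the Response Authenticator against the shared secret would accept a spoofed Access-Accept from anyone on the path to the RADIUS server, so parse_vlan refuses a packet whose authenticator does not match before it ever looks at the VLAN.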