Portal seamless authentication based on MAC authentication
Uploaded: 2023-08-15
MAC authentication based on online Portal users
I. Networking requirements:
WX series AC, fit APs, a laptop with a wireless NIC, and a RADIUS/Portal server
II. How it works:
The seamless Portal authentication promoted by China Mobile is traffic-triggered MAC authentication (mac-trigger). It requires support for China Mobile's mac-trigger protocol, plus an additional MAC binding server that stores the MAC binding relationships.
For third-party RADIUS/Portal server vendors this is cumbersome to develop, and some vendors do not support it.
If the mac-trigger protocol is not supported, seamless Portal authentication can be achieved with the following scheme, which works as follows:
(1) Enable MAC authentication and the guest VLAN function on the user's service VLAN;
(2) When the user comes online for the first time, MAC authentication is performed: the AC looks up online Portal users by the user's MAC address, and if a Portal user with that MAC address exists, MAC authentication succeeds. Because this is the user's first authentication, the AC has no online Portal user with that MAC address, so MAC authentication fails and the user is placed in the guest VLAN;
(3) Portal authentication is enabled in the guest VLAN;
(4) The user performs Portal authentication in the guest VLAN. As soon as Portal authentication succeeds, the AC deassociates the user, which triggers a re-association; because the configured idle-cut time has not yet expired, the Portal user is still online on the AC;
(5) During re-association the user undergoes MAC authentication again; the AC now has an online Portal user with that MAC address, so MAC authentication passes.
(6) All subsequent access is seamless MAC authentication. The precondition for passing MAC authentication is that a Portal user with the corresponding MAC address is online. Because the user's subsequent traffic belongs to the service VLAN, the Portal user's traffic is 0; the idle-cut time is therefore set to the Portal user's online time, i.e. the period during which the user can pass MAC authentication.
Note:
In this scheme the third-party RADIUS/Portal server only needs to provide ordinary RADIUS server and Portal server functions, with no special requirements; MAC authentication based on Portal users is implemented on the AC itself.
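As an added illustration of steps (2) to (6) above (example code written for this page, not part of the original document or of H3C software), the following Python model uses assumed names (AccessController, connect, reassociate) and treats the idle-cut timer as the only thing that ends the seamless window, since traffic in the service VLAN never refreshes the Portal session:

```python
from dataclasses import dataclass, field

SERVICE_VLAN = 10   # VLAN where clients do MAC authentication (page: Vlan-interface10)
GUEST_VLAN = 11     # guest VLAN where clients do Portal authentication (page: Vlan-interface11)


@dataclass
class AccessController:
    """Minimal model of the AC behaviour in section II (hypothetical, not H3C code)."""
    idle_cut: float                                   # Portal online time with zero traffic, seconds
    portal_users: dict = field(default_factory=dict)  # online Portal users: MAC -> last traffic time

    def _expire(self, now):
        # idle-cut removes Portal users that have had no traffic for idle_cut seconds
        for mac, last in list(self.portal_users.items()):
            if now - last >= self.idle_cut:
                del self.portal_users[mac]

    def mac_auth(self, mac, now):
        """Steps (2) and (5): MAC auth passes only if a Portal user with this MAC is online."""
        self._expire(now)
        return SERVICE_VLAN if mac in self.portal_users else GUEST_VLAN

    def portal_login(self, mac, now, credentials_ok):
        """Step (4): a successful Portal login records the user as online at time `now`."""
        if credentials_ok:
            self.portal_users[mac] = now
        return credentials_ok


def connect(ac, mac, now, credentials_ok):
    """First-time flow, steps (2)-(5): returns the VLAN the client ends up in."""
    vlan = ac.mac_auth(mac, now)                    # (2): no Portal user yet -> guest VLAN
    if vlan == GUEST_VLAN and ac.portal_login(mac, now, credentials_ok):
        vlan = ac.mac_auth(mac, now)                # AC deassociates; re-association re-runs MAC auth (5)
    return vlan


def reassociate(ac, mac, now):
    """Step (6): later reconnects are MAC-auth only; the Portal session is never refreshed by
    service-VLAN traffic, so the idle-cut timer alone bounds the seamless window."""
    return ac.mac_auth(mac, now)
```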
III. Network diagram:
In this configuration example the AC is a WX5004 wireless controller running version R2507P18.
SW acts as the AP gateway (Vlan-int2: 192.168.2.254/24), as the gateway of the VLAN in which clients perform MAC authentication (Vlan-int10: 192.168.10.254/24), and as the gateway of the guest VLAN in which clients perform Portal authentication (Vlan-int11: 192.168.11.254/24); it is also configured as the DHCP server that assigns IP addresses to the fit APs and clients.
The third-party RADIUS/Portal server has IP address 192.168.100.253; the AC connects to it through IP address 192.168.100.1.
IV. Configuration:
1. AC configuration:
#
 version 5.20, Release 2507P18
#
 sysname AC
#
 domain default enable system
#
 telnet server enable
#
 port-security enable
#
 portal server dsf-portal ip 192.168.100.253 key cipher $c$3$uDGtFFtWMQH6VTGbBg3tVMYIv+F00w== url http://192.168.100.253/portal server-type imc
 portal free-rule 0 source mac 3822-d6c0-ad73 destination any
#
vlan 1
#
vlan 2
#
vlan 10 to 11
#
vlan 100
#
vlan 1000
#
radius scheme dsf-portal
 primary authentication 192.168.100.253
 primary accounting 192.168.100.253
 key authentication cipher $c$3$o1jrlBnKIVhr5s6BS5Ck3pV2XGtpFQ==
 key accounting cipher $c$3$JvB3TU6DkwokktR2uX/6vl5S+5XWvg==
 user-name-format without-domain
 nas-ip 192.168.100.1
#
domain dsf-mac
 authentication lan-access none
 authorization lan-access none
 accounting lan-access none
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain dsf-portal
 authentication portal radius-scheme dsf-portal
 authorization portal none
 accounting portal none
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$4CSnRqvYBd2xHeUsyDKNVbcG7cL1Q/IT
 authorization-attribute level 3
 service-type telnet
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 clear
 ssid dsf-portal
 bind WLAN-ESS 1
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface2
 ip address 192.168.2.1 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface11
 ip address 192.168.11.1 255.255.255.0
 portal server dsf-portal method direct
 portal domain dsf-portal
 portal nas-port-type wireless
 portal nas-ip 192.168.100.1
#
interface Vlan-interface100
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface Ten-GigabitEthernet1/0/5
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 1000 untagged
 port hybrid pvid vlan 1000
 mac-vlan enable
 port-security port-mode mac-authentication
 mac-authentication guest-vlan 11
 mac-authentication domain dsf-mac
 mac-authentication trigger after-portal
#
wlan ap ap01 model WA2220-AG id 1
 serial-id 210235A29EB092002600
 radio 1
  service-template 1 vlan-id 10
  radio enable
 radio 2
  service-template 1 vlan-id 10
  radio enable
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
#
 undo info-center logfile enable
#
snmp-agent
snmp-agent local-engineid 800063A2033CE5A684342E
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
 arp-snooping enable
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return
2. SW configuration:
#
 version 5.20, Release 2103
#
 sysname SW
#
 domain default enable system
#
 telnet server enable
#
vlan 1
#
vlan 2
#
vlan 10 to 11
#
vlan 100
#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
dhcp server ip-pool pool-ap
 network 192.168.2.0 mask 255.255.255.0
 gateway-list 192.168.2.254
#
dhcp server ip-pool pool-client-mac
 network 192.168.10.0 mask 255.255.255.0
 gateway-list 192.168.10.254
#
dhcp server ip-pool pool-client-portal
 network 192.168.11.0 mask 255.255.255.0
 gateway-list 192.168.11.254
#
user-group system
 group-attribute allow-guest
#
local-user admin
#
interface NULL0
#
interface Vlan-interface2
 ip address 192.168.2.254 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlan-interface11
 ip address 192.168.11.254 255.255.255.0
#
interface Vlan-interface100
 ip address 192.168.100.254 255.255.255.0
#
interface Ethernet1/0/1
 port link-mode bridge
 port access vlan 2
 poe enable
#
interface Ethernet1/0/23
 port link-mode bridge
 port access vlan 100
#
interface Ethernet1/0/24
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
 dhcp server forbidden-ip 192.168.2.1
 dhcp server forbidden-ip 192.168.10.1
 dhcp server forbidden-ip 192.168.11.1
#
 dhcp enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
user-interface vty 0 15
#
return
V. Main configuration steps:
1. AC configuration:
# Create the VLANs, configure VLAN membership on the Layer 2 port, and assign IP addresses to the VLAN interfaces.
[AC] vlan 2
[AC-vlan2] quit
[AC] vlan 10
[AC-vlan10] quit
[AC] vlan 11
[AC-vlan11] quit
[AC] vlan 100
[AC-vlan100] quit
[AC] vlan 1000
[AC-vlan1000] quit
[AC] interface GigabitEthernet1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan all
[AC-GigabitEthernet1/0/1] quit
[AC] interface Vlan-interface2
[AC-Vlan-interface2] ip address 192.168.2.1 255.255.255.0
[AC-Vlan-interface2] quit
[AC] interface Vlan-interface10
[AC-Vlan-interface10] ip address 192.168.10.1 255.255.255.0
[AC-Vlan-interface10] quit
[AC] interface Vlan-interface11
[AC-Vlan-interface11] ip address 192.168.11.1 255.255.255.0
[AC-Vlan-interface11] quit
[AC] interface Vlan-interface100
[AC-Vlan-interface100] ip address 192.168.100.1 255.255.255.0
[AC-Vlan-interface100] quit
# Enable ARP snooping so that the display wlan client command shows the IP addresses of wireless clients.
[AC] arp-snooping enable
# Configure a static route.
[AC] ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
# Configure a RADIUS scheme: create a RADIUS scheme named dsf-mac.
[AC] radius scheme dsf-mac
[AC-radius-dsf-mac] quit
# Configure the MAC authentication domain: create and enter the ISP domain named dsf-mac.
[AC] domain dsf-mac
[AC-isp-dsf-mac] authentication lan-access none
[AC-isp-dsf-mac] authorization lan-access none
[AC-isp-dsf-mac] accounting lan-access none
[AC-isp-dsf-mac] quit
# Configure the Portal authentication RADIUS scheme: create a RADIUS scheme named dsf-portal.
[AC] radius scheme dsf-portal
[AC-radius-dsf-portal] primary authentication 192.168.100.253
[AC-radius-dsf-portal] primary accounting 192.168.100.253
[AC-radius-dsf-portal] key authentication dsf
[AC-radius-dsf-portal] key accounting dsf
[AC-radius-dsf-portal] user-name-format without-domain
[AC-radius-dsf-portal] nas-ip 192.168.100.1
[AC-radius-dsf-portal] quit
# Configure the Portal authentication domain: create and enter the ISP domain named dsf-portal.
[AC] domain dsf-portal
[AC-isp-dsf-portal] authentication portal radius-scheme dsf-portal
[AC-isp-dsf-portal] authorization portal none
[AC-isp-dsf-portal] accounting portal none
[AC-isp-dsf-portal] quit
# Configure the Portal server: name dsf-portal, IP address 192.168.100.253, key dsf, URL http://192.168.100.253/portal.
[AC] portal server dsf-portal ip 192.168.100.253 key dsf url http://192.168.100.253/portal server-type imc
# Configure a Portal free rule that permits all traffic whose source MAC address is the user gateway MAC (3822-d6c0-ad73).
[AC] portal free-rule 0 source mac 3822-d6c0-ad73 destination any
# Enable Portal authentication on the interface of the guest VLAN used for MAC authentication, and have Portal users accessing through it use the authentication domain dsf-portal.
[AC] interface Vlan-interface11
[AC-Vlan-interface11] portal server dsf-portal method direct
[AC-Vlan-interface11] portal domain dsf-portal
[AC-Vlan-interface11] portal nas-port-type wireless
[AC-Vlan-interface11] portal nas-ip 192.168.100.1
[AC-Vlan-interface11] quit
# Enable port security.
[AC] port-security enable
# Configure the WLAN-ESS interface and MAC authentication on it.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] port link-type hybrid
[AC-WLAN-ESS1] undo port hybrid vlan 1
[AC-WLAN-ESS1] port hybrid vlan 1000 untagged
[AC-WLAN-ESS1] port hybrid pvid vlan 1000
[AC-WLAN-ESS1] mac-vlan enable
[AC-WLAN-ESS1] port-security port-mode mac-authentication
[AC-WLAN-ESS1] mac-authentication guest-vlan 11
[AC-WLAN-ESS1] mac-authentication domain dsf-mac
# Specify that MAC authentication of a user must take place only after the user has passed Portal authentication.
[AC-WLAN-ESS1] mac-authentication trigger after-portal
[AC-WLAN-ESS1] quit
# Configure the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid dsf-portal
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure AP ap01.
[AC] wlan ap ap01 model WA2220-AG
[AC-wlan-ap-ap01] serial-id 210235A29EB092002600
[AC-wlan-ap-ap01] radio 1
[AC-wlan-ap-ap01-radio-1] service-template 1 vlan-id 10
[AC-wlan-ap-ap01-radio-1] radio enable
[AC-wlan-ap-ap01-radio-1] quit
[AC-wlan-ap-ap01] radio 2
[AC-wlan-ap-ap01-radio-2] service-template 1 vlan-id 10
[AC-wlan-ap-ap01-radio-2] radio enable