

Published 8 March 2024 (author: 十进制数的ascii码)

I. Networking requirements:

In a BYOD deployment, the operating system and vendor of an endpoint are obtained in four main ways: the iNode client, an HTTP web page, the endpoint MAC address, and the DHCP option attributes. The result is used to identify the endpoint so that the matching privilege policy can be applied. Of the four, the DHCP option method applies to the widest range of scenarios. Because deploying a DHCP server and installing an Agent plug-in on it is cumbersome, this document takes plain Portal authentication as its example and describes a typical configuration in which the wireless controller's DHCP-snooping function records each endpoint's option 55 (Parameter Request List, used to infer the operating system) and option 60 (Vendor Class Identifier, used to infer the vendor) and reports them to the iMC server in RADIUS attributes.
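As an added illustration, not part of the original document and not H3C or iMC code, the Python script below shows what DHCP-snooping actually records and how an identification backend turns it into an OS/vendor guess. It parses the option area of a constructed DHCP DISCOVER, extracts option 55 (Parameter Request List) and option 60 (Vendor Class Identifier), and matches them against a small fingerprint table that is hypothetical and illustrative only. The sample values are the ones that appear in the AC debug output later on this page (option 55 = 01 0F 03 06 2C 2E 2F 1F 21 79 F9 2B, option 60 = "MSFT 5.0"). The parser bounds-checks every option so that a malformed client packet cannot make it read past the buffer, which is the failure mode to watch for in any code that consumes client-supplied DHCP data.

```python
"""Parse the options field of a DHCP message, extract option 55 (Parameter
Request List) and option 60 (Vendor Class Identifier), and map them to an
OS/vendor guess.  Added example, not H3C or iMC code; the fingerprint table
is a deliberately small, hypothetical one."""

# DHCP option codes used here (RFC 2132)
OPT_PAD, OPT_PARAM_REQUEST_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 55, 60, 255
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Hypothetical fingerprint table: parameter request list -> OS guess.
# Real products ship far larger tables; these rows are illustrative only.
PRL_FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows (MSFT DHCP client)",
    (1, 3, 6, 15, 119, 252): "Apple macOS/iOS",
}


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV option area.  Returns {code: value}; stops at END.
    Raises ValueError on a truncated option so a malformed client packet
    cannot make us read past the buffer."""
    if options.startswith(DHCP_MAGIC_COOKIE):
        options = options[4:]
    out = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        out[code] = value
        i += 2 + length
    return out


def identify(options: bytes) -> dict:
    """Return the raw option 55/60 values plus vendor/OS guesses."""
    opts = parse_dhcp_options(options)
    prl = tuple(opts.get(OPT_PARAM_REQUEST_LIST, b""))
    vendor_class = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    return {
        "option55": list(prl),
        "option60": vendor_class,
        "os_guess": PRL_FINGERPRINTS.get(prl, "unknown"),
        "vendor_guess": vendor_class.split(" ")[0] if vendor_class else "unknown",
    }


def build_discover_options(prl: bytes, vendor_class: bytes) -> bytes:
    """Constructed DHCP option area for a DISCOVER carrying options 53, 55 and 60."""
    return (DHCP_MAGIC_COOKIE
            + bytes([53, 1, 1])                                  # DHCP Message Type = DISCOVER
            + bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + prl
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
            + bytes([OPT_END]))


# Constructed sample using the values seen in the debug output on this page.
SAMPLE_DISCOVER = build_discover_options(bytes.fromhex("010F03062C2E2F1F2179F92B"), b"MSFT 5.0")

if __name__ == "__main__":
    print(identify(SAMPLE_DISCOVER))
```

Both options are set by the client, so the table lookup yields a best-effort classification, not a verified identity; that is why the result should select a policy rather than grant trust by itself.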

Equipment: a WX series AC, Fit APs, a switch, a laptop (with wireless NIC), an iMC server and other smart endpoints.

II. Network diagram:

[Network diagram (image not extracted). Labels recoverable from the text: S5500 switch, 172.16.0.212; VLAN 1; AC address 172.16.0.202; iMC server 172.16.0.22 (including PLAT, EIA and other components); APs; WX3024 AC, 192.168.0.254; VLAN 24; 192.168.0.0/24.]

III. Configuration steps:

1. AC version requirement

This feature was merged into WX series AC software at build B109D012, so only that build and later ones support using DHCP-snooping to record endpoint option 55 (operating system) and option 60 (vendor) information and report it to the iMC server in RADIUS attributes. Check the internal build number on a WX series AC with the following command:

display version
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2607P18
Comware Platform Software Version COMWAREV500R002B109D022
H3C WX5540E Software Version V200R006B09D022
Copyright (c) 2004-2014 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Feb 25 2014 11:08:07, RELEASE SOFTWARE
H3C WX5540E uptime is 1 week, 4 days, 0 hour, 49 minutes

The platform string COMWAREV500R002B109D022 ends in B109D022, which is later than B109D012, so this AC supports the feature.

2. AC-side configuration and notes


#
version 5.20, Release 3120P17
#
sysname WX3024-AC
#
domain default enable system
#
telnet server enable
#
port-security enable
#
// Configure the portal server: IP, key, URL and server-type. The server-type here must be imc.
portal server imc ip 172.16.0.22 key cipher $c$3$6uB5v4kaCg1aSOJkOqX+== url 172.16.0.22:8080/portal server-type imc
// Configure a portal free-rule that permits the AC's internal interface
portal free-rule 0 source interface GigabitEthernet1/0/1 destination any
#
oap management-ip 192.168.0.101 slot 0
#
password-recovery enable
#
vlan 1
#
vlan 24
#
// Configure the RADIUS scheme. server-type must be extended, and user-name-format and nas-ip must match the access policy and access service configured on iMC.
radius scheme imc
 server-type extended
 primary authentication 172.16.0.22
 primary accounting 172.16.0.22
 key authentication cipher $c$3$Myv0nhgPjC4vsMforZW3iCiW5KkP7Q==
 key accounting cipher $c$3$dCEXJGp71WPyrPK4hsPJd6sdTYf01A==
 user-name-format without-domain
 nas-ip 172.16.0.202
#
// Configure the domain
domain imc
 authentication portal radius-scheme imc
 authorization portal radius-scheme imc
 accounting portal radius-scheme imc
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
// Configure the DHCP pool for AP registration
dhcp server ip-pool 1
 network 192.168.0.0 mask 255.255.255.0
#
// Configure the DHCP pool for endpoint traffic
dhcp server ip-pool option55
 network 192.168.24.0 mask 255.255.255.0
 gateway-list 192.168.24.254
 dns-list 8.8.8.8
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$iMGIwEx7o4TNbMqd7OaOAwB5SWSzOrKE
 authorization-attribute level 3
 service-type telnet
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
// Configure the WLAN service template
wlan service-template 10 clear
 ssid option55
 bind WLAN-ESS 10
 service-template enable
#
wlan ap-group default_group
 ap ap1
 ap ap2
#
interface NULL0
#
// IP address and VLAN interface for the connection to iMC
interface Vlan-interface1
 ip address 172.16.0.202 255.255.255.0
#
// IP address and VLAN interface for endpoint traffic; portal is enabled on this interface. The portal domain and portal nas-ip must match the portal device configured on the iMC server.
interface Vlan-interface24
 ip address 192.168.24.1 255.255.255.0
 portal server imc method direct
 portal domain imc
 portal nas-ip 172.16.0.202
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
#
// Configure the WLAN-ESS interface
interface WLAN-ESS10
 port access vlan 24
#
wlan ap ap2 model WA2610H-GN id 2
 serial-id 219801A0FH9136Q00287
 radio 1
  service-template 10
  radio enable
#
// Enable DHCP snooping and enable DHCP snooping recording of the user's option 55 and option 60 information
dhcp-snooping
dhcp-snooping binding record user-identity
#
// Configure the default route
ip route-static 0.0.0.0 0.0.0.0 192.168.24.254
#
// Lab values: the default communities public/private and Telnet management should be replaced with non-default communities (or SNMPv3) and SSH before production use.
snmp-agent
snmp-agent local-engineid 800063A203000FE2873066
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
// Enable DHCP
dhcp enable
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return

3. For the iMC-side configuration, refer to KMS-2143 "Typical configuration of a WX series AC working with iMC for wireless Portal authentication"; it is not repeated here.

4. Result verification and packet capture

1) View the online clients and the online portal users on the AC:

dis wlan client
Total Number of Clients : 2
Client Information
SSID: option55
MAC Address     User Name  APID/RID  IP Address    VLAN
2477-0391-7720  -NA-       2/1       192.168.24.2  24
28e1-4cb5-8249  -NA-       2/1       192.168.24.3  24

dis portal user all
Index:12
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:stand-alone
MAC             IP            Vlan  Interface
2477-0391-7720  192.168.24.2  24    Vlan-interface24
Index:13
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:stand-alone
MAC             IP            Vlan  Interface
28e1-4cb5-8249  192.168.24.3  24    Vlan-interface24
Total 2 user(s) matched, 2 listed.

2) On iMC, view the endpoint's vendor, type and operating system under terminal device management:

[iMC screenshot (not extracted): terminal device management view showing the endpoint vendor, type and operating system.]

3) In the AC's debugging output it is clear that the RADIUS Code=[1] (Access-Request) packet carries the option 55 and option 60 attribute fields:

*Apr 26 16:37:06:936 2000 WX3024-AC RDS/7/DEBUG: Send attribute list:
*Apr 26 16:37:06:946 2000 WX3024-AC RDS/7/DEBUG:
  [1 User-name                 ] [8 ] [c09467]
  [60 CHAP_Challenge           ] [18] [6EFCA7E2624584E38EA53882A4A12C90]
  [4 NAS-IP-Address            ] [6 ] [172.16.0.202]
  [32 NAS-Identifier           ] [11] [WX3024-AC]
  [5 NAS-Port                  ] [6 ] [16818200]
  [87 NAS_Port_Id              ] (value garbled in extraction)
  [61 NAS-Port-Type            ] [6 ] [19]
  [6 Service-Type              ] [6 ] [2]
  [7 Framed-Protocol           ] [6 ] [255]
  [31 Caller-ID                ] [19] [36432D38382D31342D35392D38392D3843]
  [30 Called-station-Id        ] [28] [74-25-8A-33-81-70:option55]
  [44 Acct-Session-Id          ] (value garbled in extraction)
  [H3C-26 Connect_ID           ] [6 ] [21]
  [H3C-255 Product-ID          ] [12] [H3C WX3024]
  [H3C-59 NAS-Startup-Timestamp] [6 ] [956750400]
  [H3C-60 Ip-Host-Addr         ] [32] [192.168.24.4 6c:88:14:59:89:8c]
  [H3C-208 DHCP-Option55       ] [14] [010F03062C2E2F1F2179F92B]
  [H3C-209 DHCP-Option60       ] [10] [4D53465420352E30]
  [8 Framed-Address            ] [6 ] [192.168.24.4]
*Apr 26 16:37:07:087 2000 WX3024-AC RDS/7/DEBUG: Event: Begin to switch RADIUS server when sending 0 packet.
*Apr 26 16:37:07:108 2000 WX3024-AC RDS/7/DEBUG: The RD TWL timer has resumed.
%Apr 26 16:37:07:118 2000 WX3024-AC RDS/6/RDS_SUCC: -IfName=Vlan-interface24-VlanId=24-MACAddr=6C:88:14:59:89:8C-IPAddr=192.168.24.4-IPv6Addr=N/A-UserName=c09467@imc; User got online successfully.
%Apr 26 16:37:07:138 2000 WX3024-AC PORTAL/5/PORTAL_USER_LOGON_SUCCESS: -UserName=c09467-IPAddr=192.168.24.4-IfName=Vlan-interface24-VlanID=24-MACAddr=6c88-1459-898c-APMAC=7425-8A33-8170-SSID=option55-NasId=-NasPortId=; User got online successfully.
*Apr 26 16:37:07:169 2000 WX3024-AC RDS/7/DEBUG: Malloc seed 38 in 172.16.0.22 for User ID:21
*Apr 26 16:37:07:179 2000 WX3024-AC RDS/7/DEBUG: Event: Modify NAS-IP to 172.16.0.202.
*Apr 26 16:37:07:189 2000 WX3024-AC RDS/7/DEBUG: Send: IP=[172.16.0.22], UserIndex=[21], ID=[38], RetryTimes=[0], Code=[1], Length=[279]
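Reading the two H3C attributes in that output: H3C-209 DHCP-Option60 = 4D 53 46 54 20 35 2E 30 is the ASCII string "MSFT 5.0", and H3C-208 DHCP-Option55 = 01 0F 03 06 2C 2E 2F 1F 21 79 F9 2B is the parameter request list 1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, the list a Windows DHCP client sends (the Caller-ID hex likewise decodes to 6C-88-14-59-89-8C, matching MACAddr in the log). The Python script below is an added example, not part of the original document and not H3C or iMC code: it encodes an Access-Request carrying those values as vendor-specific attributes and parses it back the way an iMC-style server would. It assumes H3C's IANA private enterprise number 25506 and the RFC 2865 layout (type/length/value attributes; a Vendor-Specific attribute is type 26 followed by the 4-byte vendor ID and vendor-type/vendor-length/value sub-attributes). The sub-attribute lengths it produces (14 for option 55, 10 for option 60) are the ones printed in the debug output above. The parser validates the packet length field and every attribute length before indexing, which is the check a RADIUS receiver must do before trusting anything a NAS sends.

```python
"""Encode a RADIUS Access-Request carrying the H3C vendor-specific attributes
DHCP-Option55 (H3C-208) and DHCP-Option60 (H3C-209), then parse it back.
Added example, not H3C or iMC code.  Assumes H3C enterprise number 25506 and
the RFC 2865 attribute / Vendor-Specific attribute layout."""

import os
import struct

H3C_VENDOR_ID = 25506
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_VSA, ATTR_CALLED_STATION = 1, 4, 26, 30
H3C_DHCP_OPTION55, H3C_DHCP_OPTION60 = 208, 209
CODE_ACCESS_REQUEST = 1


def attr(atype: int, value: bytes) -> bytes:
    """One standard attribute: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def h3c_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute wrapping one H3C sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VSA, struct.pack("!I", H3C_VENDOR_ID) + sub)


def build_access_request(ident: int, attrs: bytes, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier Length Request-Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value)] after validating the header and every TLV."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    out, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length %d for type %d" % (alen, atype))
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def extract_h3c_dhcp_options(packet: bytes) -> dict:
    """Pull H3C-208/209 out of every H3C VSA; VSAs of other vendors are skipped."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != H3C_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad H3C sub-attribute length")
            sub = value[j + 2:j + vlen]
            if vtype == H3C_DHCP_OPTION55:
                found["option55"] = list(sub)                        # parameter request list
            elif vtype == H3C_DHCP_OPTION60:
                found["option60"] = sub.decode("ascii", "replace")   # vendor class identifier
            j += vlen
    return found


# Constructed packet reproducing the values in the debug output above.
EXAMPLE_REQUEST = build_access_request(
    ident=38,
    attrs=(attr(ATTR_USER_NAME, b"c09467")
           + attr(ATTR_NAS_IP, bytes([172, 16, 0, 202]))
           + attr(ATTR_CALLED_STATION, b"74-25-8A-33-81-70:option55")
           + h3c_vsa(H3C_DHCP_OPTION55, bytes.fromhex("010F03062C2E2F1F2179F92B"))
           + h3c_vsa(H3C_DHCP_OPTION60, bytes.fromhex("4D53465420352E30"))),
)

if __name__ == "__main__":
    print(extract_h3c_dhcp_options(EXAMPLE_REQUEST))
    # {'option55': [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43], 'option60': 'MSFT 5.0'}
```

The AC only copies the two option values into the VSAs; the server side is where decoding and fingerprint matching happen, which is why the page's key point that "the AC itself does not identify the OS or vendor" holds.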

4) The same attribute fields can also be seen in a packet capture (capture image not reproduced here):

IV. Key configuration points:

1. The portal server's server-type must be imc, and the radius scheme's server-type must be extended.

2. Enable dhcp-snooping and dhcp-snooping binding record user-identity in system view.

3. The AC itself does not identify the endpoint operating system or vendor; it only forwards the option 55 and option 60 information to iMC, which performs the identification. Both options are supplied by the client and can be forged, so treat the resulting identification as input to policy selection rather than as an authentication factor.


