admin 管理员组文章数量: 887021
2024年3月8日发(作者:十进制数的ascii码)
一、 组网需求:
在BYOD组网方案下,我们主要通过iNode客户端、HTTP网页、终端Ma c地址以及DHCP的Option属性这四种方式获取终端的操作系统和厂商信息, 实现终端识别以便完成相应的权限策略控制。其中 DHCP的Option属性方式可
普遍用户各种场景。由于部署 DHCP服务器并安装Age nt插件的方式比较繁琐, 这里我们以普通PortaI认证为例介绍一种通过无线控制器的 DHCP-snooping功能 获取记录终端的option 55 (终端操作系统)和option 60 (终端厂商)信息并通 过Radius属性上报给iMC服务器的典型配置。
WX系列AC、Fit AP、交换机、便携机(安装有无线网卡)、iMC服务器 及其他智能终端。
二、 组网图:
S5500
172.16.0.212^
Vian 1
1711&0.202
172.16.0*22
iMC server
(包含Pl泌、
EIA等组AP
WX3024
192.168.0.254
Vian 24
19Z16&.O.O/24
三、配置步骤:
1、AC版本要求
WX系列AC从B109D012合入该特性,因此只有这个版本号及其以后的版 本支持DHCP-snooping功能获取记录终端的option 55 (终端操作系统)和 opti on 60 (终端厂商)信息并通过Radius属性上报给iMC服务器。WX系列AC可 通过下面的命令查看内部版本号:
H3C Comware Platform Software
Comware Software, Versio n 5.20, Release 2607P18
Comware Platform Software Versio n COMWAREV5OOROO2B1O9DO22
H3C WX5540E Software Version V200R006B09D022
Copyright (c) 2004-2014 Hangzhou H3C Tech. Co., Ltd. All rights reserve d.
Compiled Feb 25 2014 11:08:07, RELEASE SOFTWARE
H3C WX5540E uptime is 1 week, 4 days, 0 hour, 49 minutes
2、AC侧配置及说明
1 / 8
#
version 5.20, Release 3120P17
#
sys name WX3024-AC
#
doma in default en able system
#
telnet server en able
#
port-security en able
#
//配置 portal server、ip、key、url 以及 server-type,注意这里 server-type 必 须配置为imc
portal server imc ip 172.16.0.22 key cipher $c$3$6uB5v4kaCg1aSOJkOqX+ ==url
172.16.0.22:8080/portal server-type imc
〃配置 portal free-rule 放通 AC 内联口
portal free-rule 0 source in terface GigabitEthernet1/0/1 dest in ati on any
#
oap ma nageme nt-ip 192.168.0.101 slot 0
#
password-recovery en able
#
vla n 1
#
vla n 24
#
//酉己置radius策略,注意 server-type必须选择 extended模式,注意 user-name-format 及nas-ip的配置必须与iMC接入策略和接入服务里配置保持一 致。
radius scheme imc
server-type exte nded
primary authentication 172.16.0.22
primary accounting 172.16.0.22
key authentication cipher $c$3$Myv0nhgPjC4vsMforZW3iCiW5KkP7Q== key
accou nting cipher $c$3$dCEXJGp71WPyrPK4hsPJd6sdTYf01A== user- name-format without-doma in
In as-ip 172.16.0.202
#
〃配置 domain
domai n imc
authentication portal radius-scheme imc authorization portal radius-scheme imc
acco unting portal radius-scheme imc
access-limit disable
state active
idle-cut disable
2 / 8
self-service-url disable doma in system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
//配置AP注册dhcp pool
dhcp server ip-pool 1
n etwork 192.168.0.0 mask 255.255.255.0
#
〃配置终端业务dhcp pool
dhcp server ip-pool option55
network 192.168.24.0 mask 255.255.255.0
gateway-list 192.168.24.254
dn s-list 8.8.8.8
#
user-group system
group-attribute allow-guest
#
local-user adm in
password cipher $c$3$iMGIwEx7o4TNbMqd7OaOAwB5SWSzOrKE authorizati
on-attribute level 3
service-type tel net
#
wlan rrm
dot11a man datory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b man datory-rate 1 2
dot11b supported-rate 5.5 11
dot11g man datory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
//配置无线服务模板
wlan service-template 10 clear
ssid optio n55
bind WLAN-ESS 10 service-template en able
#
wla n ap-group default_group
ap ap1
ap ap2
#
in terface NULLO
#
//与iMC互联ip及vlan接口
3 / 8
in terface Vian-i nterfacel
ip address 172.16.0.202 255.255.255.0
#
//终端业务互联ip及vlan接口,接口下开启 portal,注意portal domain
及portal nas-ip配置需要与iMC服务器portal设备保持一致
in terface Vlan-i nterface24
ip address 192.168.24.1 255.255.255.0
portal server imc method direct
portal doma in imc
portal nas-ip 172.16.0.202
#
in terface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
#
//配置 wlan-ess接口
in terface WLAN-ESS10
port access vla n 24
#
wlan ap ap2 model WA2610H-GN id 2
serial-id 219801A0FH9136Q00287
radio 1
service-template 10
radio en able
#
//开启 dhcp-snooping,使能 dhcp-snooping记录用户的n 60信息功能
dhcp-s nooping
dhcp-snooping binding record user-identity
#
//配置默认路由
ip route-static 0.0.0.0 0.0.0.0 192.168.24.254
#
snm p-age nt
snm p-age nt local-e ngi neid 800063A203000FE2873066
snmp-agent community read public
snmp-agent community write private
snm p-age nt sys-i nfo versi on all
#
〃使能dhcp
dhcp en able
#
user- in terface con 0
user- in terface vty 0 4
authe nticati on-m ode scheme
4 / 8
option 55 和optio
user privilege level 3
#
return
3、 iMC侧配置请参考KMS-2143《WX系列AC与iMC配合实现无线Portal认证 典型配置》,这里不再赘述。
4、 结果验证及抓包
1) AC上查看在线的客户端和portal在线用户信息:
Total Number of Clients : 2
Client Information
SSID: optio n55
MAC Address User Name APID/RID IP Address
2477-0391-7720 -NA-
28e1-4cb5-8249 -NA-
VLAN
24
24
2/1
2/1
192.168.24.2
192.168.24.3
In dex:12
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:sta nd-al one
MAC IP Vla n In terface
2477-0391-7720 192.168.24.2 24 Vlan-in terface24
In dex:13
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:sta nd-al one
MAC IP Vla n In terface
28e1-4cb5-8249 192.168.24.3 24 Vla n-in terface24
Total 2 user(s) matched, 2 listed.
2) iMC上通过终端设备管理查看终端的厂商、类型以及操作系统等信息:
5 / 8
ift
t I3C i»***flp
■■ ” ■■
■rwf
总< '■啤7 "W
*nn
■ ...
■
______
石■护
n ・■
勺T 1
vivi tv*1 WKumid jm
4UM4M
mi”
—— rH-W • I 1 H
3)查看AC的debugging信息,可以清楚看到 Radius的code=[1]报文里携 带了
option 55和option 60的属性字段:
*Apr 26 16:37:06:936 2000 WX3024-AC RDS/7/DEBUG: Send attribute li st:
*Apr 26 16:37:06:946 2000 WX3024-AC RDS/7/DEBUG:
[1 User-name ] [8 ] [c09467]
][18] [6EFCA7E2624584E38EA53882A4
][6 ] [172.16.0.202]
][11] [WX3024-AC]
][6 ] [16818200]
][18] [0024]
2000 WX3024-AC RDS/7/DEBUG:
][6 ] [19]
[60 CHAP_Challenge
][6 ] [21]
[6 ] [2]
A12C90]
][6 ] [255]
[4 NAS-IP-Address [32
][19] [36432D38382D31342D35392D38392D38
NAS-Identifier
[5 NAS-Port
][28] [74-25-8A-33-81-70:option55]
[87 NAS_Port_Id
*Apr 26 16:37:06:986
2000 WX3024-AC RDS/7/DEBUG:
][16] [10]
[61 NAS-Port-Type
][6 ] [192.168.24.4]
[H3C-26 Connect_ID
][12] [H3C WX3024]
[6 Service-Type
][32] [192.168.24.4 6c:88:14:59:89:8c]
[7 Framed-Protocol
[31 Caller-ID
][14] [010F03062C2E2F1F2179F92B]
43]
[H3C-209 DHCP-Option60 ] [10]
[30 Called-statio n-ld
[4D53465420352E30]
*Apr 26 16:37:07:027
*Apr 26 16:37:07:077 2000 WX3024-AC
[44 Acct-Sessio n-ld [8
RDS/7/DEBUG:
Framed-Address [H3C-[H3C-59 NAS-Startup-Timestamp ] [6 ] [956750400]
255Product-ID [H3C-*Apr 26 16:37:07:087 2000 WX3024-AC
60 Ip-Host-Addr
RDS/7/DEBUG:
[H3C-208 DHCP-Option55
Eve nt: Begi n to switch RADIUS server whe n
sending 0 packet.
*Apr 26 16:37:07:108 2000 WX3024-AC RDS/7/DEBUG: The RD TWL t imer has
resumeed.
6 / 8
%Apr 26 16:37:07:118 2000 WX3024-AC RDS/6/RDS_SUCC: -IfName =Vla n-in terface24-Vla nl d=24-MACAddr=6C:88:14:59:89:8C-IPAddr=192.168. 24.4-IPv6Addr=N/A-UserName=c09467@imc; User got online successfully.
%Apr 26 16:37:07:138 2000 WX3024-AC PORTAL/5/PORTAL_USER_
LOGON SUCCESS: -UserName=c09467-IPAddr=192.168.24.4-lfName=Vlan-
in terface24-Vla nlD=24-MACAddr=6c88-1459-898c-APMAC=7425-8A33-8170 -SSID=option55-NasId=-NasPortId=; User got online successfully.
*Apr 26 16:37:07:169 2000 WX3024-AC RDS/7/DEBUG: Malloc seed
38 in 172.16.0.22 for User ID:21
*Apr 26 16:37:07:179 2000 WX3024-AC RDS/7/DEBUG:
Eve nt: Modify NAS-IP to 172.16.0.202.
*Apr 26 16:37:07:189 2000 WX3024-AC RDS/7/DEBUG: Send: IP=[172.1
6.0.22], UserIndex=[21], ID=[38], RetryTimes=[0], Code=[1], Length=[27
9]
4)通过抓包我们也可以看到这个属性字段:
四、配置关键点:
1、 portal server 的 server-type 必须选择 imc, radius scheme 的 server-type 必须选择extendec。
2、 全局视图下开启 dhcp-snooping 和 dhcp-snooping binding record user-ide
ntity。
3、 AC本身并不支持终端操作系统和厂商识别,只是把相关 option 55和o ption
60信息传送给iMC完成终端识别。
范文素材和资料部分来自网络, 供参考。可复制、编制,期待你的好评与关注)
7 / 8
版权声明:本文标题:H3CAC进行Portal认证 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.freenas.com.cn/free/1709848791h548499.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论