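This note describes 802.1X authentication with an H3C access switch and a Sangfor AC device: the Sangfor device acts as the authentication server and the H3C switch as the NAS client. When used for network admission, the Sangfor AC supports only EAP as the authentication method.
1. Configure 802.1X authentication on the Sangfor AC:
The AC device address is 192.168.1.94; the RADIUS server shared key is "a123456".
2. Create local accounts:
Both local accounts use the password "123456".
3. Configure dot1x authentication on the switch: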
[h3c]dot1x
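[h3c]dot1x authentication-method eap #Sangfor as the server side supports only EAP
[h3c]dot1x retry 3 #number of failed attempts after which authentication is considered failed
[h3c]radius scheme sangfor #configure the RADIUS scheme
[h3c-radius-sangfor]primary authentication 192.168.1.94 #Sangfor AC address
[h3c-radius-sangfor]primary accounting 192.168.1.94
[h3c-radius-sangfor]key authentication a123456 #shared key
[h3c-radius-sangfor]key accounting a123456
[h3c-radius-sangfor]nas-ip 192.168.1.2 #source address used when sending authentication requests to the server; it must be reachable from the server (the switch address)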
[h3c-radius-sangfor]quit
[h3c]
[h3c]domain sangfor.local #configure the authentication domain
[h3c-isp-sangfor.local]authentication lan-access radius-scheme sangfor #authorizing the lan-access resource is sufficient
[h3c-isp-sangfor.local]authorization lan-access radius-scheme sangfor
[h3c-isp-sangfor.local]accounting lan-access radius-scheme sangfor
[h3c-isp-sangfor.local]quit
[h3c]
[h3c]interface ethernet 1/0/1 #enable dot1x authentication on the port
[h3c-ethernet1/0/1]dot1x
[h3c-ethernet1/0/1]dot1x mandatory-domain sangfor.local
[h3c-ethernet1/0/1]quit
[h3c]mac-address static 000c-2930-ca52 interface ethernet 1/0/1 vlan 1
1. Change the authentication method to the AD domain controller and join the domain "mynet.top":
2. Configure dot1x authentication on the switch:
[h3c]dot1x
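[h3c]dot1x authentication-method eap #Sangfor as the server side supports only EAP
[h3c]dot1x retry 3 #number of failed attempts after which authentication is considered failed
[h3c]radius scheme sangfor #configure the RADIUS scheme
[h3c-radius-sangfor]primary authentication 192.168.1.94 #Sangfor AC address
[h3c-radius-sangfor]primary accounting 192.168.1.94
[h3c-radius-sangfor]key authentication a123456 #shared key
[h3c-radius-sangfor]key accounting a123456
[h3c-radius-sangfor]nas-ip 192.168.1.2 #source address used when sending authentication requests to the server; it must be reachable from the server (the switch address)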
[h3c-radius-sangfor]quit
[h3c]
[h3c]domain mynet.top
[h3c-isp-mynet.top]authentication lan-access radius-scheme sangfor
[h3c-isp-mynet.top]authorization lan-access radius-scheme sangfor
[h3c-isp-mynet.top]accounting lan-access radius-scheme sangfor
[h3c-isp-mynet.top]quit
[h3c]
[h3c]interface ethernet 1/0/1
[h3c-ethernet1/0/1]dot1x
[h3c-ethernet1/0/1]dot1x mandatory-domain mynet.top
[h3c-ethernet1/0/1]quit
3. A successful authentication looks like this:
[h3c]
%apr 26 15:17:18:809 2000 h3c rds/6/rds_succ: -ifname=ethernet1/0/1-vlanid=1-macaddr=b0:0c:d1:6b:c7:71-ipaddr=n/a-ipv6addr=n/a-username=sangforclient張飛@mynet.top; user got online successfully.
4. Authentication exemption:
[h3c]mac-address static 000c-2930-ca52 interface ethernet 1/0/1 vlan 1
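An added example, not part of the original page or of any H3C or Sangfor tooling: a small Python check over a prompt-prefixed command transcript like the ones above. It flags static MAC entries that land on 802.1X-enabled ports (the exemption used in step 4) and RADIUS keys shorter than a policy threshold. The 16-character threshold, the finding names and the `audit` function are assumptions made for this example.

```python
import re

# Constructed sample: commands from this page, typed with their prompts.
SAMPLE = """\
[h3c]dot1x
[h3c]radius scheme sangfor
[h3c-radius-sangfor]key authentication a123456 #shared key
[h3c-radius-sangfor]key accounting a123456
[h3c-radius-sangfor]quit
[h3c]interface ethernet 1/0/1
[h3c-ethernet1/0/1]dot1x
[h3c-ethernet1/0/1]dot1x mandatory-domain sangfor.local
[h3c-ethernet1/0/1]quit
[h3c]mac-address static 000c-2930-ca52 interface ethernet 1/0/1 vlan 1
"""

MIN_KEY_LEN = 16  # assumption: local policy threshold, not a vendor limit


def audit(transcript, min_key_len=MIN_KEY_LEN):
    """Return sorted findings for a prompt-prefixed H3C command transcript."""
    dot1x_ports, static_macs, findings = set(), [], set()
    for raw in transcript.splitlines():
        # Drop the trailing '#comment' used on this page, then split the prompt.
        m = re.match(r"\[([^\]]+)\]\s*(.*)", raw.split("#", 1)[0].strip())
        if not m or not m.group(2):
            continue
        # Assumes the sysname itself has no hyphen: '[h3c-radius-sangfor]'.
        view = m.group(1).partition("-")[2].lower()
        cmd = m.group(2).split()
        if view.startswith("radius-") and cmd[0] == "key" and len(cmd) == 3:
            if len(cmd[2]) < min_key_len:  # report length only, never the key
                findings.add(("short-radius-key", view[7:], cmd[1], len(cmd[2])))
        elif view and not view.startswith(("radius-", "isp-")) and cmd == ["dot1x"]:
            dot1x_ports.add(view)  # port view, e.g. 'ethernet1/0/1'
        elif cmd[:2] == ["mac-address", "static"] and "interface" in cmd:
            rest = cmd[cmd.index("interface") + 1:]
            port = "".join(rest[:rest.index("vlan")] if "vlan" in rest else rest)
            static_macs.append((port.lower(), cmd[2].lower()))
    # A static MAC on an 802.1X port is this page's authentication exemption.
    for port, mac in static_macs:
        if port in dot1x_ports:
            findings.add(("static-mac-on-dot1x-port", port, mac))
    return sorted(findings, key=str)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each exemption it reports is a MAC address that the port accepts without 802.1X, so the list is worth reviewing against the devices that are actually meant to be exempt.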