aaa new-model ---Enable AAA
aaa authentication dot1x default group radius ---802.1X default authentication method: RADIUS
aaa authorization network default group radius ---Default network authorization method: RADIUS
aaa accounting dot1x default start-stop group radius ---802.1X default accounting method: RADIUS
---Enables dot1x authentication, authorization and accounting
aaa server radius dynamic-author
client 202.100.1.241 server-key cisco
---Enables CoA (Change of Authorization), used for NAC network admission control: here the RADIUS server initiates the connection to the switch, so `client` is the RADIUS server's address and `server-key` is the shared secret it must present
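The CoA exchange that `aaa server radius dynamic-author` turns on, as an added example that is not part of the original page and is not Cisco's or ISE's code: a Python implementation of the RFC 5176 Disconnect-Request the RADIUS server sends to the switch's dynamic-author listener, the switch-side verification of it, and the switch's Disconnect-ACK. The shared secret is the page's `cisco`; the packet identifier, NAS address, endpoint MAC and Acct-Session-Id are constructed values. The authenticator rules follow RFC 5176 (Request Authenticator as in RFC 2866, Message-Authenticator computed with the authenticator field zeroed).

```python
import hashlib
import hmac
import struct

# Shared key from the page's `client 202.100.1.241 server-key cisco`
SHARED_SECRET = b"cisco"

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# RADIUS attribute types used below
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80


def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, attributes, secret=SHARED_SECRET):
    """Build a CoA-Request or Disconnect-Request as the RADIUS server sends it.
    Message-Authenticator = HMAC-MD5(secret, header + 16 zero octets + attributes with
    the Message-Authenticator value zeroed); it is computed first so that the
    Request Authenticator = MD5(header + 16 zero octets + attributes + secret) covers it."""
    placeholder = attributes + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(placeholder))
    mac = hmac.new(secret, header + bytes(16) + placeholder, hashlib.md5).digest()
    attrs = attributes + avp(ATTR_MESSAGE_AUTHENTICATOR, mac)
    request_authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_authenticator + attrs


def verify_request(packet, secret=SHARED_SECRET):
    """Validate a received CoA/Disconnect-Request the way the switch must before acting
    on it: request code, consistent length, Request Authenticator under the shared secret,
    and a correct Message-Authenticator (treated as mandatory here, stricter than the RFC)."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    header, request_authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, request_authenticator):
        return False
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, attrs[pos + 2:pos + 18])
        pos += attr_len
    return False  # no Message-Authenticator: reject


def build_response(request, code, attributes=b"", secret=SHARED_SECRET):
    """Build the switch's ACK/NAK. Response Authenticator = MD5(header + the request's
    Request Authenticator + attributes + secret), as in RFC 5176 / RFC 2866."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    response_authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + response_authenticator + attributes


def verify_response(request, response, secret=SHARED_SECRET):
    """Validate an ACK/NAK against the request it answers (identifier must match)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, response_authenticator, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_authenticator)


def sample_disconnect():
    """Disconnect-Request for a constructed session: NAS 202.100.1.1 (assumed switch
    address), endpoint MAC 00-11-22-33-44-55 and Acct-Session-Id 0000001A are made up."""
    attrs = (avp(ATTR_NAS_IP_ADDRESS, bytes([202, 100, 1, 1]))
             + avp(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")
             + avp(ATTR_ACCT_SESSION_ID, b"0000001A"))
    return build_request(DISCONNECT_REQUEST, 7, attrs)


if __name__ == "__main__":
    req = sample_disconnect()
    print("request accepted with the configured key:", verify_request(req))
    print("request accepted with a wrong key:", verify_request(req, b"wrong"))
    print("ack accepted:", verify_response(req, build_response(req, DISCONNECT_ACK)))
```

The point worth noticing is that the `server-key` is the only thing that authenticates a CoA: anyone who can reach the switch's dynamic-author port and knows the key can disconnect or re-authorize sessions, so the key deserves the same handling as the RADIUS key and the `client` address list should stay restricted to the actual ISE nodes.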
dot1x system-auth-control
---Enables dot1x globally
ip device tracking
---Tracks the IP address of each connected device. Reason: a downloadable ACL (dACL) always has `any` as its source; consequence: the switch needs IP device tracking to learn the host's IP and substitute it, and IP device tracking must be combined with DHCP address assignment for the client
radius-server attribute 6 on-for-login-auth
---Sends the Service-Type attribute in Access-Requests
radius-server attribute 8 include-in-access-req
---Sends the Framed-IP-Address attribute in Access-Requests
radius-server attribute 25 access-request include
---Sends the Class attribute in Access-Requests ---the ASA uses it for VPN authorization
radius-server dead-criteria time 5 tries 3
---A server that does not answer within 5 seconds for 3 consecutive attempts (3 x 5 seconds) meets the dead criteria. Caveat: the server is only actually marked dead when a non-zero `radius-server deadtime` is also configured, which this configuration omits, so the `authentication event server dead` action below would never trigger
radius-server host 202.100.1.241
radius-server key cisco
radius-server vsa send accounting ---Vendor-specific attributes, such as the Cisco dACL
---Enables vendor-specific attributes to be sent in RADIUS accounting messages
radius-server vsa send authentication
---To enable dACLs, you must first configure the access switch to allow communication using the cisco-av-pair attribute with the value aaa:event=acl-download. Enter the command shown here in the switch's global configuration. Omitting it results in failed authentication/authorization requests ---VSA: vendor-specific attribute; the dACL is Cisco-proprietary, and without `vsa send` the dACL cannot be downloaded
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps ---DHCP is built on BOOTP, hence the bootpc/bootps port names
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
---ACL-DEFAULT permits only basic traffic; it is the pre-authentication port ACL applied inbound on the open-mode interface below, and a dACL returned by ISE after authentication overrides it for that host
ip access-list extended WEB-REDIRECT
deny udp any any eq domain
deny udp any host 202.100.1.241 eq 8905
deny udp any host 202.100.2.254 eq 8905
deny udp any host 202.100.1.241 eq 8906
deny udp any host 202.100.1.241 eq 8909
deny tcp any host 202.100.1.241 eq 8443
deny tcp any host 202.100.1.241 eq 8905
deny tcp any host 202.100.2.254 eq 8905
deny tcp any host 202.100.1.241 eq 8909
permit ip any any
---WEB-REDIRECT matches the traffic to be redirected to the web portal ---this is the redirect ACL used for web-auth admission control. Note the inverted semantics of a redirect ACL: `permit` means redirect, `deny` means let through unredirected, so DNS and the ISE portal/posture/provisioning ports (8443, 8905, 8906, 8909) are exempted and everything else is sent to the portal
interface GigabitEthernet1/0/1
description ISE-MAB-DOT1X-WEBAUTH
switchport access vlan 2
switchport mode access
spanning-tree portfast
dot1x pae authenticator ---The switch's role is authenticator (it challenges the endpoint), not supplicant
authentication port-control auto
---Sets the interface's 802.1X port control to auto:
the switch sends an initial EAP-Request/Identity frame followed by one or more requests for authentication information
authentication open ---Enables open authentication (low-impact mode): traffic is forwarded before authentication, limited only by the port ACL
ip access-group ACL-DEFAULT in ---Only basic traffic passes before authentication
authentication host-mode multi-auth ---Host mode is multi-auth: every MAC address on the port is authenticated individually
authentication violation restrict ---On a violation, restrict: the offending traffic is dropped and a syslog message is generated, the port stays up
mab ---Enables MAB authentication
authentication order mab dot1x ---Authentication order: MAB first, then 802.1X
authentication priority dot1x mab ---Authentication priority: a later 802.1X result takes precedence over a MAB result
authentication event fail action next-method ---On authentication failure, fall through to the next method
authentication event server dead action authorize vlan 10 ---If the AAA server is dead, put the port in VLAN 10 (critical VLAN)
authentication event server alive action reinitialize ---When the AAA server comes back, reinitialize the session
authentication event no-response action authorize vlan 20 ---If the client does not respond (no supplicant), put it in VLAN 20 (guest VLAN)
authentication event fail action authorize vlan 30 ---If the client fails, e.g. keeps guessing the wrong password, put it in VLAN 30 (auth-fail VLAN)
---Caveat: `authentication event fail action` holds a single action, so this last line replaces the `next-method` setting entered above; keep only the one you intend
---Interface-level dot1x configuration
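As an added example that is not from the page and not a Cisco tool, a small Python checker that parses the configuration above (reproduced here as a constructed sample with `show running-config` indentation) and reports the NAC-relevant mistakes discussed on this page: the two conflicting `authentication event fail action` lines, `radius-server dead-criteria` without `radius-server deadtime`, an open-mode port with no pre-auth ACL, and missing global prerequisites such as `radius-server vsa send authentication` and `ip device tracking`. The check names and messages are the editor's own.

```python
from collections import defaultdict

# Constructed sample: this page's switch configuration, with interface sub-commands
# indented as `show running-config` prints them. Not captured from a live device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 202.100.1.241 server-key cisco
dot1x system-auth-control
ip device tracking
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 202.100.1.241
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
interface GigabitEthernet1/0/1
 description ISE-MAB-DOT1X-WEBAUTH
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
 dot1x pae authenticator
 authentication port-control auto
 authentication open
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 authentication violation restrict
 mab
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication event no-response action authorize vlan 20
 authentication event fail action authorize vlan 30
"""

# Global commands the interface-level NAC config depends on, with the reason each matters
GLOBAL_REQUIRED = {
    "aaa new-model": "AAA is off, so the dot1x/mab method lists are never used",
    "dot1x system-auth-control": "802.1X is not enabled globally; interface dot1x config is inert",
    "radius-server vsa send authentication": "a dACL cannot be downloaded without VSAs in Access-Accept",
    "ip device tracking": "the dACL source 'any' cannot be rewritten to the host IP",
}


def parse_config(text):
    """Split an IOS running-config into lowercased global lines and per-interface sub-command lists."""
    global_cmds, interfaces, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip().lower())
        elif raw.lower().startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        else:
            current = None
            global_cmds.append(raw.strip().lower())
    return global_cmds, interfaces


def lint(text):
    """Return (scope, message) findings for the NAC mistakes this page discusses."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    for cmd, why in GLOBAL_REQUIRED.items():
        if cmd not in global_cmds:
            findings.append(("global", f"missing '{cmd}': {why}"))
    has_dead_criteria = any(g.startswith("radius-server dead-criteria") for g in global_cmds)
    has_deadtime = any(g.startswith("radius-server deadtime") for g in global_cmds)
    if has_dead_criteria and not has_deadtime:
        findings.append(("global", "radius-server dead-criteria without radius-server deadtime: "
                                   "the server is never marked dead, so 'event server dead' never fires"))
    for name, cmds in interfaces.items():
        if not any(c.startswith("authentication port-control") or c == "dot1x pae authenticator"
                   for c in cmds):
            continue  # not an 802.1X port
        fail_actions = [c for c in cmds if c.startswith("authentication event fail action")]
        if len(fail_actions) > 1:
            findings.append((name, "conflicting 'authentication event fail action' lines; "
                                   f"IOS keeps only the last one: '{fail_actions[-1]}'"))
        if "authentication open" in cmds and not any(
                c.startswith("ip access-group") and c.endswith(" in") for c in cmds):
            findings.append((name, "authentication open without an inbound pre-auth ACL: "
                                   "unauthenticated hosts get full access"))
        if ("mab" in cmds and "authentication order mab dot1x" in cmds
                and "authentication priority dot1x mab" not in cmds):
            findings.append((name, "order is mab before dot1x but priority does not favour dot1x: "
                                   "a MAB success is not overridden by a later 802.1X supplicant"))
        if "switchport mode access" not in cmds:
            findings.append((name, "802.1X port is not 'switchport mode access'"))
    return findings


if __name__ == "__main__":
    for scope, message in lint(SAMPLE_CONFIG):
        print(f"[{scope}] {message}")
```

Run against the page's configuration it reports exactly the two problems noted in the annotations above (the duplicated fail action on GigabitEthernet1/0/1 and the missing `radius-server deadtime`); feeding it a config with `radius-server vsa send authentication` removed adds the dACL finding.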