Identity authentication is the process by which a computer system confirms that a user's identity is genuine, legitimate and unique when that user logs in or accesses system resources at different protection levels. Its main purpose is to keep unauthorized users out of the system, and to stop them from reaching controlled information through irregular operations or from maliciously damaging the integrity of system data. In recent years more and more organizations have secured user access to network resources with an authentication system, and among the many solutions RADIUS is the most widely deployed. Large numbers of enterprises, government agencies and universities use RADIUS to authenticate the identity of users accessing the network, to decide whether a given user is allowed online, and to record the related information.
Security technique 1: dot1x with a RADIUS AAA server
【Lab objectives】
① Use the firewall's one-armed (router-on-a-stick) routing to provide communication between multiple VLANs.
② Use the firewall's DHCP relay so that hosts in multiple VLANs obtain addresses dynamically.
③ Users reach the external network only after passing AAA authentication.
④ Remote in-band management (Telnet) of every device requires AAA authentication.
【Topology plan】
Configuration commands
Switch configuration
[Quidway]dis cu
#
sysname Quidway
#
super password level 3 simple 123456
#
local-server nas-ip 192.168.30.151 key 123456
#
domain default enable ty
#
dot1x
dot1x authentication-method pap
#
radius scheme system
radius scheme xxx
server-type standard
primary authentication 192.168.30.151
accounting optional
key authentication 123456
user-name-format without-domain
#
domain system
domain ty
scheme radius-scheme xxx
access-limit enable 10
accounting optional
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
port access vlan 10
dot1x
#
interface Ethernet1/0/2
port access vlan 20
dot1x
#
interface Ethernet1/0/3
port access vlan 30
#
interface Ethernet1/0/4
port link-type trunk
port trunk permit vlan all
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254 preference 60
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Firewall configuration
%Aug 12 18:10:37:367 2013 H3C SHELL/4/LOGIN: Console login from con0
System View: return to User View with Ctrl+Z.
[H3C]dis cu
#
sysname H3C
#
super password level 3 simple 123456
#
domain default enable ty
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
radius scheme ty
server-type standard
primary authentication 192.168.30.151
key authentication 123456
user-name-format without-domain
#
domain system
domain ty
scheme radius-scheme ty
authentication local
access-limit enable 10
accounting optional
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!<>
service-type telnet terminal
level 3
service-type ftp
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.1.254 255.255.255.0
dhcp select relay
#
interface Ethernet0/0.10
ip address 192.168.10.1 255.255.255.0
ip relay address 192.168.30.100
dhcp select relay
vlan-type dot1q vid 10
#
interface Ethernet0/0.20
ip address 192.168.20.1 255.255.255.0
ip relay address 192.168.30.100
dhcp select relay
vlan-type dot1q vid 20
#
interface Ethernet0/0.30
ip address 192.168.30.1 255.255.255.0
dhcp select relay
vlan-type dot1q vid 30
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/0.10
add interface Ethernet0/0.20
add interface Ethernet0/0.30
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Client authentication
Address obtained dynamically via DHCP
Telnet session
Security technique 2: dot1x also offers a second method, authentication based on the MAC address [local, and via ACS]
Local
【Lab objectives】
Restrict access by creating users on the switch.
An authentication method based on the client's MAC address.
【Lab topology】
Client address 12.168.30.1
【Lab configuration】
Switch configuration commands
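As an added example that is not part of the original page, the following Python builds the RADIUS Access-Request a dot1x switch sends for the PAP exchange configured above, using the page's shared secret 123456 and the "user-name-format without-domain" setting, and shows the RFC 2865 User-Password hiding that is all the shared secret protects. The NAS address and the NAS-Port value are constructed assumptions, not values from the page.

```python
import hashlib
import socket
import struct

SHARED_SECRET = b"123456"   # "key authentication 123456" on the switch and firewall
NAS_IP = "192.168.1.1"      # constructed: the switch's Vlan-interface1 acting as the NAS

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: each 16-octet block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator.
    It is obfuscation keyed only by the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    # zero-pad to a multiple of 16 octets, at least one block
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")   # strips the padding; a password cannot end in NUL

def strip_domain(username: str) -> str:
    """'user-name-format without-domain': the NAS sends 'alice@ty' as 'alice'."""
    return username.rsplit("@", 1)[0]

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack(">BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, username: str, password: bytes, authenticator: bytes) -> bytes:
    """Access-Request (Code 1) as the dot1x switch sends it for PAP; the caller
    supplies 16 fresh random octets as the Request Authenticator."""
    attrs = (_attr(1, strip_domain(username).encode())                          # User-Name
             + _attr(2, hide_password(password, SHARED_SECRET, authenticator))  # User-Password
             + _attr(4, socket.inet_aton(NAS_IP))                               # NAS-IP-Address
             + _attr(5, struct.pack(">I", 1)))                                  # NAS-Port (constructed)
    return struct.pack(">BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
```

Anyone holding the shared secret and a capture of the request recovers the password with reveal_password, which is why a six-digit secret and an unencrypted path between NAS and server deserve attention.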
[Quidway]dis cu
#
sysname Quidway
#
MAC-authentication
MAC-authentication authmode usernameasmacaddress usernameformat with-hyphen
#
radius scheme system
#
domain system
#
local-user 00-0c-29-d6-5a-52
password simple 00-0c-29-d6-5a-52
service-type lan-access
#
vlan 1
#
interface Vlan-interface1
ip address 192.168.30.100 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/2
#
interface Ethernet1/0/3
#
interface Ethernet1/0/4
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Ethernet1/0/8
#
interface Ethernet1/0/9
#
interface Ethernet1/0/10
MAC-authentication
#
interface Ethernet1/0/11
#
interface Ethernet1/0/12
#
interface Ethernet1/0/13
#
interface Ethernet1/0/14
#
interface Ethernet1/0/15
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
#
return
【Lab verification】
ACS-based authentication
【Lab objectives】
Restrict access by creating users on the switch.
An authentication method based on the client's MAC address.
The users are set up on the AAA server.
【Lab topology】
【Lab configuration】
#
sysname Quidway
#
MAC-authentication
MAC-authentication authmode usernameasmacaddress usernameformat with-hyphen
#
radius scheme system
radius scheme xxx
server-type standard
primary authentication 192.168.30.151
accounting optional
key authentication 123456
user-name-format without-domain
#
domain system
scheme radius-scheme xxx
access-limit enable 10
accounting optional
#
vlan 1
#
interface Vlan-interface1
ip address 192.168.30.10 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/2
#
interface Ethernet1/0/3
#
interface Ethernet1/0/4
#
interface Ethernet1/0/5
#
interface Ethernet1/0/6
#
interface Ethernet1/0/7
#
interface Ethernet1/0/8
#
interface Ethernet1/0/9
#
interface Ethernet1/0/10
#
interface Ethernet1/0/11
#
interface Ethernet1/0/12
#
interface Ethernet1/0/13
#
interface Ethernet1/0/14
#
interface Ethernet1/0/15
#
interface Ethernet1/0/16
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
#
interface Ethernet1/0/22
#
interface Ethernet1/0/23
MAC-authentication
#
interface Ethernet1/0/24
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
#
return
【Lab verification】