I. Test Requirements
XX enterprise currently requires Aruba devices for stable wireless coverage and security assurance. To ensure security, XX enterprise requires the Aruba equipment to publish two wireless SSIDs. One SSID is "CA": the user first connects to it to apply for a certificate (the user is placed in VLAN 710) and cannot access any other network from it. The other SSID is "Employee", the normal business SSID: users must authenticate with a certificate when connecting, and after successful authentication they must be authorized correctly.
II. Test Topology
Test Device:
CISCO 7609
Aruba 6000-400 wireless controller
Cisco Catalyst 3750-24 PS 24 port POE Switch
Aruba AP 105/125.
Windows Server 2003 Enterprise (AD + DNS + IIS + CA)
Cisco ACS 4.2
III. Test Content
1: Publish two SSIDs, CA and Employee.
2: CA SSID
The SSID is hidden, so users must add it manually to reach the CA. Wireless users can access the CA without authentication.
Employee SSID
Wireless authentication uses 802.1X against the Cisco ACS server (the ACS server and the CA are integrated), and users can be authorized into specific VLANs.
3: To ensure security:
Users are not allowed to change their IP address manually. The business network can only be reached with the IP address assigned by DHCP; a user who changes the IP address manually cannot reach any address.
To prevent a wireless user from running a DHCP server that disrupts the normal operation of the network, no wireless user may act as a DHCP server (user packets sent to any UDP port 68 are dropped).
IV. Test Procedure
1: POE switch configuration
2: ACS server configuration (the AD + DNS + IIS + CA + ACS configuration is omitted here for length)
3: Aruba AC configuration
4: Security configuration
5: Client test
1: 3750 POE switch configuration
1: Interface configuration
Configure the uplink interface as a trunk interface, and place the interfaces connected to the APs in VLAN 96.
2: DHCP server (assigns addresses to the APs; wireless users get their addresses from Windows DHCP)
(Cisco3750SW) (config) # ip dhcp pool vlan96
(Cisco3750SW) (config-dhcp) # network 172.16.22.0 255.255.255.0
(Cisco3750SW) (config-dhcp) # default-router 172.16.22.1
(Cisco3750SW) (config-dhcp) # option 43 ip 100.100.6.188
(Cisco3750SW) (config-dhcp) # exit
(Cisco3750SW) (config) # service dhcp
2: Cisco ACS Server
The figure above is for illustration. In the actual configuration, add the Aruba AC as an AAA Client on the ACS server: AAA Client IP Address 100.100.6.188, Key 123456789, Authenticate Using RADIUS (IETF), then Submit + Apply.
3: Wireless configuration on the Aruba AC
Configure the 802.1X SSID "Employee" with certificate (EAP-TLS) authentication:
(Aruba6000AC1) (config) # aaa authentication-server radius ht-radius
(Aruba6000AC1) (RADIUS Server "ht-radius") # host 100.100.100.116
(Aruba6000AC1) (RADIUS Server "ht-radius") # key 123456789
(Aruba6000AC1) (RADIUS Server "ht-radius") # enable
(Aruba6000AC1) (RADIUS Server "ht-radius") # exit
(Aruba6000AC1) (config) # aaa server-group ht-dot1x-server-group
(Aruba6000AC1) (Server Group "ht-dot1x-server-group") # auth-server ht-radius
(Aruba6000AC1) (Server Group "ht-dot1x-server-group") # set role condition role value-
(Aruba6000AC1) (Server Group "ht-dot1x-server-group") # exit
(Aruba6000AC1) (config) # aaa authentication dot1x ht-dot1x-aaa-auth-profile
(Aruba6000AC1) (802.1X Authentication Profile "ht-dot1x-aaa-auth-profile") # termination eap-type eap-tls
(Aruba6000AC1) (802.1X Authentication Profile "ht-dot1x-aaa-auth-profile") # termination inner-eap-type eap-mschapv2
(Aruba6000AC1) (802.1X Authentication Profile "ht-dot1x-aaa-auth-profile") # exit
(Aruba6000AC1) (config) # aaa profile ht-dot1x-aaa-profile
(Aruba6000AC1) (AAA Profile "ht-dot1x-aaa-profile") # dot1x-server-group ht-dot1x-server-group
(Aruba6000AC1) (AAA Profile "ht-dot1x-aaa-profile") # authentication-dot1x ht-dot1x-aaa-auth-profile
(Aruba6000AC1) (AAA Profile "ht-dot1x-aaa-profile") # exit
(Aruba6000AC1) (config) # wlan ssid-profile ht-dot1x-ssid-profile
(Aruba6000AC1) (SSID Profile "ht-dot1x-ssid-profile") # essid Employee
(Aruba6000AC1) (SSID Profile "ht-dot1x-ssid-profile") # opmode wpa-tkip
(Aruba6000AC1) (SSID Profile "ht-dot1x-ssid-profile") # exit
(Aruba6000AC1) (config) # wlan virtual-ap ht-dot1x-vap-profile
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # aaa-profile ht-dot1x-aaa-profile
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # ssid-profile ht-dot1x-ssid-profile
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # vlan 703-704,710,900-902,905
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # exit
(Aruba6000AC1) (config) # ap-group default
(Aruba6000AC1) (AP group "ht-dot1x") # virtual-ap ht-dot1x-vap-profile
(Aruba6000AC1) (AP group "ht-dot1x") # exit
Import the root certificate of the CA server on the AC and reference that root CA in the AAA profile.
Configure the SSID "CA" used for certificate enrollment:
(Aruba6000AC1) (config) # aaa profile aaa
(Aruba6000AC1) (AAA Profile "ht-dot1x-aaa-profile") # exit
(Aruba6000AC1) (config) # wlan ssid-profile ssid
(Aruba6000AC1) (SSID Profile "ht-dot1x-ssid-profile") # essid CA
(Aruba6000AC1) (SSID Profile "ht-dot1x-ssid-profile") # hide-ssid // hide the SSID so that users must add it manually
(Aruba6000AC1) (SSID Profile "ht-dot1x-ssid-profile") # exit
(Aruba6000AC1) (config) # wlan virtual-ap open-vap
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # aaa-profile aaa
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # ssid-profile ssid
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # vlan 710
(Aruba6000AC1) (Virtual AP profile "ht-dot1x-vap-profile") # exit
(Aruba6000AC1) (config) # ap-group default
(Aruba6000AC1) (AP group "ht-dot1x") # virtual-ap open-vap
(Aruba6000AC1) (AP group "ht-dot1x") # exit
V. Security Configuration
Protection against manual IP address changes
(Aruba6000AC1) (config) # aaa profile ht-dot1x-aaa-profile
(Aruba6000AC1) (AAA Profile "ht-dot1x-aaa-profile") # enforce-dhcp // only IP addresses obtained from DHCP may be used
Protection against private DHCP servers
(Aruba6000AC1) (config) # ip access-list session nodhcp
(Aruba6000AC1) (config-access-list) # user any udp 68 deny // drop any packet a wireless user sends to UDP port 68, then apply the ACL to the user's role
user-role guest
 access-list session nodhcp
 access-list session http-acl
 access-list session https-acl
 access-list session dhcp-acl
 access-list session icmp-acl
 access-list session dns-acl
 access-list session v6-http-acl
 access-list session v6-https-acl
 access-list session v6-dhcp-acl
 access-list session v6-icmp-acl
 access-list session v6-dns-acl
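To check what the nodhcp rule in the guest role above actually drops and permits (and why its position in the role matters), here is an added Python model of the role's session ACL evaluation; it is not code from the original post or from ArubaOS. It assumes the wireless user subnet 172.16.22.0/24 from the switch's DHCP pool, approximates the ArubaOS "user" alias as "source address inside that subnet", and uses a constructed DHCP server address 172.16.1.10.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: wireless user subnet from the page's DHCP pool. ArubaOS "user" means
# the client's own address; this model approximates it as "source inside USER_NET".
USER_NET = ip_network("172.16.22.0/24")
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "udp" or "tcp"
    dport: int  # destination port

def is_user(addr: str) -> bool:
    return ip_address(addr) in USER_NET

# Session ACLs in the order the page applies them to user-role guest:
# (acl name, match predicate, action). First match wins, as on the controller.
ROLE_ACLS = [
    ("nodhcp",    lambda f: is_user(f.src) and f.proto == "udp" and f.dport == DHCP_CLIENT_PORT, "deny"),
    ("http-acl",  lambda f: f.proto == "tcp" and f.dport == 80, "permit"),
    ("https-acl", lambda f: f.proto == "tcp" and f.dport == 443, "permit"),
    ("dhcp-acl",  lambda f: f.proto == "udp" and f.dport in (DHCP_SERVER_PORT, DHCP_CLIENT_PORT), "permit"),
    ("dns-acl",   lambda f: f.proto == "udp" and f.dport == 53, "permit"),
]

def evaluate(flow: Flow, acls=ROLE_ACLS):
    """Return (acl name, action) of the first matching ACL, else the implicit deny."""
    for name, matches, action in acls:
        if matches(flow):
            return name, action
    return "implicit", "deny"

# Constructed flows: a client DHCP Discover, a rogue Offer sent by a wireless user,
# and an Offer from the real DHCP server (address assumed, not from the page).
CLIENT_DISCOVER = Flow("172.16.22.50", "255.255.255.255", "udp", DHCP_SERVER_PORT)
ROGUE_OFFER = Flow("172.16.22.51", "255.255.255.255", "udp", DHCP_CLIENT_PORT)
SERVER_OFFER = Flow("172.16.1.10", "255.255.255.255", "udp", DHCP_CLIENT_PORT)

def rogue_offer_blocked(acls=ROLE_ACLS) -> bool:
    """Audit check: the role must drop the rogue Offer yet keep real DHCP working."""
    return (evaluate(ROGUE_OFFER, acls)[1] == "deny"
            and evaluate(SERVER_OFFER, acls)[1] == "permit"
            and evaluate(CLIENT_DISCOVER, acls)[1] == "permit")
# The same ACLs with nodhcp moved after dhcp-acl: the permit now matches first and
# the rogue Offer slips through, which is why the page lists nodhcp first in the role.
MISORDERED = [a for a in ROLE_ACLS if a[0] != "nodhcp"] + [ROLE_ACLS[0]]
```

`rogue_offer_blocked()` returns True for the page's ordering and False for `MISORDERED`, which is the check worth repeating after any later edit of the guest role.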
VI. Client Testing
Client requirements: 1) a wireless network adapter that supports WPA/WPA2; 2) certificate installation and EAP-TLS configuration completed.
In the properties of the network adapter's connection, select "Authentication → Enable IEEE 802.1x authentication for this network" and choose "Smart Card or other Certificate" as the EAP type; check "Authenticate as computer when computer information is available"; click Properties and, in the EAP Properties window, select "Validate server certificate"; in the "Trusted Root Certification Authorities" list select the corresponding root CA (here, ca); select "Secured password (EAP-MSCHAP v2)" as the Authentication Method; click Configure and make sure "Automatically use my Windows logon name and password (and domain if any)" is selected.
The figure above is for illustration: select the CA server of XX enterprise.
VII. Test Results
1: Users pass certificate authentication and are authorized into the correct VLAN. (No further configuration is needed once the wireless adapter's authentication settings have been completed the first time.)
2: The IP address cannot be changed manually (similar to IP Source Guard).
3: After a user sets up a DHCP server, other users do not obtain addresses from it (because DHCP Offer packets from wireless clients are dropped).
Note: Due to space limitations, the server installation and configuration and some details are omitted from this article; see the attachment for details. If you have any questions, please leave a message; I hope to discuss them with you.
This article is from the "HoltZhang" blog, please be sure to keep this source http://holtzhang.blog.51cto.com/340794/844747