ACS + 802.1X + AAA + AD + CA Detailed Configuration Tutorial (V)

Source: Internet
Author: User

Part IV: Switch configuration

```
enable secret 5 $1$yupo$/o8vcse57otveitvzeqqw0
!
username cisco password 0 cisco                        \\ create the local username database
aaa new-model                                          \\ enable AAA
aaa authentication login default group radius local    \\ logins authenticate via RADIUS; the local database is used only when no RADIUS server responds (a RADIUS reject is final)
aaa authentication dot1x default group radius          \\ 802.1X authenticates via RADIUS
aaa authorization network default group radius         \\ user network permissions are authorized via RADIUS
!
ip routing                                             \\ enable inter-VLAN routing between the two VLANs behind the switch
!
dot1x system-auth-control                              \\ enable 802.1X system authentication control globally
!
interface FastEthernet0/4                              \\ F0/4 is a normal port
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5                              \\ F0/5 is the 802.1X authentication port
 switchport access vlan                                \\ normal VLAN after successful authentication (the VLAN ID is missing from the source; the Normal_vlan SVI below is Vlan20)
 switchport mode access
 dot1x port-control auto                               \\ port control mode is automatic
 dot1x guest-vlan                                      \\ VLAN assigned when authentication fails or the PC has no 802.1X client (the VLAN ID is missing from the source; the Guest_vlan SVI below is Vlan10)
!
interface FastEthernet0/24                             \\ port connecting to the ACS server
 switchport mode access
!
interface Vlan1                                        \\ switch management IP
 ip address 172.16.167.200 255.255.255.0
 ip helper-address 172.16.167.172
!
interface Vlan10                                       \\ Guest_vlan management IP (gateway)
 ip address 172.16.100.253 255.255.255.0
 ip helper-address 172.16.167.172                      \\ DHCP relay, pointing at the DHCP server address
!
interface Vlan20                                       \\ Normal_vlan management IP (gateway)
 ip address 172.16.200.253 255.255.255.0
 ip helper-address 172.16.167.172
!
radius-server host 172.16.167.172 auth-port 1645 acct-port 1646 key cisco
                                                       \\ specify the ACS server address and the shared key the switch and ACS use for RADIUS
radius-server source-ports 1645-1646                   \\ generated automatically by the system
!
```

After the configuration is complete, you can log on to the switch with a domain user account through AAA. AAA itself is very simple to implement and is not described in detail here.
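As an added example (not part of the original tutorial), the following is a hardened variant of the AAA and F0/5 configuration above, followed by the show commands used to verify it. It assumes VLAN 20 is the normal VLAN and VLAN 10 the guest VLAN, as the Vlan20 and Vlan10 SVIs suggest; the password and shared secret are placeholders.

```cisco
! --- Added hardened variant; assumes VLAN 20 = Normal_vlan, VLAN 10 = Guest_vlan ---
service password-encryption                          ! stop type-0 passwords from appearing in show running-config
username cisco secret <strong-local-password>        ! hashed local account instead of "password 0 cisco"
!
aaa new-model
aaa authentication login default group radius local  ! local fallback applies only when RADIUS does not answer
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius ! session start/stop records reach ACS for audit
!
dot1x system-auth-control
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x host-mode single-host                         ! only one MAC address may authenticate on the port
 dot1x guest-vlan 10
 dot1x reauthentication                              ! re-authenticate supplicants periodically
 dot1x timeout reauth-period 3600                    ! once per hour
!
radius-server host 172.16.167.172 auth-port 1645 acct-port 1646 key <shared-secret>
radius-server deadtime 5                             ! skip an unresponsive ACS for 5 minutes so logins reach the local fallback quickly
!
! --- Verification, run after a PC is plugged into F0/5 ---
! show dot1x interface FastEthernet0/5 details      ! port state, configured guest VLAN, authorized MAC
! show aaa servers                                  ! RADIUS request/response/timeout counters per server
! test aaa group radius aaa <password> new-code     ! exercise the switch-to-ACS path without a client
```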



Part V: Client Configuration

Open Local Area Connection, right-click Properties, go to the Authentication tab, tick "Enable IEEE 802.1X authentication for this network", and set the EAP type to Protected EAP (PEAP).


If the client is already joined to the domain, tick "Automatically use my Windows logon name and password" to achieve single sign-on.



Part VI: Test results

To test the effect, I set up a DHCP service on the CA server with two scopes: guest_vlan 172.16.100.0/24 with gateway 172.16.100.253, and NORMAL_VLAN 172.16.200.0/24 with gateway 172.16.200.253. The PC can then obtain an address from the server via DHCP; this step should be familiar to everyone and is very simple.


1. Without an 802.1X client

First, connect the PC to the 802.1X-enabled port. If the PC is not performing 802.1X authentication at this point, it is placed in the Guest_vlan (172.16.100.0/24) and obtains an address in that range (shown as 172.16. 1 in the source).


2. With the 802.1X client enabled

After PEAP is selected, a prompt pops up at the bottom right of the desktop asking for credentials.


Click the prompt and enter the user AAA with password AAA, which was defined in the domain earlier.


After the credentials are entered, ACS forwards the username and password to the DC for authentication; running debug radius on the switch shows the authentication exchange. Once verification succeeds, the PC is assigned an address in the Normal_vlan (172.16.200.0/24; shown as 172.16. 1 in the source).


That's it. Under Reports and Activity in ACS you can see the login status of the AAA user.


In User Setup you can see the AAA user mapped to the ACS local Default Group; BBB is a local ACS user.



Video sharing: http://www.dwz.cn/lij9D

