Part IV: Switch configuration
enable secret 5 $1$yupo$/o8vcse57otveitvzeqqw0
!
username cisco password 0 cisco
! local user database (used as the fallback below); "password 0" stores the password in clear text,
! so on IOS releases that support it "username cisco secret cisco" is the better form
aaa new-model
! enable AAA
aaa authentication login default group radius local
! logins are authenticated by RADIUS; the local database is consulted only when no RADIUS server
! answers (an Access-Reject from ACS does not fall through to the local user)
aaa authentication dot1x default group radius
! 802.1x supplicants are authenticated by RADIUS
aaa authorization network default group radius
! per-user network authorization (for example a VLAN pushed by ACS) comes from RADIUS
!
ip routing
! enable inter-VLAN routing between the two user VLANs defined below
!
dot1x system-auth-control
! globally enable 802.1x authentication on the switch
!
interface FastEthernet0/4
! F0/4: a plain port without 802.1x
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
! F0/5: the 802.1x-authenticated port
 switchport access vlan 20
! VLAN the port lands in after successful authentication (Normal_vlan; the number is missing in the
! source and is taken from the interface Vlan20 definition below)
 switchport mode access
 dot1x port-control auto
! port control mode auto: the port starts unauthorized and forwards only EAPOL until a client authenticates
 dot1x guest-vlan 10
! VLAN for clients that do not run an 802.1x supplicant (Guest_vlan; number taken from the interface
! Vlan10 definition below). Note that on Cisco IOS the guest VLAN is applied when no EAPOL response is
! seen; a client that fails authentication goes to the restricted VLAN only if "dot1x auth-fail vlan"
! is configured, otherwise the port stays unauthorized
!
interface FastEthernet0/24
! port connecting the ACS server (left in the default VLAN 1, the same subnet as 172.16.167.172)
 switchport mode access
!
interface Vlan1
! switch management IP
 ip address 172.16.167.200 255.255.255.0
 ip helper-address 172.16.167.172
!
interface Vlan10
! Guest_vlan gateway IP
 ip address 172.16.100.253 255.255.255.0
 ip helper-address 172.16.167.172
! DHCP relay, pointing at the DHCP server address
!
interface Vlan20
! Normal_vlan gateway IP
 ip address 172.16.200.253 255.255.255.0
 ip helper-address 172.16.167.172
!
radius-server host 172.16.167.172 auth-port 1645 acct-port 1646 key Cisco
! ACS server address and the shared key the switch uses with it over RADIUS; the key is a shared
! secret, so use something long and random rather than "Cisco" outside a lab
radius-server source-ports 1645-1646
! added automatically by IOS
!
Once this configuration is in place, you can log on to the switch with the domain user AAA through AAA authentication. The AAA part itself is straightforward and is not described further here.
Part V: Client Configuration
Open Local Area Connection, right-click Properties and go to the Authentication tab. Tick "Enable IEEE 802.1x authentication for this network" and set the EAP type to Protected EAP (PEAP).
If the client is already joined to the domain, ticking "Automatically use my Windows logon name and password" in the PEAP settings gives single sign-on: the supplicant authenticates with the credentials of the logged-on domain user.
Part VI: Test results
To test the effect, I added a DHCP service on the CA server with two scopes: guest_vlan 172.16.100.0/24 with gateway 172.16.100.253, and NORMAL_VLAN 172.16.200.0/24 with gateway 172.16.200.253. The PC then obtains its address from that server via DHCP (the switch relays the requests with the ip helper-address configured on each VLAN interface). This step is simple and I assume everyone can do it.
1. No 802.1x client
First, connect the PC to the 802.1x-enabled port. If the PC is not running 802.1x authentication at this point, it is placed in Guest_vlan (172.16.100.0/24) and obtains an address from that range.
2. 802.1x client enabled
After PEAP is selected as the authentication method, a balloon pops up at the bottom right of the desktop asking for credentials.
Click the balloon and enter the user AAA with password AAA, the domain user defined earlier in this series.
After the credentials are entered, ACS validates the username and password against the domain controller; debug radius on the switch shows the authentication exchange. Once verification succeeds, the port is placed in Normal_vlan and the PC obtains an address from 172.16.200.0/24.
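The RADIUS exchange behind the radius-server host ... key Cisco line in Part IV and the debug radius output mentioned here is modelled in the following Python, which is an added example and not part of the original tutorial or of ACS. It assumes the PAP form of the login case (User-Password hidden with the shared secret; the 802.1x port itself uses PEAP, where the password travels inside EAP-Message and never in User-Password), uses the switch address 172.16.167.200 from the page as NAS-IP-Address, and goes beyond the page's static access VLAN by showing the Access-Accept ACS would send to assign VLAN 20 dynamically, which is what the aaa authorization network default group radius line permits. The packet identifier, request authenticator and candidate wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# From the page: "radius-server host 172.16.167.172 auth-port 1645 acct-port 1646 key Cisco"
SHARED_SECRET = b"Cisco"
NAS_IP = bytes([172, 16, 167, 200])  # switch management address (interface Vlan1)

# RADIUS codes and attributes used below (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def encode_attrs(attrs):
    """Serialize (type, value-bytes) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs back into (type, value-bytes) pairs, rejecting truncated attributes."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: what ACS does with its copy of the shared secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(username, password, secret, ident=1, request_authenticator=None):
    """The switch's Access-Request for a console/vty login under 'aaa authentication login ... group radius'."""
    ra = request_authenticator or os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, ra)),
             (NAS_IP_ADDRESS, NAS_IP)]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(code, ident, attrs_bytes, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only integrity check on a reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_authenticator + attrs_bytes + secret).digest()


def access_accept_with_vlan(request, secret, vlan_id):
    """ACS's Access-Accept carrying the IETF tunnel attributes that make the switch assign a VLAN."""
    ident, ra = request[1], request[4:20]
    attrs = [(TUNNEL_TYPE, struct.pack("!I", TUNNEL_VLAN)),            # tag 0 + 3-byte value
             (TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)),
             (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())]
    body = encode_attrs(attrs)
    return build_packet(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, body, ra, secret), attrs)


def verify_response(request, response, secret):
    """The switch's check: length and identifier match, and the Response Authenticator recomputes."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response):
    """VLAN the switch would put the 802.1x port in, or None if the Accept carries no VLAN."""
    for t, v in decode_attrs(response[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            return int(v.lstrip(b"\x00").decode())
    return None


def brute_force_secret(request, response, candidates):
    """Why 'key Cisco' is weak: one sniffed request/response pair lets an attacker test guesses offline."""
    for guess in candidates:
        if verify_response(request, response, guess):
            return guess
    return None


if __name__ == "__main__":
    req = access_request(b"cisco", b"cisco", SHARED_SECRET, ident=7)
    acc = access_accept_with_vlan(req, SHARED_SECRET, 20)
    print("accept valid:", verify_response(req, acc, SHARED_SECRET), "vlan:", assigned_vlan(acc))
    print("recovered key:", brute_force_secret(req, acc, [b"radius", b"cisco", b"Cisco"]))
```

The password hiding is reversible by anyone holding the secret, and the Response Authenticator is an unkeyed MD5 over material the attacker can capture plus the secret, so a short dictionary word as the key gives away both the key and every PAP password relayed with it; this is the reason to treat the radius-server key like a password rather than a label.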
That's it. Under Reports and Activity in ACS you can see the login status of the AAA user.
In User Setup you can see that AAA is mapped to the ACS local default group; BBB is a local user of the ACS itself.
Video: Http://www.dwz.cn/lij9D
ACS+802.1x+AAA+AD+CA detailed configuration tutorial (V)