S5720 switch (V2R7C00SPC500) 802.1X escape configuration (fallback access when the authentication server is down)

Published: 2016-06-14
Problem description

Version information: S5700 V200R007C00SPC500, AgileController V100R002C00SPC105

Network overview: a typical campus core/access topology. The service gateway sits on the core switch and the Controller server is attached to the core switch on a side link. 802.1X authentication is enabled on the access switch, and the switch is configured to interwork with the RADIUS server (AgileController).

Configuration script:

dot1x enable
dot1x authentication-method eap
#
radius-server template controller
 radius-server shared-key cipher %#%#wTI;TegVA2Eo1!T7uKIWD+1@.F.T.!xy`2O3M(xS%#%#
 radius-server authentication 192.168.254.2 1812 weight 80
 radius-server accounting 192.168.254.2 1813 weight 80
 radius-server dead-time 600
radius-server authorization 192.168.254.2 shared-key cipher %#%#K'=8LP/72TW'[7+8|389\>5B>--uAINK'%X=R_ME%#%#
radius-server dead-interval 30
radius-server dead-count 3
#
acl number 3999
 rule 5 permit ip
#
aaa
 authentication-scheme default
 authentication-scheme auth
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme acc
  accounting-mode radius
  accounting realtime 12
 accounting-scheme realtime
 service-scheme ucl
 domain default
  authentication-scheme auth
  accounting-scheme acc
  radius-server controller
 domain default_admin
#
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 1000
 dot1x enable
 dot1x authentication-method eap
#

Symptom: once authentication succeeds, users can access the network normally, but when the connection between the AgileController server and the switch is interrupted, or the server fails, escape does not work and users are cut off.

Solution

1. Change the interface link type to hybrid: "port link-type hybrid", "port hybrid pvid vlan 1000", "port hybrid untagged vlan 1000".

2. Add "authentication event authen-server-down vlan VLAN-ID" under the interface to enable escape; set VLAN-ID to the service VLAN.

The modified interface configuration is as follows:

#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 1000
 port hybrid untagged vlan 1000
 authentication event authen-server-down vlan 1000
 dot1x enable
 dot1x authentication-method eap
#
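As an added configuration check, not code from this article or from Huawei: a small Python audit that parses interface blocks out of VRP-style text like the scripts above and flags 802.1X ports that lack the two fixes from the solution (hybrid link type and an authen-server-down VLAN). The before and after interface blocks are embedded as constructed samples, and the only commands it matches are the ones shown on this page.

```python
import re

# Constructed sample: the article's original interface block, which has no escape VLAN.
BEFORE = """\
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 1000
 dot1x enable
 dot1x authentication-method eap
#
"""

# Constructed sample: the article's corrected interface block.
AFTER = """\
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 1000
 port hybrid untagged vlan 1000
 authentication event authen-server-down vlan 1000
 dot1x enable
 dot1x authentication-method eap
#
"""

def split_interfaces(config):
    """Map each 'interface X' header to its non-empty lines, up to the '#' terminator."""
    return {name: [l.strip() for l in body.splitlines() if l.strip()]
            for name, body in re.findall(r"^interface (\S+)\n(.*?)^#", config, re.M | re.S)}

def audit_escape(config):
    """Per 802.1X-enabled interface, list what is missing relative to the article's fix."""
    findings = {}
    for name, lines in split_interfaces(config).items():
        if "dot1x enable" not in lines:
            continue  # port does not authenticate, so server loss cannot lock users out here
        problems = []
        link = next((l.split()[-1] for l in lines if l.startswith("port link-type ")), None)
        if link != "hybrid":
            problems.append(f"link-type is {link}, the fix requires hybrid")
        pvid = next((l.split()[-1] for l in lines if l.startswith("port hybrid pvid vlan ")), None)
        esc = next((m.group(1) for l in lines
                    if (m := re.match(r"authentication event authen-server-down vlan (\d+)$", l))), None)
        if esc is None:
            problems.append("no authen-server-down VLAN: users lose access when RADIUS is unreachable")
        elif pvid is not None and esc != pvid:
            problems.append(f"server-down VLAN {esc} differs from PVID {pvid}")
        findings[name] = problems
    return findings
```

Running `audit_escape` over a full saved configuration reports every 802.1X port still in the original state, so the fix can be verified on all access ports rather than only the one shown.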
