Example for Configuring User Authorization Through ACLs and Dynamic VLANs (CLI)
Overview of User Authorization
ACL number authorization
If ACL number delivery is configured on the RADIUS server, the authorization information carries the delivered ACL number. The device matches the ACL rules identified by that number and uses them to control the user's access rights.
ACL number delivery uses the RADIUS attribute (011) Filter-Id.
The AC accepts ACL numbers in the range 3000 to 3031.
Dynamic VLAN authorization
If dynamic VLAN delivery is configured on the RADIUS server, the authorization information carries VLAN attributes. After receiving them, the device moves the user into the delivered VLAN. The delivered VLAN neither changes nor affects the interface configuration. However, the delivered VLAN takes precedence over the user-configured VLAN: after authentication succeeds the delivered VLAN is in effect, and the user-configured VLAN takes effect again after the user goes offline.
Dynamic VLAN delivery uses the following RADIUS attributes:
- (064) Tunnel-Type: must be VLAN, or the value 13
- (065) Tunnel-Medium-Type: must be 802, or the value 6
- (081) Tunnel-Private-Group-ID: a VLAN ID or a VLAN name
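As an added illustration (not code from this page, from Huawei or from Aruba ClearPass), the following Python parses the attribute list of a constructed RADIUS Access-Accept and derives what the AC would apply: the ACL number from Filter-Id (accepted only within 3000~3031) and the VLAN from the three tunnel attributes, stripping the RFC 2868 tag octet and ignoring incomplete or malformed authorization data. Function and constant names are the example's own assumptions.

```python
# RADIUS attribute types and values used by this example (RFC 2865 / RFC 2868).
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
ACL_RANGE = range(3000, 3032)  # ACL numbers the AC accepts: 3000..3031

def avp(attr_type, value):
    # Type(1) Length(1) Value; Length includes the two header octets.
    return bytes([attr_type, len(value) + 2]) + value

def tagged_int(tag, value):
    # RFC 2868 tagged integer: one tag octet followed by a 3-byte big-endian integer.
    return bytes([tag]) + value.to_bytes(3, "big")

def parse_avps(data):
    """Walk the attribute list; reject malformed entries and strip tunnel-attribute tags."""
    attrs, pos = {}, 0
    while pos < len(data):
        length = data[pos + 1] if len(data) - pos >= 2 else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, value = data[pos], data[pos + 2:pos + length]
        pos += length
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            attrs[t] = int.from_bytes(value[1:4], "big")  # drop the tag octet
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag; anything else is part of the string.
            attrs[t] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        else:
            attrs[t] = value
    return attrs

def authorization(attrs):
    """What the AC applies from an Access-Accept: an ACL number, a VLAN, both, or neither."""
    result = {}
    acl = attrs.get(FILTER_ID, b"").decode(errors="replace")
    if acl.isdigit() and int(acl) in ACL_RANGE:
        result["acl"] = int(acl)
    if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
            and TUNNEL_PRIVATE_GROUP_ID in attrs):
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
        if not group.isdigit():
            result["vlan"] = group  # a VLAN name; the AC resolves it locally
        elif 1 <= int(group) <= 4094:
            result["vlan"] = int(group)
    return result

# Constructed Access-Accept attribute list matching this example: ACL 3002 and VLAN 20.
SAMPLE_ACCEPT = (avp(FILTER_ID, b"3002") + avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
                 + avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802))
                 + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"20"))
```

A Filter-Id outside 3000~3031, or a VLAN delivered without both Tunnel-Type 13 and Tunnel-Medium-Type 6, yields no authorization, which matches the acceptance conditions stated above.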
When the AC interworks with Aruba ClearPass, 802.1X authentication supports the PAP, CHAP and EAP authentication modes. This example uses EAP; the other two modes are configured in a similar way.
On the device side, if you only need the configuration for authorizing users through ACLs, see "Configuring User Authorization on the AC".
If you only need the configuration on the Aruba ClearPass server side, see "Configuring Aruba ClearPass".
Service Requirements
When users access the WLAN and authenticate with an 802.1X client, their network access rights are controlled according to their user role.
A large number of employees' wireless terminals access the company network. To keep the network secure, the administrator must control the terminals' network access rights: after a terminal is authenticated it may access the business server (IP address 10.23.105.1) and the devices in the lab (VLAN 20, IP address range 10.23.20.2–10.23.20.100).
Data Planning

Item | Data
---|---
Management VLAN | VLAN100
Service VLAN | VLAN101
AC source interface | VLANIF100: 10.23.100.1/24
DHCP server | The AC assigns IP addresses to APs; SwitchB assigns IP addresses to STAs
AP IP address pool | 10.23.100.2~10.23.100.254/24
STA IP address pool | 10.23.101.2~10.23.101.254/24 and 10.23.20.101~10.23.20.254/24
RADIUS authentication parameters | RADIUS server template: wlan-net; server IP address: 10.23.103.1; port: 1812; shared key: huawei@123
Resources accessible after authentication | Business server 10.23.105.1 and lab devices in VLAN20 (10.23.20.2–10.23.20.100)
802.1X access profile | Name: wlan-net
Authentication profile | Name: wlan-net
AP group | Name: ap-group1
Regulatory domain profile | Name: default; country code: CN
SSID profile | Name: wlan-net; SSID: wlan-net
Security profile | Name: wlan-net; security policy: WPA-WPA2 802.1X AES
VAP profile | Name: wlan-net; service VLAN: VLAN101

Item | Data
---|---
User account | Username: huawei; password: huawei123
Device name | AC6605
Device IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Service |
Authorization ACL | 3002
Dynamic VLAN | VLAN20
Configuration Roadmap
- Configure network connectivity.
- Configure basic WLAN services.
- Configure the parameters for interworking between the AC and the RADIUS server, and the network access rights granted after successful authentication.
- Configure the Aruba ClearPass server:
  - Add the user.
  - Add the AC.
  - Configure the profiles.
  - Configure the policies.
  - Configure the service.
Procedure
- Configure network connectivity
# Add interfaces GE0/0/1 and GE0/0/3 of access switch SwitchA to VLAN20, VLAN100 and VLAN101, and add GE0/0/2 to VLAN20.
```
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit
```
# On aggregation switch SwitchB, add GE0/0/1 to VLAN20, VLAN100 and VLAN101, GE0/0/2 to VLAN100 and VLAN102, GE0/0/3 to VLAN103, GE0/0/4 to VLAN104, and GE0/0/5 to VLAN105.
```
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit
```
# On SwitchB, create interfaces VLANIF102, VLANIF103, VLANIF104 and VLANIF105, and configure a default route whose next hop is the Router.
```
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
```
# On the AC, create VLAN20 for authorization, add interface GE0/0/1 to VLAN100 and VLAN102, create interface VLANIF102, and configure a static route to the RADIUS server.
```
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 20 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
```
# Configure the IP address of the Router's interface GE0/0/1 and a static route to the STA network segment.
```
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
```
- Configure the AC as the DHCP server that assigns IP addresses to APs, and SwitchB as the DHCP server that assigns IP addresses to STAs
# On the AC, configure interface VLANIF100 to provide IP addresses to APs.
```
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
```
- Bring the AP online
# Create an AP group so that APs sharing the same configuration can be added to it.
```
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
```
# Create a regulatory domain profile, set the AC's country code in it, and bind the profile to the AP group.
```
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
```
# Configure the AC's source interface.
```
[AC] capwap source interface vlanif 100
```
# Import the AP offline on the AC and add it to AP group "ap-group1". Assume the AP's MAC address is 60de-4476-e360, and name the AP after its deployment location so that the location can be read from the name: for example, the AP with MAC address 60de-4476-e360 is deployed in area 1 and is therefore named area_1. The ap auth-mode command defaults to MAC authentication; if the default has not been changed, ap auth-mode mac-auth need not be run.
The AP used in this example is an AP5030DN, which has two radios, radio 0 and radio 1. On the AP5030DN, radio 0 is the 2.4 GHz radio and radio 1 is the 5 GHz radio.
```
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
```
# Power on the AP. When the display ap all command shows the AP's "State" field as "nor", the AP has come online normally.
```
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type       State   STA   Uptime   ExtraInfo
-------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.23.100.254  AP5030DN   nor     0     10S      -
-------------------------------------------------------------------------------------------------
Total: 1
```
- Configure the channel and power of the AP radios
Automatic channel and power calibration is enabled on the radios by default; if it is not disabled, the manual settings do not take effect. The channel and power values used here are examples only; in a real deployment, configure them according to the AP's country code and the network planning results.
# Disable automatic channel and power calibration on radio 0 of the AP, and configure its channel and power.
```
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
```
# Disable automatic channel and power calibration on radio 1 of the AP, and configure its channel and power.
```
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
```
- Configure 802.1X authentication on the AC
- Configure ACL 3002, the authorization parameter applied after successful authentication
```
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit
```
- Configure the Aruba ClearPass server
- On the AC, test whether the user can pass RADIUS authentication
```
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.
```
- Verify the configuration
- After authentication succeeds, employees can access the business server and the lab.
- After authentication succeeds, run the display access-user command on the AC to view the employee's online information.
```
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
 UserID  Username  IP address    MAC             Status
------------------------------------------------------------------------------
 460     huawei    10.23.20.254  8000-6e74-e78a  Success
------------------------------------------------------------------------------
 Total: 1, printed: 1
```
Configuration Files
Configuration file of SwitchA
```
#
sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 20 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
return
```
Configuration file of SwitchB
```
#
sysname SwitchB
#
vlan batch 20 100 to 105
#
dhcp enable
#
interface Vlanif20
 ip address 10.23.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface Vlanif105
 ip address 10.23.105.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 105
 port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
```
Configuration file of the Router
```
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
```
Configuration file of the AC
```
#
sysname AC
#
vlan batch 20 100 to 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
 radius-attribute set NAS-Identifier huaweiac
#
acl number 3002
 rule 1 permit ip destination 10.23.105.1 0
 rule 2 deny ip
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name wlan-net
#
return
```