华为交换机举例：配置802.1X认证（AAA采用本地认证）

华为交换机举例：配置802.1X认证（AAA采用本地认证）

组网需求

如图3-52所示，某公司办公区内终端通过DeviceA接入公司内部网络。DeviceA的下行接口（例如10GE1/0/2）与办公区内终端直接相连。

为了满足企业的高安全性需求，使用802.1X认证+本地认证方式对办公区内终端进行认证，并且认证点部署在DeviceA与办公区内终端直连的接口（例如10GE1/0/2）上。

图3-52 配置802.1X认证组网图

本例中Interface1、Interface2分别代表10GE1/0/1、10GE1/0/2。

操作步骤

操作步骤

配置网络互连互通。

# 创建VLAN并配置接口允许通过的VLAN、IP地址。

<HUAWEI> system-view

[HUAWEI] sysname DeviceA

[DeviceA] vlan batch 10 20

[DeviceA] interface 10ge 1/0/1

[DeviceA-10GE1/0/1] portswitch

[DeviceA-10GE1/0/1] port link-type trunk

[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10

[DeviceA-10GE1/0/1] quit

[DeviceA] interface vlanif 10

[DeviceA-Vlanif10] ip address 192.168.1.10 24

[DeviceA-Vlanif10] quit

[DeviceA] interface 10ge 1/0/2

[DeviceA-10GE1/0/2] portswitch

[DeviceA-10GE1/0/2] port link-type access

[DeviceA-10GE1/0/2] port default vlan 20

[DeviceA-10GE1/0/2] quit

[DeviceA] interface vlanif 20

[DeviceA-Vlanif20] ip address 192.168.2.10 24

[DeviceA-Vlanif20] quit

配置AAA本地认证。

# 配置认证方案“a1”为本地认证。

[DeviceA] aaa

[DeviceA-aaa] authentication-scheme a1

[DeviceA-aaa-authen-a1] authentication-mode local

[DeviceA-aaa-authen-a1] quit

# 配置授权方案“b1”为本地授权。

[DeviceA-aaa] authorization-scheme b1

[DeviceA-aaa-author-b1] authorization-mode local

[DeviceA-aaa-author-b1] quit

# 配置本地用户的用户名、密码和用户接入类型。

[DeviceA-aaa] local-access-user 00e0-fcd4-8828

[DeviceA-aaa-access-user-00e0-fcd4-8828] password cipher Example@123

[DeviceA-aaa-access-user-00e0-fcd4-8828] service-type dot1x

Warning: If the service type of local access users is configured multiple times, the new configuration overwrites the previous one. The new configuration may cause local access users unable to go online. Continue? [Y/N]:y

[DeviceA-aaa-access-user-00e0-fcd4-8828] quit

# 配置业务方案“s1”。通过业务方案“s1”同一个用户名最多可以接入15个用户。

[DeviceA-aaa] service-scheme s1

[DeviceA-aaa-service-s1] access-limit user-name max-num 15

[DeviceA-aaa-service-s1] quit

# 配置域“example.com”，并在域下应用认证方案“a1”、授权方案“b1”和业务方案“s1”。

[DeviceA-aaa] domain example.com

[DeviceA-aaa-domain-example.com] authentication-scheme a1

[DeviceA-aaa-domain-example.com] authorization-scheme b1

[DeviceA-aaa-domain-example.com] service-scheme s1

[DeviceA-aaa-domain-example.com] quit

[DeviceA-aaa] quit

配置802.1X认证。

# 配置802.1X接入模板“d1”。

[DeviceA] dot1x-access-profile name d1

[DeviceA-dot1x-access-profile-d1] dot1x authentication-method pap

[DeviceA-dot1x-access-profile-d1] dot1x timer client-timeout 30

[DeviceA-dot1x-access-profile-d1] quit

# 配置认证模板“p1”，并在其上绑定802.1X接入模板“d1”、指定认证模板下用户的强制认证域为“example.com”。

[DeviceA] authentication-profile name p1

[DeviceA-authen-profile-p1] dot1x-access-profile d1

[DeviceA-authen-profile-p1] access-domain example.com force

[DeviceA-authen-profile-p1] quit

# 在下行接口上绑定认证模板“p1”，开启802.1X认证。以接口10GE1/0/2为例，其他接口配置与其类似。

[DeviceA] interface 10ge 1/0/2

[DeviceA-10GE1/0/2] authentication-profile p1

[DeviceA-10GE1/0/2] quit

配置脚本

DeviceA的配置脚本

#
sysname DeviceA
#
authentication-profile name p1
 dot1x-access-profile d1
 access-domain example.com force
#
vlan batch 10 20
#
aaa
 authentication-scheme a1    
  authentication-mode local
 authorization-scheme b1
  authorization-mode local
 service-scheme s1
  access-limit user-name max-num 15
 domain example.com            
  authentication-scheme a1
  authorization-scheme b1
  service-scheme s1
 local-access-user 00e0-fcd4-8828
  password cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.<FvBB,.w;M75IN5Z>'!L8G:n-!!!!!2jp5!!!!!!<!!!!k9&fPO<BSRW}jPT(,ewKyfIL"zVtM1~=>e.!!!!!%+%# 
  service-type dot1x 
#  
dot1x-access-profile name d1
 dot1x authentication-method pap
 dot1x timer client-timeout 30
#
interface Vlanif10
 ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.10 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface 10GE1/0/2
 port link-type access
 port default vlan 20
 authentication-profile p1
#
return