Wireless Client MAC Authentication via a RADIUS Server + AP Layer 3 Registration

The documentation has pitfalls, so watch closely.

Lab configuration

Configure SW DHCP

1. Create the address pools

APs are assigned IP addresses in VLAN 20; wireless devices (mobile clients) get IP addresses in VLAN 200.

[SWdhcp]dhcp server ip-pool vlan20 / AP pool

[SWdhcp-dhcp-pool-vlan20]network 192.168.20.0 24 / address range

[SWdhcp-dhcp-pool-vlan20]gateway-list 192.168.20.1

[SWdhcp-dhcp-pool-vlan20]option 43 hex 8007000001c0a86402 / AC IP address in Option 43

[SWdhcp]dhcp server ip-pool vlan200 / wireless VLAN

[SWdhcp-dhcp-pool-vlan200]network 192.168.200.0 24

[SWdhcp-dhcp-pool-vlan200]gateway-list 192.168.200.1

[SWdhcp]dhcp server forbidden-ip 192.168.20.1 / exclude 20.1 from allocation

[SWdhcp]dhcp server forbidden-ip 192.168.200.1 192.168.200.2 / exclude 200.1 and 200.2 from allocation

[SWdhcp]dhcp enable / enable the DHCP service
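A check for the Option 43 value in the vlan20 pool above, as an added example that is not part of the original post: it decodes the hex string, validates its length and count fields, and confirms the advertised controller address is one the AC actually owns. The field layout (0x80, length, 0x0000 server type, address count, IPv4 addresses) is assumed from the value on this page and the layout H3C commonly documents; the function names are hypothetical.

```python
import ipaddress

# Assumed sub-option layout: 0x80 | length | 0x0000 (server type) | count | IPv4...
SUBOPT_TYPE = 0x80

def encode_ac_option43(ac_ips):
    """Build the hex string for `option 43 hex ...` from a list of AC IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(ip) for ip in ac_ips]
    if not addrs or 3 + 4 * len(addrs) > 255:  # length must fit in one byte
        raise ValueError("need at least one AC address and a length <= 255")
    body = b"\x00\x00" + bytes([len(addrs)]) + b"".join(a.packed for a in addrs)
    return (bytes([SUBOPT_TYPE, len(body)]) + body).hex()

def decode_ac_option43(hex_value):
    """Return the AC addresses in an Option 43 hex string, rejecting malformed values."""
    raw = bytes.fromhex("".join(hex_value.split()))  # tolerate pasted spaces
    if len(raw) < 5:
        raise ValueError("too short for an AC-discovery sub-option")
    sub_type, length, count = raw[0], raw[1], raw[4]
    if sub_type != SUBOPT_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(raw) - 2:
        raise ValueError(f"length byte {length} != {len(raw) - 2} payload bytes")
    if raw[2:4] != b"\x00\x00":
        raise ValueError("server-type field is not 0x0000")
    if count == 0 or length != 3 + 4 * count:
        raise ValueError(f"address count {count} inconsistent with length {length}")
    return [str(ipaddress.IPv4Address(raw[5 + 4 * i: 9 + 4 * i])) for i in range(count)]

def check_pool_against_ac(hex_value, ac_interface_ips):
    """True when every address advertised in Option 43 is an IP the AC owns."""
    return all(ip in ac_interface_ips for ip in decode_ac_option43(hex_value))

if __name__ == "__main__":
    page_value = "8007000001c0a86402"             # value from the vlan20 pool
    ac_ips = {"192.168.100.2", "192.168.200.2"}   # AC1 VLAN interface addresses
    print(decode_ac_option43(page_value))
    print(check_pool_against_ac(page_value, ac_ips))
```

An AP that receives an Option 43 value pointing anywhere other than the intended AC will try to register with that address, so this check is worth running whenever the pool or the AC addressing changes.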

 

Configure VLANs and VLAN interfaces

[SWdhcp]vlan 100

[SWdhcp-vlan100]vlan 200

[SWdhcp-vlan200]vlan 10

[SWdhcp-vlan10]port g 1/0/11

[SWdhcp-vlan10]vlan 20

[SWdhcp-vlan20]int g 1/0/10

[SWdhcp-GigabitEthernet1/0/10]port link-type trunk

[SWdhcp-GigabitEthernet1/0/10]port trunk permit vlan 20 200

[SWdhcp-GigabitEthernet1/0/10]port trunk pvid vlan 20

[SWdhcp-GigabitEthernet1/0/10]int g 1/0/1

[SWdhcp-GigabitEthernet1/0/1]port link-type trunk

[SWdhcp-GigabitEthernet1/0/1]port trunk permit vlan 100 200

[SWdhcp-GigabitEthernet1/0/2]int vlan 10

[SWdhcp-Vlan-interface10]ip ad 192.168.10.1 24

[SWdhcp-GigabitEthernet1/0/2]int vlan 20

[SWdhcp-Vlan-interface20]ip ad 192.168.20.1 24

[SWdhcp-Vlan-interface10]int vlan 100

[SWdhcp-Vlan-interface100]ip ad 192.168.100.1 24

[SWdhcp-Vlan-interface100]int vlan 200

[SWdhcp-Vlan-interface200]ip ad 192.168.200.1 24

 

Configure the AC

Configure VLANs and VLAN interfaces

[AC1]vlan 100

[AC1-vlan100]vlan 200

[AC1-vlan200]int g 1/0/1

[AC1-GigabitEthernet1/0/1]port link-type trunk

[AC1-GigabitEthernet1/0/1]port trunk permit vlan 100 200

[AC1-GigabitEthernet1/0/1]int vlan 100

[AC1-Vlan-interface100]ip ad 192.168.100.2 24

[AC1-Vlan-interface100]int vlan 200

[AC1-Vlan-interface200]ip ad 192.168.200.2 24

[AC1-Vlan-interface200]quit

 

Configure the RADIUS scheme

[AC1]radius scheme lu

[AC1-radius-lu] primary authentication 192.168.10.2

[AC1-radius-lu] primary accounting 192.168.10.2

[AC1-radius-lu]key authentication simple h3c

[AC1-radius-lu]key accounting simple h3c

[AC1-radius-lu]user-name-format without-domain

[AC1-radius-lu] nas-ip 192.168.100.2 // nas-ip, note: IP

Configure the authentication method and bind the RADIUS scheme

[AC1-radius-lu]domain ludz

[AC1-isp-ludz]authentication lan-access radius-scheme lu

[AC1-isp-ludz]authorization lan-access radius-scheme lu

[AC1-isp-ludz]accounting lan-access radius-scheme lu

[AC1-isp-ludz]quit

 

Configure the MAC authentication user name format (default format)

[AC1]mac-authentication user-name-format mac-address without-hyphen lowercase

Configure the wireless service template

# Create wireless service template 1 and enter wireless service template view.

[AC1] wlan service-template lu

# Set the SSID to lu.

[AC1-wlan-st-lu] ssid lu

# Clients that come online through wireless service template lu are placed in VLAN 200.

[AC1-wlan-st-lu] vlan 200

# Set the client access authentication mode to MAC address authentication.

[AC1-wlan-st-lu] client-security authentication-mode mac

# Set the ISP domain used by MAC authentication users to lu.

[AC1-wlan-st-lu] mac-authentication domain ludz

[AC1-wlan-st-lu] service-template enable

[AC1-wlan-st-lu] quit

 

Configure AP authentication

# Create an AP named lu, select the model name WA6320-hcl, and set the serial number 219801A0YD8166E00012.

[AC1] wlan ap lu model WA6320-hcl

[AC-wlan-ap-lu] serial-id 219801A0YD8166E00012

[AC1-wlan-ap-lu] radio 2

[AC1-wlan-ap-lu-radio-2] service-template lu

# Enable the radio function of Radio 2.

[AC1-wlan-ap-lu-radio-2] radio enable

[AC1-wlan-ap-lu-radio-2] quit

[AC1-wlan-ap-lu] quit

 

6: Configure a static route

[AC1]ip route-static 0.0.0.0 0 192.168.100.1

 

 

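Configure RADIUS

The RADIUS server is installed on the physical host. The virtual NIC (VirtualBox Host-Only Ethernet Adapter) is configured with IP 192.168.10.2 and connected to HCL.

User name: the MAC address of the connecting computer (lowercase, no hyphens or spaces)

Password: the MAC address of the connecting computer (lowercase, no hyphens or spaces)

NAS key: h3c (the same as key authentication h3c and key accounting h3c in the RADIUS scheme)

4. Lab screenshots

Add an account on the RADIUS server and connect; the connection succeeds and the timer starts.

This is a screenshot from the DHCP server: the client successfully obtained an IP address in the VLAN 200 subnet.

When the client connects, the messages on the AC indicate success.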