
Friday, August 26, 2016

[Cisco] [Security] [CCNA] Configuring 802.1x EAP-MD5 RADIUS authentication

Configuring 802.1x EAP-MD5 RADIUS authentication

Overview

  1. How to configure 802.1x
  2. Installing ACS 5.3 (video)
  3. 802.1x authentication via RADIUS (lab)

How to configure 802.1x

  1. Enable 802.1x authentication globally, then enable it on the interface
  2. Configure the AAA RADIUS authentication server

Enable 802.1x authentication globally, then enable it on the interface

R12(config)#dot1x system-auth-control
R12(config-if)#dot1x port-control auto 

Notes on the auto parameter

R12(config-if)#dot1x port-control
auto                PortState will be set to AUTO
force-authorized    PortState set to Authorized
force-unauthorized  PortState will be set to UnAuthorized 

Auto: enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address.

force-authorized: disables 802.1x authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.

force-unauthorized: causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.

Configure the AAA RADIUS authentication server

Enable AAA

R12(config)#aaa new-model

Configure 802.1x to authenticate via RADIUS

R12(config)#aaa authentication dot1x default group radius

Configure the RADIUS server

R12(config)#radius-server host 192.168.119.119 auth-port 1645 acct-port 1646 key cisco 

**Note:** If auth-port and acct-port are not specified, the default value of auth-port is 1645 and the default value of acct-port is 1646.

Configure the ACS RADIUS authentication server
Network Resources—>Network Devices and AAA Clients: add the AAA client here (the IP of the network device, not the PC's IP)

Users and Identity Stores—>Internal Identity Stores—>Users: create the user here

Once configuration is complete, you can run "test aaa group radius <username> <password> new-code" on the device to check that the user authenticates correctly; see Enhanced Test Command for details.

With that, the 802.1x configuration task is complete.

Installing ACS 5.3 (video)

See: https://www.youtube.com/watch?v=C1iy2xiErj4

802.1x authentication via RADIUS (lab video)

See: https://www.youtube.com/watch?v=MlpFnE6Lemc

References

  1. Configuring IEEE 802.1x Port-Based Authentication
  2. RADIUS Commands
  3. Enhanced Test Command

Updated October 12, 2017