
LAN Enforcer + Cisco Aironet AP1200 + Microsoft IAS authentication configure


Article ID: 163422


Products

Network Access Control

Issue/Introduction

SNAC Configure

Resolution

1. Network overview
SEP clients connect to the network wirelessly through a Cisco AP1200. 802.1X is enabled on the AP; the SEPM and LAN Enforcer perform Host Integrity (HI) and EAP authentication, and the RADIUS server is Microsoft IAS backed by Active Directory, which validates the user's credentials.

The SEPM, LAN Enforcer, Microsoft IAS server and Cisco AP are all connected to a Cisco Catalyst 3560, on which two VLANs are defined:
VLAN 10 ------ SVI IP address: 10.200.21.2/24
VLAN 20 ------ SVI IP address: 192.168.255.2/24

The SEPM, LAN Enforcer and Microsoft IAS server sit on 10.200.21.0/24, with gateway 10.200.21.2:
SEPM IP address: 10.200.21.48
LAN ENFORCER IP address: 10.200.21.91
Microsoft IAS IP address: 10.200.21.49

The AP and the SEP client sit on 192.168.255.0/24, with gateway 192.168.255.2:
AP IP address: 192.168.255.3
SEP IP address: 192.168.255.200

 

2. SEPM configure
Client group policy > 802.1X authentication: create a group for the wireless access clients

Client group policy > 802.1X authentication: enable 802.1X authentication

LAN Enforcer: add the RADIUS server (the IAS server)

Add the AP1200 (switch type: Cisco Aironet Series)

Set the IP address of the AP1200

Configure the Host Integrity check rules

3. RADIUS Server(IAS) configure
Add the RADIUS client

Add a RADIUS remote access policy: set the access method to Wireless

Remote access policy: configure the "Grant remote access permission" option

Remote access policy: configure the EAP authentication method

Remote access policy: configure the PEAP authentication method

Remote access policy: add the Ignore-User-Dialin-Properties attribute


4. Cisco Aironet AP 1200 configure
AP configuration:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 $1$dEJj$MzWzlXjNhBHF15UvzTwgv1
!
aaa new-model
!
!
! RADIUS server group configuration
aaa group server radius rad_eap
 server 10.200.21.91 auth-port 1812 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
! Login EAP authentication method list used by the SSID
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
! SSID configuration (client VLAN, EAP authentication, WPA key management)
dot11 ssid LuisTest
   vlan 20
   authentication open eap eap_methods
   authentication key-management wpa
!
power inline negotiation prestandard source
!
!
username Cisco password 7 1531021F0725
!
bridge irb
!
!
! Enable client access on the Dot11Radio0 interface
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
! Wireless encryption mode for the client VLAN
 encryption vlan 20 mode ciphers tkip
 !
! Assign the SSID to the radio
 ssid LuisTest
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
! Bridge-group settings for the VLAN 20 subinterface
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
! BVI interface IP address
interface BVI1
 ip address 192.168.255.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.255.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

! RADIUS source interface
ip radius source-interface BVI1

radius-server attribute 32 include-in-access-req format %h
! RADIUS server configuration
radius-server host 10.200.21.91 auth-port 1812 acct-port 1646 key 7 095F5704180B031708
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Note: the RADIUS server 10.200.21.91 is the LAN Enforcer, not the IAS server. The AP sends its RADIUS requests to the Enforcer, which forwards them to IAS.
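As an added consistency check (not part of the original article), the following Python script parses the key lines of the AP configuration above and verifies the design points this setup depends on: the AP's RADIUS peer is the Enforcer rather than IAS, each group server has a matching global radius-server entry, and the SSID's EAP method list, VLAN encryption and dot1Q subinterface all exist. The config excerpt is constructed from the article's own values.

```python
import re

# Addresses as documented in this article.
ENFORCER_IP = "10.200.21.91"
IAS_IP = "10.200.21.49"
# Constructed excerpt of the AP1200 running-config shown above (same values).
AP_CONFIG = """\
aaa group server radius rad_eap
 server 10.200.21.91 auth-port 1812 acct-port 1646
aaa authentication login eap_methods group rad_eap
dot11 ssid LuisTest
   vlan 20
   authentication open eap eap_methods
   authentication key-management wpa
interface Dot11Radio0
 encryption vlan 20 mode ciphers tkip
 ssid LuisTest
interface Dot11Radio0.20
 encapsulation dot1Q 20
radius-server host 10.200.21.91 auth-port 1812 acct-port 1646 key 7 095F5704180B031708
"""

def check_ap_config(cfg, enforcer_ip=ENFORCER_IP, ias_ip=IAS_IP):
    """Return a list of findings; an empty list means the config matches the design."""
    findings = []
    # 1. The AP's RADIUS peer must be the Enforcer (which forwards to IAS), never IAS itself.
    hosts = dict(re.findall(r"^radius-server host (\S+) auth-port (\d+)", cfg, re.M))
    if ias_ip in hosts:
        findings.append("radius-server host points at IAS; the AP must talk to the Enforcer")
    if enforcer_ip not in hosts:
        findings.append("no radius-server host entry for the Enforcer")
    # 2. Every server listed in a RADIUS group needs a matching global host entry.
    for ip, port in re.findall(r"^ server (\S+) auth-port (\d+)", cfg, re.M):
        if hosts.get(ip) != port:
            findings.append(f"group server {ip}:{port} has no matching radius-server host")
    # 3. Each SSID's EAP method list must be defined, and its VLAN encrypted and bridged.
    methods = set(re.findall(r"^aaa authentication login (\S+)", cfg, re.M))
    enc_vlans = set(re.findall(r"^ encryption vlan (\d+) mode", cfg, re.M))
    sub_vlans = set(re.findall(r"^ encapsulation dot1Q (\d+)", cfg, re.M))
    for ssid, body in re.findall(r"^dot11 ssid (\S+)\n((?:   .*\n)+)", cfg, re.M):
        m = re.search(r"authentication open eap (\S+)", body)
        if not m or m.group(1) not in methods:
            findings.append(f"ssid {ssid}: EAP method list missing or undefined")
        v = re.search(r"^\s*vlan (\d+)", body, re.M)
        vlan = v.group(1) if v else None
        if vlan not in enc_vlans:
            findings.append(f"ssid {ssid}: no encryption for vlan {vlan}")
        if vlan not in sub_vlans:
            findings.append(f"ssid {ssid}: no dot1Q subinterface for vlan {vlan}")
    return findings
```

Run it against a full `show running-config` capture from the AP to catch the common mistake this note warns about (pointing the AP at IAS directly).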
Catalyst 3560 switch configuration

Server-facing ports for the SEPM, RADIUS (IAS) and Enforcer (VLAN 10). The article lists all three on GigabitEthernet0/1; substitute the actual port used for each server:
interface GigabitEthernet0/1
 description link2SEPM
 switchport access vlan 10

interface GigabitEthernet0/1
 description link2RADIUS
 switchport access vlan 10

interface GigabitEthernet0/1
 description link2Enforcer
 switchport access vlan 10

interface Vlan10
 ip address 10.200.21.2 255.255.255.0
!

AP-facing switch port (the AP's port belongs to VLAN 20):
interface GigabitEthernet0/11
 description link2AP-1242
 switchport access vlan 20
!
!
interface Vlan20
 ip address 192.168.255.2 255.255.255.0
!

5. SEP client configure
Add the Wi-Fi network: a) add the SSID, b) authentication: WPA, c) data encryption: TKIP
 
EAP authentication settings: a) select the Protected EAP (PEAP) authentication method, b) clear "Validate server certificate", c) select EAP-MSCHAP v2 as the authentication method

Network connection status shown after the client connects successfully
