Cisco C2960X series: enabling wired 802.1X admission control and dynamic VLAN assignment
Dynamic network access assignment based on 802.1X + AD + DHCP + NPS
2019-6-12
1 The company's AD and DHCP servers already exist and are not configured here. The one thing this setup needs from them is a DHCP scope (and a relay / ip helper-address on that VLAN's gateway) for every VLAN the NPS policy can hand out: a client that RADIUS moves into a VLAN without a reachable scope authenticates successfully and then sits without an address.
2 Switch configuration
2.1 The company's original switch configuration:
AL-C2960X-48TS-A1FTEST#sh running-config
Building configuration...
Current configuration : 3815 bytes
!
! Last configuration change at 21:43:17 utc Tue Jun 11 2019
! NVRAM config last updated at 21:41:24 utc Tue Jun 11 2019
!
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname AL-C2960X-48TS-A1FTEST
!
boot-start-marker
boot-end-marker
!
enable password 7 1531021F027256314263827
!
username admin password 7 020*******F34D52D711D16
aaa new-model
!
aaa authentication login bpt group radius local
aaa authentication login nopassword none
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
clock timezone utc 8 0
switch 1 provision ws-c2960x-24ps-l
!
no ip domain-lookup
ip domain-name
!
dot1x system-auth-control
!
spanning-tree mode mst
spanning-tree portfast default
spanning-tree extend system-id
!
spanning-tree mst configuration
name pacific
revision 10
instance 1 vlan 1-3
instance 2 vlan 5-8, 49-50
instance 3 vlan 9-10, 12, 51, 53
instance 4 vlan 13-15, 17, 88, 200
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.168.199 255.255.254.0
!
ip default-gateway 192.168.168.3
ip http server
ip http secure-server
!
ip ssh authentication-retries 5
ip ssh version 2
!
radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 1
!
radius server Primary-Radius
address ipv4 192.168.2.30 auth-port 1645 acct-port 1646
timeout 3
retransmit 3
key 7 1407135080450223238
!
radius server Alternate-Radius
address ipv4 192.168.2.17 auth-port 1645 acct-port 1646
timeout 3
retransmit 3
key 7 06160E2245248352001A
!
line con 0
logging synchronous
login authentication nopassword
line vty 0 4
login authentication bpt
transport input ssh
line vty 5 15
transport input none
!
ntp server 192.168.0.5
ntp server 192.168.2.7 prefer
end
2.2 RADIUS configuration commands (the original switch already has these RADIUS commands, so they do not need to be entered again)
aaa authentication login bpt group radius local
!
radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 1
!
radius server Primary-Radius
address ipv4 192.168.2.30 auth-port 1645 acct-port 1646
timeout 3
retransmit 3
key 7 071F20543F4740F1006
!
radius server Alternate-Radius
address ipv4 192.168.2.17 auth-port 1645 acct-port 1646
timeout 3
retransmit 3
key 7 031452A32080F059284F
! Specifies each RADIUS server's IP address, the UDP ports and the shared secret used for the exchange. The switch uses the legacy ports 1645/1646; NPS listens on 1812,1645 (authentication) and 1813,1646 (accounting) by default, so either pair works. The "key 7" strings are Cisco type 7 encoding, which is reversible with freely available tools, so any copy of this running-config must be treated as containing the cleartext RADIUS secrets.
2.3 Additional switch configuration commands
2.3.1 Add the following in global configuration mode
AL-C2960X-48TS-A1FTE(config)#aaa new-model
! Enable AAA
AL-C2960X-48TS-A1FTE(config)#aaa authentication dot1x default group radius
! 802.1X authenticates against the RADIUS server group
AL-C2960X-48TS-A1FTE(config)#aaa authorization network default group radius
! Required for dynamic VLAN assignment over 802.1X: without network authorization the switch ignores the Tunnel-* VLAN attributes the RADIUS server returns and leaves the port in its configured access VLAN
AL-C2960X-48TS-A1FTE(config)#dot1x system-auth-control
! Globally enable 802.1X port-based authentication (the per-port commands below do nothing until this is set)
2.3.2 Add the following in interface configuration mode
AL-C2960X-48TS-A1FTE(config)#interface g1/0/1
! Enter the configuration of port G1/0/1
AL-C2960X-48TS-A1FTE(config-if)#switchport mode access
! For dot1x to assign a VLAN the port must be in access mode
AL-C2960X-48TS-A1FTE(config-if)#authentication port-control auto
! Port authentication control: the port stays unauthorized until a supplicant authenticates
AL-C2960X-48TS-A1FTE(config-if)#dot1x pae authenticator
! Make the port an 802.1X authenticator
AL-C2960X-48TS-A1FTE(config-if)#authentication timer inactivity 30
! Inactivity timer, an interface-mode command (note the config-if prompt), not the authentication response timeout: a session that sends no traffic for 30 seconds is cleared and the host must re-authenticate. 30 seconds is aggressive and will churn idle hosts; raise it, or use "authentication timer inactivity server" to let the RADIUS Idle-Timeout attribute set it per policy.
3 RADIUS server (NPS) settings
3.1 Add the RADIUS policy configuration
3.1.1 Add the RADIUS network policy
3.1.2 Add the policy conditions (Windows Groups, NAS Port Type, Authentication Type)
3.1.3 Add the policy constraints (Authentication Methods)
3.1.4 Add the policy settings (Settings). This is where the VLAN is carried back to the switch: the policy's RADIUS attributes must include Tunnel-Type = Virtual LANs (VLAN), Tunnel-Medium-Type = 802 and Tunnel-Pvt-Group-ID = the VLAN ID (or VLAN name) for that Windows group, one network policy per group/VLAN pair.
3.2 Add the switch as a RADIUS client
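Step 3.2 done from PowerShell rather than the NPS console, as an added example that is not part of the original document. It generates a shared secret, registers the switch on the local NPS server, and prints the value once for pasting into the switch's "key" line. The client name and address come from the running-config above; the secret length and character set, and the function names, are assumptions. Run it as an administrator on each NPS server in turn (192.168.2.30 and 192.168.2.17 here).

```powershell
#Requires -Modules NPS
# Added example, not from the original document or from Cisco/Microsoft.
# Registers the C2960X as an NPS RADIUS client with a freshly generated shared secret.

function New-RadiusSharedSecret {
    param([int]$Length = 32)   # length is an assumption; NPS accepts up to 128 characters
    # Characters both NPS and IOS accept in a shared secret. '?' is left out because the
    # IOS CLI treats it as the help key, and spaces are left out so "key <secret>" works unquoted.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # 256 is not a multiple of the alphabet size, so there is a small modulo bias;
    # acceptable at this length, and avoids a rejection loop in a one-off script.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Register-SwitchAsRadiusClient {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$SharedSecret
    )
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name -or $_.Address -eq $Address }) {
        throw "A RADIUS client named '$Name' or with address $Address already exists; use Set-NpsRadiusClient to change it."
    }
    # -AuthAttributeRequired makes NPS drop Access-Requests without a valid Message-Authenticator.
    # 802.1X/EAP requests always carry one, so this costs nothing here and rejects a forged
    # request from a host that knows the switch's address but not the secret.
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret `
        -AuthAttributeRequired $true -NapCompatible $false -Enable $true | Out-Null
    Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }
}

$secret = New-RadiusSharedSecret
Register-SwitchAsRadiusClient -Name 'AL-C2960X-48TS-A1FTEST' -Address '192.168.168.199' -SharedSecret $secret

# The same value goes into the switch under "radius server Primary-Radius" and
# "radius server Alternate-Radius" as "key <secret>"; IOS then shows it only as "key 7 ...".
# Printed once for that copy; clear the console history afterwards.
"Switch-side command:  key $secret"
```

The second NPS server must hold the same client entry and secret. Either run the script there with the secret carried over, or copy the configuration with Export-NpsConfiguration -Path on the primary and Import-NpsConfiguration -Path on the alternate; note that the exported XML contains every shared secret in cleartext, so protect and delete it like a password file.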
4 Client PC configuration
4.1 Set the wired 802.1X service ("Wired AutoConfig", service name dot3svc) to start automatically. It is Manual by default, and while it is stopped the PC never answers the switch's EAP-Request/Identity, so the port stays unauthorized.
4.2 Enable IEEE 802.1X authentication on the local wired adapter (Authentication tab of the adapter's properties).
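The client-side checks for steps 4.1 and 4.2 from PowerShell, as an added example that is not part of the original document. It starts the supplicant service, shows the per-adapter 802.1X state, and pulls the supplicant's own event log, which is the first place to look when the switch reports the port as unauthorized. The function names and the event count are assumptions; run it as an administrator on the PC.

```powershell
# Added example, not from the original document or from Microsoft.
# Wired 802.1X supplicant checks on a Windows client.

function Enable-WiredDot1xService {
    # Step 4.1: make the Wired AutoConfig service (dot3svc) run now and on every boot.
    $svc = Get-Service -Name dot3svc
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name dot3svc -StartupType Automatic }
    if ($svc.Status -ne 'Running')      { Start-Service -Name dot3svc }
    Get-Service -Name dot3svc | Select-Object Name, Status, StartType
}

function Get-WiredDot1xState {
    # Step 4.2 check: netsh lan reports, per wired adapter, whether 802.1X is enabled on it
    # and whether the current link is authenticated, plus the stored wired profiles.
    netsh lan show interfaces
    netsh lan show profiles
}

function Get-WiredDot1xEvents {
    param([int]$Count = 10)   # count is an assumption
    # Every authentication attempt is logged here; a failed EAP exchange appears as an
    # error event naming the adapter and the reason.
    Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents $Count |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Enable-WiredDot1xService
Get-WiredDot1xState
Get-WiredDot1xEvents
```

Ticking the 802.1X box itself (step 4.2) is done in the adapter's Authentication tab, or by importing a wired profile XML with "netsh lan add profile filename=<file> interface=<adapter>"; a profile configured once on a reference PC can be captured with "netsh lan export profile folder=<dir> interface=<adapter>" and reused on the others.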
5 Checking which users have passed 802.1X authentication
On the switch, show authentication sessions lists every 802.1X port with the authenticated MAC address, method and status, and show authentication sessions interface GigabitEthernet1/0/1 details adds the username, the VLAN the RADIUS server assigned and the remaining inactivity timer; show vlan brief confirms the port has actually moved into that VLAN. On the NPS server the same decisions appear in the Security event log under the Network Policy Server task category: event 6272 for an accepted request and 6273 for a rejected one, with the reason code.