使用802.1x進行自動VLAN分配

[psac]

設備環境：Cisco Catalyst 3550-24-EMI（IOS：12.1(14)EA1 EMI），Cisco Secure ACS v3.1

1、和802.1x相關的交換機主要配置內容：

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!---如果只是做802.1x認證，則aaa authorization network這句可不要，如要做VLAN分配或per-user ACL，則必須做network authorization

dot1x system-auth-control
!---注意在12.1(14)EA1版以後802.1x的配置有了修改，此句enable 802.1x

interface FastEthernet0/1
description To Server_Farm
switchport mode access
dot1x port-control auto
dot1x max-req 3
spanning-tree portfast
!---dot1x port-control auto句在F0/1上enable dot1x，另外注意在F0/1口下我並沒有給它賦VLAN


radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 key radius_string
radius-server vsa send authentication
!---radius-server host 1.2.3.4句定義radius server信息，並給出驗證字串
!---因為要配置VLAN分配必須使用IETF所規定的VSA(Vendor-specific attributes）值，radius-server vsa send authentication句允許交換機識別和使用這些VSA值。

配置802.1x動態分配VLAN所用到的VSA值規定如下：
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

2、和802.1x相關的ACS主要配置內容：
這個配置要看圖了，另外附帶說一點，Cisco我的文件說ACS 3.0之前是不支持802.1x的。因為802.1x使用radius進行認證，所以在選用認證傳輸協定時我選用的是RADIUS(IETF)，而預設是Cisco的TACACS+。
在Interface Configuration中對RADIUS(IETF)進行配置，在組用戶內容中選[64]Tunnel-Type、[65] Tunnel-Medium-Type、[81]Tunnel-Private-Group-ID（見下圖）。
在Group Setup中對RADIUS Vendor-Specific Attributes值進行編輯：勾選[64]Tunnel-Type，將tag 1的值選為VLAN；勾選[65] Tunnel-Medium-Type，將tag 1的值選為802；勾選[81]Tunnel-Private-Group-ID，將tag 1的值設為7，表明為VLAN 7（見下圖）。設定完後，Submit+Rest。

3、工作站端的設定：
WINXP本身內裝對802.1x的支持，微軟在前不久出了一個修正檔可以讓WIN2K也支持802.1x，需要注意的是WIN2K SP4已經內裝了對802.1x的支持，SP3以下可使用此修正檔：
http://support.microsoft.com/default...b;en-us;313664

安裝完此修正檔後，802.1x預設是不啟動的，可在服務中手動開啟Wireless Configuration服務，開啟此服務後，在網路卡連接內容中會多出一欄Authenticatioin，在此欄中勾選Enable network access control using IEEE 802.1x，同時在EAP type中選MD5-Challenge。

4、測試：
在所有設定完成後，可以觀察到802.1x enable的F0/1口上狀態燈顯示為黃燈，而在工作站端過一會後會彈出一個認證視窗，在用戶名/密碼處填入ACS中定義好的用戶名/密碼，域名處不填，同時觀察WIN2K systray處的連接圖示，上面會有和認證服務器聯繫及認證用戶的浮動提示，同時F0/1的狀態燈也會順利變為綠燈。
認證通過後檢驗VLAN值是否已正確分配：先ping VLAN7的網關位址，通；再ping其它VLAN的網關位址，通；最後看可否上Internet，通。

ACS Interface Configuration設定
( cisco system: group setup)
ACS Group Setup設定

網路連接內容設定( local area conncetion Properties)

Md5
--------------------------------------------------------------------------------
如對802.1x傳輸協定瞭解不清，可參看以下概念介紹：

*Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch.The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the IEEE 802.1X specification.)

*Authentication server —performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

*Switch (edge switch or wireless access point) —controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.