Recently I have noticed that many customers and technical support engineers are interested in how Cisco ACS 3.0 pushes per-user settings to 802.1x clients through additional RADIUS attributes. In 2004 I ran a complete test of 802.1x + Port Security + VLAN assignment + per-user ACL + IP assignment + Guest VLAN.
Below is my lab environment (IP assignment did not succeed: ACS only supports IP assignment for PPP dial-up, and IP assignment from an AAA client IP pool):
Windows 2000 Chinese edition (almost all security patches, SP4, Java 1.3.1) + ACS 3.0 (the test also passes with ACS 3.2)
C3550 switch, IOS c3550-12.1-20-EA2.bin
At present Cisco Catalyst 3550/3750/3560/4500/4900/6500 fully support the features above. Cisco Catalyst 2940/2970 support them partially (no per-user ACL).
ACS 3.2/3.3 have also been tested and pass with the configuration unchanged.
Dynamic IP assignment did not succeed during the test. I suspect two things:
1. At the time, DHCP-style IP assignment may only have been supported for PPP.
2. My settings were wrong: when the VLAN assignment feature is used, DHCP relay must be enabled on the corresponding VLAN interface.
C3550 switch, IOS c3550-12.1-20-EA2.bin, running configuration:
Building configuration...
Current configuration : 3913 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname switch
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
ip subnet-zero
ip routing
!
ip accounting-threshold 496752
ip accounting-list 0.0.0.13 255.255.255.0
ip accounting-transits 10000
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access
!
interface FastEthernet0/4
switchport mode access
!
interface FastEthernet0/5
switchport mode access
!
interface FastEthernet0/6
switchport mode access
!
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
!
interface FastEthernet0/9
switchport mode access
!
interface FastEthernet0/10
switchport mode access
!
interface FastEthernet0/11
switchport mode access
!
interface FastEthernet0/12
switchport mode access
!
interface FastEthernet0/13
switchport mode access
!
interface FastEthernet0/14
switchport mode access
!
interface FastEthernet0/15
switchport mode access
!
interface FastEthernet0/16
switchport mode access
!
interface FastEthernet0/17
switchport mode access
!
interface FastEthernet0/18
switchport mode access
!
interface FastEthernet0/19
switchport mode access
!
interface FastEthernet0/20
switchport mode access
!
interface FastEthernet0/21
switchport mode access
!
interface FastEthernet0/22
switchport mode access
!
interface FastEthernet0/23
switchport mode access
!
interface FastEthernet0/24
switchport mode access
!
interface FastEthernet0/25
switchport mode access
!
interface FastEthernet0/26
switchport mode access
!
interface FastEthernet0/27
switchport mode access
!
interface FastEthernet0/28
switchport mode access
!
interface FastEthernet0/29
switchport mode access
!
interface FastEthernet0/30
switchport mode access
!
interface FastEthernet0/31
switchport mode access
!
interface FastEthernet0/32
switchport mode access
!
interface FastEthernet0/33
switchport mode access
!
interface FastEthernet0/34
switchport mode access
!
interface FastEthernet0/35
switchport mode access
!
interface FastEthernet0/36
switchport mode access
!
interface FastEthernet0/37
switchport mode access
!
interface FastEthernet0/38
switchport mode access
!
interface FastEthernet0/39
switchport mode access
!
interface FastEthernet0/40
switchport mode access
!
interface FastEthernet0/41
switchport mode access
!
interface FastEthernet0/42
switchport mode access
!
interface FastEthernet0/43
switchport mode access
!
interface FastEthernet0/44
switchport mode access
!
interface FastEthernet0/45
switchport mode access
!
interface FastEthernet0/46
switchport mode access
dot1x port-control auto
!
interface FastEthernet0/47
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/48
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0030.f164.60f7
dot1x port-control auto
dot1x timeout quiet-period 5
dot1x max-req 3
dot1x guest-vlan 2
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport mode access
!
interface Vlan1
ip address 192.168.70.55 255.255.255.0
!
interface Vlan2
ip address 192.168.10.1 255.255.255.0
!
router rip
network 192.168.10.0
network 192.168.70.0
!
ip classless
ip http server
!
!
radius-server host 192.168.70.13 auth-port 1812 acct-port 1813 key 123456
radius-server retransmit 3
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
line vty 5 15
!
!
end
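As an added example (not part of the original post), a small Python audit that checks a running-config for the 802.1x globals used above and, following the DHCP-relay suspicion, flags any VLAN SVI without an ip helper-address; it runs over a constructed excerpt of this config. Interface indentation and the ip helper-address command are assumed from standard IOS syntax.

```python
# Constructed excerpt of the lab running-config above (indentation restored).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface FastEthernet0/48
 dot1x port-control auto
 dot1x guest-vlan 2
!
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
!
radius-server host 192.168.70.13 auth-port 1812 acct-port 1813 key 123456
"""
REQUIRED_GLOBALS = ("aaa new-model", "dot1x system-auth-control",
                    "aaa authentication dot1x default group radius",
                    "aaa authorization network default group radius")  # VLAN/ACL push

def parse_sections(config):
    """Split an IOS config into (global_lines, {interface_name: [sub_lines]})."""
    globals_, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # '!' closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None:
            ifaces[current].append(line)
        else:
            globals_.append(line)
    return globals_, ifaces

def audit_dot1x(config):
    globals_, ifaces = parse_sections(config)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBALS if c not in globals_]
    for name, lines in ifaces.items():
        # Hosts that RADIUS places in a VLAN get no DHCP unless its SVI relays it
        if name.startswith("Vlan") and not any(l.startswith("ip helper-address") for l in lines):
            findings.append(f"{name}: no 'ip helper-address' (DHCP relay off)")
        for l in lines:
            if l.startswith("dot1x guest-vlan ") and "Vlan" + l.split()[-1] not in ifaces:
                findings.append(f"{name}: guest VLAN {l.split()[-1]} has no SVI")
    if any(g.startswith("radius-server host") and " key " in g for g in globals_):
        findings.append("global: RADIUS shared secret is visible in clear text")
    return findings
```

Run against the excerpt it reports the missing relay on Vlan2 and the clear-text RADIUS key; add "ip helper-address <dhcp-server>" under the SVI and the first finding disappears.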