MAC Authentication with a RADIUS Server

Time: 2021-06-10 17:50:40

MAC authentication through a RADIUS server, with NAT configured so that wireless clients can reach the external network.

I. Purpose of the experiment: use MAC authentication on a RADIUS server together with NAT on the router so that wireless devices on the LAN can access the Internet.

II. Experiment topology:

(topology diagram; the original page shows it as an image)

III. Equipment used:

S3610 switch x 3

AR28 router x 1

AP (wireless access point) x 1

AC (wireless controller) x 1

RADIUS server x 1

IV. Configuration:


Step 1: On the AC, create the user, bind the MAC address, and set up the wireless network

<h3c>sys
[h3c]sysname AC
(Note: the AC here is a WA2620-AGN. When renaming it, typing sys followed by the name is not enough; the full keyword sysname followed by the name is required.)
[AC]int vlan 1
[AC-vlan-interface1]undo ip add
[AC-vlan-interface1]vlan 2
[AC-vlan2]vlan 4
[AC-vlan4]int vlan 4
[AC-vlan-interface4]ip add 192.168.4.1 24
[AC-vlan-interface4]quit
[AC]radius scheme yu
[AC-radius-yu]server-type extended
[AC-radius-yu]primary authentication 192.168.5.1
[AC-radius-yu]primary accounting 192.168.5.1
[AC-radius-yu]key authentication h3c
(The RADIUS server's default shared secret is h3c. It can be changed, but both sides must use the same value, so h3c is configured here. Outside a lab, replace it with a long random secret: it is the only thing protecting the User-Password attribute and the reply authenticator on the wire.)
[AC-radius-yu]key accounting h3c
[AC-radius-yu]user-name-format without-domain
(Note: this sends the user name without the domain suffix, so accounts can be added on the RADIUS server without a domain.)
[AC]domain yu
[AC-isp-yu]authentication lan-access radius-scheme yu
[AC-isp-yu]authorization lan-access radius-scheme yu
[AC-isp-yu]accounting lan-access radius-scheme yu
[AC]int g1/0/1
[AC-GigabitEthernet1/0/1]port link-type trunk
[AC-GigabitEthernet1/0/1]port trunk permit vlan 1 to 2 4
[AC]interface WLAN-ESS7
[AC-WLAN-ESS7]port access vlan 2
[AC-WLAN-ESS7]port-security port-mode mac-authentication
[AC]wlan service-template 7 clear
[AC-wlan-st-7]ssid yu
[AC-wlan-st-7]bind WLAN-ESS 7
[AC-wlan-st-7]service-template enable
[AC]wlan ap yu model wa2620-agn
[AC-wlan-ap-yu]serial-id 219801A0A89112G03396
[AC-wlan-ap-yu]radio 2
[AC-wlan-ap-yu-radio-2]service-template 7
[AC-wlan-ap-yu-radio-2]radio enable
[AC]ip route-static 0.0.0.0 0.0.0.0 192.168.4.254
[AC]local-user 90c1151c77db
[AC-luser-90c1151c77db]password simple 90c1151c77db
(This is the MAC address of the wireless client that will connect. With MAC authentication the MAC, written here in lowercase with no separators, serves as both the user name and the password, so the account on the RADIUS server has to use exactly the same form.)
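The exchange that the configuration above sets up, as an added example that is not part of the original page: a pure-Python model of the RADIUS MAC-authentication round trip (RFC 2865 framing), with the server-side decision and the check the AC can run on the reply. It assumes the AC sends the MAC, lowercase with no separators and no domain suffix (user-name-format without-domain), as both User-Name and User-Password, the form the page's local-user uses, and that the shared secret is the page's h3c. It also shows why that secret matters: with a mismatched secret the password does not decrypt and the reply fails the NAS-side authenticator check. Two caveats a practitioner should keep in mind with this setup: the service template is of type clear, so the SSID carries traffic unencrypted, and a MAC address is a spoofable identifier, so MAC authentication is an access filter, not a strong credential.

```python
# Added example (not from the original page): RADIUS MAC-authentication exchange
# in pure Python, RFC 2865 framing. Assumptions: user name and password are the
# client MAC in lowercase without separators; shared secret is the page's "h3c".
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def mac_auth_username(mac: str) -> str:
    """Normalize any common MAC notation to the page's lowercase, separator-free form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[t] = payload[i + 2:i + length]
        i += length
    return attrs


def _password_xor(data: bytes, secret: bytes, req_auth: bytes, encrypting: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), the chain seeded with the Request Authenticator."""
    out, prev_cipher = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev_cipher).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev_cipher = result if encrypting else block
    return out


def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, req_auth, encrypting=True)


def decrypt_user_password(enc: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _password_xor(enc, secret, req_auth, encrypting=False).rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, client_mac: str, nas_ip: str,
                         req_auth: bytes = None) -> bytes:
    """What the AC (the NAS) sends to the RADIUS server when a station associates."""
    req_auth = req_auth or os.urandom(16)
    user = mac_auth_username(client_mac).encode()
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, encrypt_user_password(user, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(CALLING_STATION_ID, client_mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def handle_access_request(packet: bytes, secret: bytes, allowed_macs) -> bytes:
    """Server side: decrypt User-Password; accept only if user == password == an allowed MAC.
    A wrong shared secret on either side decrypts to garbage and is rejected as well."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    password = decrypt_user_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user.decode(errors="replace") in allowed_macs and hmac.compare_digest(user, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not chain to our request is forged or stale."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def response_code(response: bytes) -> int:
    return response[0]


if __name__ == "__main__":
    secret, allowed = b"h3c", {"90c1151c77db"}  # the page's key and bound MAC
    req = build_access_request(1, secret, "90:C1:15:1C:77:DB", "192.168.4.1")
    resp = handle_access_request(req, secret, allowed)
    print("known MAC accepted:", response_code(resp) == ACCESS_ACCEPT,
          "reply verified:", verify_response(resp, req, secret))
    req = build_access_request(2, secret, "00:11:22:33:44:55", "192.168.4.1")
    print("unknown MAC accepted:",
          response_code(handle_access_request(req, secret, allowed)) == ACCESS_ACCEPT)
```

The User-Password obfuscation is MD5-keyed XOR, not real encryption, and the Access-Accept carries no attributes here, so everything rides on the secret: a three-character default like h3c is trivially guessable offline from one captured request.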

Step 2: Configure the uplinks on the AC's switching module

<ac>oap connect slot 0
<acsw>sys
[acsw]int vlan 1
[acsw-vlan-interface1]undo ip add
[acsw-vlan-interface1]vlan 2
[acsw-vlan2]vlan 4
[acsw-vlan4]quit
[acsw]interface GigabitEthernet1/0/8
[acsw-GigabitEthernet1/0/8]port link-type trunk
[acsw-GigabitEthernet1/0/8]port trunk permit vlan 1 to 2 4
[acsw]int g1/0/9
[acsw-GigabitEthernet1/0/9]port link-type trunk
[acsw-GigabitEthernet1/0/9]port trunk permit vlan 1 to 2 4

Step 3: Configure the IP address pools on the DHCP switch


[dhcp]vlan 3
[dhcp]dhcp enable
[dhcp]dhcp server ip-pool 1
[dhcp-pool-pool1]network 192.168.1.0 24
[dhcp-pool-pool1]gateway-list 192.168.1.254
[dhcp-pool-pool1]option 43 hex 80070000 01C0A804 01
(Option 43 tells the APs, which take their addresses from pool 1, where the AC is: C0A80401 is 192.168.4.1.)
[dhcp]dhcp server ip-pool 2
[dhcp-pool-pool2]network 192.168.2.0 24
[dhcp-pool-pool2]gateway-list 192.168.2.254
[dhcp]int vlan 3
[dhcp-vlan-interface3]ip add 192.168.3.1 24
[dhcp]int e1/0/24
[dhcp-Ethernet1/0/24]port access vlan 3
[dhcp]rip 1
[dhcp-rip-1]network 192.168.3.0
[dhcp]dhcp server forbidden-ip 192.168.1.254
[dhcp]dhcp server forbidden-ip 192.168.2.254
(The two gateway addresses are excluded so the pools never hand them out to a client.)
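The option 43 value in pool 1 is the only thing that lets the APs on 192.168.1.0/24 find an AC on a different subnet, so it is worth being able to check it by hand. The following is an added example, not code from the original page: it builds and decodes that value. It takes the layout from the page's own bytes (sub-option type 0x80, one length byte, then a body ending in a one-byte AC count followed by one 4-byte address per AC); the two bytes after the length are not explained on the page and are carried opaque here as an assumption.

```python
# Added example (not from the original page): build and parse the DHCP option 43
# value the page uses for AP-to-AC discovery. The meaning of the two bytes after
# the length byte is an assumption (treated as reserved, left as 00 00).
import ipaddress

AC_ADDRESS_SUBOPTION = 0x80


def build_option43(ac_ips, opaque: bytes = b"\x00\x00") -> bytes:
    """Build the value for `option 43 hex ...` for one or more AC addresses."""
    addrs = [ipaddress.IPv4Address(ip).packed for ip in ac_ips]
    if not 1 <= len(addrs) <= 255:
        raise ValueError("need between 1 and 255 AC addresses")
    body = opaque + bytes([len(addrs)]) + b"".join(addrs)
    if len(body) > 255:
        raise ValueError("sub-option too long")
    return bytes([AC_ADDRESS_SUBOPTION, len(body)]) + body


def parse_option43(blob: bytes) -> list:
    """Return the AC addresses carried in an option 43 value; reject truncated data."""
    acs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated sub-option header")
        sub_type, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option body")
        if sub_type == AC_ADDRESS_SUBOPTION:
            # body = 2 opaque bytes, AC count, then 4 bytes per AC
            if length < 3 or len(body) - 3 != 4 * body[2]:
                raise ValueError("AC count does not match address bytes")
            acs += [str(ipaddress.IPv4Address(body[k:k + 4])) for k in range(3, len(body), 4)]
        i += 2 + length
    return acs


def cli_hex(blob: bytes) -> str:
    """Spaced form as typed on the page: `option 43 hex 80070000 01C0A804 01`."""
    h = blob.hex().upper()
    return " ".join(h[k:k + 8] for k in range(0, len(h), 8))


PAGE_VALUE = bytes.fromhex("80070000" "01C0A804" "01")  # the value from pool 1 on the page

if __name__ == "__main__":
    print(parse_option43(PAGE_VALUE))                       # AC seen by the APs
    print(cli_hex(build_option43(["192.168.4.1", "192.168.4.2"])))  # two-AC variant
```

If `parse_option43` does not return the AC's VLAN 4 address, Layer 3 registration in the test section will fail even though every link pings.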

Step 4: Configure DHCP relay on the switch that connects all the devices

[sw]vlan 2
[sw-vlan2]vlan 3
[sw-vlan3]vlan 4
[sw-vlan4]vlan 5
[sw-vlan5]vlan 6
[sw-vlan6]quit
[sw]dhcp relay server-group 1 ip 192.168.3.1
[sw]int vlan 1
[sw-vlan-interface1]ip add 192.168.1.254 24
[sw-vlan-interface1]dhcp select relay
[sw-vlan-interface1]dhcp relay server-select 1
[sw]int vlan 2
[sw-vlan-interface2]ip address 192.168.2.254 24
[sw-vlan-interface2]dhcp select relay
[sw-vlan-interface2]dhcp relay server-select 1
[sw]int vlan 3
[sw-vlan-interface3]ip address 192.168.3.254 24
[sw]int vlan 4
[sw-vlan-interface4]ip address 192.168.4.254 24
[sw]int vlan 5
[sw-vlan-interface5]ip address 192.168.5.254 24
[sw]int vlan 6
[sw-vlan-interface6]ip address 192.168.6.254 24
[sw]int e1/0/5
[sw-Ethernet1/0/5]port access vlan 5
[sw]int e1/0/6
[sw-Ethernet1/0/6]port access vlan 2
[sw]int e1/0/8
[sw-Ethernet1/0/8]port link-type trunk
[sw-Ethernet1/0/8]port trunk permit vlan 1 to 2 4
[sw]int e1/0/24
[sw-Ethernet1/0/24]port access vlan 3
[sw]rip 1
[sw-rip-1]network 192.168.1.0
[sw-rip-1]network 192.168.2.0
[sw-rip-1]network 192.168.3.0
[sw-rip-1]network 192.168.4.0
[sw-rip-1]network 192.168.5.0
[sw-rip-1]network 192.168.6.0
[sw]dhcp enable
[sw]ip route-static 0.0.0.0 0.0.0.0 192.168.6.1
(The next hop is the inside interface of the router that connects to the external network.)

Step 5: Configure routing and NAT on the router

[RA]acl number 2000
[RA-acl-basic-2000]rule 1 permit source 192.168.2.0 0.0.0.255
[RA-acl-basic-2000]rule 2 permit source 192.168.6.0 0.0.0.255
[RA]rip
[RA-rip]network 192.168.2.0
[RA-rip]network 192.168.6.0
[RA]int e0/0
[RA-Ethernet0/0]ip add 192.168.6.1 24
[RA]int e0/1
[RA-Ethernet0/1]ip address 10.3.102.33 24
[RA-Ethernet0/1]nat outbound 2000
[RA]ip route-static 0.0.0.0 0.0.0.0 10.3.102.1
(Only sources permitted by ACL 2000, the client VLAN 192.168.2.0/24 and the transit network 192.168.6.0/24, are translated on the outside interface. The AP, DHCP, AC and RADIUS networks are not matched, so they get no Internet access through this NAT, which is the right default for management networks.)
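To check ahead of time which sources `nat outbound 2000` will translate, the following added example (not from the original page) evaluates the page's basic ACL the way the router does: rules in configuration order, wildcard masks with 1 bits where the address need not match, and no match meaning the packet is forwarded untranslated. The rule list is transcribed from the page; the sample hosts are constructed, one per lab network.

```python
# Added example (not from the original page): evaluate basic ACL 2000 as used by
# `nat outbound 2000`. Assumes the default config-order matching of Comware ACLs.
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware/Cisco-style wildcard: compare only the bits where the mask is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


ACL_2000 = [  # (rule id, action, source, wildcard) as configured on router RA
    (1, "permit", "192.168.2.0", "0.0.0.255"),
    (2, "permit", "192.168.6.0", "0.0.0.255"),
]


def acl_lookup(rules, src: str):
    """First matching rule wins; returns (action, rule id) or ("no-match", None)."""
    for rule_id, action, base, wildcard in rules:
        if wildcard_match(src, base, wildcard):
            return action, rule_id
    return "no-match", None


def is_translated(src: str, rules=ACL_2000) -> bool:
    """nat outbound translates a packet only when the ACL permits its source."""
    return acl_lookup(rules, src)[0] == "permit"


def nat_report(hosts: dict, rules=ACL_2000) -> dict:
    """Map each labelled source to True (translated) or False (forwarded untranslated)."""
    return {label: is_translated(ip, rules) for label, ip in hosts.items()}


# Constructed sample hosts, one per network in the lab topology
LAB_HOSTS = {
    "AP on VLAN 1": "192.168.1.10",
    "wireless client on VLAN 2": "192.168.2.37",
    "DHCP switch": "192.168.3.1",
    "AC": "192.168.4.1",
    "RADIUS server": "192.168.5.1",
    "core switch toward RA": "192.168.6.254",
}

if __name__ == "__main__":
    for label, translated in nat_report(LAB_HOSTS).items():
        print(f"{label:28s} {'NAT' if translated else 'not translated'}")
```

The report should show only the client VLAN and the transit network as translated; if a management network shows up as NAT, a rule has been widened beyond what the page configures.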

At this point the basic configuration is complete.

Step 6: Test the result

Check whether the AP's Layer 3 registration with the AC succeeded.

If Layer 3 registration fails, check link by link with ping: from the AC, ping the switch.

From the DHCP switch, ping the switch.

Once Layer 3 registration succeeds, check that the AP obtained an address through DHCP.

Set up the RADIUS server.

Connect the phone and observe the authentication process and its result.

Check the DHCP lease the phone obtained after connecting.

Check the NAT translations on the router.

Finally, check whether the connected phone can browse the Internet normally.