Problems with dot1x authentication on a Cisco 6509
feieboy (offline)
1. Problems with dot1x authentication on a Cisco 6509
Network layout
10.10.0.27(tac3.3)--------6509(10.10.0.66)--------pc.
The 6509 runs CatOS 6.4.5.
Configuration:
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Mon Sep 19 2005, 10:49:34
!
#version 6.4(5)
!
set password $1$KVKp$VxyBTy.sUvxvHDDlm3Pgl0
set enablepass $1$KR39$mKs1k.XdbL/zvarwlhGup.
!
#!
#snmp
set snmp community read-only mysy
set snmp community read-write yangyong
!

#radius
set radius server 10.10.0.27 auth-port 1812 primary
set radius key fei-mysy
!

#vtp
set vtp domain mysy
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 2 name shanxiaovpn type ethernet mtu 1500 said 100002 state active
set vlan 3 name jikexi type ethernet mtu 1500 said 100003 state active
set vlan 4 name dianxinkuandai type ethernet mtu 1500 said 100004 state active
set vlan 5 name 301zhongdianjifang-jkx type ethernet mtu 1500 said 100005 state active
set vlan 6 name jiaoyuwangduan210 type ethernet mtu 1500 said 100006 state active
set vlan 7 name fuwuqi-wgzx type ethernet mtu 1500 said 100007 state active
set vlan 8 name 202jifang-jkx type ethernet mtu 1500 said 100008 state active
set vlan 9 name 203jifang-jkx type ethernet mtu 1500 said 100009 state active
set vlan 10 name 204jifang-jkx type ethernet mtu 1500 said 100010 state active
set vlan 11 name 205jifang-jkx type ethernet mtu 1500 said 100011 state active
set vlan 12 name 206jifang-jkx type ethernet mtu 1500 said 100012 state active
set vlan 13 name 207jifang-jkx type ethernet mtu 1500 said 100013 state active
set vlan 14 name 208jifang-jkx type ethernet mtu 1500 said 100014 state active
set vlan 15 name 304xiangmujifang-jkx type ethernet mtu 1500 said 100015 state active
set vlan 16 name yuanbian type ethernet mtu 1500 said 100016 state active
set vlan 17 name jiaowuchu-shebeichu type ethernet mtu 1500 said 100017 state active
set vlan 18 name waiyuxi-xueguongbu type ethernet mtu 1500 said 100018 state active
set vlan 19 name tushuguan-fuwuqi-bangong type ethernet mtu 1500 said 100019 state active
set vlan 20 name tushguan-dianziyuelan type ethernet mtu 1500 said 100020 state active
set vlan 21 name wulixi-huaxuexi type ethernet mtu 1500 said 100021 state active
set vlan 22 name shewuxi-shuxuexi type ethernet mtu 1500 said 100022 state active
set vlan 23 name wangluozhongxing type ethernet mtu 1500 said 100023 state active
set vlan 25 name dialer2610 type ethernet mtu 1500 said 100025 state active
set vlan 26 name shanjiaolou type ethernet mtu 1500 said 100026 state active
set vlan 27 name shuxuexijifang type ethernet mtu 1500 said 100027 state active
set vlan 28 name jiaoyuxi type ethernet mtu 1500 said 100028 state active
set vlan 29 name xilishiyanshi type ethernet mtu 1500 said 100029 state active
set vlan 30 name shebeichu type ethernet mtu 1500 said 100030 state active
set vlan 31 name fuwuqi-wangluozhongxing-1 type ethernet mtu 1500 said 100031 state active
set vlan 32 name dianxinkuan-2 type ethernet mtu 1500 said 100032 state active
set vlan 33 name 2611xm type ethernet mtu 1500 said 100033 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 0 stemaxhop 0 backupcrf off
!
#ip
set interface sc0 1 10.10.0.66/255.255.255.224 10.10.0.95

set ip route 0.0.0.0/0.0.0.0 10.10.0.65
set ip alias default 0.0.0.0
!
#spantree
#vlan <VlanId>
set spantree fwddelay 15 1003
set spantree maxage 20 1003
set spantree disable 1005
set spantree fwddelay 15 1005
set spantree maxage 20 1005
!
#syslog
set logging level ld 2 default
set logging level privatevlan 2 default
!
#set boot command
set boot config-register 0x102
set boot system flash bootflash:cat6000-sup.6-4-5.bin
set boot system flash bootflash:cat6000-sup.5-3-5a-CSX.bin
!
#igmp
set igmp disable
!
#qos
set qos enable
set qos wred 1p2q2t tx queue 1 40:80 70:100
set qos wred 1p2q2t tx queue 2 40:80 70:100
set qos policer aggregate egree_1Mbps rate 1000 burst 20 drop
clear qos acl all
#ip-vlan
set qos acl ip ip-vlan trust-ipprec aggregate egree_1Mbps ip any any
#
commit qos acl all
!
#port channel
set port channel 2/5-8 15
set port channel 2/1-4 74
set port channel 3/13-14 607
set port channel 3/17-18 818
set port channel 3/15-16 942
set port channel 3/19-20 945
set port channel 3/37-40 956
!
# default port status is enable
!
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1
!
#module 2 : 8-port 1000BaseX Ethernet
set module name 2
set port name 2/2 connect-jiaowuchu
set port name 2/3 3524-wgzx
set port name 2/4 connect-yuanbian
set port name 2/5 connect-tushuguan
set udld enable 2/1,2/4,2/8
set trunk 2/2 nonegotiate isl 1-1005,1025-4094
set trunk 2/3 nonegotiate isl 1-1005,1025-4094
set trunk 2/4 nonegotiate isl 1-1005,1025-4094
set trunk 2/5 nonegotiate isl 1-1005,1025-4094
set trunk 2/6 nonegotiate isl 1-1005,1025-4094
set port channel 2/1-8 mode off
!
#module 3 : 48-port 10/100BaseTX Ethernet
set vlan 2 3/8,3/10
set vlan 4 3/1
set vlan 6 3/3,3/5
set vlan 7 3/2,3/4,3/13-22,3/25,3/27-28
set vlan 23 3/24,3/46
set vlan 25 3/12
set vlan 31 3/35
set vlan 32 3/9
set vlan 33 3/11
set port name 3/1 connect-pix520
set port name 3/2 connect-dns
set port name 3/3 connect-dhcp
set port name 3/4 toshibaweb
set port name 3/6 connect-cisco3200
set port name 3/7 connect-2924-wgzx
set port name 3/8 dianxing-vpn
set port name 3/9 dhcp-wgzx
set port name 3/10 dianxing-vpn
set port name 3/12 cisco2610-dialer
set port name 3/15 sql-oa
set port name 3/16 sql-oa
set port name 3/17 jiaowuserver-b
set port name 3/19 mysy-web
set port name 3/20 mysy-web
set port name 3/22 yangshaojun-cd
set port name 3/23 xinlishi-huawei3026
set port name 3/25 test-game
set port dot1x 3/46 port-control auto
set trunk 3/6 on isl 1-1005,1025-4094
set trunk 3/7 on isl 1-1005,1025-4094
set trunk 3/8 off negotiate 1-1005,1025-4094
set trunk 3/23 on dot1q 1-1005,1025-4094
clear trunk 3/37 1-1005,1025-2094
set trunk 3/37 off negotiate 2095-4094
clear trunk 3/38 1-1005,1025-2094
set trunk 3/38 off negotiate 2095-4094
set trunk 3/46 off negotiate 1-1005,1025-4094
set spantree portfast 3/46 enable
set spantree portvlancost 3/15 cost 16
set spantree portvlancost 3/16 cost 16
set spantree portvlancost 3/19 cost 99 16
set spantree portvlancost 3/20 cost 99 16
set port qos 3/1 vlan-based
set port channel 3/15-16 mode off
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
!
#module 7 empty
!
#module 8 empty
!
#module 9 empty
!
#module 15 : 1-port Multilayer Switch Feature Card
!
#module 16 empty
!
#switch port analyzer
set span 3/1 3/13 both inpkts disable learning enable multicast enable create
end


ACS 3.3 configuration (Windows 2003 SP1, Chinese edition)
Also, in ACS, what are the AAA server and AAA client each for? I set up an AAA client like this, but it doesn't seem to do anything.

Screenshot attached

Posted 2005/09/19, 11:27
samenlia (offline)
2. Re: Problems with dot1x authentication on a Cisco 6509
The AAA client is the switch that needs to authenticate; just enter the switch's IP address.
The AAA server is presumably for specifying an external RADIUS server; judging from the ACS screenshot, ACS itself already provides the AAA server function.
Posted 2005/09/20, 16:50
newcomer (offline)
3. Re: Problems with dot1x authentication on a Cisco 6509
AAA server is a configuration option used for distributed ACS deployments. The AAA client is the network device on which 802.1x is configured; for a switch, choosing the IETF format is recommended.
Posted 2005/09/21, 23:31
feieboy (offline)
4. Re: Problems with dot1x authentication on a Cisco 6509
Thanks everyone, I finally got it working today! The key point is that under System Configuration, Global Authentication Setup has an EAP-MD5 option:
Allow EAP-MD5
After enabling it and restarting, it works. Oddly, when I opened that page the option was already checked, but it was fine after I set it again; I don't know why. The next step is to see how to do traffic accounting through the ACS service!
Posted 2005/09/27, 16:21
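An added illustration of the EAP-MD5 round trip that the Allow EAP-MD5 setting enables (example code written for this edit, not code from the thread or from Cisco ACS): the 6509 relays the challenge and the hashed answer between the PC and the RADIUS server, the server must hold the user's password in recoverable form to recompute the hash, and the method gives the PC no way to verify the network side. All packet values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# EAP codes and the MD5-Challenge method type, as defined in RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4


def md5_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 s5.4 / RFC 1994: MD5(Identifier || password || challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap(code: int, identifier: int, value: bytes) -> bytes:
    """Wire format: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value(n)."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap(packet: bytes) -> Tuple[int, int, bytes]:
    """Return (code, identifier, value); reject truncated or non-MD5 packets."""
    if len(packet) < 6 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad EAP length")
    if packet[4] != EAP_TYPE_MD5 or 6 + packet[5] > len(packet):
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    return packet[0], packet[1], packet[6:6 + packet[5]]


def run_exchange(supplicant_password: bytes, server_password: bytes,
                 identifier: int = 1, challenge: Optional[bytes] = None) -> bool:
    """One EAP-MD5 round: ACS -> 6509 -> PC -> 6509 -> ACS; True means Access-Accept.

    The switch only relays EAP inside RADIUS and never sees the password; ACS
    must hold the user's password in recoverable form to recompute the hash.
    """
    challenge = os.urandom(16) if challenge is None else challenge
    # ACS sends EAP-Request/MD5-Challenge (carried to the PC via RADIUS Access-Challenge).
    request = build_eap(EAP_REQUEST, identifier, challenge)
    # The PC (supplicant) parses it and answers with the hash, not the password.
    code, ident, chal = parse_eap(request)
    if code != EAP_REQUEST:
        return False
    response = build_eap(EAP_RESPONSE, ident, md5_value(ident, supplicant_password, chal))
    # ACS recomputes the value from its own user database and compares in constant time.
    code, ident, value = parse_eap(response)
    expected = md5_value(ident, server_password, challenge)
    return code == EAP_RESPONSE and hmac.compare_digest(expected, value)
```

Because verification needs the stored password itself, EAP-MD5 can only be served from a user store that keeps passwords in recoverable form; that is why the option has to be enabled explicitly on the server side.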