1. help! Does anyone know how to use 802.1x and MAC address binding together?
We use Cisco and have enabled dot1x. To prevent people from getting online with other computers, we also want to bind the port to the MAC address. On Cisco equipment, does anyone know how to do this? Thanks!
2. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Currently only XP supports it.
3. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
That's the client side. No need to worry about that yet.
4. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Does anybody know?
5. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Please see the guide on how to ask questions: http://bbs.netbuddy.org/news/428.html
6. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Got it, thanks! The problem is this: for access control of LAN users, we want to use dot1x to control the username and password used to get online, and at the same time require that users get online only from designated machines (hence the idea of MAC binding). But on Cisco switches, once 802.1x is enabled, MAC binding cannot be enabled. Is there any way to achieve this?
That should be clear now.
Thanks!
7. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
I don't quite understand your situation. If you only want to control LAN users' access to the Internet, you can use a proxy server to verify the username and password. If you want to control access between LAN users on the internal network, an access-list is enough. If you want to use 802.1x, check the Cisco documentation CD or the Cisco site; the software configuration guide for the relevant switch has a chapter with a detailed config. I'd suggest using PPPoE authentication instead.
8. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Controlling LAN users getting online means access to the LAN itself: only the machines we have registered (with registered MAC addresses) may get online, and at the same time they must use the username and password we assign. I've read the Cisco documentation; it doesn't say whether this can be done.
Also, how is PPPoE authentication implemented? Can you point me to some material on PPPoE authentication?
Thanks!
9. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
The simple way: bind MAC to port on the switch and authenticate Internet access through a proxy.
The more elaborate way: enable dot1x, assign the appropriate VLAN after the user authenticates, bind MAC to IP on the DHCP server, and have Cisco ACS download an ACL for each user. (ACS seems to have a feature for binding username to MAC!?)
If you're further interested, look into Cisco IBNS: "Under an IEEE 802.1X-based technology initiative called Cisco Identity-Based Networking Services (IBNS), Cisco is giving organizations the tools to reinforce network security by authenticating users based not only on the MAC and IP addresses of their client devices but also on their personal identity. IBNS spans a broad range of Cisco LAN infrastructure products—including Catalyst® switches, Aironet® 1100 and 1200 series access points, and the Cisco Secure Access Control Server (ACS)—to identify users attempting to gain access to the wired or wireless LAN (WLAN)."
http://www.cisco.com/en/US/about/ac123/ac1...cd800b19a3.html
10. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Thanks, Dayong.
The DHCP server can bind MAC to IP, but as long as the user sets an IP address themselves (within the assigned VLAN) instead of taking one from DHCP, and uses the username and password we assigned, they can still get online.
What I want to know is whether ACS can bind the username to the MAC???
11. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
ACS and the switch use RADIUS authentication, but I don't know which of the items can be used to set up MAC address binding. The RADIUS items are as follows:
RADIUS TYPES
(last updated 2003-09-15)

The RFC "Remote Authentication Dial In User Service (RADIUS)" [RFC2058, RFC2865] defines a type code. The IANA registry of these codes is listed here.

Sections: RADIUS Attribute Types - RADIUS Attribute Values - RADIUS Packet Type Codes - RADIUS Codes

RADIUS Attribute Types
----------------------
Defined in RFC 2865 unless otherwise indicated.

VALUE    DESCRIPTION                  REFERENCE
1        User-Name
2        User-Password
3        CHAP-Password
4        NAS-IP-Address
5        NAS-Port
6        Service-Type
7        Framed-Protocol
8        Framed-IP-Address
9        Framed-IP-Netmask
10       Framed-Routing
11       Filter-Id
12       Framed-MTU
13       Framed-Compression
14       Login-IP-Host
15       Login-Service
16       Login-TCP-Port
17       (unassigned)
18       Reply-Message
19       Callback-Number
20       Callback-Id
21       (unassigned)
22       Framed-Route
23       Framed-IPX-Network
24       State
25       Class
26       Vendor-Specific
27       Session-Timeout
28       Idle-Timeout
29       Termination-Action
30       Called-Station-Id
31       Calling-Station-Id
32       NAS-Identifier
33       Proxy-State
34       Login-LAT-Service
35       Login-LAT-Node
36       Login-LAT-Group
37       Framed-AppleTalk-Link
38       Framed-AppleTalk-Network
39       Framed-AppleTalk-Zone
40       Acct-Status-Type             [RFC2866]
41       Acct-Delay-Time              [RFC2866]
42       Acct-Input-Octets            [RFC2866]
43       Acct-Output-Octets           [RFC2866]
44       Acct-Session-Id              [RFC2866]
45       Acct-Authentic               [RFC2866]
46       Acct-Session-Time            [RFC2866]
47       Acct-Input-Packets           [RFC2866]
48       Acct-Output-Packets          [RFC2866]
49       Acct-Terminate-Cause         [RFC2866]
50       Acct-Multi-Session-Id        [RFC2866]
51       Acct-Link-Count              [RFC2866]
52       Acct-Input-Gigawords         [RFC2869]
53       Acct-Output-Gigawords        [RFC2869]
54       (unassigned)
55       Event-Timestamp              [RFC2869]
56-59    (unassigned)
60       CHAP-Challenge
61       NAS-Port-Type
62       Port-Limit
63       Login-LAT-Port
64       Tunnel-Type                  [RFC2868]
65       Tunnel-Medium-Type           [RFC2868]
66       Tunnel-Client-Endpoint       [RFC2868]
67       Tunnel-Server-Endpoint       [RFC2868]
68       Acct-Tunnel-Connection       [RFC2867]
69       Tunnel-Password              [RFC2868]
70       ARAP-Password                [RFC2869]
71       ARAP-Features                [RFC2869]
72       ARAP-Zone-Access             [RFC2869]
73       ARAP-Security                [RFC2869]
74       ARAP-Security-Data           [RFC2869]
75       Password-Retry               [RFC2869]
76       Prompt                       [RFC2869]
77       Connect-Info                 [RFC2869]
78       Configuration-Token          [RFC2869]
79       EAP-Message                  [RFC2869]
80       Message-Authenticator        [RFC2869]
81       Tunnel-Private-Group-ID      [RFC2868]
82       Tunnel-Assignment-ID         [RFC2868]
83       Tunnel-Preference            [RFC2868]
84       ARAP-Challenge-Response      [RFC2869]
85       Acct-Interim-Interval        [RFC2869]
86       Acct-Tunnel-Packets-Lost     [RFC2867]
87       NAS-Port-Id                  [RFC2869]
88       Framed-Pool                  [RFC2869]
89       (unassigned)
90       Tunnel-Client-Auth-ID        [RFC2868]
91       Tunnel-Server-Auth-ID        [RFC2868]
92-93    (unassigned)
94       Originating-Line-Info        [Trifunovic]
95       NAS-IPv6-Address             [RFC3162]
96       Framed-Interface-Id          [RFC3162]
97       Framed-IPv6-Prefix           [RFC3162]
98       Login-IPv6-Host              [RFC3162]
99       Framed-IPv6-Route            [RFC3162]
100      Framed-IPv6-Pool             [RFC3162]
101      Error-Cause Attribute        [RFC3576]
192-223  Experimental Use             [RFC2058]
224-240  Implementation Specific      [RFC2058]
241-255  Reserved                     [RFC2058]

RADIUS Attribute Values
-----------------------
Defined in RFC 2865 unless otherwise indicated.

Values for RADIUS Attribute 6, Service-Type:
1   Login
2   Framed
3   Callback Login
4   Callback Framed
5   Outbound
6   Administrative
7   NAS Prompt
8   Authenticate Only
9   Callback NAS Prompt
10  Call Check
11  Callback Administrative
12  Voice                        [Chiba]
13  Fax                          [Chiba]
14  Modem Relay                  [Chiba]
15  IAPP-Register                [IEEE 802.11f][Kerry]
16  IAPP-AP-Check                [IEEE 802.11f][Kerry]
17  Authorize Only               [RFC3576]

Values for RADIUS Attribute 7, Framed-Protocol:
1   PPP
2   SLIP
3   AppleTalk Remote Access Protocol (ARAP)
4   Gandalf proprietary SingleLink/MultiLink protocol
5   Xylogics proprietary IPX/SLIP
6   X.75 Synchronous
7   GPRS PDP Context             [Moore]

Values for RADIUS Attribute 10, Framed-Routing:
0   None
1   Send routing packets
2   Listen for routing packets
3   Send and Listen

Values for RADIUS Attribute 13, Framed-Compression:
0   None
1   VJ TCP/IP header compression
2   IPX header compression
3   Stac-LZS compression

Values for RADIUS Attribute 15, Login-Service:
0   Telnet
1   Rlogin
2   TCP Clear
3   PortMaster (proprietary)
4   LAT
5   X25-PAD
6   X25-T3POS
7   (unassigned)
8   TCP Clear Quiet (suppresses any NAS-generated connect string)

Values for RADIUS Attribute 29, Termination-Action:
0   Default
1   RADIUS-Request

Values for RADIUS Attribute 40, Acct-Status-Type [RFC 2866]:
1   Start                        [RFC 2866]
2   Stop                         [RFC 2866]
3   Interim-Update               [RFC 2866]
4-6 (unassigned)
7   Accounting-On                [RFC 2866]
8   Accounting-Off               [RFC 2866]
9   Tunnel-Start                 [RFC 2867]
10  Tunnel-Stop                  [RFC 2867]
11  Tunnel-Reject                [RFC 2867]
12  Tunnel-Link-Start            [RFC 2867]
13  Tunnel-Link-Stop             [RFC 2867]
14  Tunnel-Link-Reject           [RFC 2867]
15  Failed                       [RFC 2866]

Values for RADIUS Attribute 45, Acct-Authentic [RFC 2866]:
1   RADIUS
2   Local
3   Remote
4   Diameter                     [Calhoun]

Values for RADIUS Attribute 49, Acct-Terminate-Cause [RFC 2866]:
1   User Request
2   Lost Carrier
3   Lost Service
4   Idle Timeout
5   Session Timeout
6   Admin Reset
7   Admin Reboot
8   Port Error
9   NAS Error
10  NAS Request
11  NAS Reboot
12  Port Unneeded
13  Port Preempted
14  Port Suspended
15  Service Unavailable
16  Callback
17  User Error
18  Host Request
19  Supplicant Restart           [RFC3580]
20  Reauthentication Failure     [RFC3580]
21  Port Reinitialized           [RFC3580]
22  Port Administratively Disabled [RFC3580]

Values for RADIUS Attribute 61, NAS-Port-Type [RFC 2865]:
0   Async
1   Sync
2   ISDN Sync
3   ISDN Async V.120
4   ISDN Async V.110
5   Virtual
6   PIAFS
7   HDLC Clear Channel
8   X.25
9   X.75
10  G.3 Fax
11  SDSL - Symmetric DSL
12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation
13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
14  IDSL - ISDN Digital Subscriber Line
15  Ethernet
16  xDSL - Digital Subscriber Line of unknown type
17  Cable
18  Wireless - Other
19  Wireless - IEEE 802.11
20  Token-Ring                   [RFC3580]
21  FDDI                         [RFC3580]
22  Wireless - CDMA2000          [McCann]
23  Wireless - UMTS              [McCann]
24  Wireless - 1X-EV             [McCann]
25  IAPP                         [IEEE 802.11f][Kerry]

Values for RADIUS Attribute 64, Tunnel-Type [RFC 2868]:
1   Point-to-Point Tunneling Protocol (PPTP)
2   Layer Two Forwarding (L2F)
3   Layer Two Tunneling Protocol (L2TP)
4   Ascend Tunnel Management Protocol (ATMP)
5   Virtual Tunneling Protocol (VTP)
6   IP Authentication Header in the Tunnel-mode (AH)
7   IP-in-IP Encapsulation (IP-IP)
8   Minimal IP-in-IP Encapsulation (MIN-IP-IP)
9   IP Encapsulating Security Payload in the Tunnel-mode (ESP)
10  Generic Route Encapsulation (GRE)
11  Bay Dial Virtual Services (DVS)
12  IP-in-IP Tunneling
13  Virtual LANs (VLAN)          [RFC3580]

Values for RADIUS Attribute 65, Tunnel-Medium-Type [RFC 2868]:
1   IPv4 (IP version 4)
2   IPv6 (IP version 6)
3   NSAP
4   HDLC (8-bit multidrop)
5   BBN 1822
6   802 (includes all 802 media plus Ethernet "canonical format")
7   E.163 (POTS)
8   E.164 (SMDS, Frame Relay, ATM)
9   F.69 (Telex)
10  X.121 (X.25, Frame Relay)
11  IPX
12  Appletalk
13  Decnet IV
14  Banyan Vines
15  E.164 with NSAP format subaddress

Values for RADIUS Attribute 72, ARAP-Zone-Access [RFC 2869]:
1   Only allow access to default zone
2   Use zone filter inclusively
3   (not used)
4   Use zone filter exclusively

Values for RADIUS Attribute 76, Prompt [RFC 2869]:
0   No Echo
1   Echo

Values for RADIUS Attribute 101, Error-Cause Attribute [RFC3576]:
201  Residual Session Context Removed
202  Invalid EAP Packet (Ignored)
401  Unsupported Attribute
402  Missing Attribute
403  NAS Identification Mismatch
404  Invalid Request
405  Unsupported Service
406  Unsupported Extension
501  Administratively Prohibited
502  Request Not Routable (Proxy)
503  Session Context Not Found
504  Session Context Not Removable
505  Other Proxy Processing Error
506  Resources Unavailable
507  Request Initiated

End of RADIUS Attribute Values.

RADIUS Packet Type Codes
------------------------
RADIUS Codes (decimal) are assigned as follows:

#        MESSAGE                              REFERENCE
1        Access-Request                       [RFC2865]
2        Access-Accept                        [RFC2865]
3        Access-Reject                        [RFC2865]
4        Accounting-Request                   [RFC2865]
5        Accounting-Response                  [RFC2865]
6        Accounting-Status                    [RFC2882] (now Interim Accounting)
7        Password-Request                     [RFC2882]
8        Password-Ack                         [RFC2882]
9        Password-Reject                      [RFC2882]
10       Accounting-Message                   [RFC2882]
11       Access-Challenge                     [RFC2865]
12       Status-Server (experimental)         [RFC2865]
13       Status-Client (experimental)         [RFC2865]
21       Resource-Free-Request                [RFC2882]
22       Resource-Free-Response               [RFC2882]
23       Resource-Query-Request               [RFC2882]
24       Resource-Query-Response              [RFC2882]
25       Alternate-Resource-Reclaim-Request   [RFC2882]
26       NAS-Reboot-Request                   [RFC2882]
27       NAS-Reboot-Response                  [RFC2882]
28       Reserved
29       Next-Passcode                        [RFC2882]
30       New-Pin                              [RFC2882]
31       Terminate-Session                    [RFC2882]
32       Password-Expired                     [RFC2882]
33       Event-Request                        [RFC2882]
34       Event-Response                       [RFC2882]
40       Disconnect-Request                   [RFC3575]
41       Disconnect-ACK                       [RFC3575]
42       Disconnect-NAK                       [RFC3575]
43       CoA-Request                          [RFC3575]
44       CoA-ACK                              [RFC3575]
45       CoA-NAK                              [RFC3575]
50       IP-Address-Allocate                  [RFC2882]
51       IP-Address-Release                   [RFC2882]
250-253  Experimental Use
254      Reserved
255      Reserved                             [RFC2865]

REFERENCES
----------
[RFC2058] Rigney, C., A. Rubens, W. Simpson, and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2058, Livingston, Merit, Daydreamer, January 1997.
[RFC2059] Rigney, C., "RADIUS Accounting", RFC 2059, Livingston, November 1996.
[RFC2865] Rigney, W., S. Willens, A. Rubens, and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2865, June 2000.
[RFC2867] Zorn, G., B. Aboba, D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[RFC2868] Zorn, G., D. Leifer, A. Rubens, J. Shriver, M. Holdrege, I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
[RFC2869] Rigney, C., W. Willats, P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.
[RFC3162] B. Aboba, G. Zorn, and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.
[RFC3580] P. Congdon, B. Aboba, A. Smith, G. Zorn, and J. Roese, "IEEE 802.1X RADIUS Usage Guidelines", RFC 3580, September 2003.
[RFC3575] B. Aboba, "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003.

PEOPLE
------
[Calhoun] Pat Calhoun, <pcalhoun@diameter.org>, May 2001.
[Chiba] Murtaza Chiba, <mchiba@cisco.com>, June 2001.
[IEEE 802.11f]
[Kerry] Stuart Kerry, <stuart.kerry@philips.com>, January 2003.
[McCann] Pete McCann, <mccap@lucent.com>, March 2002.
[Moore] Jeff Moore, <jeff.moore@cisco.com>, February 2001.
[Trifunovic] Nenad Trifunovic, <Nenad.Trifunovic@mci.com>, October 1998.
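Of the attributes in the registry above, the one that carries the client's MAC address is 31, Calling-Station-Id: for an 802.1X authenticator, RFC 3580 (listed in the references above) specifies that it holds the supplicant MAC in ASCII, e.g. "00-10-A4-23-19-C0". The Python below is an added example, not code from this thread, from Cisco ACS or from any RADIUS server. It parses a RADIUS Access-Request, pulls User-Name (1), Calling-Station-Id (31) and NAS-Port-Type (61), and checks the MAC against a per-user allow-list of registered machines. The allow-list, usernames, MACs and sample packets are constructed for the example; the code does only this policy check and does not verify the password or EAP exchange. Whether a given ACS version exposes such a username-to-MAC rule is not something this thread settles.

```python
import struct

# RADIUS packet code and attribute types from RFC 2865 (same numbers as in the
# IANA list above).
ACCESS_REQUEST = 1
USER_NAME = 1
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
NAS_PORT_TYPE_ETHERNET = 15  # RFC 2865 value sent by wired 802.1X authenticators

# Constructed allow-list of registered MACs per account (made-up names and MACs).
REGISTERED = {
    "alice": {"0010a42319c0"},
    "bob": {"00d0b7123456", "00d0b7abcdef"},
}


def build_access_request(identifier, attrs):
    """Encode a RADIUS Access-Request (RFC 2865 section 3): Code, Identifier,
    Length, 16-octet Request Authenticator, then Type/Length/Value attributes.
    Integer values are encoded as 4-octet big-endian, as RFC 2865 requires."""
    body = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    authenticator = bytes(16)  # sample only; a real NAS sends 16 random octets
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, [(type, value_bytes), ...]). Length fields are
    checked before use so a malformed packet raises instead of being misparsed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def normalize_mac(value):
    """An 802.1X authenticator puts the supplicant MAC in Calling-Station-Id as
    ASCII such as '00-10-A4-23-19-C0' (RFC 3580 section 3.21); Cisco devices may
    use '0010.a423.19c0'. Reduce either to 12 lowercase hex digits, else None."""
    text = value.decode("ascii", "replace")
    digits = "".join(ch for ch in text if ch in "0123456789abcdefABCDEF")
    return digits.lower() if len(digits) == 12 else None


def authorize(packet, registered=REGISTERED):
    """Policy check only: is the claimed user connecting from a MAC registered
    to that user? Verifying the password or EAP exchange is a separate step."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return ("reject", "not an Access-Request")
    by_type = {}
    for attr_type, value in attrs:
        by_type.setdefault(attr_type, []).append(value)
    names = by_type.get(USER_NAME, [])
    if len(names) != 1:
        return ("reject", "User-Name missing or repeated")
    user = names[0].decode("utf-8", "replace")
    for port_type in by_type.get(NAS_PORT_TYPE, []):
        if len(port_type) != 4 or struct.unpack("!I", port_type)[0] != NAS_PORT_TYPE_ETHERNET:
            return ("reject", "not a wired 802.1X port")
    ids = by_type.get(CALLING_STATION_ID, [])
    mac = normalize_mac(ids[0]) if len(ids) == 1 else None
    if mac is None:
        return ("reject", "no usable Calling-Station-Id (MAC) in request")
    if mac not in registered.get(user, set()):
        return ("reject", f"MAC {mac} is not registered to {user}")
    return ("accept", f"{user} from registered MAC {mac}")


if __name__ == "__main__":
    req = build_access_request(1, [(USER_NAME, b"alice"),
                                   (NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET),
                                   (CALLING_STATION_ID, b"00-10-A4-23-19-C0")])
    print(authorize(req))
```

The check rejects a request that has no Calling-Station-Id at all, rather than treating a missing MAC as "unknown, allow": a switch that does not send the attribute would otherwise silently disable the binding.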
12. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Does anyone know?
13. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
RADIUS can't do it.
14. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
Then what can? Lots of people say it can be done.
15. Re: help! Does anyone know how to use 802.1x and MAC address binding together?...
My personal opinion: too many security restrictions not only make things troublesome for users, they often make trouble for yourself too. Every extra security restriction adds a layer of technical complexity and makes troubleshooting much harder.
I think these few are enough: 1. MAC/port binding, done with port security; 2. IP/port binding, done with a port ACL (for the 2950G this should require the EMI image); 3. port isolation, done with protected ports.
That way it doesn't matter whether they change the IP or the MAC. 802.1x adds username authentication on top of that, but currently the 802.1x on Cisco switches can only assign a VLAN dynamically based on the username (I've tried it, it works) and can also do downloadable ACLs (I didn't get that one working; my ACS has some problem).
Some things are better not pushed too far onto the technical layer.
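The three controls listed in the post above (port security for MAC/port, a port ACL for IP/port, a protected port for isolation), plus dot1x on the port, can be checked mechanically across a switch's running-config. The Python below is an added example, not part of the thread and not Cisco tooling: it parses a constructed IOS-style config excerpt (interface names, VLAN number, MAC address and ACL name are made up) and reports, per access port, which of those controls is missing. It also flags sticky port security, because a sticky port learns whichever MAC appears first rather than a MAC you registered in advance, so it does not by itself enforce the "registered machines only" requirement in the question.

```python
import re

# Constructed running-config excerpt in IOS-style syntax, used as sample input.
# Interface names, VLAN number, MAC address and ACL name are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0010.a423.19c0
 switchport protected
 ip access-group PORT1-IN in
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport mode trunk
!
ip access-list extended PORT1-IN
 permit ip host 10.1.10.11 any
 deny ip any any
!
"""

STATIC_MAC = re.compile(r"^switchport port-security mac-address "
                        r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", re.I)
ACL_IN = re.compile(r"^ip access-group (\S+) in$")
REQUIRED_GLOBAL = ("aaa new-model", "dot1x system-auth-control")


def parse_config(text):
    """Split an IOS config into stanzas: an 'interface X' or 'ip access-list ...'
    header maps to its indented lines; other top-level commands go to '_global'."""
    stanzas, current = {"_global": []}, "_global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = "_global"
        elif line.startswith(" "):
            stanzas[current].append(line.strip())
        elif line.startswith(("interface ", "ip access-list ")):
            current = line
            stanzas[current] = []
        else:
            current = "_global"
            stanzas["_global"].append(line)
    return stanzas


def audit_port(lines, acls):
    """Return the list of missing or weak controls for one access port."""
    problems, present = [], set(lines)
    if "switchport port-security" not in present:
        problems.append("no port security: MAC is not bound to the port")
    elif not any(STATIC_MAC.match(l) for l in lines):
        if "switchport port-security mac-address sticky" in present:
            problems.append("sticky port security learns the first MAC seen, not a registered one")
        else:
            problems.append("port security has no static MAC address")
    acl_match = next((m for m in map(ACL_IN.match, lines) if m), None)
    if acl_match is None:
        problems.append("no inbound port ACL: IP is not bound to the port")
    else:
        name = acl_match.group(1)
        if name not in acls:
            problems.append(f"port ACL {name} is applied but not defined")
        elif not all(e.startswith("permit ip host ") for e in acls[name] if e.startswith("permit")):
            problems.append(f"port ACL {name} permits more than a single source host")
    if "switchport protected" not in present:
        problems.append("not a protected port: no isolation from other ports")
    if "dot1x port-control auto" not in present:
        problems.append("802.1X is not enforced on this port")
    return problems


def audit(text):
    """Map each non-compliant access port (and '_global') to its findings."""
    stanzas = parse_config(text)
    acls = {hdr.split()[-1]: body for hdr, body in stanzas.items()
            if hdr.startswith("ip access-list ")}
    findings = {}
    missing = [c for c in REQUIRED_GLOBAL if c not in stanzas["_global"]]
    if missing:
        findings["_global"] = ["missing global command: " + c for c in missing]
    for hdr, lines in stanzas.items():
        if not hdr.startswith("interface ") or "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for per-user port controls
        problems = audit_port(lines, acls)
        if problems:
            findings[hdr.split(None, 1)[1]] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit(SAMPLE_CONFIG).items():
        print(port)
        for p in problems:
            print("  -", p)
```

To run it against a real switch, replace SAMPLE_CONFIG with the text of `show running-config`. Only ports in access mode are examined, so an uplink without port security is not reported as a finding.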
16. Re: Re: help! Does anyone know how to use 802.1x and MAC address binding together?......
Also, for the relationship between 802.1x and port security, see this document: http://www.cisco.com/univercd/cc/td/doc/pr...21x.htm#1063385