Self-study Aruba 5.3.2 - Aruba security authentication - MAC authentication configuration in an environment with a PEFNG license
1. Preface to MAC authentication configuration
It is recommended to define the initial role used before authentication passes as denyall; otherwise every user can access the network normally, regardless of whether their MAC address is a valid entry in the InterDB.
1.1 Define the role before MAC authentication passes as "denyall"; after authentication passes, define a new role
(Aruba650) (config) #aaa profile mac-profile
(Aruba650) (AAA Profile "mac-profile") #mac-server-group mac-server
(Aruba650) (AAA Profile "mac-profile") #authentication-mac mac-auth
(Aruba650) (AAA Profile "mac-profile") #initial-role denyall    #Define the initial role before authentication as denyall, which blocks all traffic
(Aruba650) (AAA Profile "mac-profile") #mac-default-role authenticated    #After authentication passes, the default derived role is authenticated
1.2 Define the initial role before MAC authentication passes as "denyall"; after authentication passes, the role is the server-derived role that was assigned to the user when the user was created in the InterDB.
(The default role for a user in the InterDB is guest, and guest allows all traffic.)
(Aruba650) (config) #aaa server-group mac-server
(Aruba650) (Server Group "mac-server") #set role condition role value-of    #The user receives the role that was defined when the user was created in the InterDB
(Aruba650) #local-userdb add username 08:10:17:02:10:e8 password 08:10:17:02:10:e8 role macyk
2. MAC authentication configuration commands
(Aruba650) #configure terminal

(Aruba650) (config) #aaa server-group mac-server    */Define the aaa server-group for server-derived roles
(Aruba650) (Server Group "mac-server") #auth-server Internal    */Built-in (internal) server
(Aruba650) (Server Group "mac-server") #set role condition role value-of    */If the server-derived role condition matches, use the value-of role (the role is derived from the role attribute returned by the server)
(Aruba650) (Server Group "mac-server") #exit

(Aruba650) (config) #aaa authentication mac mac-auth    */Define the aaa authentication profile
(Aruba650) (MAC Authentication Profile "mac-auth") #case lower    ##Lowercase characters
(Aruba650) (MAC Authentication Profile "mac-auth") #delimiter colon    ##Colon-separated, in the format aa:bb:cc:dd:ee:ff
(Aruba650) (MAC Authentication Profile "mac-auth") #exit

(Aruba650) (config) #aaa profile mac-profile    */Define the aaa profile
(Aruba650) (AAA Profile "mac-profile") #mac-server-group mac-server    ##Associate the aaa server group
(Aruba650) (AAA Profile "mac-profile") #authentication-mac mac-auth    ##Associate the aaa authentication profile
(Aruba650) (AAA Profile "mac-profile") #initial-role denyall    ##Initial role denyall
(Aruba650) (AAA Profile "mac-profile") #mac-default-role authenticated    ##Define the default role after MAC authentication; if no server-derived role is produced, the user gets this role

(Aruba650) (config) #wlan ssid-profile mac-ssid    */Define the ssid-profile
(Aruba650) (SSID Profile "mac-ssid") #essid macyk    ##The essid is macyk
(Aruba650) (SSID Profile "mac-ssid") #exit

(Aruba650) (config) #wlan virtual-ap mac-vap    */Define the virtual-ap
(Aruba650) (Virtual AP profile "mac-vap") #aaa-profile mac-profile    ##Associate the aaa-profile
(Aruba650) (Virtual AP profile "mac-vap") #ssid-profile mac-ssid    ##Associate the ssid-profile
(Aruba650) (Virtual AP profile "mac-vap") #vlan 179    ##Use user VLAN 179
(Aruba650) (Virtual AP profile "mac-vap") #exit

(Aruba650) (config) #ap-group macyk    */Define the ap-group
(Aruba650) (AP group "macyk") #virtual-ap mac-vap    ##Add the virtual-ap to the macyk group
(Aruba650) (AP group "macyk") #exit
(Aruba650) #local-userdb add username 00:1f:3c:43:58:85 password 00:1f:3c:43:58:85 role role-mac    ##Add the user with MAC 00:1f:3c:43:58:85 to the role-mac role
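The two things most likely to go wrong with the setup in sections 1 and 2 are an AAA profile that forgets `initial-role denyall` (so unknown MACs get network access) and InterDB entries whose MAC format does not match the `case lower` / `delimiter colon` settings of the MAC authentication profile (so a legitimate client fails the lookup). The following Python helper is an added example, not part of the original post and not Aruba's own tooling: it audits `aaa profile` blocks in a running-config-style text for the denyall initial role, normalizes MAC addresses to the configured format, and emits the matching `local-userdb add` lines. The sample configuration is constructed for the example; the indented child-line layout and the `delimiter colon|dash|none` option names are assumptions about the controller's config syntax.

```python
import re

# Constructed sample in show running-config layout: one AAA profile configured
# as in section 2, and one that omits the initial role (the pitfall from section 1).
SAMPLE_CONFIG = """\
aaa profile mac-profile
    mac-server-group mac-server
    authentication-mac mac-auth
    initial-role denyall
    mac-default-role authenticated
aaa profile bad-profile
    mac-server-group mac-server
    authentication-mac mac-auth
    mac-default-role authenticated
"""


def parse_aaa_profiles(config_text):
    """Return {profile_name: {setting: value}} for every `aaa profile` block.

    Assumes the running-config layout where a block's settings are indented
    under the `aaa profile <name>` line (hypothetical sample format)."""
    profiles = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r'^aaa profile "?([^"\s]+)"?$', line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is not None and raw[:1] in (" ", "\t"):
            key, _, value = line.partition(" ")
            profiles[current][key] = value.strip()
        else:
            # A non-indented line that is not a profile header ends the block.
            current = None
    return profiles


def profiles_without_denyall(config_text):
    """Names of AAA profiles whose pre-authentication role is not denyall.

    Any profile listed here lets clients that are not in the InterDB onto the
    network before MAC authentication has succeeded."""
    return sorted(name for name, settings in parse_aaa_profiles(config_text).items()
                  if settings.get("initial-role") != "denyall")


def normalize_mac(mac, case="lower", delimiter="colon"):
    """Rewrite a MAC address into the form selected by the MAC authentication
    profile's `case` and `delimiter` settings. Raises ValueError on bad input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.lower() if case == "lower" else digits.upper()
    separators = {"colon": ":", "dash": "-", "none": ""}
    sep = separators[delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def local_userdb_commands(macs, role, case="lower", delimiter="colon"):
    """Emit `local-userdb add` commands; username and password are both the
    normalized MAC, exactly as in the post's examples."""
    commands = []
    for mac in macs:
        m = normalize_mac(mac, case=case, delimiter=delimiter)
        commands.append(f"local-userdb add username {m} password {m} role {role}")
    return commands


if __name__ == "__main__":
    for name in profiles_without_denyall(SAMPLE_CONFIG):
        print(f"WARNING: aaa profile {name} does not set initial-role denyall")
    # Mixed-format input as it might arrive from an inventory spreadsheet.
    for cmd in local_userdb_commands(["00-1F-3C-43-58-85", "081017 0210E8"], "role-mac"):
        print(cmd)
```

Run the audit against the output of `show running-config` before applying a new AAA profile; the warning line is the condition the preface tells you to avoid. The normalizer is the same transformation the controller applies to the client's MAC, so feeding the InterDB through it guarantees the stored username matches what the MAC authentication profile will look up.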
3. PSK+MAC authentication configuration commands
(Aruba650) #configure terminal

(Aruba650) (config) #aaa server-group macpsk-server
(Aruba650) (Server Group "macpsk-server") #auth-server Internal
(Aruba650) (Server Group "macpsk-server") #set role condition role value-of
(Aruba650) (Server Group "macpsk-server") #exit

(Aruba650) (config) #aaa authentication dot1x macpsk-dot1x-auth clone default-psk

(Aruba650) (config) #aaa authentication mac macpsk-mac-auth
(Aruba650) (MAC Authentication Profile "macpsk-mac-auth") #case lower
(Aruba650) (MAC Authentication Profile "macpsk-mac-auth") #delimiter colon
(Aruba650) (MAC Authentication Profile "macpsk-mac-auth") #exit

(Aruba650) (config) #aaa profile macpsk-profile
(Aruba650) (AAA Profile "macpsk-profile") #authentication-dot1x macpsk-dot1x-auth
(Aruba650) (AAA Profile "macpsk-profile") #authentication-mac macpsk-mac-auth
(Aruba650) (AAA Profile "macpsk-profile") #mac-server-group macpsk-server
(Aruba650) (AAA Profile "macpsk-profile") #initial-role denyall
(Aruba650) (AAA Profile "macpsk-profile") #mac-default-role authenticated    ##Define the default role after MAC authentication; if no server-derived role is produced, the user gets this role

(Aruba650) (config) #wlan ssid-profile macpsk-ssid
(Aruba650) (SSID Profile "macpsk-ssid") #essid macpsk
(Aruba650) (SSID Profile "macpsk-ssid") #wpa-passphrase 12345678
(Aruba650) (SSID Profile "macpsk-ssid") #opmode wpa-psk-tkip
(Aruba650) (SSID Profile "macpsk-ssid") #opmode wpa2-psk-aes
(Aruba650) (SSID Profile "macpsk-ssid") #exit

(Aruba650) (config) #wlan virtual-ap macpsk-vap
(Aruba650) (Virtual AP profile "macpsk-vap") #aaa-profile macpsk-profile
(Aruba650) (Virtual AP profile "macpsk-vap") #ssid-profile macpsk-ssid
(Aruba650) (Virtual AP profile "macpsk-vap") #vlan 100
(Aruba650) (Virtual AP profile "macpsk-vap") #exit

(Aruba650) (config) #ap-group macpskyk
(Aruba650) (AP group "macpskyk") #virtual-ap macpsk-vap
(Aruba650) (AP group "macpskyk") #exit
(Aruba650) #local-userdb add username 00:1f:3c:43:58:85 password 00:1f:3c:43:58:85 role role-mac    ##Add the user with MAC 00:1f:3c:43:58:85 to the role-mac role