终端服务器干什么用的

知802.
1XAAA杨海严2017-08-05发表胖AP结合远程radius服务器做802.
1X认证的典型配置在胖AP上开启802.
1X,无线终端802.
1X认证接入网络,认证服务器为iMC服务器.

无线终端属于vlan10,使用192.
168.
10.
0/24网段地址,网关192.
168.
10.
1在胖AP上;胖AP使用vlan-interface1(地址为192.
168.
0.
50)与三层交换机互联;iMC服务器的地址为10.
88.
142.
172.

(1)胖AP配置#和三层交换机互联地址interfaceVlan-interface1ipaddress192.
168.
0.
50255.
255.
255.
0#缺省路由,下一跳指向三层交换机iproute-static0.
0.
0.
00.
0.
0.
0192.
168.
0.
1#vlan10#无线终端业务网关interfaceVlan-interface10ipaddress192.
168.
10.
1255.
255.
255.
0#无线终端dhcp地址池,分配192.
168.
10.
0/24网段、网关地址和dnsdhcpserverip-poolvlan10network192.
168.
10.
0mask255.
255.
255.
0gateway-list192.
168.
10.
1dns-list114.
114.
114.
114#dhcp禁止分配网关地址dhcpserverforbidden-ip192.
168.
10.
1#使能dhcpdhcpenable#使能端口安全port-securityenable#802.
1x认证方式为eapdot1xauthentication-methodeap#配置radius方案,指定认证(授权)、计费服务器地址和密钥radiusschemeyanghaiyanserver-typeextendedprimaryauthentication10.
88.
142.
172primaryaccounting10.
88.
142.
172keyauthenticationsimple123456keyaccountingsimple123456user-name-formatwithout-domainnas-ip192.
168.
0.
50#配置域,调用radius方案domainyanghaiyanauthenticationlan-accessradius-schemeyanghaiyanauthorizationlan-accessradius-schemeyanghaiyanaccountinglan-accessradius-schemeyanghaiyan#配置无线BSS接口为hybrid口,pvid设置为业务vlan10,untagged业务vlan10,端口模式设置为userlogin-secure-ext,强制认证域,关闭802.
1X握手和组播触发interfaceWLAN-BSS10portlink-typehybridundoporthybridvlan1porthybridvlan10untaggedporthybridpvidvlan10port-securityport-modeuserlogin-secure-extport-securitytx-key-type11keydot1xmandatory-domainyanghaiyanundodot1xhandshakeundodot1xmulticast-trigger#新建加密类型的无线服务模板,配置ssid、加密套件和安全iewlanservice-template10cryptossidyhy_fat-ap_imc-1xcipher-suiteccmpsecurity-iersnservice-templateenable#radio下服务模板和BSS接口绑定interfaceWLAN-Radio1/0/2service-template10interfacewlan-bss10(2)三层交换机配置#和iMC服务器互联地址interfaceVlan-interface1ipaddress10.
88.
142.
102255.
255.
255.
0#连接iMC服务器接口interfaceGigabitEthernet1/0/1#vlan50#和AP互联地址interfaceVlan-interface50ipaddress192.
168.
0.
1255.
255.
255.
0#连接AP接口interfaceGigabitEthernet1/0/5portaccessvlan50poeenable#无线终端网段的回程路由,下一跳指向APiproute-static192.
168.
10.
024192.
168.
0.
50(3)iMC服务器配置#导入根证书#导入服务器证书,注意要输入私钥密码#增加接入设备,注意业务类型为"LAN接入业务",密码要正确,以AP的管理地址(192.
168.
0.
50)增加到设备列表#增加接入策略,首选EAP类型选择"EAP-PEAP",子类型为"EAP-MSCHAPv2"#增加接入服务,调用接入策略#增加接入用户,配置账号密码,调用接入服务(4)测试#打开iNode客户端,安全类型选WPA2,加密类型AES,选PEAP子类型MS-CHAPV2#输入账号密码,认证成功#认证通过后,无线终端和iMC服务器连通性正常#iMC服务器上查看用户已经在线#查看终端在线表项displaywlanclientTotalNumberofClients:1ClientInformationSSID:yhy_fat-ap_imc-1xMACAddressUserNameAPID/RIDIPAddressVLAN6480-99e9-3478bTNZG.
.
.
1/2192.
168.
10.
310#查看终端详细信息diswlanclientverboseTotalNumberofClients:1ClientInformationMACAddress:6480-99e9-3478UserName:b2cJHRgDMXQtSx1jJ1F+fQJPZcM=yhyAID:1RadioInterface:WLAN-Radio1/0/2SSID:yhy_fat-ap_imc-1xBSSID:70f9-6daf-ee10Port:WLAN-BSS10VLAN:10……RSSI:36Rx/TxRate:65/144.
4ClientType:WPA2(RSN)AuthenticationMethod:OpenSystemAuthenticationMode:CentralAKMMethod:Dot1X4-WayHandshakeState:PTKINITDONEGroupKeyState:IDLEEncryptionCipher:AES-CCMP……(1)无线终端、胖AP、三层交换机和iMC服务器是跨三层组网的,要注意配置路由,否则可能导致认证失败或者业务不通.
(2)导入的根证书和服务器证书一定要是配套的,另外注意iMC服务器的系统时间要正确,否则可能导致证书导入失败.
(3)iMC服务器上接入策略和iNode客户端参数最好保持一致,否则可能导致认证不上.