H3C MSG360 wireless AC with Microsoft NPS: 802.1X authentication with domain accounts

Network architecture:

Windows Server 2022 running AD DS + DNS + NPS; DHCP server on the H3C 5500V2 Layer-3 switch; wireless AC H3C MSG-360.

Preface:

Make sure every device in the topology has working connectivity to the others and to the Internet.

First install the Certificate Services (CA) role on the AD domain server. If your environment already has a CA, you only need to install NPS.

The CA service is now installed.

To protect the EAP exchange between NPS and the wireless controller, request a new server certificate for the NPS server (certificate purposes Client Authentication and Server Authentication; if such a certificate already exists there is no need to request another). For PEAP it is the Server Authentication purpose that supplicants check, so the clients must also be configured to validate this certificate (trusted root plus server name); a client that accepts any certificate will hand its MS-CHAPv2 credentials to any access point and RADIUS server that imitate this SSID.

Using the MMC console, open the Certificates snap-in

Request a new certificate

Request completed

Next, install the NPS role

NPS configuration

Add the switch or wireless AC that performs the network authentication as a RADIUS client; user endpoints are never RADIUS clients.

This lets the specified switch or other network access device obtain authentication results from NPS; users authenticate directly at the access device.

Add the AC as a RADIUS client (the address must match the source IP the AC uses for RADIUS, and the shared secret must match the value configured on the AC)

Create a new connection request policy

Add a condition

Default

Default

Default

Summary of parameters

Create a new network policy

The user's group determines the VLAN the user is placed in. (If NPS assigns the VLAN, the network policy returns the standard RADIUS attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = 802 and Tunnel-Private-Group-ID = the VLAN ID.)

First delete the system default policies; leaving them in place can cause user authentication to fail.

Right-click, New

Add the domain user group that is allowed wireless access

Summary of types

Default

Select the certificate requested above, then click Next

Summary, finish

Open the RADIUS ports on the firewall (UDP 1812 for authentication and UDP 1813 for accounting; NPS also listens on the legacy ports 1645/1646).
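The NPS-side steps above, done from an elevated PowerShell on the NPS server instead of the GUI, as an added example that is not part of the original post. It registers the AC as a RADIUS client with a random shared secret, opens the RADIUS ports only to the AC, enables NPS auditing and lists the denied requests with their reason codes. The AC address 192.168.50.3 is taken from the AC configuration in this post; the client name, rule name and log window are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the NPS server.
# Assumptions: the AC sends RADIUS from 192.168.50.3 (matches "nas-ip" below);
# the client name "MSG360-AC" and the firewall rule name are hypothetical.

Import-Module NPS

# 1. Generate a long random shared secret instead of the "12345678" used in the
#    AC example. The same value must then be set on the AC with
#    "key authentication simple <secret>". The secret is all that protects the
#    WPA2 session keys NPS returns in Access-Accept, so it must not be guessable.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)   # 44 printable characters

# 2. Register the AC (the NAS), not the user endpoints, as a RADIUS client.
New-NpsRadiusClient -Name "MSG360-AC" -Address "192.168.50.3" `
    -SharedSecret $secret -AuthAttributeRequired $false

# 3. Open UDP 1812/1813 (authentication/accounting), but only from the AC.
New-NetFirewallRule -DisplayName "RADIUS from MSG360-AC" -Direction Inbound `
    -Protocol UDP -LocalPort 1812,1813 -RemoteAddress 192.168.50.3 `
    -Action Allow -Profile Domain

# 4. NPS writes 6272 (granted) / 6273 (denied) to the Security log only when
#    the "Network Policy Server" audit subcategory is enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

# 5. Show the denied requests of the last 24 hours with NPS's reason code, which
#    distinguishes a wrong shared secret from a policy or certificate problem.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273
                                 StartTime = (Get-Date).AddHours(-24) } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $data['FullyQualifiedSubjectUserName']
        Client    = $data['CallingStationID']      # supplicant MAC
        NasIp     = $data['NASIPv4Address']         # should be 192.168.50.3
        Policy    = $data['NetworkPolicyName']
        EapType   = $data['EAPType']
        Reason    = $data['ReasonCode']
        ReasonTxt = $data['Reason']
    }
  } | Format-Table -AutoSize

# Print the secret once so it can be typed into the AC, then drop it.
Write-Host "Shared secret for the AC: $secret"
Remove-Variable secret, bytes
```

Keep the secret out of scripts and ticket systems; if it has to be stored, store it where the AC configuration backup is kept, since the AC's running config only shows it in `cipher` form.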

AC section

##Enable RADIUS

radius scheme windows-ad //create the RADIUS scheme named windows-ad and enter its view
primary authentication 192.168.50.221 //primary authentication server (the NPS host)
primary accounting 192.168.50.221 //primary accounting server (optional; accounting is not used here)
secondary authentication 192.168.50.220 //secondary authentication server (optional; there is no backup server here)
secondary accounting 192.168.50.220 //secondary accounting server (optional; not used)
key authentication simple 12345678 //shared secret for the authentication server; must match the RADIUS client entry in NPS. "12345678" is only a placeholder: the WPA2 session keys NPS returns in Access-Accept are encrypted with nothing but this secret, so use a long random one
key accounting simple 12345678 //shared secret for the accounting server (optional; not used)
user-name-format without-domain //send the user name to the server without the domain suffix (the default keeps it, which can fail against NPS)
nas-ip 192.168.50.3 //source address of RADIUS packets; if the AC has several IP addresses this must be the one registered as the RADIUS client in NPS

quit //exit

##Configure the ISP domain

domain network.lan //create the domain and enter its view
authentication lan-access radius-scheme windows-ad //LAN-access authentication through the RADIUS scheme windows-ad created above
authorization lan-access radius-scheme windows-ad //LAN-access authorization through the same scheme
quit //exit

dot1x //enable 802.1X globally

dot1x authentication-method eap //relay EAP end to end to the RADIUS server (required for PEAP against NPS; the chap/pap methods terminate EAP on the AC)

##Enable RADIUS session control

radius session-control enable //accept session-control packets (for example disconnect requests) from the RADIUS server

##Wireless service template, for reference

wlan service-template ceshi //create the service template named ceshi
ssid ceshi //SSID ceshi
akm mode dot1x //AKM mode 802.1X (WPA2-Enterprise)
client-security authentication-mode dot1x //client authentication mode 802.1X
dot1x domain network.lan //ISP domain for 802.1X users on this SSID (the domain created above)
cipher-suite ccmp //CCMP (AES) cipher suite
security-ie rsn //advertise the RSN (WPA2) information element
client-security authentication fail-vlan 200 //Auth-Fail VLAN: clients that fail authentication are placed in VLAN 200, which should be a restricted VLAN, not the SSID's normal service VLAN
client-security authentication critical-vlan 210 //(optional) critical VLAN: used when every authentication server is unreachable, so users are not locked out
service-template enable //enable the service template

AC configuration summary (running config as captured). Three settings in it are worth changing before production: `telnet server enable` (cleartext management, while SSH is already enabled), `undo info-center enable` (turns off the AC's logging, so 802.1X failures leave no trace on the AC), and `client-security authentication fail-vlan 172` on template ceshi, which is the same VLAN the SSID serves, so a client that fails authentication ends up on the same network as one that passes:

dis cu
#
version 7.1.064, Release 5461P01
#
sysname AC
#
wlan global-configuration
calibrate-channel self-decisive enable all
calibrate-power self-decisive enable all
#
telnet server enable
#
dot1x authentication-method eap
#
dhcp enable
#
dns server 114.114.114.114
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 50
#
vlan 100
#
vlan 172
#
wlan service-template ceshi
ssid ceshi
vlan 172
akm mode dot1x
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
client-security authentication fail-vlan 172
dot1x domain network.lan
service-template enable
#
wlan service-template h3c-g-375d40
ssid H3C-G-375D40
vlan 10
akm mode dot1x
cipher-suite ccmp
security-ie rsn
gtk-rekey enable
client-security authentication-mode dot1x
dot1x domain actest
service-template enable
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface50
ip address 192.168.50.3 255.255.255.0
#
interface Vlan-interface100
ip address 2.2.1.1 255.255.255.0
#
interface Vlan-interface172
ip address 172.88.0.2 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
ip address dhcp-alloc
nat outbound
undo dhcp select server
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/2
port link-mode bridge
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
interface GigabitEthernet1/0/4
port link-mode bridge
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 31
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 192.168.50.2
#
undo info-center enable
undo info-center logfile enable
#
ssh server enable
#
radius session-control enable
#
radius scheme windows-ad
primary authentication 192.168.50.221
primary accounting 192.168.50.221
secondary authentication 192.168.50.220 key cipher $c$3$k5w5smgINDCzynJuFDSZbeiAkLyLyAE8Vlq6
secondary accounting 192.168.50.220 key cipher $c$3$eUK8sNBVSWGLSofLyaiSou8zCkNYXQ0Gbu2J
key authentication cipher $c$3$aYf6Jv8TU0FN1KhsbF8e3ommiV+/vPLKAlxS
key accounting cipher $c$3$7I2LFk2Z4fc/o1HtxZVJZiVGYbPOtlKHbcY7
user-name-format without-domain
nas-ip 192.168.50.3
#
domain actest
authentication lan-access local
authorization lan-access local
accounting lan-access none
#
domain network.lan
authentication lan-access radius-scheme windows-ad
authorization lan-access radius-scheme windows-ad
accounting lan-access radius-scheme windows-ad
#
domain system
authentication lan-access local
authorization lan-access local
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group guest
authorization-attribute vlan 10
#
user-group system
#
local-user admin class manage
password hash $h$6$LfNqnWkJhHdFjDBo$FT7wEons5fWYLDH6UZsbJwsre9eACcWPtGfUoK4LsI5/nWtkizPiQnld+zofLxPEpxLRHma1wET7atPoLSQMow==
service-type ssh telnet http https
authorization-attribute user-role network-admin
#
local-user acguest class network
password cipher $c$3$+sgOaTdWHbmawIxWUB7YSEEUQMjm80cYK7kfXd+daAo=
access-limit 100
service-type lan-access
group guest
authorization-attribute user-role network-operator
#
netconf soap http enable
netconf ssh server enable
#
ip http enable
ip https enable
#
smartmc tm username admin password cipher $c$3$UCy6Gkl+jeeBvqiu/fRTBVZ2JSSfV+Y+ enable
#
wlan auto-ap enable
wlan auto-persistent enable
wlan tcp mss 1360
#
wlan ap-group default-group
vlan 1
ap-model SPM-D26X
ap-model SPM-X1-10
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
gigabitethernet 6
gigabitethernet 7
gigabitethernet 8
gigabitethernet 9
gigabitethernet 10
gigabitethernet 11
gigabitethernet 12
ap-model SPM-X1-24
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
gigabitethernet 6
gigabitethernet 7
gigabitethernet 8
gigabitethernet 9
gigabitethernet 10
gigabitethernet 11
gigabitethernet 12
gigabitethernet 13
gigabitethernet 14
gigabitethernet 15
gigabitethernet 16
gigabitethernet 17
gigabitethernet 18
gigabitethernet 19
gigabitethernet 20
gigabitethernet 21
gigabitethernet 22
gigabitethernet 23
gigabitethernet 24
ap-model WAP611H
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ap-model WAP611H-U
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ap-model WAP622
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP622-U
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP622H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP622H-U
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP711H
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ethernet 3
ap-model WAP712C
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712C-HI
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712C-LI
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP712H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ethernet 3
ap-model WAP712X
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722E-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
ap-model WAP722S
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP722S-HI
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP722S-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP722S-W2-IOT
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP722X-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WAP722XS-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WAP723-W2
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
radio 3
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP912X
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP922
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP922E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP922H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP922X
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WAP923
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
radio 3
radio enable
service-template h3c-g-375d40
gigabitethernet 1
smartrate-ethernet 1
ap-model WAP952
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP952E
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
ap-model WAP952H
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WAP953
radio 1
radio enable
service-template h3c-g-375d40
radio 2
radio enable
service-template h3c-g-375d40
radio 3
radio enable
service-template h3c-g-375d40
gigabitethernet 1
gigabitethernet 2
ap-model WT828-Q
ap-model WTU410H
radio 1
radio enable
service-template h3c-g-375d40
ethernet 1
ethernet 2
ethernet 3
#
wlan virtual-ap-group default-virtualapgroup
#
wlan ap 3897-d620-1180 model WAP722E
serial-id 219801A0Q3915BG00428
vlan 1
radio 1
max-power 10
power-lock enable
service-template ceshi
radio 2
max-power 10
power-lock enable
radio disable
service-template ceshi
gigabitethernet 1
gigabitethernet 2
#
cloud-management server domain cloudnet.h3c.com
#
return

References used above:

H3C wireless controller with Windows 2008 NPS for 802.1X authentication of wireless clients: https://blog.51cto.com/lixiaosong/1336731

https://space.bilibili.com/94703843

For 802.1X authentication on the wired network, see: https://www.bilibili.com/read/cv14437266?spm_id_from=333.999.0.0

To troubleshoot connection failures, check Event Viewer on the NPS server (Security log: Event ID 6273 records denied requests together with a reason code, 6272 records granted ones).

Wired switch configuration tutorial (backup)
