Исходное сообщение
"Cisco 802.1x + freeradius + dynamic port assignment" Отправлено vlakas, 21-Июл-09 12:13
Доброго времени суток. Есть Freeradius 2.1.6 on Debian Lenny, Cisco Catalyst 2950, Win XP Home как supplicant. Надо на этом добре поднять 802.1x таким образом, чтобы при аутентификации пользователь в соответствии со своим логином и паролем попадал в нужный ему VLAN. Аутентификация пользователей на Win XP Home (как ни странно но у хомяка есть 802.1x supplicant; к сожалению другой винды с поддержкой данного стандарта нет) проходит нормально и порт переходит в состояние "UP". Только вот остается в 1-м VLAN. Версия IOS: sw-1#sh version Cisco Internetwork Operating System Software IOS ™ C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1) Copyright © 1986-2005 by cisco Systems, Inc. Compiled Fri 21-Oct-05 01:59 by yenanh Image text-base: 0x80010000, data-base: 0x80568000 ROM: Bootstrap program is C2950 boot loader sw-1 uptime is 39 minutes System returned to ROM by power-on System image file is "flash:/c2950-i6q4l2-mz.121-22.EA6.bin" cisco WS-C2950G-24-EI-DC (RC32300) processor (revision L0) with 21013K bytes of memory. Processor board ID FOC1007Y0VV Last reset from system-reset Running Enhanced Image 24 FastEthernet/IEEE 802.3 interface(s) 2 Gigabit Ethernet/IEEE 802.3 interface(s) 32K bytes of flash-simulated non-volatile configuration memory. Base ethernet MAC Address: 00:17:0E:D6:3F:40 Motherboard assembly number: 73-7411-05 Power supply part number: 34-1677-01 Motherboard serial number: FOC10071WMM Power supply serial number: DAB09510A3U Model revision number: L0 Motherboard revision number: A0 Model number: WS-C2950G-24-EI-DC System serial number: FOC1007Y0VV Configuration register is 0xF Из манов кашководов: To configure VLAN assignment you need to perform these tasks: • Enable authentication, authorization, and accounting (AAA) authorization. • Enable IEEE 802.1x authentication (the VLAN assignment feature is automatically enabled when you configure IEEE 802.1x authentication on an access port). • Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: – [64] Tunnel-Type = VLAN – [65] Tunnel-Medium-Type = IEEE 802 – [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value IEEE 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user. This example shows how to specify an authorized VLAN in the RADIUS server database: cisco-avpair= ”tunnel-type(#64)=VLAN(13)” cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)” cisco-avpair= ”tunnel-private-group-ID(#81)=vlanid” Конфигурация Cisco: sh run Building configuration... Current configuration : 2079 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname sw-1 ! aaa new-model aaa group server radius myradius server 10.0.0.101 auth-port 1812 acct-port 1813 ! aaa authentication login default group myradius local aaa authentication enable default group myradius enable aaa authentication dot1x default group myradius local enable secret 5 $1$MO.u$AFBnnSHdM1h8p6D8.rkPJ0 ! username enable secret 5 $1$ziOU$KGZYwClC71P8oQF9zOSc7. username localuser1 privilege 5 secret 5 $1$AG84$/588WvRr2DQntTWbffWuJ/ username localuser2 privilege 5 secret 5 $1$SfED$AChgcdrnUnO.k0hh57Gcc. username localadmin privilege 15 secret 5 $1$7PR3$vHBECst3LgFm8YeS.5iU41 ip subnet-zero ! ! spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id dot1x system-auth-control ! ! ! ! interface FastEthernet0/1 ! interface FastEthernet0/2 switchport access vlan 100 switchport mode access ! interface FastEthernet0/3 switchport mode access dot1x port-control auto dot1x reauthentication spanning-tree portfast interface FastEthernet0/4 ! interface FastEthernet0/5 ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8 ! interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 no ip address no ip route-cache shutdown ! interface Vlan100 ip address 10.0.0.1 255.255.255.0 no ip route-cache ! ip http server radius-server host 10.0.0.101 auth-port 1812 acct-port 1813 radius-server retransmit 3 radius-server key test8021x ! line con 0 line vty 5 15 ! ! end Конфиг пользователей freeradius: /usr/etc/raddb/users ... user1 Cleartext-Password := "test8021x" cisco-avpair = "tunnel-type=VLAN", cisco-avpair = "tunnel-medium-type=802 media", cisco-avpair = "tunnel-private-group-id=100" ... Поскольку RADIUS работает нормально, прочих конфигов не привожу. Спасибо