Huawei AC6605 Integration with External Third-Party Portal Authentication - 管理猿 2019-08-12 | Views: 263

Setup: the AC sits below the firewall and the audit device. The firewall port-maps the AC to a public address so that authentication can be completed against the public Portal server.
AC internal IP: 172.16.10.253
AC software version: AC6605V200R008C10SPC300.006
AC public IP: 219.1.1.x (maps to UDP port 2000 of 172.16.10.253)
Portal IP: 104.219.50.83
1: Enable debugging on the AC6605 and output the logs to the telnet session

<ac6605>ter deb
<ac6605>ter mon
<ac6605>ter log
<ac6605>debugging web all
<ac6605>debugging radius all
<ac6605>debugging portal all
<ac6605>debugging udp packet ## enable only when needed; most of the Portal exchange is UDP packets.
<ac6605>sys
[ac6605]info-center enable

2: Configure Portal authentication on the AC (most unrelated configuration omitted)

<219.1.1.x>dis cu
#
 sysname 219.1.1.x   ## configuring source-ip directly as the URL parameter may cause problems, so the sysname is used to carry the AC IP instead
#
undo hwtacacs enable 
#
vlan batch 10 16 32 100
#
stp enable
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name zhuomai     ## create the authentication profile; it is bound to the VAP profile at the end
 mac-access-profile mac_access_profile  ## MAC-trigger authentication profile; the default is fine
 portal-access-profile zhuomai          ## Portal access profile
 free-rule-template default_free_rule   ## template of resources reachable before authentication
 authentication-scheme zhuomai          ## authentication scheme
 accounting-scheme zhuomai              ## accounting scheme
 radius-server zhuomai                  ## bind the RADIUS server
#
domain zhuomai                          ## default authentication domain; it is used only if the authentication profile above specifies no scheme. The scheme is already configured above, so this line can be undone
#
portal captive-adaptive enable          ## enable
#
dhcp enable
#
management-port isolate enable
management-plane isolate enable
#
diffserv domain default
#
radius-server template default
radius-server template zhuomai         ## RADIUS server template; configure the shared key
 radius-server shared-key cipher %^%#3ZE11uT:jN=WWh/R=.EQ1!49D#$[l$kJ6BZ|:X\+%^%#
 radius-server authentication 104.219.50.83 1812 weight 80   ## authentication server address and port; if you must configure source-ip, finish the server template first and then run test-aaa (test-aaa <username> <password> radius-template zhuomai)
 radius-server accounting 104.219.50.83 1813 weight 80       ## accounting server address and port
 undo radius-server user-name domain-included                ## the user name sent for authentication does not include the domain
 calling-station-id mac-format hyphen-split mode2            ## MAC format carried in the RADIUS exchange; optional
radius-server authorization 104.219.50.83 shared-key cipher  %^%#"l6<F3@n0"S9Q,3*'}x@$+~),+|Y*:Xnsb>l,RO:%^%# server-group zhuomai
                                                             ## authorization server for CoA / forced offline
#                                         
pki realm default                         
 rsa local-key-pair default               
 enrollment self-signed                   
#                                         
ssl policy default_policy type server     
 pki-realm default                        
 version tls1.0 tls1.1 tls1.2             
 ciphersuite rsa_aes_128_cbc_sha rsa_aes_128_sha256 rsa_aes_256_sha256 
#                                         
ike proposal default                      
 encryption-algorithm aes-256             
 dh group14                               
 authentication-algorithm sha2-256        
 authentication-method pre-share          
 integrity-algorithm hmac-sha2-256        
 prf hmac-sha2-256                        
#                                         
free-rule-template name default_free_rule                ## whitelist of resources reachable before authentication; DNS and the Portal server must be permitted, add others as the environment requires
 free-rule 1 destination ip 114.114.114.114 mask 255.255.255.255
 free-rule 2 destination ip 104.219.50.83 mask 255.255.255.255
 free-rule 3 destination ip 202.103.24.68 mask 255.255.255.255
 free-rule 4 destination ip 202.103.44.150 mask 255.255.255.255 source ip any
 free-rule 5 destination any source ip 114.114.114.114 mask 255.255.255.255
 free-rule 6 destination any source ip 104.219.50.83 mask 255.255.255.255
 free-rule 7 destination any source ip 202.103.44.150 mask 255.255.255.255
 free-rule 8 destination any source ip 202.103.24.68 mask 255.255.255.255
 free-rule 9 destination ip 172.16.10.253 mask 255.255.255.255
 free-rule 10 destination ip any source ip 172.16.10.253 mask 255.255.255.255
 free-rule 11 destination ip any source ip 172.16.16.1 mask 255.255.255.255
 free-rule 12 destination ip 172.16.16.1 mask 255.255.255.255
 free-rule 13 destination ip 172.16.32.1 mask 255.255.255.255 source ip any
 free-rule 14 destination ip any source ip 172.16.32.1 mask 255.255.255.255
 free-rule 15 destination ip 219.1.1.x mask 255.255.255.255
 free-rule 16 destination ip any source ip 219.1.1.x mask 255.255.255.255
#                                         
url-template name zhuomai                 ## URL parameter template
 url https://104.219.50.83:4432/
 url-parameter ap-ip apip redirect-url wlanuserfirsturl ssid ssid user-ipaddress wlanuserip user-mac usermac sysname wlanacip
 url-parameter mac-address format delimiter : normal  ## MAC format used in the URL parameters
#                                         
web-auth-server zhuomai                  ## Portal server template
 server-ip 104.219.50.83                 ## Portal server address
 port 50100                              ## Portal server service port, default 50100
 shared-key cipher %^%#jv^$%+<eN"Zw6]K^mZwX3\]}P4_j}R^&`xMxI3a6%^%#  ## shared key for the Portal protocol part
 url https://104.219.50.83:4432          ## URL the terminal is redirected to for Portal authentication
 url-template zhuomai                    ## bind the URL parameter template
 user-sync                               ## user synchronization, avoids users getting stuck on the authentication platform; optional
 source-ip 172.16.10.253                 ## optional; if configured, use the AC's real IP address
#
portal-access-profile name portal_access_profile ## access profile, built-in default
#
portal-access-profile name zhuomai        ## access profile
 web-auth-server zhuomai direct           ## bind the Portal server template and set the access mode: direct checks MAC and IP, layer3 checks IP only
#
portal-access-profile name HJGCDX         ## same as above
 web-auth-server zhuomai direct
#
aaa                                       ## where the authentication schemes are defined; redundant configuration removed
 authentication-scheme zhuomai            ## authentication scheme template
  authentication-mode radius              ## authentication method, set to radius
 accounting-scheme zhuomai                ## accounting scheme template
  accounting-mode radius                  ## accounting method, set to RADIUS
  accounting start-fail online            ## allow the user online if accounting start fails
 domain zhuomai                           ## authentication domain name; optional
  authentication-scheme zhuomai           
  accounting-scheme zhuomai               
  radius-server zhuomai                   
#                                         
interface Vlanif10                        
 description AP_GuanLi                    
 ip address 172.16.10.253 255.255.255.0   ## the AC's real address

#                                         
interface Eth-Trunk1                      
 description to S7706-WW-CORE01           
 port link-type trunk                     
 undo port trunk allow-pass vlan 1        
 port trunk allow-pass vlan 2 to 4094     
#                                         
interface GigabitEthernet0/0/1            
 port link-type access                    
 port default vlan 100                    
#                                         
interface GigabitEthernet0/0/2            
 port link-type access                    
 port default vlan 100                    
#                                         
interface GigabitEthernet0/0/3            
#                                              
#                                         
interface GigabitEthernet0/0/23           
 port media type fiber                    
 combo-port fiber                         
 eth-trunk 1                              
#                                         
interface GigabitEthernet0/0/24           
 port media type fiber                    
 combo-port fiber                         
 eth-trunk 1                              
#                                         
interface XGigabitEthernet0/0/1           
#                                         
interface XGigabitEthernet0/0/2           
#                                         
interface NULL0                           
#                                         
 info-center channel 9 name loghost1      
 info-center source default channel 9 log level emergencies
 info-center loghost 172.17.1.200 channel 9
 info-center monitor channel 0            
 info-center timestamp log format-date    
#                                         
 undo snmp-agent                          
#                                         
 stelnet server enable                    
 undo telnet server enable                
 undo telnet ipv6 server enable           
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1   
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1   
#                                         
ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
#                                         
capwap source interface vlanif10          
#                                         
user-interface con 0                      
 authentication-mode password             
 set authentication password cipher %^%#`QDVEcVOJ7\79./BdeaL@nc`Hr%SI:V~^vItmk1-301[@_kVlHtVXlUxw@}7%^%#
user-interface vty 0                      
 authentication-mode aaa                  
 screen-length 32                         
 protocol inbound ssh                     
user-interface vty 1                      
 authentication-mode aaa                  
 screen-length 42                         
 protocol inbound ssh                     
user-interface vty 2 4                    
 authentication-mode aaa                  
 protocol inbound ssh                     
user-interface vty 16 20                  
 protocol inbound all                     
#                                         
wlan                                      
 traffic-profile name default             
 security-profile name HJGCDX             
 security-profile name default            
 security-profile name default-wds        
  security wpa2 psk pass-phrase %^%#qNfI(V#y8:b/W|/(mY81#Z\D8~!8Y*#IO1RwV);+%^%# aes
 security-profile name default-mesh       
  security wpa2 psk pass-phrase %^%#o[7"I"t]\4xd-e7_BV:3&kdR~nCGO!El4DSuB>~E%^%# aes
 ssid-profile name HJGCDX                 
  ssid HJGCDX                             
 ssid-profile name default                
 vap-profile name HJGCDX                  
  forward-mode tunnel                     
  service-vlan vlan-id 16                 
  ssid-profile HJGCDX                     
  security-profile HJGCDX                 
  authentication-profile zhuomai    ## bind the authentication profile defined at the top
 vap-profile name default                 
  authentication-profile zhuomai          
 wds-profile name default                 
 mesh-handover-profile name default       
 mesh-profile name default                
 regulatory-domain-profile name default   
 air-scan-profile name default            
 rrm-profile name default                 
  dynamic-edca enable                     
 radio-2g-profile name default            
 radio-5g-profile name default            
 wids-profile name default                
 wireless-access-specification            
 ap-system-profile name default           
 port-link-profile name default           
 wired-port-profile name default          
 serial-profile name preset-enjoyor-toeap         
 ap-group name default                    
  radio 0                                 
   vap-profile HJGCDX wlan 1              
  radio 1                                 
   vap-profile HJGCDX wlan 1              
 provision-ap                             
#                                         
device-profile profile-name @default_device_profile
 device-type default_type_phone           
 enable                                   
 rule 0 user-agent sub-match Android      
 rule 1 user-agent sub-match iPhone       
 rule 2 user-agent sub-match iPad         
 if-match rule 0 or rule 1 or rule 2      
#                                         
dot1x-access-profile name dot1x_access_profile
#                                         
mac-access-profile name mac_access_profile
 mac-authen username macaddress format with-hyphen
mac-access-profile name HJGCDX            
 mac-authen username macaddress format with-hyphen
#                                         
 undo ntp-service enable                  
#                                         
return                                   
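
The redirect URL produced by the url-template above, as an added example that is not part of the original post: the AC side fills the query keys from the template (apip, wlanuserfirsturl, ssid, wlanuserip, usermac, wlanacip, with the colon-delimited MAC format), and the Portal side parses and validates them before trusting wlanacip as the address its Portal packets go to. The sample session values are constructed, and 203.0.113.10 stands in for the post's 219.1.1.x.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlencode, urlsplit

# url-parameter mapping from the post's url-template (AC field -> query key)
URL_PARAMS = {
    "ap-ip": "apip",
    "redirect-url": "wlanuserfirsturl",
    "ssid": "ssid",
    "user-ipaddress": "wlanuserip",
    "user-mac": "usermac",
    "sysname": "wlanacip",
}
PORTAL_URL = "https://104.219.50.83:4432/"   # the template's 'url' line
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

def format_mac(mac, delimiter=":"):
    """Apply 'url-parameter mac-address format delimiter : normal' to any MAC spelling."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("MAC must contain 12 hex digits")
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def build_redirect_url(session):
    """AC side: session is keyed by AC field names; sysname carries the public IP (the post's trick)."""
    query = {URL_PARAMS[k]: format_mac(v) if k == "user-mac" else v for k, v in session.items()}
    return PORTAL_URL + "?" + urlencode(query)

def parse_redirect_url(url):
    """Portal side: every field arrives from the client's browser, so validate before use.
    wlanacip becomes the destination of Portal packets (UDP 2000), so it must be a literal IP."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, strict_parsing=True).items()}
    for key in ("wlanacip", "wlanuserip", "apip"):
        ip_address(q.get(key, ""))          # ValueError on hostnames, junk or a missing field
    if not MAC_RE.fullmatch(q.get("usermac", "")):
        raise ValueError("usermac is not a colon-delimited MAC")
    return q

# constructed sample session; 203.0.113.10 is a placeholder for the post's 219.1.1.x
SESSION = {
    "ap-ip": "172.16.16.10",
    "redirect-url": "http://example.com/",
    "ssid": "HJGCDX",
    "user-ipaddress": "172.16.16.55",
    "user-mac": "00-11-22-AA-BB-CC",
    "sysname": "203.0.113.10",
}
```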

3: Finally
No Portal protocol version is defined here; the default is V1 & V2.
The server side is set to Standard-V2-CHAP.
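
Added example, not from the post: the check that the Portal shared key under web-auth-server makes possible. It builds a Huawei Portal protocol V2 packet and verifies its authenticator as the V2.0 spec defines it (MD5 over the header fields with a zeroed authenticator, the attributes and the shared key). V1 packets carry no authenticator at all, so with the default "V1&V2" only V2 exchanges get this protection, which matters here because UDP 2000 of the AC is published through the firewall. The packet fields, the user name and the key are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

HEADER_LEN = 32  # V2 header: 16 bytes of fields followed by a 16-byte authenticator

def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, counts the 2 header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def v2_authenticator(header, attrs, shared_key):
    """V2.0 spec: MD5(header fields, 16 zero bytes in place of the authenticator, attributes, shared key)."""
    return hashlib.md5(header[:16] + bytes(16) + attrs + shared_key).digest()

def build_packet(ptype, serial, reqid, user_ip, attrs, shared_key, chap=True):
    """Build a V2 packet; the Pap/Chap byte is 0x00 for CHAP (the post's server uses V2 CHAP)."""
    body = encode_attrs(attrs)
    fields = struct.pack("!BBBBHH4sHBB", 2, ptype, 0 if chap else 1, 0,
                         serial, reqid, IPv4Address(user_ip).packed, 0, 0, len(attrs))
    header = fields + v2_authenticator(fields + bytes(16), body, shared_key)
    return header + body

def verify_packet(packet, shared_key):
    """Receiver-side check: recompute the authenticator and compare in constant time."""
    if len(packet) < HEADER_LEN or packet[0] != 2:
        return False                      # truncated, or not a V2 packet (V1 has no authenticator)
    header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    return hmac.compare_digest(header[16:], v2_authenticator(header, body, shared_key))

# constructed sample: REQ_AUTH (type 0x03) carrying a UserName attribute (type 0x01)
SHARED_KEY = b"constructed-demo-key"
SAMPLE = build_packet(3, serial=1, reqid=2, user_ip="172.16.16.55",
                      attrs=[(1, b"user1")], shared_key=SHARED_KEY)
```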
