IronShield White Paper: 802.1X Port Authentication with Microsoft Active Directory

•  When the Permissions window is displayed, select the “Grant remote access permission” option and select “Next”. This will grant access based on group membership.
•  When the User Profile window appears, select the “Edit Profile” button.

 

 



 

Figure 25.  Granting Permissions and User Profile Screens 

 

 

The Edit Dial-In Profile screen will be displayed, showing several tabs.



 

•  On the Edit Dial-In Profile screen, select the “Authentication” tab and check the “Extensible Authentication Protocol” option.
•  From the “… EAP type” drop-down box, select the “MD5-Challenge” option to support the Foundry devices. Uncheck all other authentication types listed under the drop-down box.

 

 



 

 

 



 

 

 



 

 

 



 

 

Figure 26. Authentication Tab Settings 



 

•  On the Edit Dial-In Profile screen, select the “Encryption” tab and check the “Strongest” encryption option. This step is not required for EAP-MD5, but is performed as a safeguard so that weaker encryption options are not used in the future.

 

Figure 27.  Encryption Tab Settings



March 2003   ©2003 Foundry Networks, Inc.   Version 1.0.0   All Rights Reserved.

 

 



 



•  On the Edit Dial-In Profile screen, select the “IP” tab and check “Client may request an IP address” to support DHCP.

 

 



•  On the Edit Dial-In Profile screen, select the “Advanced” tab. The current default parameters returned to the Foundry device should be Service-Type and Framed-Protocol.
•  Select the “Add” button to add the additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.

 

 



 

 

 



Figure 28.  Connection Attributes Screen 

 

 



•  The RADIUS Attribute screen is displayed. From this list, three RADIUS attributes will be added:
   Tunnel-Medium-Type
   Tunnel-Pvt-Group-ID
   Tunnel-Type



 

 

Figure 29.  RADIUS Attribute Screen



 

 

•  Select Tunnel-Medium-Type and click on the “Add” button.
•  On the Multivalued Attribute Information screen, click on the “Add” button.
•  The Enumerable Attribute Information screen is displayed. Select the “802” value from the Attribute Value drop-down box.
•  Select “OK” to accept the value.
•  Return to the RADIUS Attribute Screen (Figure 29).

 

 

 



Figure 30.  802 Attribute Setting for Tunnel-Medium-Type 


•  Select Tunnel-Pvt-Group-ID and click on the “Add” button.
•  On the Multivalued Attribute Information screen, click on the “Add” button.
•  The Attribute Information screen is displayed. Enter the correct VLAN ID or Name for this policy. Users belonging to the VLAN Group specified in this policy will be assigned to the VLAN ID specified.
•  Select “OK” to accept the value.
•  Return to the RADIUS Attribute Screen (Figure 29).

 

 

 



 

Figure 31.  VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID 

 

 

 



•  Select Tunnel-Type and click on the “Add” button.
•  On the Multivalued Attribute Information screen, click on the “Add” button.
•  The Enumerable Attribute Information screen is displayed. Select the Virtual LANs (VLAN) option from the Attribute Value drop-down box.
•  Select “OK” to accept the value.
•  Return to the RADIUS Attribute Screen (Figure 29) and select the “Close” button.

 

 



 

 

 



 

Figure 32.  VLAN Attribute Setting for Tunnel-Type 

 

 

 



The completed Advanced Tab should resemble the illustration in Figure 33.

Repeat this step, Configuring Remote Access Policies, for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list.

 

 

 



 

 

 



 

 

 



        

 

Figure 33.  Completed Advanced Tab


Creating Port-Based VLANs 

Port-Based VLANs must be created on each Foundry device participating in the 802.1X Dynamic VLAN Assignment topology. 802.1X Dynamic VLAN Assignment is only supported on port-based VLANs. This feature cannot be used to place an 802.1X-enabled port into a Layer 3 protocol VLAN.

 

Step 1:  Create the necessary Port-Based VLANs on each Foundry device. The VLAN IDs or Names must match the Tunnel-Pvt-Group-ID used in the Remote Access Policies created in the previous step.

 

 



To create the port-based VLAN:   Syntax: vlan <vlan-id> by port

To add ports:  Syntax: untagged ethernet <portnum> | pos <portnum> [to <portnum> | ethernet <portnum>]

To turn on Spanning Tree Protocol:  Syntax: [no] spanning-tree



 

 

EXAMPLE 

This example creates a port-based VLAN with the VLAN ID of 10 and assigns an untagged uplink port E7/24 to the VLAN. Users matching the VLAN Group ID of 10 will be automatically added to this VLAN using 802.1X Dynamic VLAN Assignment.

 

Dept_Switch-1(config)# vlan 10 by port
Dept_Switch-1(config-vlan-10)# untagged eth 7/24
Dept_Switch-1(config-vlan-10)# spanning-tree
Dept_Switch-1(config-vlan-10)# exit
Dept_Switch-1(config)# write memory

 

 

 



Step 2:  Repeat Step 1 for each Port-Based VLAN that needs to be created.

 

 



 

 

Testing The Dynamic VLAN Feature 

In order to successfully test the 802.1X Dynamic VLAN Assignment feature, the following components must be fully installed and configured according to the procedures outlined in this White Paper:

 

•  IAS RADIUS Server
•  Active Directory Server
•  Foundry 802.1X capable device with version 07.6.03 code or later
•  802.1X compliant workstation or file server

 

Make sure the order of the Remote Access Policies is correct. The VLAN Group Policies should be listed ahead of any other general policies, such as the Day-And-Time Restriction Policy.

 

 



Step 1:  To ensure that Microsoft’s IAS service recognizes all the new Remote Access Policies and changes, stop and start the IAS service. This can be done from the Internet Authentication Service management screen by right-clicking on the Internet Authentication Service (local) option and selecting Stop Service to stop the IAS service and Start Service to start the IAS service.

 


Step 2:  Using a workstation that is configured properly for 802.1X client support, connect to the Foundry device’s 802.1X enabled port.

 

Step 3.  Follow the steps outlined in the section “Testing The Client Connection” to authenticate the client. Use one of the accounts that were added to a valid VLAN Group created on the Active Directory server.

 

Step 4.  Once the client is authenticated, check the Foundry device to make sure the client’s port is added to the proper Port-Based VLAN. Use the following CLI commands on the Foundry device to validate the VLAN assignment:

 

Syntax: show run
Displays the dynamically assigned ports in each Port-Based VLAN.

Syntax: show interface
Displays detailed port information showing the original Layer 2 VLAN the port belonged to before the automatic assignment and the VLAN membership after the automatic assignment.

 

 

 



 

 

EXAMPLE – Show Run Command 

This example shows the results of the “show run” command. An 802.1X client was authenticated using a valid Windows account on the Active Directory server that is a member of VLAN Group 5. From the “show run” illustration, the 802.1X client is connected to port Ethernet 22. After successful authentication, port Ethernet 22 is automatically assigned to Port-Based VLAN 5 as an untagged port.

 

SW-telnet@FI4802-PREM#show run
ver 07.6.03B2T51
dot1x-enable
 enable ethe 20 to 29
vlan 1 name DEFAULT-VLAN by port
vlan 10 by port
vlan 20 by port
vlan 5 by port
 untagged ethe 22

  

 



EXAMPLE – Show Interface Command 

This example shows the dynamic VLAN information for port Ethernet 22 after the automatic VLAN assignment was made. Note the original VLAN ID was 1 and the new dot1x-RADIUS assigned VLAN is 5.

 

SW-telnet@FI4802-PREM#sho int e22
FastEthernet22 is up, line protocol is up
  Hardware is FastEthernet, address is 00e0.8041.a315 (bia 00e0.8041.a315)
  Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
  Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
  port is untagged, port state is FORWARDING
  STP configured to ON, priority is level0, flow control enabled
  mirror disabled, monitor disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
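As an added check that is not part of the paper, this Python parses the two listings above the way a script run after Step 4 would, and confirms that the authenticated port was moved by RADIUS into the VLAN that the matching policy's Tunnel-Pvt-Group-ID names and appears there untagged in the running configuration. The sample output is constructed from the listings in this section, and the function names are my own.

```python
import re

# Constructed sample output modelled on the "show interface" and "show run"
# listings in this section; not captured from a real device.
SHOW_INT = """FastEthernet22 is up, line protocol is up
  Hardware is FastEthernet, address is 00e0.8041.a315 (bia 00e0.8041.a315)
  Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
  port is untagged, port state is FORWARDING
"""
SHOW_RUN = """ver 07.6.03B2T51
dot1x-enable
 enable ethe 20 to 29
vlan 1 name DEFAULT-VLAN by port
vlan 10 by port
vlan 20 by port
vlan 5 by port
 untagged ethe 22
"""

# Matches only the dot1x-RADIUS form of the membership line, so a port that
# never left its static VLAN yields no match.
DOT1X_RE = re.compile(r"Member of L2 VLAN ID (\d+) \(dot1x-RADIUS assigned\), "
                      r"original L2 VLAN ID is (\d+)")

def parse_dot1x_vlan(show_int):
    """Return (assigned_vlan, original_vlan) if 802.1X moved the port, else None."""
    m = DOT1X_RE.search(show_int)
    return (int(m.group(1)), int(m.group(2))) if m else None

def port_vlans(show_run):
    """Map each port-based VLAN ID to its untagged ports (single ports only)."""
    vlans, current = {}, None
    for line in show_run.splitlines():
        m = re.match(r"vlan (\d+)\b.* by port", line)
        if m:
            current = int(m.group(1))
            vlans.setdefault(current, set())
            continue
        m = re.match(r"\s+untagged ethe (\S+)\s*$", line)
        if m and current is not None:
            vlans[current].add(m.group(1))
    return vlans

def verify_assignment(show_int, show_run, port, expected_vlan):
    """Step 4 check: the port was moved by RADIUS into the VLAN that the policy's
    Tunnel-Pvt-Group-ID names, and the running config shows it there untagged."""
    moved = parse_dot1x_vlan(show_int)
    if moved is None or moved[0] != expected_vlan:
        return False
    return port in port_vlans(show_run).get(expected_vlan, set())
```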

 

 

 




Foundry Networks, Inc. 

Headquarters 

2100 Gold Street 

P.O. Box 649100 

San Jose, CA 95164-9100 

 

U.S. and Canada Toll-free: (888) TURBOLAN 



Direct telephone: +1 408.586.1700  

Fax: 1-408-586-1900 

Email: info@foundrynet.com  

Web: http://www.foundrynet.com  

 

Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the “Iron” family of marks are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. All other trademarks are the properties of their respective owners.

 

© 2003 Foundry Networks, Inc. All Rights Reserved. 




 

 



 

Document Outline

  • Written By: Philip Kwan
  • March 2003 Summary
  • Contents
  • Disclaimer
  • Nomenclature
  • Related Publications
  • Trademarks
  • 802.1X Port Authentication Basics
  • Microsoft’s IAS Server
    • Sample IAS Installation
    • IAS Installation Procedure
  • Configuring 802.1X Port Authentication
    • Other 802.1X Commands
    • Multiple Host Situations
  • Configuring Windows Clients
    • Testing The Client Connection
    • Additional Tips
    • Other 802.1X Clients Tested
  • Configuring Foundry’s Dynamic VLAN Feature
  • Creating Port-Based VLANs
        • EXAMPLE
  • Testing The Dynamic VLAN Feature
