Cisco Cisco Identity Services Engine 1.3 Mode D’Emploi
© 2015 思科系统公司
安全访问操作指南
3850 示例配置
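hostname 3850
!
! Obfuscate stored secrets (RADIUS/CoA keys, SNMP strings) in the running
! config. Type 7 is reversible; where the platform supports it prefer type 6
! (key config-key password-encrypt + password encryption aes).
service password-encryption
!
aaa new-model
! One session ID shared by authentication, authorization and accounting so
! ISE can correlate the records and target CoA at the right session.
aaa session-id common
! 802.1X/MAB authentication and network authorization are RADIUS-only:
! there is no local fallback, so RADIUS unavailability has to be handled on
! the access ports (server-dead / critical-auth behaviour) — not on this page.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Interim accounting every 15 minutes keeps ISE's session state current.
aaa accounting update periodic 15
!
! Accept RADIUS Change-of-Authorization (CoA) only from ISE (192.168.201.88).
! "cisco123" is a demo value: replace it with a long random shared secret
! unique to this switch, and enter the same value in the ISE network-device
! entry. auth-type any accepts a CoA that matches on any session attribute;
! "all" or "session-key" is stricter — tighten only after confirming ISE's
! CoA requests still match.
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any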
!
! Layer-2 VLANs: access points, authenticated wireless users, guests.
vlan 80
 name AP_VLAN
vlan 30
 name WLAN_USER
vlan 40
 name WLAN_GUEST
!
! SVIs. Every SVI relays DHCP to the DHCP server (192.168.201.72); the user
! and guest SVIs additionally relay to ISE (192.168.201.88), presumably so
! the ISE profiler sees DHCP requests — the AP VLAN does not (confirm this
! is intended).
! NOTE(review): IOS requires a subnet mask on each "ip address" line
! (ip address A.B.C.D MASK); the masks are missing from this listing and
! must be supplied for your addressing plan.
interface Vlan80
 ip address 192.168.80.1
 ip helper-address 192.168.201.72
 no shutdown
interface Vlan30
 ip address 192.168.30.1
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
interface Vlan40
 ip address 192.168.40.1
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
!
! Device tracking is what lets the switch learn the client IP for the
! redirect ACL and for the Framed-IP-Address sent to ISE. Its ARP probes are
! known to trigger duplicate-address warnings on some hosts; consider the
! probe-delay / probe-source tuning Cisco documents if that is observed.
ip device tracking
!
! DHCP snooping on the user and guest VLANs (not the AP VLAN). Option 82
! insertion is disabled so a DHCP server that rejects it keeps working.
! Snooping drops DHCP OFFER/ACK arriving on untrusted ports: the uplink
! toward the DHCP server must carry "ip dhcp snooping trust" — not on this page.
ip dhcp snooping vlan 30,40
no ip dhcp snooping information option
ip dhcp snooping
!
! hostname + domain-name name the RSA key pair and the self-signed HTTPS
! certificate used for redirection. The generate command does not persist in
! show running-config; clients will see a certificate warning on HTTPS
! redirects unless a trusted certificate is installed.
ip domain-name example.com
!
crypto key generate rsa general-keys modulus 2048
!
dot1x system-auth-control
!
! HTTP and HTTPS servers are required for URL redirection to intercept both
! protocols. Both "active-session-modules none" lines disable the web
! management UI, so the servers exist only for the redirect engine.
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
! Redirect ACL referenced by ISE (url-redirect-acl). Semantics are inverted
! from a filter: "permit" = redirect, "deny" = pass through unredirected.
! DNS is exempted only toward 192.168.201.72 — a client using another
! resolver will have its DNS redirected and the portal may not load.
ip access-list extended REDIRECT-ACL
 remark -- do not redirect DNS and DHCP to the local server --
 deny udp any host 192.168.201.72 eq domain
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 remark -- do not redirect any traffic to ISE (portal, RADIUS, probes) --
 deny ip any host 192.168.201.88
 remark -- everything else is redirected to the ISE portal --
 permit ip any any
!
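! RADIUS is sourced from the management SVI. Vlan201 is not defined on this
! page; it must exist (the 192.168.201.0 management segment is assumed) and
! its address must match the NAD IP configured in ISE.
ip radius source-interface Vlan201
!
! Restrict SNMP read access to known pollers. ISE (192.168.201.88) queries
! the switch over SNMP for profiling; add NMS hosts as needed. Prefer SNMPv3
! authPriv over a community string where the pollers support it.
ip access-list standard SNMP-POLLERS
 permit host 192.168.201.88
!
! "cisco123" is a demo string (and the same value as the CoA server-key) —
! replace it with a unique, non-guessable value. The ACL keeps the community
! from being usable from arbitrary sources.
snmp-server community cisco123 RO SNMP-POLLERS
!
! Attributes ISE relies on:
!  6  Service-Type sent in login auth requests (lets ISE tell MAB from login)
!  8  Framed-IP-Address included in Access-Request (from device tracking)
! 25  Class included in Access-Request
! 31  Calling-Station-Id as upper-case IETF MAC (AA-BB-CC-DD-EE-FF),
!     NAS-Port detail carries the MAC only
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
! A server is marked dead after 3 unanswered tries within 10 seconds. Pair
! this with "radius-server deadtime" and the server definitions, which follow
! this excerpt.
radius-server dead-criteria time 10 tries 3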