Cisco Identity Services Engine 1.3 Operation Guide

© 2015 Cisco Systems, Inc.
Secure Access Operation Guide
 
3850 Sample Configuration
hostname 3850
! AAA: 802.1X authentication, network authorization and accounting all go to RADIUS (ISE)
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 15
! Accept RADIUS Change of Authorization (CoA) from ISE; "cisco123" is the guide's sample shared secret
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any
! VLANs for access points, wireless users and wireless guests
vlan 80
 name AP_VLAN
vlan 30
 name WLAN_USER
vlan 40
 name WLAN_GUEST
! SVIs: DHCP is relayed to the DHCP server (192.168.201.72); on the user and guest VLANs a copy
! is also relayed to ISE (192.168.201.88) for DHCP profiling.
! The page shows no subnet masks; a /24 (255.255.255.0) is assumed here, adjust to your addressing.
interface vlan 80
 ip address 192.168.80.1 255.255.255.0
 ip helper-address 192.168.201.72
 no shutdown
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
interface vlan 40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.201.72
 ip helper-address 192.168.201.88
 no shutdown
! Device tracking and DHCP snooping give the switch the IP-to-session binding used for URL redirection
ip device tracking
ip dhcp snooping vlan 30,40
no ip dhcp snooping information option
ip dhcp snooping
! Host key for HTTPS; the HTTP/HTTPS server is required for the central web authentication redirect,
! while the unused active-session modules are disabled
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
dot1x system-auth-control
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
! Redirect ACL: traffic matching a "deny" entry (DNS, DHCP, ISE itself) is NOT redirected;
! everything matching the final "permit" is sent to the ISE portal
ip access-list extended REDIRECT-ACL
 deny udp any host 192.168.201.72 eq 53
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 deny ip any host 192.168.201.88
 permit ip any any
ip radius source-interface Vlan201
! "cisco123" is the guide's sample SNMP community; use a unique value in production
snmp-server community cisco123 RO
! RADIUS attributes sent to ISE in Access-Requests (service-type, framed-protocol, NAS-Port, calling-station-id)
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
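As an added example (not part of the Cisco guide), the following Python script audits a saved 3850 configuration against the ISE-integration points shown above: global 802.1X, the CoA client for ISE, device tracking, the ordering of the REDIRECT-ACL entries, and whether the guide's sample secrets are still in place. The embedded excerpt is a constructed subset of this page's configuration; the function names and the ISE/DNS addresses are taken from the page, nothing else is assumed.

```python
import re
# Constructed excerpt of this page's 3850 sample configuration (the lines the checks examine).
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 192.168.201.88 server-key cisco123
 auth-type any
ip device tracking
dot1x system-auth-control
ip access-list extended REDIRECT-ACL
 deny udp any host 192.168.201.72 eq 53
 deny udp any eq bootpc host 192.168.201.72 eq bootps
 deny ip any host 192.168.201.88
 permit ip any any
snmp-server community cisco123 RO
"""
ISE_IP, DNS_IP = "192.168.201.88", "192.168.201.72"   # addresses used on the page

def acl_entries(config, name):
    """Return the ACEs of the named extended ACL in configured order."""
    aces, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
        elif inside and line.startswith(" "):
            aces.append(line.strip())
        elif inside:
            break
    return aces

def audit_ise_config(config):
    """Return findings; an empty list means the config matches the guide's intent."""
    findings = []
    if "dot1x system-auth-control" not in config:
        findings.append("dot1x system-auth-control missing: 802.1X is not enabled globally")
    if not re.search(rf"^ client {re.escape(ISE_IP)} server-key \S+", config, re.M):
        findings.append("no dynamic-author client for ISE: CoA requests will be rejected")
    if "ip device tracking" not in config:
        findings.append("ip device tracking missing: the switch cannot map the session to an IP for redirect")
    aces = acl_entries(config, "REDIRECT-ACL")
    permit = aces.index("permit ip any any") if "permit ip any any" in aces else len(aces)
    if permit == len(aces):
        findings.append("REDIRECT-ACL lacks 'permit ip any any': no traffic would be redirected")
    for needed in (f"deny ip any host {ISE_IP}", f"deny udp any host {DNS_IP} eq 53"):
        if needed not in aces[:permit]:
            findings.append(f"REDIRECT-ACL: '{needed}' must come before the permit, or that traffic is redirected too")
    for m in re.finditer(r"(server-key|community) (\S+)", config):
        if m.group(2).lower() in ("cisco", "cisco123"):
            findings.append(f"{m.group(1)} uses the guide's sample value '{m.group(2)}'; replace it")
    return findings
```

Run it against `show running-config` output saved to a file; on the page's own sample it reports only the two sample secrets.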