This post was last edited by 炫炫 on 2020-11-19 15:33
1. 802.1X stages:
[HUAWEI]dis access-user #User state when authentication begins
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
104 081f71365782 10.254.3.4 081f-7136-5782 Pre-authen
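------------------------------------------------------------------------------
In this state the user is waiting for authentication. The switch proactively sends an authentication request packet to the PC; from the PC's point of view, an 802.1X login prompt pops up.
Note that if you use the PC's built-in 802.1X client together with the network-wide behavior management system (全网行为管理), the corresponding 802.1X service and EAP service must be enabled.
[HUAWEI]dis access-user #User state at the start of authentication when the RADIUS server is down
------------------------------------------------------------------------------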
UserID Username IP address MAC Status
------------------------------------------------------------------------------
18 081f71365782 10.254.3.4 081f-7136-5782 AAA-server-down
------------------------------------------------------------------------------
[HUAWEI]dis access-user #802.1X authentication succeeded
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
121 zyk 10.254.3.4 081f-7136-5782 Success
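------------------------------------------------------------------------------
2. 802.1X escape configuration
Detecting that the RADIUS server is down:
[HUAWEI]radius-server dead-interval 5 #If there is 1 non-response within 5 seconds, authentication fails and the server is set to down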
[HUAWEI]radius-server dead-count 1
Handling the outage:
[HUAWEI-aaa]service-scheme sangfor_fail #Create the service scheme used when the RADIUS server is down; users default to VLAN 3
[HUAWEI-aaa-service-sangfor_fail]user-vlan 3
[HUAWEI-authen-profile-sangfor_apf]authentication event authen-server-down action authorize service-scheme sangfor_fail
[HUAWEI-authen-profile-sangfor_apf]authentication event authen-server-up action re-authen
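#When the RADIUS server is down and users are in the AAA-server-down state, they are automatically placed in VLAN 3, and when the RADIUS server recovers all users are forced to authenticate
Health recovery:
[HUAWEI-radius-sangfor_radius]radius-server testuser username zyk password cipher 123 #Set the detection mechanism in the RADIUS template: probe every 5 s, and if a reply comes back, set the RADIUS server to up again
[HUAWEI-radius-sangfor_radius]radius-server detect-server interval 5
When I have time later, I will put together a detailed 802.1X tutorial for the network-wide behavior management system (全网行为管理).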
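An added monitoring example, not part of the original post: it parses `dis access-user` output and reports sessions in the AAA-server-down state, that is, ports placed in the escape VLAN without authentication. The column layout is assumed to match the tables shown above; the function names and the sample rows are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: rows follow the column layout of the
# "dis access-user" output shown in the post; the values are made up.
SAMPLE = """\
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
18 081f71365782 10.254.3.4 081f-7136-5782 AAA-server-down
121 zyk 10.254.3.5 0a1b-2c3d-4e5f Success
104 0a1b2c3d4e60 - 0a1b-2c3d-4e60 Pre-authen
------------------------------------------------------------------------------
"""

# UserID, Username, IP (or a placeholder such as "-"), MAC xxxx-xxxx-xxxx, Status.
# Assumption: usernames contain no whitespace.
ROW = re.compile(
    r"^\s*(?P<uid>\d+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+(?P<status>\S+)\s*$"
)

def parse_access_users(text):
    """Return one dict per session row; separator and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def escape_report(text, status="AAA-server-down"):
    """Count sessions per status and list those admitted via the escape path."""
    rows = parse_access_users(text)
    escaped = [r for r in rows if r["status"] == status]
    return {
        "counts": dict(Counter(r["status"] for r in rows)),
        "escaped": escaped,
        "alert": bool(escaped),
    }

if __name__ == "__main__":
    report = escape_report(SAMPLE)
    print(report["counts"])
    for r in report["escaped"]:
        print("unauthenticated session:", r["uid"], r["mac"], r["ip"])
```

Feeding it periodic captures of the switch output gives a record of which MAC addresses were on the network while RADIUS was unreachable, which can be compared against the sessions that succeed after the re-authen event.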