Lab topology:
switch (sw):
! VLAN definitions (the data VLANs a RADIUS group can be mapped to)
vlan data
vlan 5
vlan 10
vlan 18
! access ports in VLAN 5; f0/4 is the dot1x-controlled port enabled further down
int f0/24
sw mo acc
sw acc vlan 5
spanning-tree portfast
int f0/4
sw mo acc
sw acc vlan 5
spanning-tree portfast
! switch management address in VLAN 5
int vlan 5
ip add 137.78.5.158 255.255.255.0
! AAA: console/vty login uses the line password (or nothing) so the switch stays
! reachable when ACS is down; dot1x authentication, network authorization (VLAN
! assignment) and accounting all go to the RADIUS server
aaa new-model
aaa authentication login noacs line none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 137.78.5.186 key cisco
! enable 802.1X globally, then on the client port
dot1x system-auth-control
int f0/4
dot1x port-control auto
line vty 0 15
login auth noacs
privilege level 15
line console 0
login auth noacs
privilege level 15
server:
1. Create the domain dot1x.com
2. Create the groups group1, group2, computer1, computer2
3. Create the users user1 and user2; add the users to the groups and the machines to the groups
4. Create the organizational units group1 and group2 and add the user and machine groups to them; OU group1 should contain user1, group1 and the computer1 PC
5. Install IIS and Certificate Services
6. Put the certificate in the root of the C: drive
7. Configure group policy for group1 and group2, Computer Configuration: a. Trusted Root Certification Authorities: import the root certificate; b. Automatic Certificate Request Settings: Computer
8. Install the Java plugin, install ACS 4.0
9. Request a certificate for ACS
10. Install the root certificate, install ACS's own (personal) certificate
11. Global Authentication Setup -> PEAP -> Allow EAP-MSCHAPv2
12. External user database configuration: a. Configure Domain List; b. Enable PEAP machine authentication
13. Group mapping
14. Define the AAA client
15. Configure group-based VLAN authorization
16. Reboot the PCs several times
17. Enable dot1x on the interface
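Step 15 works because ACS returns the RFC 2868 tunnel attributes in the RADIUS Access-Accept and the switch applies the VLAN they name. The following Python is an added example, not code from the original post or from ACS: it builds those three attributes and decodes them the way the switch does, assuming the VLAN set {5, 10, 18} from the switch config above and tag value 1.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute numbers
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802
SWITCH_VLANS = {5, 10, 18}     # VLANs defined on the lab switch (from the config above)


def _avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag, value):
    """Tagged integer per RFC 2868: one tag byte followed by a 3-byte big-endian value."""
    return struct.pack("B", tag) + struct.pack(">I", value)[1:]


def build_vlan_attrs(vlan_id, tag=1):
    """The three attributes ACS returns in Access-Accept to assign vlan_id (tag 1 is an assumption)."""
    return (_avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("B", tag) + str(vlan_id).encode()))


def parse_avps(data):
    """Yield (type, value) pairs from a run of RADIUS attributes; reject truncated ones."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def assigned_vlan(attrs):
    """VLAN the switch applies, or None if the triple is missing/inconsistent or the VLAN is not on the switch."""
    seen = {}
    for t, v in parse_avps(attrs):
        if not v:
            continue
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[t] = int.from_bytes(v[1:], "big")               # drop the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            seen[t] = (v[1:] if v[0] < 0x20 else v).decode()      # leading byte is a tag only if < 0x20
    if seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not group.isdigit() or int(group) not in SWITCH_VLANS:
        return None                                               # port stays unauthorized
    return int(group)
```

A VLAN number that is not defined on the switch (the `None` case) leaves the port unauthorized, which is the usual reason a group-to-VLAN mapping "does not work" in this lab.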
Tags: aaa, certificate, vlan, sw, PEAP, dot1x, complete, group1, version. Source: https://www.cnblogs.com/smoke520/p/18365106