Self-study Aruba 5.3.3 - Aruba security authentication - Captive-Portal authentication configuration in an environment with a PEFNG license


1. Captive-Portal authentication configuration: preliminaries

1.1 Creating a server-derived role for web authentication

After the PEFNG license has been imported, the system does not automatically generate a role corresponding to the web-authentication profile (aaa authentication captive-portal). A role therefore has to be derived for users before they authenticate, and that role is configured to bring up the authentication page.

1.2 Creating the server-derived role for web authentication

Because the policy "logon-control" contains a rule that permits ping, a web-authentication user can ping other addresses as soon as it joins the SSID, which easily misleads customers. It is therefore recommended to disable the ping permit in the "logon-control" policy before configuring web authentication.

(Aruba650) (config) #ip access-list session logon-control
(Aruba650) (config-sess-logon-control)# no any any "svc-icmp" deny ## disable ping in the logon-control role

(Aruba650) (config) #user-role yk-web ## define yk-web as the Captive-Portal (pre-authentication) role
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) #session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

2. Captive-Portal authentication configuration commands

2.1 Captive-Portal authentication using the InterDB (internal database) authentication server

(Aruba650) (config) #aaa server-group web-server
(Aruba650) (Server Group "web-server") #auth-server Internal
(Aruba650) (Server Group "web-server") #set role condition role value-of
(Aruba650) (Server Group "web-server") #exit

(Aruba650) (config) #aaa authentication captive-portal web-auth
(Aruba650) (Captive Portal Authentication Profile "web-auth") #server-group web-server
(Aruba650) (Captive Portal Authentication Profile "web-auth") #protocol-http ## authenticate over HTTP
(Aruba650) (Captive Portal Authentication Profile "web-auth") #redirect-pause 1 ## redirect automatically 1 s after authentication
(Aruba650) (Captive Portal Authentication Profile "web-auth") #default-role authenticated ## default role after authentication; users get this role when no server-derived role is produced
(Aruba650) (Captive Portal Authentication Profile "web-auth") #exit

(Aruba650) (config) #ip access-list session logon-control
(Aruba650) (config-sess-logon-control)# no any any "svc-icmp" deny ## disable ping

(Aruba650) (config) #user-role yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) #session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

(Aruba650) (config) #aaa profile web-profile
(Aruba650) (AAA Profile "web-profile") #initial-role yk-web ## initial (pre-authentication) role, which redirects to the Captive-Portal login page
(Aruba650) (AAA Profile "web-profile") #exit

(Aruba650) (config) #wlan ssid-profile web-ssid
(Aruba650) (SSID Profile "web-ssid") #essid webyk
(Aruba650) (SSID Profile "web-ssid") #exit

(Aruba650) (config) #wlan virtual-ap web-vap
(Aruba650) (Virtual AP profile "web-vap") #aaa-profile web-profile
(Aruba650) (Virtual AP profile "web-vap") #ssid-profile web-ssid
(Aruba650) (Virtual AP profile "web-vap") #vlan 1
(Aruba650) (Virtual AP profile "web-vap") #exit

(Aruba650) (config) #ap-group webyk
(Aruba650) (AP group "webyk") #virtual-ap web-vap
(Aruba650) (AP group "webyk") #exit

(Aruba650) #local-userdb add username test1 password 123456 role web-1 ## create two users, test1 and test2, mapped to the derived roles web-1 and web-2
(Aruba650) #local-userdb add username test2 password 123456 role web-2

2.2 Captive-Portal authentication using an LDAP authentication server

2.2.1 LDAP-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa authentication-server ldap ad
(Aruba650) (LDAP Server "ad") #host 172.18.50.30
(Aruba650) (LDAP Server "ad") #admin-dn cn=rui,cn=Users,dc=ruitest,dc=com
(Aruba650) (LDAP Server "ad") #admin-passwd 123456
(Aruba650) (LDAP Server "ad") #allow-cleartext
(Aruba650) (LDAP Server "ad") #base-dn cn=Users,dc=ruitest,dc=com
(Aruba650) (LDAP Server "ad") #preferred-conn-type clear-text
(Aruba650) (LDAP Server "ad") #exit

(Aruba650) #aaa test-server pap ad carlos 123456 ## test whether a connection to the LDAP server can be established

(Aruba650) #aaa query-user ad carlos ## show the values LDAP returns for user carlos

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: carlos
sn: carlos
distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com ## user group in the returned values; the controller (AC) can match on returned values to define which group the user belongs to
instanceType: 4
whenCreated: 20180117082111.0Z
whenChanged: 20180417082815.0Z
displayName: carlos
uSNCreated: 368694
memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
uSNChanged: 368706
name: wang1
objectGUID: n\240\203\277T\345\002K\235\202y\351\372\240<\376
userAccountControl: 66048

2.2.2 Wireless-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa server-group web-server
(Aruba650) (Server Group "web-server") #no auth-server Internal
(Aruba650) (Server Group "web-server") #auth-server ad
(Aruba650) (Server Group "web-server") #set role condition memberOf equals CN=tech1,CN=Users,DC=ruitest,DC=com set-value web-1 ## memberOf returns the group tech1, which matches role web-1
(Aruba650) (Server Group "web-server") #set role condition memberOf equals CN=tech2,CN=Users,DC=ruitest,DC=com set-value web-2
(Aruba650) (Server Group "web-server") #exit

(Aruba650) (config) #aaa authentication captive-portal web-auth
(Aruba650) (Captive Portal Authentication Profile "web-auth") #server-group web-server
(Aruba650) (Captive Portal Authentication Profile "web-auth") #protocol-http
(Aruba650) (Captive Portal Authentication Profile "web-auth") #redirect-pause 1
(Aruba650) (Captive Portal Authentication Profile "web-auth") #default-role authenticated ## default role after authentication; users get this role when no server-derived role is produced
(Aruba650) (Captive Portal Authentication Profile "web-auth") #exit

(Aruba650) (config) #user-role yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) #session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

(Aruba650) (config) #aaa profile web-profile
(Aruba650) (AAA Profile "web-profile") #initial-role yk-web ## initial (pre-authentication) role, which redirects to the Captive-Portal login page
(Aruba650) (AAA Profile "web-profile") #exit

(Aruba650) (config) #wlan ssid-profile web-ssid
(Aruba650) (SSID Profile "web-ssid") #essid web
(Aruba650) (SSID Profile "web-ssid") #exit

(Aruba650) (config) #wlan virtual-ap web-vap
(Aruba650) (Virtual AP profile "web-vap") #aaa-profile web-profile
(Aruba650) (Virtual AP profile "web-vap") #ssid-profile web-ssid
(Aruba650) (Virtual AP profile "web-vap") #vlan 1
(Aruba650) (Virtual AP profile "web-vap") #exit

(Aruba650) (config) #ap-group webyk
(Aruba650) (AP group "webyk") #virtual-ap web-vap
(Aruba650) (AP group "webyk") #exit

2.3 Captive-Portal authentication using a RADIUS authentication server

2.3.1 RADIUS-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa authentication-server radius ias
(Aruba650) (RADIUS Server "ias") #host 172.18.50.88
(Aruba650) (RADIUS Server "ias") #key 123456
(Aruba650) (RADIUS Server "ias") #exit

(Aruba650) #aaa test-server mschapv2 ias carlos 123456 ## test whether a connection to the IAS server can be established
Authentication Successful ## authentication succeeded

In the IAS remote access policy, the following settings need attention:

[Screenshot: IAS remote access policy settings for the Captive-Portal setup]

2.3.2 Wireless-related configuration

(Aruba650) #configure terminal
(Aruba650) (config) #aaa server-group web-server
(Aruba650) (Server Group "web-server") #no auth-server Internal
(Aruba650) (Server Group "web-server") #auth-server ias ## use the RADIUS server "ias" defined in 2.3.1
(Aruba650) (Server Group "web-server") #set role condition role value-of
(Aruba650) (Server Group "web-server") #exit

(Aruba650) (config) #aaa authentication captive-portal web-auth
(Aruba650) (Captive Portal Authentication Profile "web-auth") #server-group web-server
(Aruba650) (Captive Portal Authentication Profile "web-auth") #protocol-http
(Aruba650) (Captive Portal Authentication Profile "web-auth") #redirect-pause 1
(Aruba650) (Captive Portal Authentication Profile "web-auth") #default-role authenticated ## default role after authentication; users get this role when no server-derived role is produced
(Aruba650) (Captive Portal Authentication Profile "web-auth") #exit

(Aruba650) (config) #user-role yk-web
(Aruba650) (config-role) #session-acl logon-control
(Aruba650) (config-role) #session-acl captiveportal
(Aruba650) (config-role) #session-acl vpnlogon
(Aruba650) (config-role) #captive-portal web-auth
(Aruba650) (config-role) #exit

(Aruba650) (config) #aaa profile web-profile
(Aruba650) (AAA Profile "web-profile") #initial-role yk-web ## initial (pre-authentication) role, which redirects to the Captive-Portal login page
(Aruba650) (AAA Profile "web-profile") #exit

(Aruba650) (config) #wlan ssid-profile web-ssid
(Aruba650) (SSID Profile "web-ssid") #essid web
(Aruba650) (SSID Profile "web-ssid") #exit

(Aruba650) (config) #wlan virtual-ap web-vap
(Aruba650) (Virtual AP profile "web-vap") #aaa-profile web-profile
(Aruba650) (Virtual AP profile "web-vap") #ssid-profile web-ssid
(Aruba650) (Virtual AP profile "web-vap") #vlan 1
(Aruba650) (Virtual AP profile "web-vap") #exit

(Aruba650) (config) #ap-group webyk
(Aruba650) (AP group "webyk") #virtual-ap web-vap
(Aruba650) (AP group "webyk") #exit
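The role derivation behind the server-group rules in sections 2.1, 2.2 and 2.3 (memberOf equals ... set-value for LDAP, role value-of for the internal database and RADIUS, default-role as the fallback) can be modelled in a few lines. The following Python is an added example, not ArubaOS code or the article's own; it assumes exact string comparison for "equals" and that rules are evaluated in order, and uses a constructed query-user result for carlos.

```python
# Added example (not ArubaOS code): simulates the server-group role derivation
# this article configures. The controller takes the attributes returned by the
# auth server, evaluates "set role condition ..." rules in order, and falls back
# to the captive-portal profile's default-role when no rule matches.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RoleRule:
    attribute: str                   # e.g. "memberOf" (LDAP) or "role" (Internal DB / RADIUS)
    operator: str                    # "equals" or "value-of"
    value: Optional[str] = None      # compared against the attribute for "equals"
    set_value: Optional[str] = None  # role assigned when an "equals" rule matches


def parse_query_user(output: str) -> Dict[str, List[str]]:
    """Parse 'attr: value' lines as printed by 'aaa query-user' into a multi-valued map."""
    attrs: Dict[str, List[str]] = {}
    for line in output.splitlines():
        line = line.split("##", 1)[0].strip()   # drop trailing ## annotations
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def derive_role(attrs: Dict[str, List[str]], rules: List[RoleRule],
                default_role: str = "authenticated") -> str:
    """First matching rule wins; exact string comparison is assumed for 'equals'."""
    for rule in rules:
        values = attrs.get(rule.attribute, [])
        if rule.operator == "equals" and rule.value in values:
            return rule.set_value
        if rule.operator == "value-of" and values:
            return values[0]            # the attribute's own value becomes the role
    return default_role                 # nothing matched: default-role from the profile


# Rules from section 2.2.2 and a constructed 'aaa query-user' result for carlos.
LDAP_RULES = [
    RoleRule("memberOf", "equals", "CN=tech1,CN=Users,DC=ruitest,DC=com", "web-1"),
    RoleRule("memberOf", "equals", "CN=tech2,CN=Users,DC=ruitest,DC=com", "web-2"),
]
SAMPLE_QUERY_OUTPUT = """cn: carlos
distinguishedName: CN=carlos,CN=Users,DC=ruitest,DC=com
memberOf: CN=tech1,CN=Users,DC=ruitest,DC=com
userAccountControl: 66048"""
```

A user whose memberOf is neither tech1 nor tech2 lands in the default role "authenticated", which is why the default-role of the captive-portal profile should be the most restrictive role acceptable.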
