Access switch RADIUS configuration

1. Disable port-security
undo port-security enable
2. Enable 802.1X authentication
dot1x
dot1x authentication-method eap # authentication method; eap is optional
dot1x retry 1 # number of authentication retries after a failure
dot1x timer reauth-period 28800 # reauthentication interval (seconds)
3. Enable MAC authentication (MAC authentication and 802.1X can be used together or separately)
mac-authentication # enable MAC authentication
mac-authentication timer reauth-period 28800

4. Configure the remote RADIUS servers
radius scheme radius_name
primary authentication 1.1.1.1 1812 key simple 123456 # IP, port, shared key (primary)
secondary authentication 1.1.1.2 1812 key simple 123456 # secondary
user-name-format without-domain # optional: send the username without the ISP domain name
attribute 31 mac-format section one uppercase # optional: RADIUS Calling-Station-Id MAC address in uppercase with no separators, for compatibility
5. Dynamic authorization (optional)
radius dynamic-author server
client ip 1.1.1.1 key simple 123456
client ip 1.1.1.2 key simple 123456

6. Bind the RADIUS scheme to the ISP domain
domain domain_name
authentication lan-access radius-scheme radius_name
authorization lan-access radius-scheme radius_name
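As an added check, not part of the original note: a small Python audit that reads a scheme / dynamic-author snippet in the format above and flags short or all-digit shared secrets, a secret reused between the RADIUS servers and the CoA clients, and a scheme with no secondary server. The sample config, the 16-character threshold and the function names are assumptions of this example.

```python
import re

# Constructed sample in the style of the note above (not a real device export).
SAMPLE_CONFIG = """\
radius scheme radius_name
 primary authentication 1.1.1.1 1812 key simple 123456
 secondary authentication 1.1.1.2 1812 key simple 123456
 user-name-format without-domain
radius dynamic-author server
 client ip 1.1.1.1 key simple 123456
 client ip 1.1.1.2 key simple 123456
"""

# Matches the server and CoA-client lines that carry a shared key.
KEY_RE = re.compile(
    r"^(?P<ctx>primary authentication|secondary authentication|client ip)"
    r"\s+(?P<host>\S+).*?\bkey\s+(?P<form>simple|cipher)\s+(?P<key>\S+)")

def weak_key(key, min_len=16):
    """Short, all-digit or all-letter secrets can be brute-forced from captured
    RADIUS traffic; min_len is an assumed local policy value."""
    return len(key) < min_len or key.isdigit() or key.isalpha()

def audit_radius_config(text):
    findings = []
    key_users = {}        # plaintext key -> where it is used
    roles = set()         # which of primary/secondary servers are defined
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if not m:
            continue
        ctx, host, form, key = m.group("ctx", "host", "form", "key")
        if ctx.endswith("authentication"):
            roles.add(ctx.split()[0])
        # Only 'key simple' (plaintext) entries can be rated; 'key cipher'
        # entries are the device's encrypted form and are skipped here.
        if form != "simple":
            continue
        if weak_key(key):
            findings.append(f"weak shared secret on '{ctx} {host}'")
        key_users.setdefault(key, []).append(f"{ctx} {host}")
    for users in key_users.values():
        coa = [u for u in users if u.startswith("client ip")]
        if coa and len(coa) < len(users):
            findings.append("secret shared between RADIUS servers and CoA clients: "
                            + ", ".join(users))
    if "primary" in roles and "secondary" not in roles:
        findings.append("no secondary authentication server; an outage "
                        "falls straight through to the critical VLAN")
    return findings
```

Run `audit_radius_config(SAMPLE_CONFIG)` to see the four weak-key findings and the reuse finding the sample produces.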

7. Interface configuration
interface GigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 10 20 untagged # VLAN 10 is the VLAN for successfully authenticated users, VLAN 20 the auth-fail VLAN
port hybrid pvid vlan 10
mac-vlan enable
stp edged-port

# 802.1X authentication
dot1x
undo dot1x handshake
dot1x mandatory-domain domain_ioa # mandatory ISP domain for 802.1X users on this port (the domain must exist, see step 6)
undo dot1x multicast-trigger
dot1x unicast-trigger
dot1x auth-fail vlan 20
dot1x critical vlan 10 # critical (fallback) VLAN used when the authentication server is unreachable
dot1x critical eapol # send an EAP-Success to the user when it is placed in the critical VLAN
dot1x re-authenticate # enable reauthentication

# MAC authentication
mac-authentication
mac-authentication domain domain_ioa # ISP domain for MAC-authenticated users (the domain must exist, see step 6)
mac-authentication guest-vlan 20
mac-authentication critical vlan 10 # critical (fallback) VLAN used when the authentication server is down
mac-authentication re-authenticate # enable reauthentication