I previously covered a RADIUS wireless authentication setup based on Windows 2012 NPS; see the article: https://blog.51cto.com/hubuxcg/1636719?cid=702921#702921

This post covers configuring dynamic VLANs with Windows 2012 NPS RADIUS. For the initial NPS configuration, refer to the earlier article; only the VLAN-related configuration is described here.

1. In the NPS policies, add a connection policy and select Secure Wired (Ethernet) Connections.

![](https://s4.51cto.com/images/blog/201803/27/20d8568646f7b05bdd906a41709d31ca.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

2. Add the name, IP address and authentication secret of each network device that will call RADIUS. These are needed later when configuring the network devices.

![](https://s4.51cto.com/images/blog/201803/27/86e653207439bf4db5a6e57766974c50.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

3. Select the authentication method: PEAP.

![](https://s4.51cto.com/images/blog/201803/27/5215595d04521d2e8e8df28e3a5841aa.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

4. Select the existing certificate.

![](https://s4.51cto.com/images/blog/201803/27/d39c7cae45ab386c085dec927e37e31f.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

5. Add users. Because the VLAN is assigned per user, select the group that has already been set up: VLAN100.

![](https://s4.51cto.com/images/blog/201803/27/81e23847c651b14f72ca16fe10b06e15.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

6. On the Configure Traffic Controls page, open Configure:

![](https://s4.51cto.com/images/blog/201803/27/52253492f2d9be8dae2e96382d23dc46.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

7. Tunnel-Type: VLAN

![](https://s4.51cto.com/images/blog/201803/27/4376777b9ceb88187354f277b3ecf03f.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

8. Tunnel-Medium-Type: 802

![](https://s4.51cto.com/images/blog/201803/27/638686f58bdf78f54a06b8bfc5cb249b.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

9. Tunnel-Pvt-Group-ID: 100 (the VLAN ID on the switch)

![](https://s4.51cto.com/images/blog/201803/27/158065bad71894b03983714d840fe8ed.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

10. Once the three items above are configured, click Finish.

![](https://s4.51cto.com/images/blog/201803/27/5b2a3299c141e083b7d46b736eddd7a6.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

11. The result after configuration looks like this:

![](https://s4.51cto.com/images/blog/201803/27/6f7e4865ed69760ca9f9dc1117cbc09b.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

12. Repeat the steps above to add each user group and its corresponding VLAN configuration in turn:

![](https://s4.51cto.com/images/blog/201803/27/67d25d051a0e803c79ba2811b146ae45.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

13. Confirm and exit. The RADIUS configuration on the Windows side is now complete. Next comes the authentication configuration on the Cisco switch. Enable RADIUS on the switch and configure the RADIUS server information:

```
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Enable 802.1X globally (absent from the original listing; port authentication needs it)
dot1x system-auth-control
! Host and key must match the RADIUS client entry created in NPS in step 2
radius-server host 192.168.1.2 key 123456
radius-server vsa send authentication
```

14. Configure the VLAN on the switch ports and enable PAE authentication:

```
! Run in interface configuration mode for each access port that should authenticate
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
```

15. Configuration complete!
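What steps 7 to 9 put on the wire, as an added example (not code from the original article): a Python parser that reads a RADIUS Access-Accept and checks for the three tunnel attributes RFC 3580 uses for VLAN assignment. The packets are constructed samples with a zeroed authenticator, and all function names are this example's own.

```python
import struct

# Attribute numbers (RFC 2868) and the values RFC 3580 defines for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802, ACCESS_ACCEPT = 13, 6, 2

def build_packet(code, attrs):
    """Constructed test helper: RADIUS header + TLV attributes, zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return (code, {type: [values]}) using the RFC 2865 packet layout."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        alen = packet[pos + 1]
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag byte followed by a 3-byte integer."""
    return int.from_bytes(value[1:4], "big") if len(value) == 4 else None

def assigned_vlan(packet):
    """VLAN ID string if the Access-Accept carries the complete VLAN triplet, else None."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    ttype = [tagged_int(v) for v in attrs.get(TUNNEL_TYPE, [])]
    medium = [tagged_int(v) for v in attrs.get(TUNNEL_MEDIUM_TYPE, [])]
    group = attrs.get(TUNNEL_PVT_GROUP_ID, [])
    if TYPE_VLAN not in ttype or MEDIUM_802 not in medium or not group:
        return None
    raw = group[0]
    if raw and raw[0] <= 0x1F:  # optional leading tag byte (RFC 2868)
        raw = raw[1:]
    return raw.decode("ascii") or None

# Constructed samples (not captured traffic): the policy from steps 7-9, and one missing step 8
GOOD = build_packet(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"100")])
NO_MEDIUM = build_packet(2, [(64, b"\x00\x00\x00\x0d"), (81, b"100")])

if __name__ == "__main__":
    print(assigned_vlan(GOOD), assigned_vlan(NO_MEDIUM))
```

The same check can be run against the attribute bytes of an Access-Accept taken from a packet capture between the switch and the NPS server when a port authenticates but does not land in the expected VLAN.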