--- Aggregation switch (HJ) configuration
<HJ>dis cu
!Software Version V200R010C00SPC600
#
sysname HJ
#
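undo info-center enable            //information center is off: the switch outputs no logs or traps, so logins and 802.1X results leave no record; in production keep it enabled and send logs to a log host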
#
vlan batch 10 20 250
#
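authentication mac-move enable vlan all            //enable MAC migration in all VLANs: a user who is already online may re-authenticate after moving to another port or VLAN. Pre-migration detection (authentication mac-move detect enable) is not configured on this switch, although this is the device that performs the authentication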
#
undo authentication pre-authen-access enable
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name dot1x
 dot1x-access-profile dot1x
 access-domain dot1x dot1x
#
access-user arp-detect default ip-address 0.0.0.0
#
clock timezone BJ add 08:00:00
#
radius-server template default
radius-server template dot1x              
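 radius-server shared-key cipher %^%#uErQPRyP="3cx|')X$mHuf>KE9wk@%!E7l9;:~uJ%^%#            //stored as reversible ciphertext: redact the shared key before publishing a configuration, and rotate a key that has been shared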
 radius-server authentication 10.130.16.42 1812 weight 80
 undo radius-server user-name domain-included
#                                         
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme dot1x
  authentication-mode radius
 authentication-scheme none
  authentication-mode none
 authorization-scheme default
 accounting-scheme default
 accounting-scheme none
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 domain dot1x
  authentication-scheme dot1x
  radius-server dot1x
 domain none                              
  authentication-scheme none
  accounting-scheme none
  radius-server default
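 local-user admin password irreversible-cipher $1a$DoCABFK"@$$nLP:TXKZoNnDm84Qbpe+"t2ZL)(MeXvz6w61}~I;$            //password hash of a level-15 account: redact it before publishing and change the password if the hash was exposed; the same applies to the admin hash in the JR configuration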
 local-user admin privilege level 15
 local-user admin service-type terminal ssh http
#
interface Vlanif1
#
interface Vlanif250
 ip address 10.130.250.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 description #to-HX#
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 description #to-JR#
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
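 authentication-profile dot1x            //802.1X is enforced here, on the trunk toward the access switch JR; the JR access ports carry no authentication profile and only pass EAPOL frames upstream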
#
interface GigabitEthernet0/0/3            
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#                                         
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12                 
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24           
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface XGigabitEthernet0/0/3
#
interface XGigabitEthernet0/0/4
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.130.250.1
#
snmp-agent
snmp-agent local-engineid 800007DB03785860CD5C20
snmp-agent sys-info version v3
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
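static-user 10.130.250.11 vlan 250 interface GigabitEthernet0/0/2 detect mac-address 7858-60cd-5c40 domain-name none            //10.130.250.11 is JR's Vlanif250 address; domain none uses authentication-mode none, so this entry admits the access switch's management traffic without RADIUS authentication. It is matched only on the addresses given here, so keep such exemptions limited to infrastructure devices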
#
user-interface con 0
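 authentication-mode none            //console login needs no credentials: anyone with physical access to the console port gets a CLI session; use authentication-mode aaa (or password) outside a lab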
user-interface vty 0 4
 authentication-mode aaa
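 protocol inbound all            //"all" also admits Telnet on these VTY lines if the Telnet server is ever enabled; only STelnet is enabled in this configuration, so protocol inbound ssh would state that intent explicitly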
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name dot1x
#
mac-access-profile name mac_access_profile
#
return
<HJ>
--- Access switch (JR) configuration
<JR>dis cu
!Software Version V200R010C00SPC600
#
sysname JR
#
undo info-center enable
#
vlan batch 10 20 250
#
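stp bpdu-protection            //BPDU protection acts only on edge ports; none of the access ports shown below has stp edged-port enable, so as written this command protects no port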
#
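authentication mac-move enable vlan all            //enable MAC migration in all VLANs
authentication mac-move detect enable              //enable detection before MAC migration: the switch checks whether the user is still online at the original location before accepting the move, which keeps a spoofed MAC address from displacing a user who is still connected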
#    
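l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002            //transparent transmission of 802.1X: EAPOL frames (destination MAC 0180-c200-0003) are forwarded by JR instead of being terminated, so the aggregation switch HJ can act as the authenticator; it takes effect on the interfaces where it is enabled below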
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
clock timezone BJ add 08:00:00
#
radius-server template default
#
free-rule-template name default_free_rule
#                                         
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$2s>BSh4^n5$Ho;[)IvODEp;`M~Nz,yD:}_D1xF`93AS`m<ex9w#$
 local-user admin privilege level 15
 local-user admin service-type terminal ssh http
#
interface Vlanif1
#
interface Vlanif250
 ip address 10.130.250.11 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk                     
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/5
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#                                         
interface GigabitEthernet1/0/6
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/7
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/8
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/9
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/12
 port link-type access
 port default vlan 10
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/13
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/14
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/15
 port link-type access
 port default vlan 20                     
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/16
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/17
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/18
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/19
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/20
 port link-type access                    
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/21
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/22
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/23
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet1/0/24
 port link-type access
 port default vlan 20
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface XGigabitEthernet1/0/1
#
interface XGigabitEthernet1/0/2
#
interface XGigabitEthernet1/0/3
#
interface XGigabitEthernet1/0/4           
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.130.250.1
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
user-interface con 0
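 authentication-mode none            //console login needs no credentials: anyone with physical access to the console port gets a CLI session; use authentication-mode aaa (or password) outside a lab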
user-interface vty 0 4
 authentication-mode aaa
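 protocol inbound all            //"all" also admits Telnet on these VTY lines if the Telnet server is ever enabled; only STelnet is enabled in this configuration, so protocol inbound ssh would state that intent explicitly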
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
<JR>