fara_ib
@fara_ib

How do I configure adding a port to a VLAN after 802.1x authentication?

Hello. Has anyone done something like this on D-Link? How did you do it? I am interested in the switch and RADIUS server configuration so that, after the user is authenticated, he gets access to another VLAN while sitting in the guest one. The user check on the server probably succeeds, but after that nothing happens with the VLANs.
Thanks.
Result of the client connecting to the switch (RADIUS was stopped and started with freeradius -X, debug mode).
(192.168.2.57 is the D-Link switch, 192.168.2.1 is the RADIUS server.)

(11) Received Accounting-Request Id 2 from 192.168.2.57:1813 to 192.168.2.1:1813 length 104
(11) User-Name = "bruno"
(11) Acct-Session-Id = "000000000001"
(11) NAS-Identifier = "D-LINK"
(11) NAS-IP-Address = 192.168.2.57
(11) NAS-Port = 12
(11) Acct-Authentic = RADIUS
(11) Acct-Status-Type = Start
(11) Service-Type = Framed-User
(11) Calling-Station-Id = "F4-30-B9-39-35-8D"
(11) Acct-Delay-Time = 0
(11) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(11) preacct {
(11) [preprocess] = ok
(11) policy acct_unique {
(11) update request {
(11) &Tmp-String-9 := "ai:"
(11) } # update request = noop
(11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(11) EXPAND %{hex:&Class}
(11) -->
(11) EXPAND ^%{hex:&Tmp-String-9}
(11) --> ^61693a
(11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(11) else {
(11) update request {
(11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11) --> 8239339ed764dc316b058fbd7866bbd6
(11) &Acct-Unique-Session-Id := 8239339ed764dc316b058fbd7866bbd6
(11) } # update request = noop
(11) } # else = noop
(11) } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "bruno", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) [files] = noop
(11) } # preacct = ok
(11) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(11) accounting {
(11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail: --> /var/log/freeradius/radacct/192.168.2.57/detail-20190921
(11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.57/detail-20190921
(11) detail: EXPAND %t
(11) detail: --> Sat Sep 21 16:58:13 2019
(11) [detail] = ok
(11) [unix] = ok
(11) [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response: --> bruno
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11) [attr_filter.accounting_response] = updated
(11) } # accounting = updated
(11) Sent Accounting-Response Id 2 from 192.168.2.1:1813 to 192.168.2.57:1813 length 0
(11) Finished request
(11) Cleaning up request packet ID 2 with timestamp +235
Waking up in 4.9 seconds.
(10) Cleaning up request packet ID 1 with timestamp +235
Ready to process requests

Test run of an authentication check on the RADIUS server (debug mode)
(12) Received Access-Request Id 52 from 127.0.0.1:43242 to 127.0.0.1:1812 length 75
(12) User-Name = "bruno"
(12) User-Password = "boss123"
(12) NAS-IP-Address = 127.0.1.1
(12) NAS-Port = 0
(12) Message-Authenticator = 0x3b4dfe0ce0361b2f0cf1fba6839c7b45
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "bruno", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: No EAP-Message, not doing EAP
(12) [eap] = noop
(12) files: users: Matched entry bruno at line 221
(12) [files] = ok
(12) [expiration] = noop
(12) [logintime] = noop
(12) [pap] = updated
(12) } # authorize = updated
(12) Found Auth-Type = PAP
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) Auth-Type PAP {
(12) pap: Login attempt with password
(12) pap: Comparing with "known good" Cleartext-Password
(12) pap: User authenticated successfully
(12) [pap] = ok
(12) } # Auth-Type PAP = ok
(12) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(12) post-auth {
(12) update {
(12) No attributes updated
(12) } # update = noop
(12) [exec] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # post-auth = noop
(12) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:43242 length 0
(12) Tunnel-Type = VLAN
(12) Tunnel-Medium-Type = IEEE-802
(12) Tunnel-Private-Group-Id = "20"
(12) Finished request
Waking up in 4.9 seconds.
(12) Cleaning up request packet ID 52 with timestamp +1987
Ready to process requests

One more user check on the RADIUS server.
root@ubuntu:/home/sysop# radtest bruno boss123 localhost 0 testing123
Sent Access-Request Id 189 from 0.0.0.0:54931 to 127.0.0.1:1812 length 75
User-Name = "bruno"
User-Password = "boss123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "boss123"
Received Access-Accept Id 189 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"

RADIUS server clients.conf settings.
… only what I added myself
client SWITCH-01 {
ipaddr = 192.168.2.57
secret = kamisama123
}

RADIUS server users file settings.
… only what I added myself
bruno Cleartext-Password := "boss123"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 20

D-Link DGS switch settings (802.1x).
# 8021X
enable 802.1x
config 802.1x auth_mode port_based
config 802.1x auth_protocol radius_eap
config 802.1x fwd_pdu system enable
config 802.1x capability ports 1,17-28 none
config 802.1x capability ports 2-16 authenticator
config 802.1x auth_parameter ports 1-28 port_control auto
config 802.1x auth_parameter ports 1-28 direction both quiet_period 60 tx_period 30 supp_timeout 30 server_timeout 30 max_req 2 reauth_period 3600 enable_reauth disable
config radius add 1 192.168.2.1 key kamisama123 auth_port 1812 acct_port 1813 timeout 5 retransmit 2
create 802.1x guest_vlan v10
config 802.1x guest_vlan ports 9,10,11,12,13,14,15,16 state enable

DGS-1210-28/ME:5# show radius
Command: show radius

Index Ip Address Auth-Port Acct-Port Timeout Retransmit Key
(secs)
----- -------------------------- ------- ------- ------- ---------- ------
1 192.168.2.1 1812 1813 5 2 kamisama123

Total Entries : 1

DGS-1210-28/ME:5# show vlan
Command: show vlan

VID : 1 VLAN NAME : default
VLAN Type : Static
VLAN Advertisement : Disabled
Member Ports : 1,17-28
Tagged Ports :
Untagged Ports : 1,17-28
Forbidden Ports :

VID : 10 VLAN NAME : v10
VLAN Type : Static
VLAN Advertisement : Disabled
Member Ports : 9-16
Tagged Ports :
Untagged Ports : 9-16
Forbidden Ports :

VID : 20 VLAN NAME : v20
VLAN Type : Static
VLAN Advertisement : Disabled
Member Ports : 2-8
Tagged Ports :
Untagged Ports : 2-8
Forbidden Ports :

Total Entries : 3
  • Question asked
  • 315 views
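Added example, not part of the original question and not FreeRADIUS or D-Link code: a small pure-Python encoder/decoder for the RFC 2868 tunnel attributes that carry a dynamic VLAN assignment in an Access-Accept (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81), together with the check a switch performs before it moves a port: all three attributes present under the same tag, Tunnel-Type equal to VLAN (13), Tunnel-Medium-Type equal to IEEE-802 (6), and a numeric VLAN id. All constant and function names are my own. The `:0` that radtest prints is the tag byte; with tag 0 the string attribute carries no tag byte, which is consistent with the 36-byte Access-Accept above (20-byte header + 6 + 6 + 4).

```python
# RFC 2868 tunnel attributes used for dynamic VLAN assignment (example code,
# names are this example's own, not a FreeRADIUS or D-Link API).
TUNNEL_TYPE = 64              # tagged integer
TUNNEL_MEDIUM_TYPE = 65       # tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string
TUNNEL_TYPE_VLAN = 13         # value the users file above sets as "Tunnel-Type = 13"
TUNNEL_MEDIUM_IEEE_802 = 6    # value the users file above sets as "Tunnel-Medium-Type = 6"
TAGGED_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_tagged_int(attr_type, tag, value):
    """Type, Length=6, Tag, 3-byte big-endian value (tag byte is always present)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in 24 bits")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, [Tag], String. Tag 0 means 'untagged' and is omitted on the wire."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_assignment_avps(vlan_id, tag=0):
    """The three attributes a RADIUS server returns to put the port into vlan_id."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_avps(data):
    """Walk a RADIUS attribute list; returns (type, tag, value) tuples.

    Unknown attributes are returned raw with tag None. Malformed lengths raise
    instead of being silently skipped, since a switch must not act on them."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag; anything larger is part of the string.
            if body and body[0] <= 0x1F:
                tag, text = body[0], body[1:]
            else:
                tag, text = 0, body
            out.append((attr_type, tag, text.decode("ascii", "replace")))
        else:
            out.append((attr_type, None, body))
        i += length
    return out


def assigned_vlan(avps, known_vlans=None):
    """VLAN id the switch should apply, or None if the reply is incomplete.

    Groups the tunnel attributes by tag and accepts the first complete, consistent
    group. If known_vlans is given, the id must also exist on the switch (the
    'show vlan' output above lists 1, 10 and 20)."""
    by_tag = {}
    for attr_type, tag, value in avps:
        if attr_type in TAGGED_ATTRS:
            by_tag.setdefault(tag, {})[attr_type] = value
    for tag in sorted(by_tag):
        group = by_tag[tag]
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID]
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                if known_vlans is None or int(gid) in known_vlans:
                    return int(gid)
    return None


def access_accept_length(avp_bytes):
    """RADIUS packet length: 20-byte header (code, id, length, authenticator) + attributes."""
    return 20 + len(avp_bytes)


if __name__ == "__main__":
    avps = vlan_assignment_avps(20)
    print(avps.hex(), access_accept_length(avps))
    print(decode_avps(avps), assigned_vlan(decode_avps(avps), known_vlans={1, 10, 20}))
```

The `known_vlans` check is the part that is easy to forget: the reply can be perfectly formed and the port still stays where it was if the VID in Tunnel-Private-Group-Id has not been created on the switch, so comparing the attribute value against `show vlan` is the first thing to verify after confirming the Access-Accept itself.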
Answers to the question: 1
@tamogavk
@deni4ka
Well, you hang the needed VLAN on the port and in the authenticate settings you hang the guest one, or do you need to carve out the VLAN depending on the user?
Answer posted