I. Functional requirements

Control the network access rights of authenticated users: once a user has passed authentication, forbid or permit that user to reach certain specific resources.

II. Configuration key points

1. For deployments of our company's devices, or where the SA client with 1x (802.1X) authentication is used, deploy with Ruijie private ACLs.

2. For pre-sales testing, the ACL can be delivered through a Cisco vendor-specific attribute; this scheme delivers it in Cisco's vendor-specific RADIUS attribute number 1 and is not recommended for production deployment.
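As an added illustration that is not part of this document or of SMP, the following Python builds the RADIUS Vendor-Specific attributes that carry a downloadable ACL in Cisco's cisco-avpair (vendor ID 9, vendor-type 1, the "attribute 1" referred to above) using the ip:inacl#N=<ace> convention, and parses them back while rejecting attributes with bad length fields. The ACL entries are constructed sample values; the host address is the portal server that appears in this page's device configurations.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type 1 = cisco-avpair, the "attribute 1" referred to above

# Sample ACL (constructed; the host is the portal server address used on this page)
SAMPLE_ACL = [
    "permit ip any host 56.0.19.165",
    "deny ip any any",
]

def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-avpair string in a RADIUS Vendor-Specific attribute."""
    payload = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:          # the attribute length field is a single byte
        raise ValueError("avpair too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_downloadable_acl(aces) -> bytes:
    """Emit one ip:inacl#N=<ace> avpair per entry, N starting at 1."""
    return b"".join(encode_cisco_avpair(f"ip:inacl#{i}={ace}")
                    for i, ace in enumerate(aces, start=1))

def decode_inacl(attrs: bytes) -> list:
    """Return the ACEs carried in ip:inacl# avpairs, in index order.
    Length fields are checked so a truncated or oversized attribute
    raises instead of being parsed past its bounds."""
    aces = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            if (vendor_id, vtype, vlen) == (CISCO_VENDOR_ID, CISCO_AVPAIR, alen - 6):
                text = attrs[pos + 8:pos + alen].decode("ascii", errors="replace")
                if text.startswith("ip:inacl#") and "=" in text:
                    idx, ace = text[9:].split("=", 1)
                    if idx.isdigit():
                        aces[int(idx)] = ace
        pos += alen
    return [aces[k] for k in sorted(aces)]
```

The Cisco switch configuration later on this page turns on recognition of such VSAs with radius-server vsa send authentication; the Ruijie AC does the equivalent with radius vendor-specific extend.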

III. SMP configuration steps

1. Enter the SMP configuration interface and click "Manage User Templates" > "Network Access Control" to reach the "Add Network Access Control List" page;

2. Edit the "Network User ACL Authorization" function and add the ACL to be delivered directly there.

IV. Cisco private ACL: Ruijie device configuration

Wireless AC device configuration

AC1#sh run


Building configuration...

Current configuration : 4323 bytes


!

version RGOS 10.4(1b17), Release(73027)(2012年10月16日 21:37:14 CST -diabloneo-laptop)

hostname AC1

localeap eap-gtc pap-forward

localeap cert-key serverkey.pem password ruijie

localeap cert servercert.pem

!

aaa new-model

!

!

!

aaa accounting network default start-stop group radius

aaa authorization network default group radius

aaa authentication login default local none

aaa authentication dot1x default group radius

aaa authentication dot1x localeap group radius

aaa authentication web-auth default group radius

!

!

!

nfpp

!

!

vlan-group 1

 vlan-list 200,255

 default-vlan 200

 vlan-assign-mode dot1x

!

vlan 1

!

vlan 200

!

vlan 255

!

vlan 256

!

vlan 257

!

!

username admin password admin

username admin privilege 15

no service password-encryption

service dhcp

ip fragment-quota 200

ip http authentication local

!

!

!

!

!

!

!

!

!

link-check disable

!

!

!

portal-server eportalv2 ip 56.0.19.165 url http://56.0.19.165/eportal/index.jsp

web-auth direct-host 56.0.174.254

web-auth portal key ruijie

web-auth portal eportalv2

http redirect direct-site 56.0.19.165 arp

http redirect direct-site 56.0.174.254

http redirect port 8081

!

wlan-config 1 ruijie_web

 no enable-qos

 enable-broad-ssid

!

!

wlan-config 2 ruijie_dot1x

 no enable-qos

 enable-broad-ssid

!

!

wlan-config 4 open

 no enable-qos

 enable-broad-ssid

!

!

ap-group dot1

!

!

ap-group open

 interface-mapping 4 255

!

!

ap-group 1

 interface-mapping 2 group 1

!

!

ap-group web

 interface-mapping 1 255

!

!

ap-group dot1x

 interface-mapping 2 257

!

!

ap-group default

!

!

ap-config all

 antenna receive 7 radio 1

 antenna receive 7 radio 2

 antenna transmit 5 radio 1

 antenna transmit 5 radio 2

!

!

!

!

!

ac-controller

 country CN

 802.11g network rate 1 mandatory

 802.11g network rate 2 mandatory

 802.11g network rate 5 mandatory

 802.11g network rate 11 mandatory

 802.11g network rate 6 supported

 802.11g network rate 9 supported

 802.11g network rate 12 supported

 802.11g network rate 18 supported

 802.11g network rate 24 supported

 802.11g network rate 36 supported

 802.11g network rate 48 supported

 802.11g network rate 54 supported

 802.11b network rate 1 mandatory

 802.11b network rate 2 mandatory

 802.11b network rate 5 mandatory

 802.11b network rate 11 mandatory

 802.11a network rate 6 mandatory

 802.11a network rate 9 supported

 802.11a network rate 12 mandatory

 802.11a network rate 18 supported

 802.11a network rate 24 mandatory

 802.11a network rate 36 supported

 802.11a network rate 48 supported

 802.11a network rate 54 supported

 ap-serial AP220-I AP220-I hw-ver 1.x

 ac-name AC1

!

radius vendor-specific extend

radius-server host 56.0.19.164 key ruijie

enable secret 5 $1$hdsg$r5Cx8A0w48CC25Ey

enable service web-server

!

!

!

!

!

wids

 countermeasures enable

 countermeasures interval 100

 device attack mac-address 821a.a916.95ba

 device attack mac-address 0026.cb81.6c91

 device attack mac-address 0026.cb81.6c9e

!

dot1x authentication default

dot1x eapol-tag

interface GigabitEthernet 0/1

 switchport access vlan 255

!

interface GigabitEthernet 0/2

!

interface GigabitEthernet 0/3

!

interface GigabitEthernet 0/4

 switchport access vlan 257

!

interface GigabitEthernet 0/5

!

interface GigabitEthernet 0/6

!

interface GigabitEthernet 0/7

!

interface GigabitEthernet 0/8

 switchport mode trunk

!

interface Loopback 0

 ip address 5.5.5.5 255.255.255.255

!

interface VLAN 255

 no ip proxy-arp

 ip address 56.0.174.249 255.255.255.240

!

interface VLAN 256

 no ip proxy-arp

 ip address 56.0.174.226 255.255.255.240

!

interface VLAN 257

 no ip proxy-arp

 ip address 56.0.174.194 255.255.255.224

!

!

!

!

!

!

!

!

!

!

!

!

wlansec 1

 web-auth portal eportalv2

 webauth

!

!

wlansec 2

 security rsn enable

 security rsn ciphers aes enable

 security rsn akm 802.1x enable

 dot1x authentication localeap

!

!

!

!

ip route 0.0.0.0 0.0.0.0 56.0.174.250

ip route 192.168.0.0 255.255.255.0 56.0.174.250

!

!

snmp-server host 56.0.19.156 traps version 2c ruijie

snmp-server enable traps

snmp-server community ruijie rw

line con 0

 speed 115200

line vty 0 4

 exec-timeout 0 0

 speed 115200

!

!

end

AC1#


V. Cisco private ACL: Cisco device configuration

Switch#sh run

Building configuration...


Current configuration : 5975 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

!

aaa new-model

!

!

aaa group server radius default

 server 56.0.19.164 auth-port 1812 acct-port 1813

!

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting update periodic 1

aaa accounting dot1x default start-stop group radius

aaa accounting network default start-stop group radius

!

!

!

aaa session-id common

switch 1 provision ws-c3750g-24ts-1u

system mtu routing 1500

ip subnet-zero

!

!

!

mls qos

dot1x system-auth-control

!

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

class-map match-all cmap-ruijie

 match access-group 1

!

!

policy-map ruijie

policy-map pmap-ruijie

 class cmap-ruijie

  police 1000000 8192 exceed-action drop

policy-map policy-map-ruijie

!

!

!

!

interface GigabitEthernet1/0/1

 switchport mode access

 authentication port-control auto

 dot1x pae authenticator

!

interface GigabitEthernet1/0/2

 switchport trunk encapsulation dot1q

 switchport mode trunk

!

interface GigabitEthernet1/0/3

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/4

 switchport access vlan 255

 switchport mode access

!        

interface GigabitEthernet1/0/5

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/6

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/7

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/8

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/9

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/10

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/11

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/12

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/13

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/14

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/15

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/16

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/17

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/18

 switchport access vlan 255

!

interface GigabitEthernet1/0/19

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/20

!

interface GigabitEthernet1/0/21

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/22

 switchport access vlan 255

 switchport mode access

!        

interface GigabitEthernet1/0/23

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/24

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/25

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/26

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/27

 switchport access vlan 255

 switchport mode access

!

interface GigabitEthernet1/0/28

 switchport access vlan 255

 switchport mode access

!

interface Vlan1

 no ip address

!

interface Vlan199

 ip address 56.1.2.250 255.255.255.0

!

interface Vlan255

 ip address 56.0.174.246 255.255.255.240

!

ip default-gateway 56.0.174.250

ip classless

ip route 0.0.0.0 0.0.0.0 56.0.174.250

ip http server

!

!

!

!

snmp-server community ruijie RW

snmp-server community public RW

radius-server host 56.0.19.164 auth-port 1812 acct-port 1813 key ruijie

radius-server key ruijie

radius-server vsa send authentication

!

control-plane

!

!

line con 0

line vty 5 15

!

end