Switch + Windows IAS + Windows AD can be combined to implement 802.1x authentication, and VLAN assignment can be controlled per username: with no account, no VLAN is assigned, so no IP address is obtained either. No matter how a PC is plugged into the network, without a valid account it cannot log onto the network.
802.1x can be implemented with two authentication methods. One is MD5, a challenge/response method; with it, after logging into the system the user has to enter the authentication account and password a second time. The other is PEAP, supported by Microsoft, which authenticates with a single logon and is therefore transparent to the user.
Cisco has configuration documents on this that you can look up. The Cisco part only configures the switch as a RADIUS client; the policy is defined on Windows IAS (Microsoft also has some official documentation).
At present the only large domestic enterprise using this is TSMC (台机电); I have also implemented it successfully at our company, and the result is very good: it greatly improves the security of the whole network.
This is written rather briefly, please bear with me; it is only meant to give some ideas and information about a new technique. If you have questions, ask me again. Thanks.
Step 1: If you do not already have an Active Directory environment set up, you will need to install a Windows 2000 server and configure Active Directory on at least one server. Make sure your DNS servers are set up correctly to work with Active Directory.
Step 2: Install the Microsoft IAS service on the Domain Controller running Active Directory. IAS can be found on your Windows 2000 Server CD.
• From Control Panel go to Add/Remove Windows Components.
• Select the Networking Services option and click on the “Details” button to add a new network service.
• Select the Internet Authentication Service component to install.
Step 3: Define the IAS RADIUS clients that will authenticate to this IAS server. This will include all the Foundry devices that will be supporting 802.1X client authentication. Create a new IAS client entry for each Foundry device. Foundry devices can also have multiple IAS RADIUS servers defined to eliminate single points of failure.
• From the IAS management screen, right-click on Clients and select New Client.
• Enter the name of the device to give it a “Friendly Name” and select RADIUS as the protocol.
• Enter the IP Address or DNS Name of the Foundry device, select RADIUS Standard as the Client Vendor, check the “Client must always send the signature attribute in the request” option, and enter the shared secret that will be used to identify the Foundry device. This secret must be the same string used on the Foundry device to define the RADIUS server.
Step 4: Create a Remote Access Policy to govern access.
• From the IAS management screen, right-click on Remote Access Policies and select New Remote Access Policy.
• Enter a Policy Friendly Name to describe the policy.
• Select the Attribute Type to regulate access with. The one that makes the most sense for Foundry 802.1X Port Authentication is Day-and-Time-Restriction.
• Set the days and times that users are allowed to authenticate. This example allowed all days and times.
Step 5: Turn on Remote Access Logging.
• From the IAS management screen, select the Remote Access Logging option. On the right pane, right-click the Local File and select Properties.
• Under the “Settings” tab, select the desired logging features.
• Under the “Local File” tab, make sure the Log File Format is set to IAS Format and set the duration to keep the log entries for.
Step 6: Configure passwords to be stored in reversibly encrypted format to support EAP-MD5. This step is required because of the way passwords are handled by EAP-MD5.
• From the “Active Directory Users and Computers” menu option, right-click the name of your Active Directory domain and select Properties.
• From the Properties screen, select the “Group Policy” tab. Highlight the “Default Domain Policy” and click on the “Edit” button.
• Under the “Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy” tree, set the “Store password using reversible encryption…” to Enable.
Step 7: Enable “Dial-In” access and “Password Reversible Encryption” for user accounts.
• After the account is created, double-click on the user account to display the user account Properties.
• Under the “Dial-In” tab, click on the “Allow Access” radio button for Remote Access Permission.
• Under the “Account” tab, check the “Store password using reversible encryption” option.
CONFIGURE REMOTE ACCESS POLICY
Using the Remote Access Policies option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous step. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom. For example, if the Day-And-Time Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence.
• Right click Remote Access Policies and select New Remote Access Policy.
• Enter a Policy Friendly Name that describes the policy. Each Remote Access Policy will be matched to one VLAN Group. An example may be, “Allow - VLAN 10 Policy”. Select the “Next” button to continue.
New Remote Access Policy for VLAN Group
• The Conditions Window will be displayed. Select “Add” to add the condition that this policy will act on.
• Select the “Windows-Groups” attribute type and click on the “Add” button.
• The Groups window will be displayed. Click on the “Add” button and select the VLAN Group that matches this new policy. Only one VLAN Group should be associated with each policy.
• Select the “OK” and “Next” options in the next few screens to accept the group value.
Adding VLAN Group
• On the Edit Dial-In Profile screen, select the “IP” tab and check “Client may request an IP address” to support DHCP.
• On the Edit Dial-In Profile screen, select the “Advanced” tab. The current default parameters returned to the Foundry device should be Service-Type and Framed-Protocol.
• Select the “Add” button to add the additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.
Connection Attributes Screen
• The RADIUS Attribute screen is displayed. From this list, three RADIUS attributes will be added:
o Tunnel-Medium-Type
o Tunnel-Pvt-Group-ID
o Tunnel-Type
Tunnel-Medium-Type
• Select Tunnel-Medium-Type and click on the “Add” button.
• On the Multivalued Attribute Information screen, click on the “Add” button.
• The Enumerable Attribute Information screen is displayed. Select the “802” value from the Attribute Value drop down box.
• Select “OK” to accept the value.
• Return to the RADIUS Attribute Screen
Tunnel-Pvt-Group-ID
• Select Tunnel-Pvt-Group-ID and click on the “Add” button.
• On the Multivalued Attribute Information screen, click on the “Add” button.
• The Attribute Information screen is displayed. Enter the correct VLAN ID or Name for this policy. Users belonging to the VLAN Group specified in this policy will be assigned to the VLAN ID specified.
• Select “OK” to accept the value.
• Return to the RADIUS Attribute Screen
Tunnel-Type
• Select Tunnel-Type and click on the “Add” button.
• On the Multivalued Attribute Information screen, click on the “Add” button.
• The Enumerable Attribute Information screen is displayed. Select the Virtual LANs (VLAN) option from the Attribute Value drop down box.
• Select “OK” to accept the value.
• Return to the RADIUS Attribute Screen and select the “Close” button.
The 802.1X authentication architecture has three parts:
1. Supplicant System, the client (PC / network device)
Supplicant System: the Client is the device (such as a PC) that needs to attach to the LAN and use the services the switch provides. The client must support the EAPOL protocol and must run 802.1X client software, e.g. an 802.1X-compliant client, Microsoft Windows XP.
2. Authenticator System, the authentication system
Authenticator System: the Switch (edge switch or wireless access device) is the device that controls physical access according to the client's authentication state; the switch acts as a proxy between the client and the authentication server. The switch talks to the client over EAPOL, and to the authentication server over EAP over RADIUS, or EAP carried on another higher-layer protocol, so that it can cross a complex network to reach the Authentication Server (EAP Relay). The switch asks the client for its identity and, on receiving it, carries the EAP packet inside a RADIUS-format packet to the authentication server; the return direction works the same way. The switch then enables or disables the port according to the authentication result.
3. Authentication Server System, the authentication server
Authentication Server: performs the actual authentication of the client. It verifies the client's identity and tells the switch whether to allow the client access to the LAN and to the services the switch provides. The Authentication Server receives the authentication request relayed by the Authenticator and, once authentication completes, sends the result back to the Authenticator, which finishes the management of the port. Because EAP is quite flexible, besides the port state defined by IEEE 802.1x the Authentication Server can in practice also authenticate and push down further user-related information, such as VLAN, QoS, encryption/authentication keys, DHCP responses and so on.
The basic authentication process:
1. Before authentication succeeds, the channel state is unauthorized and only EAPOL 802.1X authentication frames can pass;
2. When authentication succeeds, the channel state switches to authorized, and user information can then be passed down from the remote authentication server, such as VLAN, CAR parameters, priority, the user's access control list and so on;
3. After authentication succeeds, the user's traffic is governed by the above parameters and the channel passes any frame. Note that processes such as DHCP only take place after authentication has succeeded.
Introduction to the EAPOL protocol
1. IEEE 802.1x defines a port-based network access control protocol; note that it applies only to point-to-point connections between the access device and the access port. To establish communication over a point-to-point link, each end of the PPP link must first send LCP packets to configure the data link during the link establishment phase. Once the link is established, and before entering the network-layer protocols, PPP provides an optional authentication phase. EAPOL is PPP's extensible authentication protocol.
2. Below is a typical PPP frame format:
|Flag|Address|Control|Protocol|Information|
When the Protocol field of the PPP frame indicates protocol type C227 (PPP EAP), the Information field of the PPP data-link frame encapsulates a PPP EAP packet and nothing else, indicating that PPP's Extensible Authentication Protocol, EAP, is being applied. From this point on, the Information field carrying the EAP packet takes over the whole of the next authentication step; all further EAP authentication goes through it.
3. A typical EAP authentication is divided into request, response, and success or failure phases; in each phase the packets are carried by the EAP packet in the Information field.
The EAP packet format is:
|Code|Identifier|Length|Data|
1) The Code field is one byte and indicates the type of EAP packet. The EAP Code values and their meanings are:
Code=1 → Request
Code=2 → Response
Code=3 → Success
Code=4 → Failure
2) The Identifier field is one byte and helps match requests with responses: every request should have a corresponding response, and the Identifier field is what establishes that correspondence; packets with the same Identifier match.
3) The Length field is two bytes and gives the length of the EAP packet, including the Code, Identifier, Length and Data fields. Bytes beyond the range given by Length should be treated as data-link-layer padding and ignored on receipt.
4) The Data field is zero or more bytes; its format is determined by the value of Code.
When Code is 1 or 2, the packet format is:
|Code|Identifier|Length|Type|Type-Data|
The Type field is explained as follows:
The Type field has six values in total. The first three are considered special-case Types; the remaining Types define the authentication exchange. The Nak type is valid only in Response packets and must not be sent in a Request.
Type=1 → Identity
Type=2 → Notification
Type=3 → Nak (Response only)
Type=4 → MD5-Challenge
Type=5 → One-Time Password (OTP)
Type=6 → Generic Token Card
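The EAP framing just described, as an added example that is not part of the original post: a builder and a parser that enforce the rules the text states (Length covers the whole packet, bytes beyond Length are padding, a Response is matched to its Request by Identifier, Nak is valid only in a Response), plus the EAP-MD5 response computation from RFC 3748, which shows why Step 6 earlier has to store passwords reversibly. The sample packets are constructed.

```python
"""EAP framing as laid out above: Code | Identifier | Length | Type | Type-Data.
Added example, not from the original post; the sample packets are constructed."""
import hashlib
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NOTIFICATION, NAK, MD5_CHALLENGE, OTP, GTC = 1, 2, 3, 4, 5, 6

def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Length counts Code, Identifier, Length and Data, as the text states."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(frame):
    """Return (code, identifier, eap_type, type_data); bytes beyond Length are padding."""
    if len(frame) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("Length field inconsistent with received frame")
    if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        raise ValueError("unknown Code")
    data = frame[4:length]
    if code in (SUCCESS, FAILURE):
        return code, ident, None, data      # no Type field in Success/Failure
    if not data:
        raise ValueError("Request/Response must carry a Type")
    eap_type, type_data = data[0], data[1:]
    if eap_type == NAK and code != RESPONSE:
        raise ValueError("Nak is valid only in a Response")
    return code, ident, eap_type, type_data

def is_valid_eap(frame):
    try:
        return parse_eap(frame) is not None
    except ValueError:
        return False

def response_matches(request, response):
    """Authenticator check: accept a Response only if its Identifier equals the Request's."""
    rc, rid, _, _ = parse_eap(request)
    sc, sid, _, _ = parse_eap(response)
    return rc == REQUEST and sc == RESPONSE and rid == sid

def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 Response value (RFC 3748): MD5(Identifier | password | challenge).
    The server recomputes this, which is why Step 6 stores passwords reversibly."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()
```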