1. The test topology for using dot1x to control L2L VPN traffic is as follows:
Reference link:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vpn_ac_802_1x.html
2. Basic idea of this lab:
A. Configure a Site-to-Site VPN between the branch and headquarters, and enable a DHCP server and dot1x authentication on the branch router.
B. DHCP hands out addresses from different pools depending on whether the client has passed dot1x authentication.
C. The VPN interesting-traffic ACL excludes the DHCP pool used by clients that have not passed dot1x authentication.
D. As a result, only users who have passed dot1x authentication can reach the headquarters internal network.
--- Note that the device between the branch clients and the router cannot be a switch; it must be a hub. Cisco's explanation:
Note: If there is a switch located between the router and the supplicant (client PC), the EAPOL frames will not reach the router because the switch discards them.
A supplicant is an entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator that is attached to the other end of that link.
--- If a switch is what connects to the router, DHCP and dot1x can instead be enabled on the switch, which then assigns different addresses according to authentication state; the idea is the same as on the router.
3. Basic configuration:
A. Center router:
interface Loopback0
ip address 10.1.2.1 255.255.255.0
ip nat inside
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
ip nat outside
no shut
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
ip access-list extended nat
deny ip host 10.1.1.100 host 1.1.1.1
deny ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255 (wildcard 0.0.255.255 covers both 10.1.1.0/24 and 10.1.2.0/24, matching the Branch-side entry)
permit ip any any
ip nat inside source list nat interface Ethernet0/0 overload
B. Internet router:
interface Loopback0
ip address 61.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
C. Branch router:
interface Loopback0
ip address 172.16.1.1 255.255.255.0
ip nat inside
interface Loopback1
ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
ip address 202.100.2.1 255.255.255.0
ip nat outside
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip access-list extended nat
deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
ip nat inside source list nat interface Ethernet0/0 overload
D. Inside and Inside2 routers:
Not configured for now.
4. Site-to-Site VPN configuration:
A. Center router:
① Phase 1 policy:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.1
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (the page repeats the transform-set line here; the ACL below is reconstructed as the mirror image of the NAT exemption above):
ip access-list extended vpn
permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
④ Configure and apply the crypto map:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.1
set transform-set transet
match address vpn
interface Ethernet0/0
crypto map crymap
B. Branch router:
① Phase 1 policy:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (the page repeats the transform-set line here; the ACL below is reconstructed as the mirror image of the NAT exemption above, so the unauthenticated 172.16.1.0/24 pool is never interesting traffic):
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
④ Configure and apply the crypto map:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address vpn
interface Ethernet0/0
crypto map crymap
5. dot1x configuration on the Branch router:
A. Enable AAA, configure the RADIUS server and test it:
aaa new-model
aaa authentication login noacs line none
line con 0
login authentication noacs (applies the noacs list to the console so aaa new-model cannot lock it out; this line is not on the original page)
logging synchronous
radius-server host 10.1.1.100 auth-port 1645 acct-port 1646 key cisco
ip radius source-interface loopback1 (testing showed the Loopback1 source was unreliable, with RADIUS traffic sometimes leaking to the public network; changing the source to the internal E0/1 interface fixed the problem)
Branch#test aaa group radius xll cisco new-code
Trying to authenticate with Servergroup radius
User successfully authenticated
B. Configure dot1x authentication:
① dot1x can only use RADIUS as its authentication method:
aaa authentication dot1x default group radius
② Configure the DHCP address pools (private for authenticated clients, public for unauthenticated ones):
ip dhcp pool private
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 0 2
ip dhcp pool public
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
③ Authenticator-side dot1x configuration on the router:
identity profile default
template Virtual-Template1
dot1x system-auth-control (enable dot1x globally)
interface Virtual-Template1
ip unnumbered Loopback0
ip access-group control.vpn in (filters traffic entering the virtual-template interface, where unauthenticated clients land)
ip nat inside
ip access-list extended control.vpn
deny ip 172.16.1.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip any any
interface e0/1
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period 36000
dot1x reauthentication
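To check that the Branch router's ACLs really enforce step C of the lab design, here is an added Python example (my own code, not part of the original post or the Cisco document it references). It evaluates IOS-style extended ACLs with wildcard masks, first-match semantics and the implicit deny, then runs the page's control.vpn and NAT ACLs against the two client addresses seen in the test section. The function and constant names (wildcard_covers, parse_ace, evaluate, branch_decision, VPN_INTERESTING) are mine, and the crypto map's vpn ACL is assumed to mirror the NAT-exempt entry, since the page does not show it. The example also demonstrates the wildcard pitfall in this design: 10.1.0.0 0.0.0.255 covers only 10.1.0.0/24 and would miss the 10.1.2.1 loopback, while 0.0.255.255 covers the whole 10.1.0.0/16.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Ace:
    """One extended access-control entry of the form '<permit|deny> ip <src> <dst>'."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def wildcard_covers(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)


def _addr_spec(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (net, wildcard, next index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse the 'permit/deny ip ...' form used in this lab (protocol ip only, no ports)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported ACE: %r" % line)
    src, src_wc, i = _addr_spec(tok, 2)
    dst, dst_wc, _ = _addr_spec(tok, i)
    return Ace(tok[0], src, src_wc, dst, dst_wc)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for ace in acl:
        if wildcard_covers(src, ace.src, ace.src_wc) and wildcard_covers(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# ACLs transcribed from the Branch router configuration on this page.
CONTROL_VPN = [parse_ace(l) for l in (
    "deny ip 172.16.1.0 0.0.0.255 10.1.0.0 0.0.255.255",   # unauthenticated pool -> HQ is blocked
    "permit ip any any",
)]
BRANCH_NAT = [parse_ace(l) for l in (
    "deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255",  # NAT exemption for VPN traffic
    "permit ip any any",
)]
# Assumption (the page does not show this ACL): the crypto map's 'vpn' ACL mirrors the NAT exemption.
VPN_INTERESTING = [parse_ace("permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255")]


def branch_decision(src: str, dst: str) -> Dict[str, bool]:
    """What the Branch router does with a client packet, in the order the lab's controls apply."""
    # control.vpn is applied inbound on Virtual-Template1 only, i.e. to clients that did not
    # authenticate and therefore hold a 172.16.1.0/24 address; authenticated clients on E0/1
    # never pass through it.
    on_virtual_template = wildcard_covers(src, "172.16.1.0", "0.0.0.255")
    forwarded = not (on_virtual_template and evaluate(CONTROL_VPN, src, dst) == "deny")
    nat_exempt = evaluate(BRANCH_NAT, src, dst) == "deny"
    interesting = evaluate(VPN_INTERESTING, src, dst) == "permit"
    return {
        "forwarded": forwarded,
        "nat_exempt": nat_exempt,
        "encrypted": forwarded and nat_exempt and interesting,
    }


if __name__ == "__main__":
    # Constructed flows matching the test section: 172.16.1.2 (no dot1x) and 192.168.1.3 (dot1x).
    for client in ("172.16.1.2", "192.168.1.3"):
        print(client, "-> 10.1.2.1", branch_decision(client, "10.1.2.1"))
    # Wildcard pitfall: 0.0.0.255 covers 10.1.0.0/24 only, so 10.1.2.1 would be missed.
    print(wildcard_covers("10.1.2.1", "10.1.0.0", "0.0.0.255"),
          wildcard_covers("10.1.2.1", "10.1.0.0", "0.0.255.255"))
```

Running the script shows the unauthenticated client dropped by control.vpn before it can reach headquarters, and the authenticated client both exempted from NAT and matched as interesting traffic, which is exactly the ordering (NAT before crypto map) the real router applies; if the NAT exemption and the vpn ACL ever disagree, the packet is translated to the public address first and silently never enters the tunnel.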
6. Testing:
A. Inside router:
The Inside router's interface is configured without authentication, so it obtains an address from 172.16.1.0/24:
Inside(config)#INT E0/0
Inside(config-if)#IP ADdress DHcp
Inside(config-if)#NO SH
Inside(config-if)#
*Mar 1 00:02:24.991: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Mar 1 00:02:25.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
*Mar 1 00:04:09.027: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 172.16.1.2, mask 255.255.255.0, hostname Inside
Inside#ping 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
B. Inside2 router:
Configure dot1x authentication (router acting as supplicant):
dot1x credentials basic-user (configure the router as an 802.1x client)
username xll
password 0 cisco
interface F0/0
ip address dhcp
dot1x pae supplicant (configure the router as an 802.1x client)
dot1x credentials basic-user (configure the router as an 802.1x client)
Because the router is configured for dot1x authentication, it obtains an address from the 192.168.1.0/24 pool:
Inside2(config-if)#
*Mar 1 00:28:27.623: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.3, mask 255.255.255.0, hostname Inside2
EAPOL packet capture screenshot:
Inside2#ping 10.1.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/71/156 ms
Inside2#
C. Tried connecting with a Windows 2003 virtual machine: it kept obtaining an address from the 172.16.1.0/24 range, and the dot1x authentication prompt never appeared.
--- Probably because there is a switch in the path of the VM's bridged network adapter; a packet capture at that point showed no EAPOL frames arriving at the router interface.