Procurve Radius Server Anbindung: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
||
| (18 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| + | =Freeradius= | ||
| + | *head -3 /etc/freeradius/users | ||
| + | 60eb69962da5 Cleartext-Password := "60eb69962da5" | ||
| + | xinux Cleartext-Password := "suxer" | ||
| + | rudi Cleartext-Password := "wiggel" | ||
| + | *tail -8 /etc/freeradius/clients.conf | ||
| + | client lan-clients { | ||
| + | ipaddr = 192.168.240.0 | ||
| + | netmask = 21 | ||
| + | secret = sysadm | ||
| + | require_message_authenticator = no | ||
| + | nastype = other | ||
| + | } | ||
| + | |||
=Radius Server Einrichten= | =Radius Server Einrichten= | ||
*configure terminal | *configure terminal | ||
| Zeile 4: | Zeile 18: | ||
*radius-server key sysadm | *radius-server key sysadm | ||
*end | *end | ||
| − | = | + | =Radius Server Status anzeigen= |
| − | * | + | *show radius |
| − | + | <pre> | |
| − | + | Status and Counters - General RADIUS Information | |
| + | |||
| + | Deadtime(min) : 0 | ||
| + | Timeout(secs) : 5 | ||
| + | Retransmit Attempts : 3 | ||
| + | Global Encryption Key : sysadm | ||
| + | |||
| + | Auth Acct | ||
| + | Server IP Addr Port Port Encryption Key | ||
| + | --------------- ----- ----- -------------------------------- | ||
| + | 192.168.244.49 1812 1813 | ||
| + | </pre> | ||
| + | |||
=Set general port-access Parameters= | =Set general port-access Parameters= | ||
*configure terminal | *configure terminal | ||
| Zeile 14: | Zeile 40: | ||
*aaa authentication console login radius local | *aaa authentication console login radius local | ||
*aaa authentication console enable radius local | *aaa authentication console enable radius local | ||
| + | =Automatisch im Privmode= | ||
*aaa authentication login privilege-mode | *aaa authentication login privilege-mode | ||
| + | ==wenn Service-Type 6 am radiusserver gesetzt ist== | ||
| + | DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net" | ||
| + | Service-Type = 6, | ||
| + | DEFAULT Auth-Type := Reject | ||
| + | |||
| + | =Authentifizierungseinstellungen anzeigen= | ||
| + | *show authentication | ||
| + | <pre> | ||
| + | Status and Counters - Authentication Information | ||
| + | |||
| + | Login Attempts : 3 | ||
| + | Respect Privilege : Disabled | ||
| + | |||
| + | | Login Login Enable Enable | ||
| + | Access Task | Primary Secondary Primary Secondary | ||
| + | ----------- + ---------- ---------- ---------- ---------- | ||
| + | Console | Radius Local Radius Local | ||
| + | Telnet | Local None Local None | ||
| + | Port-Access | EapRadius | ||
| + | Webui | Local None Local None | ||
| + | SSH | Radius Local Radius Local | ||
| + | Web-Auth | ChapRadius | ||
| + | MAC-Auth | ChapRadius | ||
| + | </pre> | ||
| + | |||
| + | =Generelle Parameter= | ||
| + | *configure terminal | ||
| + | *aaa authentication port-access eap-radius | ||
*end | *end | ||
=Macbased Access= | =Macbased Access= | ||
*configure terminal | *configure terminal | ||
*aaa port-access mac-based 22 | *aaa port-access mac-based 22 | ||
| + | =Config anzeigen= | ||
| + | *show port-access ethernet 22 mac-based config | ||
| + | <pre> | ||
| + | Port Access MAC-Based Configuration | ||
| + | |||
| + | MAC Address Format : no-delimiter | ||
| + | |||
| + | Client Client Logoff Re-Auth Unauth Auth | ||
| + | Port Enabled Limit Moves Period Period VLAN ID VLAN ID | ||
| + | ----- -------- ------ ------ --------- --------- -------- -------- | ||
| + | 22 Yes 2 No 300 0 0 0 | ||
| + | </pre> | ||
| + | =Clients anzeigen= | ||
| + | ==Nicht erfolgreich== | ||
| + | *show port-access ethernet 22 mac-based | ||
| + | <pre> | ||
| + | Port Access MAC-Based Status | ||
| + | |||
| + | Authenticated Unauthenticated Current | ||
| + | Port Clients Clients VLAN ID | ||
| + | ----- ------------- --------------- -------- | ||
| + | 22 0 1 10 | ||
| + | </pre> | ||
| + | *show port-access ethernet 22 mac-based clients | ||
| + | <pre> | ||
| + | Port Access MAC-Based Client Status | ||
| + | |||
| + | Port MAC Address Session Status Time | ||
| + | ----- ------------- --------------------- -------- | ||
| + | 22 00040e-0b182d rejected-no vlan 3 secs | ||
| + | </pre> | ||
| + | |||
| + | ==Erfolgreich== | ||
| + | *show port-access ethernet 22 mac-based | ||
| + | <pre> | ||
| + | Port Access MAC-Based Status | ||
| + | |||
| + | Authenticated Unauthenticated Current | ||
| + | Port Clients Clients VLAN ID | ||
| + | ----- ------------- --------------- -------- | ||
| + | 22 1 0 10 | ||
| + | </pre> | ||
| + | *show port-access ethernet 22 mac-based clients | ||
| + | <pre> | ||
| + | Port Access MAC-Based Client Status | ||
| + | |||
| + | Port MAC Address Session Status Time | ||
| + | ----- ------------- --------------------- -------- | ||
| + | 22 60eb69-962da5 authenticated 2 mins | ||
| + | |||
| + | </pre> | ||
| + | =Mehrere Ports Mackontrolle über Radius= | ||
| + | *aaa port-access mac-based ethernet 21-24 | ||
=Links= | =Links= | ||
*http://wiki.freeradius.org/vendor/HP#port-authentication-mechanisms | *http://wiki.freeradius.org/vendor/HP#port-authentication-mechanisms | ||
| + | *http://wiki.freeradius.org/guide/mac-auth | ||
| + | *http://whp-aus2.cold.extweb.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap05-RADIUS.pdf?utm_source=affiliate&utm_medium=cpa&utm_campaign=adgoal+DE+%2528ehem.+oxono%2529&utm_content=0&jumpid=af_zky3rxgb21/site:adgoal+DE+%2528ehem.+oxono%2529 | ||
Aktuelle Version vom 23. Januar 2018, 16:06 Uhr
Freeradius
- head -3 /etc/freeradius/users
60eb69962da5 Cleartext-Password := "60eb69962da5" xinux Cleartext-Password := "suxer" rudi Cleartext-Password := "wiggel"
- tail -8 /etc/freeradius/clients.conf
client lan-clients {
ipaddr = 192.168.240.0
netmask = 21
secret = sysadm
require_message_authenticator = no
nastype = other
}
Radius Server Einrichten
- configure terminal
- radius-server host 192.168.244.49 auth-port 1812 acct-port 1813
- radius-server key sysadm
- end
Radius Server Status anzeigen
- show radius
Status and Counters - General RADIUS Information
Deadtime(min) : 0
Timeout(secs) : 5
Retransmit Attempts : 3
Global Encryption Key : sysadm
Auth Acct
Server IP Addr Port Port Encryption Key
--------------- ----- ----- --------------------------------
192.168.244.49 1812 1813
Set general port-access Parameters
- configure terminal
- aaa authentication ssh login radius local
- aaa authentication ssh enable radius local
- aaa authentication console login radius local
- aaa authentication console enable radius local
Automatisch im Privmode
- aaa authentication login privilege-mode
wenn Service-Type 6 am radiusserver gesetzt ist
DEFAULT Ldap-Group == "cn=switch,ou=groups,dc=xinux,dc=net"
Service-Type = 6,
DEFAULT Auth-Type := Reject
Authentifizierungseinstellungen anzeigen
- show authentication
Status and Counters - Authentication Information
Login Attempts : 3
Respect Privilege : Disabled
| Login Login Enable Enable
Access Task | Primary Secondary Primary Secondary
----------- + ---------- ---------- ---------- ----------
Console | Radius Local Radius Local
Telnet | Local None Local None
Port-Access | EapRadius
Webui | Local None Local None
SSH | Radius Local Radius Local
Web-Auth | ChapRadius
MAC-Auth | ChapRadius
Generelle Parameter
- configure terminal
- aaa authentication port-access eap-radius
- end
Macbased Access
- configure terminal
- aaa port-access mac-based 22
Config anzeigen
- show port-access ethernet 22 mac-based config
Port Access MAC-Based Configuration
MAC Address Format : no-delimiter
Client Client Logoff Re-Auth Unauth Auth
Port Enabled Limit Moves Period Period VLAN ID VLAN ID
----- -------- ------ ------ --------- --------- -------- --------
22 Yes 2 No 300 0 0 0
Clients anzeigen
Nicht erfolgreich
- show port-access ethernet 22 mac-based
Port Access MAC-Based Status
Authenticated Unauthenticated Current
Port Clients Clients VLAN ID
----- ------------- --------------- --------
22 0 1 10
- show port-access ethernet 22 mac-based clients
Port Access MAC-Based Client Status Port MAC Address Session Status Time ----- ------------- --------------------- -------- 22 00040e-0b182d rejected-no vlan 3 secs
Erfolgreich
- show port-access ethernet 22 mac-based
Port Access MAC-Based Status
Authenticated Unauthenticated Current
Port Clients Clients VLAN ID
----- ------------- --------------- --------
22 1 0 10
- show port-access ethernet 22 mac-based clients
Port Access MAC-Based Client Status Port MAC Address Session Status Time ----- ------------- --------------------- -------- 22 60eb69-962da5 authenticated 2 mins
Mehrere Ports Mackontrolle über Radius
- aaa port-access mac-based ethernet 21-24
Links
- http://wiki.freeradius.org/vendor/HP#port-authentication-mechanisms
- http://wiki.freeradius.org/guide/mac-auth
- http://whp-aus2.cold.extweb.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap05-RADIUS.pdf?utm_source=affiliate&utm_medium=cpa&utm_campaign=adgoal+DE+%2528ehem.+oxono%2529&utm_content=0&jumpid=af_zky3rxgb21/site:adgoal+DE+%2528ehem.+oxono%2529