Cisco Access Registrar (AR) 3.0 supports the Lightweight Extensible Authentication Protocol (LEAP) (Cisco Wireless). This document shows how to configure the Aironet Client Utility (ACU) and Cisco Aironet 340, 350, or 1200 series access points (APs) for LEAP authentication against Cisco AR.
There are no specific prerequisites for this document.
The information in this document is based on these software and hardware versions:
Cisco Aironet 340, 350, or 1200 series access points
AP firmware 11.21 or later for Cisco LEAP
Cisco Aironet 340 or 350 series network interface cards (NICs)
Firmware version 4.25.30 or later for Cisco LEAP
Network Driver Interface Specification (NDIS) 8.2.3 or later for Cisco LEAP
Aironet Client Utility (ACU) version 5.02 or later
Cisco Access Registrar 3.0 or later, which is required to process and validate Cisco LEAP and MAC authentication requests
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
This section covers the basic Cisco LEAP configuration on the Cisco AR server, the AP, and the various clients.
Complete these steps to configure LEAP:
1. Change the ports on the Cisco AR server.
The AP sends RADIUS authentication on UDP port 1812 and accounting on UDP port 1813. Because Cisco AR listens on UDP ports 1645 and 1646 by default, you must configure Cisco AR to listen on UDP ports 1812 and 1813.
a. Issue the cd /radius/advanced/ports command.
b. Issue the add 1812 command to add port 1812.
c. If you plan to perform accounting, issue the add 1813 command to add port 1813.
d. Save the configuration, then restart the service.
2. Add the AP to the Cisco AR server with these commands:
cd /Radius/Clients
add ap350-1
cd ap350-1
set ipaddress 171.69.89.1
set sharedsecret cisco
3. Configure the WEP key session timeout with these commands:
Note: 802.1x specifies a reauthentication option. Cisco LEAP uses this option to time out the user's current WEP session key and issue a new WEP session key.
cd /Radius/Profiles
add ap-profile
cd ap-profile
cd attributes
set session-timeout 600
4. Create a user group that uses the profile added in step 3 with these commands:
cd /Radius/Usergroups
add ap-group
cd ap-group
set baseprofile ap-profile
Users in this user group inherit the profile and therefore receive the session timeout.
5. Create a user list and add users to the user group defined in step 4 with these commands:
cd /Radius/Userlists
add ap-users
cd ap-users
add user1
cd user1
set password cisco
set group ap-group
6. Create the local authentication and authorization service, which uses the UserService ap-userservice and has its service type set to eap-leap, with these commands:
cd /Radius/Services
add ap-localservice
cd ap-localservice
set type eap-leap
set UserService ap-userservice
7. Create the user service ap-userservice, which uses the user list defined in step 5, with these commands:
cd /Radius/Services
add ap-userservice
cd ap-userservice
set type local
set userlist ap-users
8. Set the default authentication and authorization services that Cisco AR uses to the service defined in step 6 with these commands:
cd /radius
set defaultauthenticationservice ap-localservice
set defaultauthorizationservice ap-localservice
9. Save and reload the configuration with these commands:
save
reload
Complete these steps to enable Cisco LEAP on the AP:
1. Browse to the AP.
2. From the Summary Status page, click Setup.
3. In the Services menu, click Security > Authentication Server.
4. From the 802.1x Protocol Version drop-down menu, select the 802.1x version that runs on this AP.
5. Enter the IP address of Cisco AR in the Server Name/IP text box.
6. Verify that the Server Type drop-down menu is set to RADIUS.
7. Change the Port text box to 1812. This is the correct port number to use with Cisco AR.
8. Enter the same shared secret that is configured on Cisco AR in the Shared Secret text box.
9. Select the EAP Authentication check box.
10. Modify the Timeout text box if desired. This is the timeout value for authentication requests sent to Cisco AR.
11. Click OK to return to the Security Setup screen.
12. If you also perform RADIUS accounting, verify that the port on the Accounting Setup page matches the port configured on Cisco AR (set to 1813).
13. Click Radio Data Encryption (WEP).
14. Configure the broadcast WEP key by typing a 40- or 128-bit key value in the WEP Key 1 text box.
15. Select the authentication types to use. Make sure that, at a minimum, the Network-EAP check box is selected.
16. Verify that the Use of Data Encryption drop-down menu is set to Optional or Full Encryption. Optional allows both non-WEP and WEP clients to use the same AP. Note that this is an insecure mode of operation. Use Full Encryption whenever possible.
17. Click OK to finish.
Complete these steps to configure the ACU:
1. Open the ACU.
2. Click Profile Manager on the toolbar.
3. Click Add to create a new profile.
4. Enter the profile name in the text box, then click OK.
5. Enter the appropriate Service Set Identifier (SSID) in the SSID1 text box.
6. Click Network Security.
7. Select LEAP from the Network Security Type drop-down menu.
8. Click Configure.
9. Configure the password settings as necessary.
10. Click OK.
11. Click OK on the Network Security screen.
Issue trace /r 5 to obtain trace output on Cisco AR. If AP debugging is required, you can Telnet to the AP and issue the eap_diag1_on and eap_diag2_on commands. The trace below shows one successful LEAP authentication of user1 through the AP ap1200-1 (10.48.86.230):
06/28/2004 16:31:49: P1121: Packet received from 10.48.86.230
06/28/2004 16:31:49: P1121: Checking Message-Authenticator
06/28/2004 16:31:49: P1121: Trace of Access-Request packet
06/28/2004 16:31:49: P1121: identifier = 5
06/28/2004 16:31:49: P1121: length = 146
06/28/2004 16:31:49: P1121: reqauth = e5:4f:91:27:0a:91:82:6b:a4:81:c1:cc:c8:11:86:0b
06/28/2004 16:31:49: P1121: User-Name = user1
06/28/2004 16:31:49: P1121: NAS-IP-Address = 10.48.86.230
06/28/2004 16:31:49: P1121: NAS-Port = 37
06/28/2004 16:31:49: P1121: Service-Type = Login
06/28/2004 16:31:49: P1121: Framed-MTU = 1400
06/28/2004 16:31:49: P1121: Called-Station-Id = 000d29e160f2
06/28/2004 16:31:49: P1121: Calling-Station-Id = 00028adc8f2e
06/28/2004 16:31:49: P1121: NAS-Identifier = frinket
06/28/2004 16:31:49: P1121: NAS-Port-Type = Wireless - IEEE 802.11
06/28/2004 16:31:49: P1121: EAP-Message = 02:02:00:0a:01:75:73:65:72:31
06/28/2004 16:31:49: P1121: Message-Authenticator = f8:44:b9:3b:0f:33:34:a6:ed:7f:46:2d:83:62:40:30
06/28/2004 16:31:49: P1121: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1121: Using Client: ap1200-1 (10.48.86.230)
06/28/2004 16:31:49: P1121: Using Client ap1200-1 (10.48.86.230) as the NAS
06/28/2004 16:31:49: P1121: Authenticating and Authorizing with Service ap-localservice
06/28/2004 16:31:49: P1121: Response Type is Access-Challenge, skipping Remote Session Management.
06/28/2004 16:31:49: P1121: Response Type is Access-Challenge, skipping Local Session Management.
06/28/2004 16:31:49: P1121: Adding Message-Authenticator to response
06/28/2004 16:31:49: P1121: Trace of Access-Challenge packet
06/28/2004 16:31:49: P1121: identifier = 5
06/28/2004 16:31:49: P1121: length = 61
06/28/2004 16:31:49: P1121: reqauth = 60:ae:19:8d:41:5e:a8:dc:4c:25:1b:8d:49:a3:47:c4
06/28/2004 16:31:49: P1121: EAP-Message = 01:02:00:15:11:01:00:08:66:27:c3:47:d6:be:b3:67:75:73:65:72:31
06/28/2004 16:31:49: P1121: Message-Authenticator = 59:d2:bc:ec:8d:85:36:0b:3a:98:b4:90:cc:af:16:2f
06/28/2004 16:31:49: P1121: Sending response to 10.48.86.230
06/28/2004 16:31:49: P1123: Packet received from 10.48.86.230
06/28/2004 16:31:49: P1123: Checking Message-Authenticator
06/28/2004 16:31:49: P1123: Trace of Access-Request packet
06/28/2004 16:31:49: P1123: identifier = 6
06/28/2004 16:31:49: P1123: length = 173
06/28/2004 16:31:49: P1123: reqauth = ab:f1:0f:2d:ab:6e:b7:49:9e:9e:99:00:28:0f:08:80
06/28/2004 16:31:49: P1123: User-Name = user1
06/28/2004 16:31:49: P1123: NAS-IP-Address = 10.48.86.230
06/28/2004 16:31:49: P1123: NAS-Port = 37
06/28/2004 16:31:49: P1123: Service-Type = Login
06/28/2004 16:31:49: P1123: Framed-MTU = 1400
06/28/2004 16:31:49: P1123: Called-Station-Id = 000d29e160f2
06/28/2004 16:31:49: P1123: Calling-Station-Id = 00028adc8f2e
06/28/2004 16:31:49: P1123: NAS-Identifier = frinket
06/28/2004 16:31:49: P1123: NAS-Port-Type = Wireless - IEEE 802.11
06/28/2004 16:31:49: P1123: EAP-Message = 02:02:00:25:11:01:00:18:5e:26:d6:ab:3f:56:f7:db:21:96:f3:b0:fb:ec:6b: a7:58:6f:af:2c:60:f1:e3:3c:75:73:65:72:31
06/28/2004 16:31:49: P1123: Message-Authenticator = 21:da:35:89:30:1e:e1:d6:18:0a:4f:3b:96:f4:f8:eb
06/28/2004 16:31:49: P1123: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1123: Using Client: ap1200-1 (10.48.86.230)
06/28/2004 16:31:49: P1123: Using Client ap1200-1 (10.48.86.230) as the NAS
06/28/2004 16:31:49: P1123: Authenticating and Authorizing with Service ap-localservice
06/28/2004 16:31:49: P1123: Calling external service ap-userservice for authentication and authorization
06/28/2004 16:31:49: P1123: Getting User user1's UserRecord from UserList ap-users
06/28/2004 16:31:49: P1123: User user1's MS-CHAP password matches
06/28/2004 16:31:49: P1123: Processing UserGroup ap-group's check items
06/28/2004 16:31:49: P1123: User user1 is part of UserGroup ap-group
06/28/2004 16:31:49: P1123: Merging UserGroup ap-group's BaseProfiles into response dictionary
06/28/2004 16:31:49: P1123: Merging BaseProfile ap-profile into response dictionary
06/28/2004 16:31:49: P1123: Merging attributes into the Response Dictionary:
06/28/2004 16:31:49: P1123: Adding attribute Session-Timeout, value = 600
06/28/2004 16:31:49: P1123: Merging UserGroup ap-group's Attributes into response Dictionary
06/28/2004 16:31:49: P1123: Merging attributes into the Response Dictionary:
06/28/2004 16:31:49: P1123: Removing all attributes except for EAP-Message from response - they will be sent back in the Access-Accept
06/28/2004 16:31:49: P1123: Response Type is Access-Challenge, skipping Remote Session Management.
06/28/2004 16:31:49: P1123: Response Type is Access-Challenge, skipping Local Session Management.
06/28/2004 16:31:49: P1123: Adding Message-Authenticator to response
06/28/2004 16:31:49: P1123: Trace of Access-Challenge packet
06/28/2004 16:31:49: P1123: identifier = 6
06/28/2004 16:31:49: P1123: length = 44
06/28/2004 16:31:49: P1123: reqauth = 28:2e:a3:27:c6:44:9e:13:8d:b3:60:01:7f:da:8b:62
06/28/2004 16:31:49: P1123: EAP-Message = 03:02:00:04
06/28/2004 16:31:49: P1123: Message-Authenticator = 2d:63:6a:12:fd:91:9e:7d:71:9d:8b:40:04:56:2e:90
06/28/2004 16:31:49: P1123: Sending response to 10.48.86.230
06/28/2004 16:31:49: P1125: Packet received from 10.48.86.230
06/28/2004 16:31:49: P1125: Checking Message-Authenticator
06/28/2004 16:31:49: P1125: Trace of Access-Request packet
06/28/2004 16:31:49: P1125: identifier = 7
06/28/2004 16:31:49: P1125: length = 157
06/28/2004 16:31:49: P1125: reqauth = 72:94:8c:34:4c:4a:ed:27:98:ba:71:33:88:0d:8a:f4
06/28/2004 16:31:49: P1125: User-Name = user1
06/28/2004 16:31:49: P1125: NAS-IP-Address = 10.48.86.230
06/28/2004 16:31:49: P1125: NAS-Port = 37
06/28/2004 16:31:49: P1125: Service-Type = Login
06/28/2004 16:31:49: P1125: Framed-MTU = 1400
06/28/2004 16:31:49: P1125: Called-Station-Id = 000d29e160f2
06/28/2004 16:31:49: P1125: Calling-Station-Id = 00028adc8f2e
06/28/2004 16:31:49: P1125: NAS-Identifier = frinket
06/28/2004 16:31:49: P1125: NAS-Port-Type = Wireless - IEEE 802.11
06/28/2004 16:31:49: P1125: EAP-Message = 01:02:00:15:11:01:00:08:3e:b9:91:18:a8:dd:98:ee:75:73:65:72:31
06/28/2004 16:31:49: P1125: Message-Authenticator = 8e:73:2b:a6:54:c6:f5:d9:ed:6d:f0:ce:bd:4f:f1:d6
06/28/2004 16:31:49: P1125: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1125: Using Client: ap1200-1 (10.48.86.230)
06/28/2004 16:31:49: P1125: Using Client ap1200-1 (10.48.86.230) as the NAS
06/28/2004 16:31:49: P1125: Authenticating and Authorizing with Service ap-localservice
06/28/2004 16:31:49: P1125: Merging attributes into the Response Dictionary:
06/28/2004 16:31:49: P1125: Adding attribute Session-Timeout, value = 600
06/28/2004 16:31:49: P1125: Restoring all attributes to response that were removed in the last Access-Challenge
06/28/2004 16:31:49: P1125: No default Remote Session Service defined.
06/28/2004 16:31:49: P1125: Adding Message-Authenticator to response
06/28/2004 16:31:49: P1125: Trace of Access-Accept packet
06/28/2004 16:31:49: P1125: identifier = 7
06/28/2004 16:31:49: P1125: length = 142
06/28/2004 16:31:49: P1125: reqauth = 71:f1:ef:b4:e6:e0:c2:4b:0a:d0:95:47:35:3d:a5:84
06/28/2004 16:31:49: P1125: Session-Timeout = 600
06/28/2004 16:31:49: P1125: EAP-Message = 02:02:00:25:11:01:00:18:86:5c:78:3d:82:f7:69:c7:96:70:35:31:bb:51:a7:ba:f8:48:8c: 45:66:00:e8:3c:75:73:65:72:31
06/28/2004 16:31:49: P1125: Message-Authenticator = 7b:48:c3:17:53:67:44:f3:af:5e:17:27:3d:3d:23:5f
06/28/2004 16:31:49: P1125: Cisco-AVPair = 6c:65:61:70:3a:73:65:73:73:69:6f:6e:2d:6b:65:79:3d:04:f2:c5:2a:de:fb:4e:1e:8a:8d :b8:1b:e9:2c:f9:9a:3e:83:55:ff:ae:54:57:4b:60:e1:03:05:fd:22:95:4c:b4:62
06/28/2004 16:31:49: P1125: Sending response to 10.48.86.230
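The trace above is much easier to verify once the hex EAP-Message and Cisco-AVPair values are decoded. The following Python script is an added example and is not part of the Cisco document or of Access Registrar: it parses the trace lines into packets, decodes each EAP-Message header (code, identifier, length, type) and the LEAP body (version, count, challenge or response bytes, peer name), checks that every packet carrying EAP-Message also carries a Message-Authenticator, and confirms that the Session-Timeout set in ap-profile reaches the Access-Accept. The function names (parse_trace, decode_eap, decode_avpair, check_leap_exchange), the line-format regular expression, and the LEAP body layout it decodes are my assumptions, not something the page states; the embedded sample is a subset of the trace lines shown above.

```python
"""Decode a Cisco Access Registrar LEAP trace (added example; not Cisco's code).

Assumed, not stated on the page: lines look like '<date> <time>: P<n>: text' as in
the trace above; EAP header = code, id, length (RFC 3748); LEAP body = type 17,
version, unused byte, count, payload, peer name.
"""
import re

# Constructed sample: a subset of the trace lines shown on this page, including
# one EAP-Message value the trace printer wrapped (note the space after '8c:').
SAMPLE_TRACE = """\
06/28/2004 16:31:49: P1121: Trace of Access-Request packet
06/28/2004 16:31:49: P1121: identifier = 5
06/28/2004 16:31:49: P1121: EAP-Message = 02:02:00:0a:01:75:73:65:72:31
06/28/2004 16:31:49: P1121: Message-Authenticator = f8:44:b9:3b:0f:33:34:a6:ed:7f:46:2d:83:62:40:30
06/28/2004 16:31:49: P1121: Cisco-AVPair = ssid=blackbird
06/28/2004 16:31:49: P1121: Trace of Access-Challenge packet
06/28/2004 16:31:49: P1121: EAP-Message = 01:02:00:15:11:01:00:08:66:27:c3:47:d6:be:b3:67:75:73:65:72:31
06/28/2004 16:31:49: P1121: Message-Authenticator = 59:d2:bc:ec:8d:85:36:0b:3a:98:b4:90:cc:af:16:2f
06/28/2004 16:31:49: P1123: Adding attribute Session-Timeout, value = 600
06/28/2004 16:31:49: P1125: Trace of Access-Accept packet
06/28/2004 16:31:49: P1125: Session-Timeout = 600
06/28/2004 16:31:49: P1125: EAP-Message = 02:02:00:25:11:01:00:18:86:5c:78:3d:82:f7:69:c7:96:70:35:31:bb:51:a7:ba:f8:48:8c: 45:66:00:e8:3c:75:73:65:72:31
06/28/2004 16:31:49: P1125: Message-Authenticator = 7b:48:c3:17:53:67:44:f3:af:5e:17:27:3d:3d:23:5f
06/28/2004 16:31:49: P1125: Cisco-AVPair = 6c:65:61:70:3a:73:65:73:73:69:6f:6e:2d:6b:65:79:3d:04:f2:c5:2a:de:fb:4e:1e:8a:8d :b8:1b:e9:2c:f9:9a:3e:83:55:ff:ae:54:57:4b:60:e1:03:05:fd:22:95:4c:b4:62
"""

LINE_RE = re.compile(r"^\S+ \S+: (P\d+): (.*)$")
TRACE_RE = re.compile(r"Trace of (Access-\w+) packet")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) = (.*)$")      # 'Name = value' attribute lines only
HEX_RE = re.compile(r"^[0-9a-f]{2}(?:[\s:]+[0-9a-f]{2})*$")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_LEAP = 1, 17

def hex_to_bytes(field):
    # The trace printer wraps long values; strip separators and whitespace first.
    return bytes.fromhex(re.sub(r"[\s:]", "", field))

def decode_eap(field):
    """Decode one EAP-Message value; raise ValueError if the header is malformed."""
    data = hex_to_bytes(field)
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):            # Success/Failure carry no type or body
        return msg
    msg["type"] = data[4]
    if data[4] == EAP_TYPE_IDENTITY:
        msg["identity"] = data[5:].decode("ascii", "replace")
    elif data[4] == EAP_TYPE_LEAP:
        count = data[7]           # data[5] = LEAP version, data[6] = unused
        msg.update(leap_version=data[5], leap_count=count,
                   leap_payload=data[8:8 + count].hex(),
                   leap_name=data[8 + count:].decode("ascii", "replace"))
    return msg

def decode_avpair(field):
    """Split a Cisco-AVPair into key/value; hex-printed (binary) pairs keep their value as hex."""
    if HEX_RE.match(field):
        key, _, value = hex_to_bytes(field).partition(b"=")
        return {"key": key.decode("ascii", "replace"), "value": value.hex()}
    key, _, value = field.partition("=")
    return {"key": key, "value": value}

def parse_trace(text):
    """Group each 'Trace of ... packet' section into a packet with its attributes."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, body = m.groups()
        t = TRACE_RE.search(body)
        if t:
            packets.append({"pid": pid, "kind": t.group(1), "attrs": {}})
            continue
        a = ATTR_RE.match(body)   # processing lines such as 'Adding attribute ...' are skipped
        if a and packets and packets[-1]["pid"] == pid:
            packets[-1]["attrs"][a.group(1)] = a.group(2)
    return packets

def check_leap_exchange(packets):
    """Per packet: decoded EAP, Message-Authenticator presence, Session-Timeout, AV-pair."""
    out = []
    for p in packets:
        attrs = p["attrs"]
        out.append({
            "pid": p["pid"], "kind": p["kind"],
            "eap": decode_eap(attrs["EAP-Message"]) if "EAP-Message" in attrs else None,
            # RFC 3579: a RADIUS packet carrying EAP-Message must include Message-Authenticator
            "has_message_authenticator": "Message-Authenticator" in attrs,
            "session_timeout": int(attrs["Session-Timeout"]) if "Session-Timeout" in attrs else None,
            "avpair": decode_avpair(attrs["Cisco-AVPair"]) if "Cisco-AVPair" in attrs else None,
        })
    return out

if __name__ == "__main__":
    for f in check_leap_exchange(parse_trace(SAMPLE_TRACE)):
        print(f["pid"], f["kind"], "MsgAuth OK" if f["has_message_authenticator"] else "MsgAuth MISSING",
              f["eap"], f["session_timeout"], f["avpair"])
```

Run against the full trace, the decoded EAP-Message values show the mutual LEAP exchange end to end: the identity response for user1, the server's challenge request (8 challenge bytes), the client's 24-byte response, EAP Success, and then the client's own challenge to the server carried in a new Access-Request, answered in the Access-Accept. The Cisco-AVPair in the Access-Accept decodes to leap:session-key= followed by binary key material, and the Session-Timeout = 600 that arrives beside it is the value set in ap-profile; the reauthentication it triggers is what retires that key and issues a new one, as the note in step 3 describes.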