This time: how to configure a Cisco autonomous AP.
The configuration covers the following:
・IEEE 802.1X authentication with EAP-TLS on a Cisco autonomous AP
・Both the 5 GHz and 2.4 GHz bands are enabled
・When a client connects to SSID "test", it is assigned an IP address in VLAN 10 via DHCP. For that to work, the switch port the AP connects to must be configured as a trunk with VLAN 1 (native) and VLAN 10.
The same settings can also be made from the GUI, so use the following as a reference.
Sample config for a Cisco autonomous AP.
——————————————————————————-
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-test
!
!
logging rate-limit console 9
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
server name server1
server name server2
!
aaa group server radius rad_mac
server name server1
server name server2
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default line
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0900 9 0
no ip source-route
no ip cef
ip domain name settsuad.local
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid test
vlan 10
authentication open eap eap_methods
authentication key-management wpa version 2
!
!
!
no ipv6 cef
!
!
dot1x system-auth-control
username admin privilege 15 password 7
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
ip helper-address 192.168.1.100
!
encryption vlan 10 mode ciphers aes-ccm
!
ssid test
!
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1
no ip address
ip helper-address 192.168.1.100
!
encryption vlan 10 mode ciphers aes-ccm
!
ssid test
!
antenna gain 0
peakdetect
no dfs band block
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
! the management IP belongs on BVI1 below; an address here would overlap with it
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address
ip address 192.168.1.1 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
!
radius server server1
address ipv4 192.168.2.1 auth-port 1812 acct-port 1646
key 7
!
radius server server2
address ipv4 192.168.2.2 auth-port 1812 acct-port 1646
key 7
!
bridge 1 route ip
!
!
!
line con 0
password 7
line vty 0 4
password 7
transport input telnet ssh
line vty 5 15
password 7
transport input telnet ssh
!
sntp server 192.168.1.200
sntp broadcast client
end
——————————————————————————-
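As an added example, not part of the original post or of Cisco's own tooling: a small Python audit that reads an autonomous-AP running config and checks the pieces the configuration above depends on, so that the 802.1X/WPA2 path can be verified from "show run" output before clients are pointed at it. It confirms that dot1x is enabled globally, that the SSID has a VLAN and uses WPA2, that "authentication open eap" names a login method list which resolves to a RADIUS server group with at least one server, that both radios bind the SSID and encrypt its VLAN with AES-CCM, and that the VLAN has a dot1Q subinterface on each radio and on the wired uplink. It also reports management-plane weaknesses that appear in the sample config (HTTP without HTTPS, telnet on the vty lines). SAMPLE_CONFIG is a constructed excerpt of the config above, restored to the indentation "show run" emits (the copy above lost it); parse_blocks and audit_dot1x are names chosen here.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the autonomous-AP config shown on this page: only the
# lines the checks below inspect, with the indentation "show run" emits.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server name server1
 server name server2
aaa authentication login eap_methods group rad_eap
dot11 ssid test
 vlan 10
 authentication open eap eap_methods
 authentication key-management wpa version 2
dot1x system-auth-control
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid test
interface Dot11Radio0.10
 encapsulation dot1Q 10
interface Dot11Radio1
 encryption vlan 10 mode ciphers aes-ccm
 ssid test
interface Dot11Radio1.10
 encapsulation dot1Q 10
interface GigabitEthernet0.10
 encapsulation dot1Q 10
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(text: str) -> Dict[str, List[str]]:
    """Map each top-level config line to its indented child lines
    (blank lines and '!' comments dropped; global commands get an empty list)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_dot1x(text: str, ssid: str) -> Tuple[Dict[str, bool], List[str]]:
    """checks: name -> pass/fail for the 802.1X/WPA2 path of `ssid`;
    warnings: management-plane weaknesses that do not affect client auth."""
    cfg = parse_blocks(text)
    checks: Dict[str, bool] = {}
    warnings: List[str] = []
    checks["dot1x_enabled"] = "dot1x system-auth-control" in cfg
    ssid_lines = cfg.get(f"dot11 ssid {ssid}", [])
    vlan = next((l.split()[1] for l in ssid_lines if l.startswith("vlan ")), None)
    checks["ssid_has_vlan"] = vlan is not None
    checks["ssid_wpa2"] = "authentication key-management wpa version 2" in ssid_lines

    # 'authentication open eap <list>' must name a login method list that points
    # at a RADIUS group with at least one server, or EAP never reaches AAA.
    eap_list = group = None
    for line in ssid_lines:
        m = re.match(r"authentication open eap (\S+)$", line)
        if m:
            eap_list = m.group(1)
    for line in cfg:
        m = re.match(r"aaa authentication login (\S+) group (\S+)$", line)
        if m and m.group(1) == eap_list:
            group = m.group(2)
    servers = cfg.get(f"aaa group server radius {group}", [])
    checks["eap_list_resolves_to_radius"] = any(s.startswith("server name ") for s in servers)

    # Both radios must carry the SSID and encrypt its VLAN with AES-CCM (WPA2).
    for radio in ("Dot11Radio0", "Dot11Radio1"):
        lines = cfg.get(f"interface {radio}", [])
        checks[f"{radio}_ssid_bound"] = f"ssid {ssid}" in lines
        checks[f"{radio}_aes_ccm"] = f"encryption vlan {vlan} mode ciphers aes-ccm" in lines

    # The SSID's VLAN needs a dot1Q subinterface on each radio and on the wired
    # uplink, otherwise client frames have no bridge path to the trunk.
    for iface in ("Dot11Radio0", "Dot11Radio1", "GigabitEthernet0"):
        sub = cfg.get(f"interface {iface}.{vlan}", [])
        checks[f"{iface}_vlan_subif"] = f"encapsulation dot1Q {vlan}" in sub

    if "ip http server" in cfg and "ip http secure-server" not in cfg:
        warnings.append("HTTP management enabled without HTTPS (ip http secure-server)")
    for header, lines in cfg.items():
        if header.startswith("line vty"):
            for line in lines:
                if line.startswith("transport input") and "telnet" in line.split():
                    warnings.append(f"{header}: telnet allowed; use 'transport input ssh'")
    return checks, warnings

if __name__ == "__main__":
    checks, warnings = audit_dot1x(SAMPLE_CONFIG, "test")
    for name, ok in checks.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}")
    for w in warnings:
        print(f"[WARN] {w}")
```

Run against the sample, every check passes and two warnings are printed: the AP serves its GUI over plain HTTP and accepts telnet on the vty lines, both of which carry the admin credentials in clear text on the management VLAN. On the config above, "ip http secure-server" with "no ip http server", and "transport input ssh" on both vty ranges, close those two findings without touching the wireless side.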