书签分享收藏举报版权申诉 / 48

立即下载

当前位置：首页 > 管理文献 > 管理制度 > SNAC与Aruba无线网络安全的完美结合_NiuXiaohu精编版[48页].docx

SNAC与Aruba无线网络安全的完美结合_NiuXiaohu精编版[48页].docx

上传人：yan****nan

文档编号：68661369

上传时间：2022-12-29

格式：DOCX

页数：48

大小：2.53MB

( 4.5 )

《SNAC与Aruba无线网络安全的完美结合_NiuXiaohu精编版[48页].docx》由会员分享，可在线阅读，更多相关《SNAC与Aruba无线网络安全的完美结合_NiuXiaohu精编版[48页].docx（48页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、最新资料推荐SNAC与Aruba无线网络安全的完美结合测试报告Symantec目录1.测试目的与内容32.测试拓扑43.接入交换机配置54.Aruba无线控制器配置95.未安装Agent认证126.安装Agent认证137.移动终端认证208.已验证的Aruba无线AC列表219.Aruba配置21 1. 测试目的与内容测试目的：p 验证无线802.1x准入控制具体实现；p 验证Symantec-SNAC产品与Aruba无线AP设备的兼容性；测试内容：p 已安装Agent的无线接入终端，测试认证过程p 未安装Agent的无线接入终端，测试认证过程2. 测试拓扑图 1 测试拓扑图硬件环境

2、描述p 1台终端管理服务器、1台DHCP服务器、1台Lan Enforce、1台Radius认证服务器、1台支持POE供电的4948交换机、1台Aruba无线AP、1台IPhone、1台IPDA2、1台HTC、1台笔记本。软件环境描述p 服务器操作系统：Windows 2003 Enterprise；p 终端操作系统：Win7、IPhone系统、IPDA系统、安卓系统。3. 接入交换机配置交换机只需配置相应VLAN信息，交换机与Aruba无线控制器启用TRUNK连接,Aruba无线控制器配置对应的VLAN-ID信息即可；p VLan10：Mgt 10.112.196.0/24p VLan2

3、0：Work 10.112.197.0/24p VLan30：Repair 10.112.198.0/24p VLan40：Guest 10.112.199.0/24 Lan Enforce配置：图 2 Lan Enforce上设置Radius图 3 Lan Enforce上指向Aruba控制器图 4 Lan Enforce上设置Vlan信息图 5 Lan Enforce上设置Vlan切换4. Aruba无线控制器配置图 6设置SSID对应Vlan信息sec-test图 7 设置Radius服务器10.112.198.170图 8 Aruba-认证设置图 9 Work role图 10 Rep

4、air role图 11 Guest role5. 未安装Agent认证自动弹出认证对话框，需要输入身份认证信息：图 12 身份认证信息输入身份认证通过，接入网络成功：图 13 认证成功-接入Work区域6. 安装Agent认证场景一：身份认证成功和安全策略检查合规，进入Work区域图 14 身份认证和安全策略检查都正确图 15 客户端IP信息-Work区域图 16 Aruba控制器信息-Work Roles场景二：身份认证成功和安全策略检查不合规，进入Repair区域图 17 身份认证成功策略检查不合规图 18 客户端IP信息-Repairk区域图 19 Aruba控制器信息-Repair

5、Roles场景三：身份认证不成功和安全策略检查合规，等待二次认证图 20主机完整性检查通过图 21 输入错误信息-身份认证不成功图 22 再次弹出身份认证对话框图 23 Aruba控制器上没有认证信息场景四：安全检查合规变化为安全检查不合规，从Work区域自动跳入Repair区域图 24 身份认证成功和策略检查合规图 25 认证成功进入Work区域图 26 Aruba控制器-Work区域图 27策略检查不合规跳入Repair区域图 28 Aruba控制器-Repair区域7. 移动终端认证结果： IPAD2、IPhone、安卓操作系统移动终端，支持802.1X协议认证，根据用户名、密码认证，

6、工作正常（根据用户名可以切换到不同的区域）。8. 已验证的Aruba无线AC列表型号版本用户Aruba2400Version 5.0.3.3CCTVAruba3400Version 5.0.2.0ABC9. Aruba配置(Aruba3400) #show running-config Building Configuration. version 5.0enable secret 8aad4a010166ca17983134f406de05e9503959a575ba2f84cahostname Aruba3400clock timezone CHT 8location Building1.

7、floor1 mms config 0controller config 40ip access-list eth validuserethacl permit any !netservice svc-netbios-dgm udp 138netservice svc-snmp-trap udp 162netservice svc-syslog udp 514netservice svc-l2tp udp 1701netservice svc-ike udp 500netservice svc-https tcp 443netservice svc-smb-tcp tcp 445netserv

8、ice svc-dhcp udp 67 68netservice svc-pptp tcp 1723netservice svc-sec-papi udp 8209netservice svc-sccp tcp 2000netservice svc-http-accl tcp 88netservice svc-telnet tcp 23netservice svc-netbios-ssn tcp 139 netservice svc-sip-tcp tcp 5060netservice svc-kerberos udp 88netservice svc-tftp udp 69netservic

9、e svc-http-proxy3 tcp 8888netservice svc-noe udp 32512netservice svc-cfgm-tcp tcp 8211netservice svc-adp udp 8200netservice svc-pop3 tcp 110netservice svc-lpd-tcp tcp 631netservice svc-rtsp tcp 554netservice svc-msrpc-tcp tcp 135 139netservice svc-dns udp 53netservice svc-h323-udp udp 1718 1719netse

10、rvice svc-h323-tcp tcp 1720netservice svc-vocera udp 5002netservice svc-http tcp 80netservice svc-http-proxy2 tcp 8080netservice svc-sip-udp udp 5060netservice svc-nterm tcp 1026 1028netservice svc-noe-oxo udp 5000 alg noenetservice svc-papi udp 8211netservice svc-natt udp 4500netservice svc-ftp tcp

11、 21netservice svc-microsoft-ds tcp 445 netservice svc-svp 119netservice svc-smtp tcp 25netservice svc-gre 47netservice svc-netbios-ns udp 137netservice svc-sips tcp 5061netservice svc-smb-udp udp 445netservice svc-cups tcp 515netservice svc-esp 50netservice svc-v6-dhcp udp 546 547netservice svc-snmp

12、 udp 161netservice svc-bootp udp 67 69netservice svc-msrpc-udp udp 135 139netservice svc-ntp udp 123netservice svc-icmp 1netservice svc-ssh tcp 22netservice svc-lpd-udp udp 631netservice svc-v6-icmp 58netservice svc-http-proxy1 tcp 3128ip access-list session control user any udp 68 deny any any svc-

13、icmp permit any any svc-dns permit any any svc-papi permit any any svc-sec-papi permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit !ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netb

14、ios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit !ip access-list session validuser any any any permit !ip access-list session vocera-acl any any svc-vocera permit queue high !ip access-list session icmp-acl any any svc-icmp permit !ip access-list session captiveportal use

15、r alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 !ip access-list session allowall any any any permit !ip access-list session https

16、-acl any any svc-https permit !ip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high !ip access-list session dns-acl any any svc-dns permit !ip access-list session tftp-acl any any svc-tftp permit !ip access-list session skinny-acl any any svc-scc

17、p permit queue high ! ip access-list session srcnat user any any src-nat !ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit !ip access-list session logon-control user any udp 68 deny any any svc-icmp

18、 permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit !ip access-list session allow-printservices any any svc-cups permit any any svc-lpd-tcp permit any any svc-lpd-udp permit !ip access-list session cplogout user alias controller svc-https dst-nat 8081 !ip access-list sessi

19、on http-acl any any svc-http permit !ip access-list session dhcp-acl any any svc-dhcp permit !ip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 224.0.0.251 udp 5353 permit !ip access-list session noe-acl any any svc-noe permit queue high !ip access-list sess

20、ion svp-acl any any svc-svp permit queue high user host 224.0.1.116 any permit !ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-http permit user any svc-http-accl permit user any svc-smb-tcp permit user any svc-msrpc-tcp permit use

21、r any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit !ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high !ipv6 access-list session v6-icmp-acl any any svc-v6-icmp permit !ipv6 access-list session v6-https-a

22、cl any any svc-https permit !ipv6 access-list session v6-dhcp-acl any any svc-v6-dhcp permit !ipv6 access-list session v6-dns-acl any any svc-dns permit !ipv6 access-list session v6-allowall any any any permit !ipv6 access-list session v6-http-acl any any svc-http permit !ipv6 access-list session v6

23、-logon-control user any udp 68 deny any any svc-v6-icmp permit any any svc-v6-dhcp permit any any svc-dns permit !vpn-dialer default-dialer ike authentication PRE-SHARE changeme!user-role ap-role session-acl control session-acl ap-acl!user-role default-vpn-role session-acl allowall ipv6 session-acl

24、v6-allowall!user-role vip-role vlan 30 session-acl allowall!user-role voice session-acl sip-acl session-acl noe-acl session-acl svp-acl session-acl vocera-acl session-acl skinny-acl session-acl h323-acl session-acl dhcp-acl session-acl tftp-acl session-acl dns-acl session-acl icmp-acl!user-role defa

25、ult-via-role session-acl allowall ipv6 session-acl v6-allowall!user-role guest-logon captive-portal default session-acl logon-control session-acl captiveportal!user-role guest session-acl http-acl session-acl https-acl session-acl dhcp-acl session-acl icmp-acl session-acl dns-acl ipv6 session-acl v6

26、-http-acl ipv6 session-acl v6-https-acl ipv6 session-acl v6-dhcp-acl ipv6 session-acl v6-icmp-acl ipv6 session-acl v6-dns-acl!user-role stateful-dot1x!user-role authenticated session-acl allowall ipv6 session-acl v6-allowall!user-role logon session-acl logon-control session-acl captiveportal session

27、-acl vpnlogon ipv6 session-acl v6-logon-control!ip radius source-interface vlan 192 !no spanning-treeinterface mgmt shutdown!dialer group evdo_us init-string ATQ0V1E0 dial-string ATDT#777!dialer group gsm_us init-string AT+CGDCONT=1,IP,ISP.CINGULAR dial-string ATD*99#!dialer group vivo_br init-strin

28、g AT+CGDCONT=1,IP,.br dial-string ATD*99#! vlan 20 quarantine-vlan20 vlan 30 employee-vlan30 vlan 192 Server-vlan192 interface gigabitethernet 1/0 description GE1/0 trusted trusted vlan 1-4094!interface gigabitethernet 1/1 description GE1/1 trusted trusted vlan 1-4094!interface gigabitethernet 1/2 d

29、escription GE1/2 trusted trusted vlan 1-4094 switchport access vlan 192! interface gigabitethernet 1/3 description GE1/3 trusted trusted vlan 1-4094 switchport access vlan 192!interface vlan 1 ip address 10.10.10.254 255.255.255.0!interface vlan 20 ip address 20.20.20.254 255.255.255.0 operstate up!

30、interface vlan 30 ip address 30.30.30.254 255.255.255.0 operstate up!interface vlan 192 ip address 192.168.0.254 255.255.255.0! ap mesh-recovery-profile cluster RecoverygmUKRL3MghP1K5I0 wpa-hexkey C9BA810ED99D44182ED2349A0778359D75C01C1B49B85FAAE1D44D7B9A4CF3F7wms general poll-interval 60000 general

31、 poll-retries 3 general ap-ageout-interval 30 general sta-ageout-interval 30 general learn-ap disable general persistent-known-interfering enable general propagate-wired-macs enable general stat-update enable general collect-stats disable!crypto isakmp policy 20 encryption aes256!crypto ipsec transf

32、orm-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes ! vpdn group l2tp!ip dhcp pool AP-pool default-router 10.10.10.254 network 10.10.10.0 255.255.255.0 authoritative!ip dhcp pool vlan20-pool default-router 20.20.20.25

33、4 network 20.20.20.0 255.255.255.0 authoritative!ip dhcp pool vlan30-pool default-router 30.30.30.254 network 30.30.30.0 255.255.255.0 authoritative!service dhcpip dhcp default-pool private! vpdn group pptp!mux-address 0.0.0.0adp discovery disableadp igmp-join disableadp igmp-vlan 0voip prioritizati

34、on disablevoip rtcp-inactivity disablevoip sip-midcall-req-timeout disablessh mgmt-auth username/password mgmt-user admin root 7e7c4a93013118206cf92729b708c9cf040324a2b47dd66cd2no database synchronizedatabase synchronize rf-plan-dataip mobile domain default! ip igmp!no firewall attack-rate cp 1024!f

35、irewall cp!firewall cpno acceleration cifs cachingno acceleration cifs chattinessno acceleration cifs read-aheadno acceleration cifs write-behindno acceleration http authenticationno acceleration http cachingno acceleration http deduplicationno acceleration http postno acceleration http sharepointno

36、 acceleration mapi aggregationno acceleration mapi cachingno acceleration mapi prefetching! packet-capture-defaults tcp disable udp disable sysmsg disable other disable!ip domain lookup!country CNaaa authentication mac default!aaa authentication dot1x ABC-dot1x-auth!aaa authentication dot1x default!

37、aaa authentication-server radius ABC-radius-server host 192.168.0.200 key admin!aaa server-group ABC-servergroup auth-server ABC-radius-server!aaa server-group default auth-server Internal set role condition role value-of!aaa authentication via connection-profile default!aaa authentication via web-a

38、uth default!aaa authentication via global-config!aaa profile ABC-aaa authentication-dot1x ABC-dot1x-auth dot1x-server-group ABC-servergroup!aaa profile default!aaa authentication captive-portal default!aaa authentication wispr default!aaa authentication vpn default!aaa authentication vpn default-rap

39、!aaa authentication mgmt!aaa authentication stateful-ntlm default!aaa authentication stateful-kerberos default !aaa authentication stateful-dot1x!aaa authentication via auth-profile default!aaa authentication wired!web-server!papi-security!guest-access-email!control-plane-security!voice dialplan-pro

40、file default!voice sip!aaa password-policy mgmt!ap system-profile default!ap regulatory-domain-profile default country-code CN valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 va

41、lid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161!ap wired-ap-profile default!ap enet-link-profile default!ap mesh-ht-ssid-profile default!ap mesh-cluster-profile default!ap wired-port-profile default! ap mesh-radio-profile default!ids general-profile default!ids rate-thresholds-profile default!ids signature-profile default!ids impers

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

19 金币

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: 48页 SNAC Aruba 无线网络安全完美结合 _NiuXiaohu 精编 48

淘文阁 - 分享文档赚钱的网站所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

限制150内

关于本文

本文标题：SNAC与Aruba无线网络安全的完美结合_NiuXiaohu精编版[48页].docx
链接地址：https://www.taowenge.com/p-68661369.html