SNAC and Aruba Wireless Network Security: A Perfect Combination
Test Report
Symantec

Contents
1. Test objectives and content
2. Test topology
3. Access switch configuration
4. Aruba wireless controller configuration
5. Authentication without the Agent installed
6. Authentication with the Agent installed
7. Mobile terminal authentication
8. Verified Aruba wireless AC list
9. Aruba configuration

1. Test objectives and content

Test objectives:
- Verify the concrete implementation of wireless 802.1X admission control;
- Verify the compatibility of the Symantec SNAC product with Aruba wireless AP equipment.

Test content:
- Wireless terminal with the Agent installed: test the authentication process;
- Wireless terminal without the Agent installed: test the authentication process.

2. Test topology

Figure 1 Test topology diagram

Hardware environment:
- 1 endpoint management server, 1 DHCP server, 1 LAN Enforcer, 1 RADIUS authentication server, 1 PoE-capable 4948 switch, 1 Aruba wireless AP, 1 iPhone, 1 iPad 2, 1 HTC, 1 laptop.

Software environment:
- Server operating system: Windows 2003 Enterprise;
- Terminal operating systems: Win7, iPhone OS, iPad OS, Android.

3. Access switch configuration

The switch only needs the corresponding VLANs configured. The switch and the Aruba wireless controller are connected by a trunk, and the Aruba wireless controller is configured with the matching VLAN IDs:
- VLAN 10: Mgt 10.112.196.0/24
- VLAN 20: Work 10.112.197.0/24
- VLAN 30: Repair 10.112.198.0/24
- VLAN 40: Guest 10.112.199.0/24

LAN Enforcer configuration:
Figure 2 RADIUS settings on the LAN Enforcer
Figure 3 LAN Enforcer pointed at the Aruba controller
Figure 4 VLAN settings on the LAN Enforcer
Figure 5 VLAN switching settings on the LAN Enforcer

4. Aruba wireless controller configuration

Figure 6 SSID sec-test mapped to its VLAN
Figure 7 RADIUS server set to 10.112.198.170
Figure 8 Aruba authentication settings
Figure 9 Work role
Figure 10 Repair role
Figure 11 Guest role

5. Authentication without the Agent installed

An authentication dialog pops up automatically and the user's identity credentials must be entered:
Figure 12 Entering identity credentials

Identity authentication passes and the terminal is admitted to the network:
Figure 13 Authentication succeeded, terminal placed in the Work zone

6. Authentication with the Agent installed

Scenario 1: identity authentication succeeds and the security policy check is compliant, so the terminal enters the Work zone.
Figure 14 Identity authentication and security policy check both pass
Figure 15 Client IP information, Work zone
Figure 16 Aruba controller information, Work role

Scenario 2: identity authentication succeeds but the security policy check is non-compliant, so the terminal enters the Repair zone.
Figure 17 Identity authentication succeeded, policy check non-compliant
Figure 18 Client IP information, Repair zone
Figure 19 Aruba controller information, Repair role

Scenario 3: identity authentication fails while the security policy check is compliant, so the terminal waits for a second authentication attempt.
Figure 20 Host Integrity check passed
Figure 21 Wrong credentials entered, identity authentication fails
Figure 22 Identity authentication dialog pops up again
Figure 23 No authentication record on the Aruba controller

Scenario 4: the security check changes from compliant to non-compliant, so the terminal is moved automatically from the Work zone to the Repair zone.
Figure 24 Identity authentication succeeded and policy check compliant
Figure 25 Authentication succeeded, terminal in the Work zone
Figure 26 Aruba controller, Work zone
Figure 27 Policy check non-compliant, terminal moved to the Repair zone
Figure 28 Aruba controller, Repair zone

7. Mobile terminal authentication

Result: iPad 2, iPhone and Android mobile terminals support 802.1X authentication, authenticate with username and password, and work normally (the terminal can be placed in a different zone according to the username).

8. Verified Aruba wireless AC list

Model      Version          User
Aruba2400  Version 5.0.3.3  CCTV
Aruba3400  Version 5.0.2.0  ABC

9. Aruba configuration (Aruba3400)

#show running-config
Building Configuration.
version 5.0
enable secret 8aad4a010166ca17983134f406de05e9503959a575ba2f84ca
hostname Aruba3400
clock timezone CHT 8
location Building1.floor1
mms config 0
controller config 40
ip access-list eth validuserethacl
  permit any
!
netservice svc-netbios-dgm udp 138
netservice svc-snmp-trap udp 162
netservice svc-syslog udp 514
netservice svc-l2tp udp 1701
netservice svc-ike udp 500
netservice svc-https tcp 443
netservice svc-smb-tcp tcp 445
netservice svc-dhcp udp 67 68
netservice svc-pptp tcp 1723
netservice svc-sec-papi udp 8209
netservice svc-sccp tcp 2000
netservice svc-http-accl tcp 88
netservice svc-telnet tcp 23
netservice svc-netbios-ssn tcp 139
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-tftp udp 69
netservice svc-http-proxy3 tcp 8888
netservice svc-noe udp 32512
netservice svc-cfgm-tcp tcp 8211
netservice svc-adp udp 8200
netservice svc-pop3 tcp 110
netservice svc-lpd-tcp tcp 631
netservice svc-rtsp tcp 554
netservice svc-msrpc-tcp tcp 135 139
netservice svc-dns udp 53
netservice svc-h323-udp udp 1718 1719
netservice svc-h323-tcp tcp 1720
netservice svc-vocera udp 5002
netservice svc-http tcp 80
netservice svc-http-proxy2 tcp 8080
netservice svc-sip-udp udp 5060
netservice svc-nterm tcp 1026 1028
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-microsoft-ds tcp 445
netservice svc-svp 119
netservice svc-smtp tcp 25
netservice svc-gre 47
netservice svc-netbios-ns udp 137
netservice svc-sips tcp 5061
netservice svc-smb-udp udp 445
netservice svc-cups tcp 515
netservice svc-esp 50
netservice svc-v6-dhcp udp 546 547
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-msrpc-udp udp 135 139
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ssh tcp 22
netservice svc-lpd-udp udp 631
netservice svc-v6-icmp 58
netservice svc-http-proxy1 tcp 3128
ip access-list session control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-papi permit
  any any svc-sec-papi permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
!
ip access-list session validuser
  any any any permit
!
ip access-list session vocera-acl
  any any svc-vocera permit queue high
!
ip access-list session icmp-acl
  any any svc-icmp permit
!
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
!
ip access-list session allowall
  any any any permit
!
ip access-list session https-acl
  any any svc-https permit
!
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
!
ip access-list session dns-acl
  any any svc-dns permit
!
ip access-list session tftp-acl
  any any svc-tftp permit
!
ip access-list session skinny-acl
  any any svc-sccp permit queue high
!
ip access-list session srcnat
  user any any src-nat
!
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
!
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
!
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
!
ip access-list session http-acl
  any any svc-http permit
!
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session ap-uplink-acl
  any any udp 68 permit
  any any svc-icmp permit
  any host 224.0.0.251 udp 5353 permit
!
ip access-list session noe-acl
  any any svc-noe permit queue high
!
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
!
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
!
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
!
ipv6 access-list session v6-icmp-acl
  any any svc-v6-icmp permit
!
ipv6 access-list session v6-https-acl
  any any svc-https permit
!
ipv6 access-list session v6-dhcp-acl
  any any svc-v6-dhcp permit
!
ipv6 access-list session v6-dns-acl
  any any svc-dns permit
!
ipv6 access-list session v6-allowall
  any any any permit
!
ipv6 access-list session v6-http-acl
  any any svc-http permit
!
ipv6 access-list session v6-logon-control
  user any udp 68 deny
  any any svc-v6-icmp permit
  any any svc-v6-dhcp permit
  any any svc-dns permit
!
vpn-dialer default-dialer
  ike authentication PRE-SHARE changeme
!
user-role ap-role
  session-acl control
  session-acl ap-acl
!
user-role default-vpn-role
  session-acl allowall
  ipv6 session-acl v6-allowall
!
user-role vip-role
  vlan 30
  session-acl allowall
!
user-role voice
  session-acl sip-acl
  session-acl noe-acl
  session-acl svp-acl
  session-acl vocera-acl
  session-acl skinny-acl
  session-acl h323-acl
  session-acl dhcp-acl
  session-acl tftp-acl
  session-acl dns-acl
  session-acl icmp-acl
!
user-role default-via-role
  session-acl allowall
  ipv6 session-acl v6-allowall
!
user-role guest-logon
  captive-portal default
  session-acl logon-control
  session-acl captiveportal
!
user-role guest
  session-acl http-acl
  session-acl https-acl
  session-acl dhcp-acl
  session-acl icmp-acl
  session-acl dns-acl
  ipv6 session-acl v6-http-acl
  ipv6 session-acl v6-https-acl
  ipv6 session-acl v6-dhcp-acl
  ipv6 session-acl v6-icmp-acl
  ipv6 session-acl v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
  session-acl allowall
  ipv6 session-acl v6-allowall
!
user-role logon
  session-acl logon-control
  session-acl captiveportal
  session-acl vpnlogon
  ipv6 session-acl v6-logon-control
!
ip radius source-interface vlan 192
!
no spanning-tree
interface mgmt
  shutdown
!
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT#777
!
dialer group gsm_us
  init-string AT+CGDCONT=1,IP,ISP.CINGULAR
  dial-string ATD*99#
!
dialer group vivo_br
  init-string AT+CGDCONT=1,IP,.br
  dial-string ATD*99#
!
vlan 20 quarantine-vlan20
vlan 30 employee-vlan30
vlan 192 Server-vlan192
interface gigabitethernet 1/0
  description GE1/0
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 1/1
  description GE1/1
  trusted
  trusted vlan 1-4094
!
interface gigabitethernet 1/2
  description GE1/2
  trusted
  trusted vlan 1-4094
  switchport access vlan 192
!
interface gigabitethernet 1/3
  description GE1/3
  trusted
  trusted vlan 1-4094
  switchport access vlan 192
!
interface vlan 1
  ip address 10.10.10.254 255.255.255.0
!
interface vlan 20
  ip address 20.20.20.254 255.255.255.0
  operstate up
!
interface vlan 30
  ip address 30.30.30.254 255.255.255.0
  operstate up
!
interface vlan 192
  ip address 192.168.0.254 255.255.255.0
!
ap mesh-recovery-profile
  cluster RecoverygmUKRL3MghP1K5I0
  wpa-hexkey C9BA810ED99D44182ED2349A0778359D75C01C1B49B85FAAE1D44D7B9A4CF3F7
wms
  general poll-interval 60000
  general poll-retries 3
  general ap-ageout-interval 30
  general sta-ageout-interval 30
  general learn-ap disable
  general persistent-known-interfering enable
  general propagate-wired-macs enable
  general stat-update enable
  general collect-stats disable
!
crypto isakmp policy 20
  encryption aes256
!
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
!
vpdn group l2tp
!
ip dhcp pool AP-pool
  default-router 10.10.10.254
  network 10.10.10.0 255.255.255.0
  authoritative
!
ip dhcp pool vlan20-pool
  default-router 20.20.20.254
  network 20.20.20.0 255.255.255.0
  authoritative
!
ip dhcp pool vlan30-pool
  default-router 30.30.30.254
  network 30.30.30.0 255.255.255.0
  authoritative
!
service dhcp
ip dhcp default-pool private
!
vpdn group pptp
!
mux-address 0.0.0.0
adp discovery disable
adp igmp-join disable
adp igmp-vlan 0
voip prioritization disable
voip rtcp-inactivity disable
voip sip-midcall-req-timeout disable
ssh mgmt-auth username/password
mgmt-user admin root 7e7c4a93013118206cf92729b708c9cf040324a2b47dd66cd2
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
no firewall attack-rate cp 1024
!
firewall cp
!
firewall cp
no acceleration cifs caching
no acceleration cifs chattiness
no acceleration cifs read-ahead
no acceleration cifs write-behind
no acceleration http authentication
no acceleration http caching
no acceleration http deduplication
no acceleration http post
no acceleration http sharepoint
no acceleration mapi aggregation
no acceleration mapi caching
no acceleration mapi prefetching
!
packet-capture-defaults
  tcp disable
  udp disable
  sysmsg disable
  other disable
!
ip domain lookup
!
country CN
aaa authentication mac default
!
aaa authentication dot1x ABC-dot1x-auth
!
aaa authentication dot1x default
!
aaa authentication-server radius ABC-radius-server
  host 192.168.0.200
  key admin
!
aaa server-group ABC-servergroup
  auth-server ABC-radius-server
!
aaa server-group default
  auth-server Internal
  set role condition role value-of
!
aaa authentication via connection-profile default
!
aaa authentication via web-auth default
!
aaa authentication via global-config
!
aaa profile ABC-aaa
  authentication-dot1x ABC-dot1x-auth
  dot1x-server-group ABC-servergroup
!
aaa profile default
!
aaa authentication captive-portal default
!
aaa authentication wispr default
!
aaa authentication vpn default
!
aaa authentication vpn default-rap
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm default
!
aaa authentication stateful-kerberos default
!
aaa authentication stateful-dot1x
!
aaa authentication via auth-profile default
!
aaa authentication wired
!
web-server
!
papi-security
!
guest-access-email
!
control-plane-security
!
voice dialplan-profile default
!
voice sip
!
aaa password-policy mgmt
!
ap system-profile default
!
ap regulatory-domain-profile default
  country-code CN
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
!
ap wired-ap-profile default
!
ap enet-link-profile default
!
ap mesh-ht-ssid-profile default
!
ap mesh-cluster-profile default
!
ap wired-port-profile default
!
ap mesh-radio-profile default
!
ids general-profile default
!
ids rate-thresholds-profile default
!
ids signature-profile default
!
ids impersonation-profile default
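The following is an added example, not part of the report and not Symantec or Aruba tooling: a small Python audit that walks the 802.1X AAA chain of an ArubaOS running-config (aaa profile to dot1x-server-group to auth-server to RADIUS server definition) and flags the plaintext RADIUS secret (key admin) and the default IKE pre-shared key (changeme) visible in the Aruba3400 configuration above. The weak-secret blocklist and 16-character minimum are this example's assumptions, not an ArubaOS rule.

```python
# Added example: audit the 802.1X AAA wiring in an ArubaOS running-config dump. Not the
# report's or Aruba's own code. SAMPLE is an excerpt copied from section 9 of the report.
WEAK_SECRETS = {"admin", "changeme", "password", "aruba", "radius", "secret"}  # assumed list
MIN_SECRET_LEN = 16                                                              # assumed minimum

def parse_blocks(config):
    blocks = []  # [(header, [child lines])]; blank lines and '!' separators are dropped
    for raw in config.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw[0].isspace() and blocks:
                blocks[-1][1].append(line)       # indented line belongs to the open stanza
            elif not raw[0].isspace():
                blocks.append((line, []))        # top-level line opens a new stanza
    return blocks

def audit_aaa(config):
    blocks = parse_blocks(config)
    radius, groups, findings = {}, {}, []        # radius: name -> key, groups: name -> servers
    for hdr, kids in blocks:
        w = hdr.split()
        if hdr.startswith("aaa authentication-server radius "):
            key = next((k.split(None, 1)[1] for k in kids if k.startswith("key ")), "")
            radius[w[-1]] = key
            if key.lower() in WEAK_SECRETS or len(key) < MIN_SECRET_LEN:
                findings.append(f"radius {w[-1]}: weak shared secret")
        elif hdr.startswith("aaa server-group "):
            groups[w[-1]] = [k.split()[1] for k in kids if k.startswith("auth-server ")]
        elif hdr.startswith("vpn-dialer ") and any(k.endswith("PRE-SHARE changeme") for k in kids):
            findings.append(f"{hdr}: IKE pre-shared key is the factory default")
    for hdr, kids in blocks:  # second pass, so profile order relative to its group does not matter
        grp = next((k.split()[1] for k in kids if k.startswith("dot1x-server-group ")), None)
        if hdr.startswith("aaa profile ") and grp is not None:  # 'aaa profile default' has no 802.1X
            if grp not in groups:
                findings.append(f"{hdr}: dot1x-server-group {grp} is not defined")
            for srv in groups.get(grp, []):
                if srv != "Internal" and srv not in radius:
                    findings.append(f"{hdr}: auth-server {srv} in {grp} has no radius definition")
    return findings

SAMPLE = """\
aaa authentication-server radius ABC-radius-server
  host 192.168.0.200
  key admin
aaa server-group ABC-servergroup
  auth-server ABC-radius-server
aaa profile ABC-aaa
  authentication-dot1x ABC-dot1x-auth
  dot1x-server-group ABC-servergroup
vpn-dialer default-dialer
  ike authentication PRE-SHARE changeme
"""
print("\n".join(audit_aaa(SAMPLE)))  # two findings for the excerpt: weak secret, default PSK
```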