This feature lets a WLAN NAS device authenticate wireless users locally. For AAA servers in the network that do not support EAP authentication, the feature implements EAP OffLoad: the NAS device terminates EAP itself and acts as the bridge between the STA and the AAA Server, so the two sides can complete the authentication exchange.
The feature provides local authentication for WLAN access users and supports the MD5, EAP_TLS, EAP_MSCHAPv2 and EAP_PEAP methods, so the administrator can configure the required security restrictions flexibly without deploying an AAA server, which simplifies the network topology.
1. Network diagram
2. Software version and detailed configuration commands
Please download the document for details: http://pan.baidu.com/s/1xhlYk
3. Main configuration steps
# Configure the WLAN service and set the port security mode of the wireless interface to dot1x
[AC-wlan-st-1]display this
#
wlan service-template 1 crypto
 ssid eap
 bind WLAN-ESS 1
 cipher-suite tkip
 security-ie wpa
 service-template enable
#
return
[AC-wlan-st-1]
[AC]int wlan-ess 1
[AC-WLAN-ESS1]display this
#
interface WLAN-ESS1
 port-security port-mode userlogin-secure-ext
 port-security tx-key-type 11key
 undo dot1x handshake
#
return
[AC-WLAN-ESS1]
Note: cipher-suite tkip together with security-ie wpa yields WPA/TKIP, which is deprecated. Where the AC software and the clients support it, prefer the CCMP (AES) cipher suite with the RSN (WPA2) security IE; the 802.1X/EAP configuration below is unchanged by that choice.
# Set the dot1x authentication method to EAP and enable port security
[AC]dot1x authentication-method eap
[AC]port-security enable
# Configure the PKI parameters
#
pki entity auth
 common-name local-auth
 organization h3c-auth
#
pki domain local
 certificate request entity auth
 crl check disable
#
Note: crl check disable turns off revocation checking for this domain. That is acceptable in a lab, but with EAP_TLS a revoked client certificate would still be accepted, so enable CRL checking in production once a CRL distribution point is reachable from the AC.
# Import the certificates
If a certificate has already been imported, the local public key must be destroyed before a certificate can be imported again:
[AC]public-key local destroy rsa
Local key pair is in use by local certificate of domain "local" ,Do you want to delete local certificate first? [Y/N]:y
Import the root (CA) certificate. The AC prints the certificate's fingerprints and asks for confirmation; compare them with fingerprints obtained out of band (for example, computed from the CA's certificate file on another machine) before answering y, otherwise a substituted CA would be trusted silently:
[AC]pki import-certificate ca domain local der filename certnew.cer
The trusted CA's finger print is:
MD5 fingerprint:5710 DE77 4771 641F 5C38 8CF4 25DE 9CAA
SHA1 fingerprint:02AB BAB7 F8CC 6D1E 3EF8 5EAB 5FBD B448 A8FE 24FA
Is the finger print correct?(Y/N):y
Import CA certificate successfully.
%Oct 17 17:02:33:554 2008 H3C PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain local is trusted.
[H3C]
%Oct 17 17:02:33:563 2008 H3C PKI/4/Update_CA_Cert:Update CA certificates of the Domain local successfully.
%Oct 17 17:02:33:572 2008 H3C PKI/4/Import_CA_Cert:Import CA certificates of the domain local successfully.
Import the server SSL certificate (PKCS#12 file containing the certificate and private key):
[AC]pki import-certificate local domain local p12 filename server_ssl.pfx
Please input challenge password:
Import local certificate successfully.
%Oct 17 17:06:26:777 2008 H3C PKI/4/Verify_Cert:Verify certificate CN=pt_web of the domain local successfully.
Import key pair successfully.
%Oct 17 17:06:26:783 2008 H3C PKI/4/Import_Local_Cert:Import local certificate of the domain local successfully.
[H3C]
%Oct 17 17:06:26:838 2008 H3C PKI/4/Import_Local_Key:Import local private key of the domain local successfully.
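The "Is the finger print correct?" prompt above is only a real check if the fingerprint is computed independently of the AC. The following script is an added example, not part of the original guide or of H3C's software: it computes the MD5 and SHA1 fingerprints of a CA certificate file in the same upper-case, four-character-group layout the AC prints, converts PEM to DER first (the AC hashes the DER bytes, so a PEM file hashed as-is would never match), and compares a pasted value from the AC prompt with the computed one. The file name and the sample certificate bytes are constructed placeholders, not a real CA certificate.

```python
# Added example (not from the H3C guide): verify the CA fingerprint shown by the AC
# at "Is the finger print correct?(Y/N)" against one computed from the certificate
# file obtained out of band. Standard library only.
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(data: bytes) -> bytes:
    """Return the DER encoding of a certificate given as DER or PEM.

    The AC hashes DER bytes, so a PEM file must be base64-decoded first or the
    fingerprints will never match.
    """
    m = PEM_RE.search(data.decode("ascii", errors="ignore"))
    if m:
        return base64.b64decode("".join(m.group(1).split()))
    return data


def group_hex(hexdigest: str) -> str:
    """Format a hex digest the way the AC prints it: upper case, 4-char groups."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def fingerprints(cert: bytes) -> dict:
    """MD5 and SHA1 fingerprints of a certificate (DER or PEM), AC style."""
    der = to_der(cert)
    return {
        "MD5": group_hex(hashlib.md5(der).hexdigest()),
        "SHA1": group_hex(hashlib.sha1(der).hexdigest()),
    }


def normalize(fp: str) -> str:
    """Drop spaces/colons and lower-case so pasted values compare reliably."""
    return re.sub(r"[\s:]", "", fp).lower()


def fingerprint_matches(cert: bytes, displayed: str, algo: str = "SHA1") -> bool:
    """True if the fingerprint the AC displayed equals the computed one.

    Compare SHA1 rather than MD5: MD5 collisions are practical, so an MD5
    match alone is weak evidence that the file is the CA certificate expected.
    """
    return normalize(fingerprints(cert)[algo]) == normalize(displayed)


if __name__ == "__main__":
    # Constructed sample: a PEM wrapper around the bytes b"abc" stands in for a
    # real certnew.cer so the script runs offline. In practice read the file:
    # open("certnew.cer", "rb").read()  (file name assumed from the guide).
    sample_pem = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    fps = fingerprints(sample_pem)
    print("MD5 fingerprint:", fps["MD5"])
    print("SHA1 fingerprint:", fps["SHA1"])
    # Value pasted from the AC prompt (constructed here to match the sample).
    displayed = "A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D"
    print("answer Y only if this is True:", fingerprint_matches(sample_pem, displayed))
```

Run it on the CA certificate file you received from the CA administrator on a machine other than the AC; answer y at the import prompt only when the SHA1 value the AC prints matches.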
# Configure the SSL server policy (this TLS tunnel protects the PEAP inner MSCHAPv2 exchange)
#
ssl server-policy 1
 pki-domain local
 ciphersuite rsa_rc4_128_sha
 handshake timeout 180
 close-mode wait
 session cachesize 1000
Note: rsa_rc4_128_sha uses RC4, which is broken. Where the software version offers an AES suite (for example rsa_aes_128_cbc_sha or rsa_aes_256_cbc_sha), select it instead, since the inner MSCHAPv2 credentials are only as protected as this tunnel.
# Set the local authentication method to eap-peap and enable the local authentication server
[AC]eap-profile eap1
[AC-eap-prof-eap]method peap-mschapv2
[AC-eap-prof-eap]ssl-server-policy 1
[AC-eap-prof-eap]quit
[AC]local-server authentication eap-profile eap1
# Create the user group
[AC]user-group eap
# Create the local user with service type lan-access
local-user eap
 password simple eap
 group eap
 service-type lan-access
Note: password simple keeps the password in clear text in the configuration file; outside a lab, use password cipher (or the equivalent on your software version) and a non-trivial password, because MSCHAPv2 offers no protection against offline guessing once the tunnel is compromised.
4. Verification results
For the verification results, see the document downloaded in section 2.