SNAC and Aruba Wireless Network Security: A Perfect Combination
Test Report
Symantec
Table of Contents
1. Test Purpose and Scope
2. Test Topology
3. Access Switch Configuration
4. Aruba Wireless Controller Configuration
5. Authentication Without Agent
6. Authentication With Agent
7. Mobile Device Authentication
8. Validated Aruba Wireless Controller (AC) List
9. Aruba Configuration
1. Test Purpose and Scope
- Test purpose:
  - Verify the concrete implementation of wireless 802.1X admission control;
  - Verify the compatibility of the Symantec SNAC product with Aruba wireless AP equipment;
- Test scope:
  - Wireless client with the Agent installed: test the authentication process
  - Wireless client without the Agent installed: test the authentication process
2. Test Topology
Figure 1 Test topology diagram
- Hardware environment
  - 1 endpoint management server, 1 DHCP server, 1 LAN Enforcer, 1 RADIUS authentication server, 1 PoE-capable 4948 switch, 1 Aruba wireless AP, 1 iPhone, 1 iPad 2, 1 HTC, 1 laptop.
- Software environment
  - Server operating system: Windows 2003 Enterprise;
  - Client operating systems: Windows 7, iPhone OS, iPad OS, Android.
3. Access Switch Configuration
- The switch only needs the corresponding VLANs configured; the link between the switch and the Aruba wireless controller is a trunk, and the Aruba wireless controller is configured with the matching VLAN IDs:
  - VLAN 10: Mgt 10.112.196.0/24
  - VLAN 20: Work 10.112.197.0/24
  - VLAN 30: Repair 10.112.198.0/24
  - VLAN 40: Guest 10.112.199.0/24
LAN Enforcer configuration:
Figure 2 RADIUS settings on the LAN Enforcer
Figure 3 LAN Enforcer pointing at the Aruba controller
Figure 4 VLAN settings on the LAN Enforcer
Figure 5 VLAN switching settings on the LAN Enforcer
4. Aruba Wireless Controller Configuration
Figure 6 SSID-to-VLAN mapping: sec-test
Figure 7 RADIUS server setting: 10.112.198.170
Figure 8 Aruba authentication settings
Figure 9 Work role
Figure 10 Repair role
Figure 11 Guest role
5. Authentication Without Agent
An authentication dialog pops up automatically and identity credentials must be entered:
Figure 12 Entering identity credentials
Identity authentication succeeds and the client joins the network:
Figure 13 Authentication succeeded: admitted to the Work zone
6. Authentication With Agent
Scenario 1: identity authentication succeeds and the security policy check is compliant; the client enters the Work zone
Figure 14 Identity authentication and security policy check both pass
Figure 15 Client IP information: Work zone
Figure 16 Aruba controller information: Work role
Scenario 2: identity authentication succeeds but the security policy check is non-compliant; the client enters the Repair zone
Figure 17 Identity authentication succeeded, policy check non-compliant
Figure 18 Client IP information: Repair zone
Figure 19 Aruba controller information: Repair role
Scenario 3: identity authentication fails while the security policy check is compliant; the client waits for a second authentication attempt
Figure 20 Host integrity check passed
Figure 21 Wrong credentials entered: identity authentication failed
Figure 22 Identity authentication dialog shown again
Figure 23 No authentication entry on the Aruba controller
Scenario 4: security check changes from compliant to non-compliant; the client is moved automatically from the Work zone into the Repair zone
Figure 24 Identity authentication succeeded and policy check compliant
Figure 25 Authentication succeeded, client enters the Work zone
Figure 26 Aruba controller: Work zone
Figure 27 Policy check non-compliant, client moved into the Repair zone
Figure 28 Aruba controller: Repair zone
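The admission logic that scenarios 1 to 4 above (and the agentless case in section 5) exercise, written out as an added Python model; this is not code from the report, from Symantec or from Aruba. The zone-to-VLAN numbers come from section 3, the RADIUS tunnel attributes used to push the VLAN are assumed to be the standard RFC 2868 ones, and the move back from Repair to Work on remediation is a generalisation the report does not show.

```python
from dataclasses import dataclass, field
from typing import Optional

# Zone-to-VLAN mapping as listed in section 3 of the report.
ZONE_VLAN = {"Work": 20, "Repair": 30, "Guest": 40}


@dataclass
class Decision:
    zone: Optional[str]            # None: access rejected, client is re-prompted
    vlan: Optional[int]
    radius_attrs: dict = field(default_factory=dict)


def decide(identity_ok: bool, hi_ok: Optional[bool]) -> Decision:
    """Admission decision for one 802.1X attempt.
    hi_ok is the Host Integrity result from the agent; None means no agent
    (section 5), which the report shows being admitted to the Work zone."""
    if not identity_ok:
        # Scenario 3: wrong credentials -> no role on the controller (Figure 23)
        return Decision(zone=None, vlan=None)
    zone = "Repair" if hi_ok is False else "Work"   # scenario 2 / scenario 1
    vlan = ZONE_VLAN[zone]
    # Assumption: the VLAN is handed to the controller with RFC 2868 tunnel
    # attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802).
    attrs = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
             "Tunnel-Private-Group-ID": str(vlan)}
    return Decision(zone, vlan, attrs)


def reevaluate(current: Decision, hi_ok: bool) -> Decision:
    """Scenario 4: the agent re-checks HI after admission. A client already in
    Work that turns non-compliant is moved to Repair without a new login; the
    reverse move back to Work is a generalisation not shown in the report."""
    if current.zone is None:
        return current             # never admitted, nothing to switch
    return decide(True, hi_ok)


def walk_scenarios():
    """The report's four scenarios, in order, as (zone, vlan) pairs."""
    s1 = decide(True, True)
    s2 = decide(True, False)
    s3 = decide(False, True)
    s4 = reevaluate(decide(True, True), False)
    return [(d.zone, d.vlan) for d in (s1, s2, s3, s4)]


if __name__ == "__main__":
    for i, (zone, vlan) in enumerate(walk_scenarios(), 1):
        print(f"scenario {i}: zone={zone} vlan={vlan}")
```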
7. Mobile Device Authentication
Result:
- Mobile devices running iPad 2, iPhone and Android operating systems support 802.1X authentication by username and password and work normally (the username determines which zone the device is switched into).
8. Validated Aruba Wireless Controller (AC) List
Model        Version          User
Aruba2400    Version 5.0.3.3  CCTV
Aruba3400    Version 5.0.2.0  ABC
9. Aruba Configuration
(Aruba3400) #show running-config
Building Configuration...
version 5.0
enable secret "8aad4a010166ca17983134f406de05e9503959a575ba2f84ca"
hostname "Aruba3400"
clock timezone CHT 8
location "Building1.floor1"
mms config 0
controller config 40
ip access-list eth validuserethacl
permit any
!
netservice svc-netbios-dgm udp 138
netservice svc-snmp-trap udp 162
netservice svc-syslog udp 514
netservice svc-l2tp udp 1701
netservice svc-ike udp 500
netservice svc-https tcp 443
netservice svc-smb-tcp tcp 445
netservice svc-dhcp udp 67 68
netservice svc-pptp tcp 1723
netservice svc-sec-papi udp 8209
netservice svc-sccp tcp 2000
netservice svc-http-accl tcp 88
netservice svc-telnet tcp 23
netservice svc-netbios-ssn tcp 139
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-tftp udp 69
netservice svc-http-proxy3 tcp 8888
netservice svc-noe udp 32512
netservice svc-cfgm-tcp tcp 8211
netservice svc-adp udp 8200
netservice svc-pop3 tcp 110
netservice svc-lpd-tcp tcp 631
netservice svc-rtsp tcp 554
netservice svc-msrpc-tcp tcp 135 139
netservice svc-dns udp 53
netservice svc-h323-udp udp 1718 1719
netservice svc-h323-tcp tcp 1720
netservice svc-vocera udp 5002
netservice svc-http tcp 80
netservice svc-http-proxy2 tcp 8080
netservice svc-sip-udp udp 5060
netservice svc-nterm tcp 1026 1028
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-microsoft-ds tcp 445
netservice svc-svp 119
netservice svc-smtp tcp 25
netservice svc-gre 47
netservice svc-netbios-ns udp 137
netservice svc-sips tcp 5061
netservice svc-smb-udp udp 445
netservice svc-cups tcp 515
netservice svc-esp 50
netservice svc-v6-dhcp udp 546 547
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-msrpc-udp udp 135 139
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ssh tcp 22
netservice svc-lpd-udp udp 631
netservice svc-v6-icmp 58
netservice svc-http-proxy1 tcp 3128
ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-sec-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session allow-diskservices
any any svc-netbios-dgm permit
any any svc-netbios-ssn permit
any any svc-microsoft-ds permit
any any svc-netbios-ns permit
!
ip access-list session validuser
any any any permit
!
ip access-list session vocera-acl
any any svc-vocera permit queue high
!
ip access-list session icmp-acl
any any svc-icmp permit
!
ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
!
ip access-list session allowall
any any any permit
!
ip access-list session https-acl
any any svc-https permit
!
ip access-list session sip-acl
any any svc-sip-udp permit queue high
any any svc-sip-tcp permit queue high
!
ip access-list session dns-acl
any any svc-dns permit
!
ip access-list session tftp-acl
any any svc-tftp permit
!
ip access-list session skinny-acl
any any svc-sccp permit queue high
!
ip access-list session srcnat
user any any src-nat
!
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session allow-printservices
any any svc-cups permit
any any svc-lpd-tcp permit
any any svc-lpd-udp permit
!
ip access-list session cplogout
user alias controller svc-https dst-nat 8081
!
ip access-list session http-acl
any any svc-http permit
!
ip access-list session dhcp-acl
any any svc-dhcp permit
!
ip access-list session ap-uplink-acl
any any udp 68 permit
any any svc-icmp permit
any host 224.0.0.251 udp 5353 permit
!
ip access-list session noe-acl
any any svc-noe permit queue high
!
ip access-list session svp-acl
any any svc-svp permit queue high
user host 224.0.1.116 any permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-http permit
user any svc-http-accl permit
user any svc-smb-tcp permit
user any svc-msrpc-tcp permit
user any svc-snmp-trap permit
user any svc-ntp permit
user alias controller svc-ftp permit
!
ip access-list session h323-acl
any any svc-h323-tcp permit queue high
any any svc-h323-udp permit queue high
!
ipv6 access-list session v6-icmp-acl
any any svc-v6-icmp permit
!
ipv6 access-list session v6-https-acl
any any svc-https permit
!
ipv6 access-list session v6-dhcp-acl
any any svc-v6-dhcp permit
!
ipv6 access-list session v6-dns-acl
any any svc-dns permit
!
ipv6 access-list session v6-allowall
any any any permit
!
ipv6 access-list session v6-http-acl
any any svc-http permit
!
ipv6 access-list session v6-logon-control
user any udp 68 deny
any any svc-v6-icmp permit
any any svc-v6-dhcp permit
any any svc-dns permit
!
vpn-dialer default-dialer
ike authentication PRE-SHARE changeme
!
user-role ap-role
session-acl control
session-acl ap-acl
!
user-role default-vpn-role
session-acl allowall
ipv6 session-acl v6-allowall
!
user-role vip-role
vlan 30
session-acl allowall
!
user-role voice
session-acl sip-acl
session-acl noe-acl
session-acl svp-acl
session-acl vocera-acl
session-acl skinny-acl
session-acl h323-acl
session-acl dhcp-acl
session-acl tftp-acl
session-acl dns-acl
session-acl icmp-acl
!
user-role default-via-role
session-acl allowall
ipv6 session-acl v6-allowall
!
user-role guest-logon
captive-portal "default"
session-acl logon-control
session-acl captiveportal
!
user-role guest
session-acl http-acl
session-acl https-acl
session-acl dhcp-acl
session-acl icmp-acl
session-acl dns-acl
ipv6 session-acl v6-http-acl
ipv6 session-acl v6-https-acl
ipv6 session-acl v6-dhcp-acl
ipv6 session-acl v6-icmp-acl
ipv6 session-acl v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall
!
user-role logon
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control
!
ip radius source-interface vlan 192
!
no spanning-tree
interface mgmt
shutdown
!
dialer group evdo_us
init-string ATQ0V1E0
dial-string ATDT#777
!
dialer group gsm_us
init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
dial-string ATD*99#
!
dialer group vivo_br
init-string AT+CGDCONT=1,"IP",".br"
dial-string ATD*99#
!
vlan 20 "quarantine-vlan20"
vlan 30 "employee-vlan30"
vlan 192 "Server-vlan192"
interface gigabitethernet 1/0
description "GE1/0"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
!
interface gigabitethernet 1/2
description "GE1/2"
trusted
trusted vlan 1-4094
switchport access vlan 192
!
interface gigabitethernet 1/3
description "GE1/3"
trusted
trusted vlan 1-4094
switchport access vlan 192
!
interface vlan 1
ip address 10.10.10.254 255.255.255.0
!
interface vlan 20
ip address 20.20.20.254 255.255.255.0
operstate up
!
interface vlan 30
ip address 30.30.30.254 255.255.255.0
operstate up
!
interface vlan 192
ip address 192.168.0.254 255.255.255.0
!
ap mesh-recovery-profile cluster RecoverygmUKRL3MghP1K5I0 wpa-hexkey C9BA810ED99D44182ED2349A0778359D75C01C1B49B85FAAE1D44D7B9A4CF3F7
wms
general poll-interval 60000
general poll-retries 3
general ap-ageout-interval 30
general sta-ageout-interval 30
general learn-ap disable
general persistent-known-interfering enable
general propagate-wired-macs enable
general stat-update enable
general collect-stats disable
!
crypto isakmp policy 20
encryption aes256
!
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set default-transform default-aes
!
vpdn group l2tp
!
ip dhcp pool AP-pool
default-router 10.10.10.254
network 10.10.10.0 255.255.255.0
authoritative
!
ip dhcp pool vlan20-pool
default-router 20.20.20.254
network 20.20.20.0 255.255.255.0
authoritative
!
ip dhcp pool vlan30-pool
default-router 30.30.30.254
network 30.30.30.0 255.255.255.0
authoritative
!
service dhcp
ip dhcp default-pool private
!
vpdn group pptp
!
mux-address 0.0.0.0
adp discovery disable
adp igmp-join disable
adp igmp-vlan 0
voip prioritization disable
voip rtcp-inactivity disable
voip sip-midcall-req-timeout disable
ssh mgmt-auth username/password
mgmt-user admin root 7e7c4a93013118206cf92729b708c9cf040324a2b47dd66cd2
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
no firewall attack-rate cp 1024
!
firewall cp
!
firewall cp
no acceleration cifs caching
no acceleration cifs chattiness
no acceleration cifs read-ahead
no acceleration cifs write-behind
no acceleration http authentication
no acceleration http caching
no acceleration http deduplication
no acceleration http post
no acceleration http sharepoint
no acceleration mapi aggregation
no acceleration mapi caching
no acceleration mapi prefetching
!
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country CN
aaa authentication mac "default"
!
aaa authentication dot1x "ABC-dot1x-auth"
!
aaa authentication dot1x "default"
!
aaa authentication-server radius "ABC-radius-server"
host 192.168.0.200
key "admin"
!
aaa server-group "ABC-servergroup"
auth-server ABC-radius-server
!
aaa server-group "default"
auth-server Internal
set role condition role value-of
!
aaa authentication via connection-profile "default"
!
aaa authentication via web-auth "default"
!
aaa authentication via global-config
!
aaa profile "ABC-aaa"
authentication-dot1x "ABC-dot1x-auth"
dot1x-server-group "ABC-servergroup"
!
aaa profile "default"
!
aaa authentication captive-portal "default"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication via auth-profile "default"
!
aaa authentication wired
!
web-server
!
papi-security
!
guest-access-email
!
control-plane-security
!
voice dialplan-profile "default"
!
voice sip
!
aaa password-policy mgmt
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
country-code CN
valid-11g-channel 1
valid-11g-channel 6
valid-11g-channel 11
valid-11a-channel 149
valid-11a-channel 153
valid-11a-channel 157
valid-11a-channel 161
valid-11a-channel 165
valid-11g-40mhz-channel-pair 1-5
valid-11g-40mhz-channel-pair 7-11
valid-11a-40mhz-channel-pair 149-153
valid-11a-40mhz-channel-pair 157-161
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap mesh-cluster-profile "default"
!
ap wired-port-profile "default"
!
ap mesh-radio-profile "default"
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-devic
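A small audit of the running-config above, added here as an example and not taken from the report or from Aruba: it splits the `ip access-list session` and `user-role` blocks and reports which roles are bound to an ACL that permits everything, which is the first thing to check before mapping the Work, Repair and Guest zones onto controller roles. The excerpt is constructed from lines on this page.

```python
import re

# Excerpt of the section 9 running-config (constructed from lines on this page).
CONFIG = """\
ip access-list session allowall
any any any permit
!
ip access-list session http-acl
any any svc-http permit
!
user-role vip-role
vlan 30
session-acl allowall
!
user-role guest
session-acl http-acl
!
user-role authenticated
session-acl allowall
!
"""


def split_blocks(text):
    """Map each 'ip access-list session X' / 'user-role X' header to its body lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "!":            # '!' closes the current block
            current = None
        elif re.match(r"(ip access-list session|user-role) \S+$", line):
            current = line
            blocks[line] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def role_vlans(blocks):
    """user-role name -> VLAN number, or None when the role sets no VLAN."""
    out = {}
    for header, body in blocks.items():
        if header.startswith("user-role "):
            vlans = [int(l.split()[1]) for l in body if l.startswith("vlan ")]
            out[header.split()[1]] = vlans[0] if vlans else None
    return out


def unrestricted_roles(blocks):
    """Roles bound to a session ACL whose only rule is 'any any any permit'."""
    open_acls = {h.split()[-1] for h, body in blocks.items()
                 if h.startswith("ip access-list") and body == ["any any any permit"]}
    return sorted(h.split()[1] for h, body in blocks.items() if h.startswith("user-role ")
                  and open_acls & {l.split()[1] for l in body if l.startswith("session-acl ")})
```

Run against the full `show running-config` output, the same two functions show which roles still carry `allowall` (the page's `authenticated`, `vip-role`, `default-vpn-role` and `default-via-role` do).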