H3C V7 SSL VPN LDAP authentication example

   After quite a few twists and turns, I finally got the VPN set up and working normally, so I am recording it here. Thanks to H3C technical support, and thanks to engineer 3290 for the patient help...

Network topology diagram:

[topology image not reproduced]

F1020 configuration:

#
 version 7.1.064, Release 9313P12
#
 sysname FW01
#
context Admin id 1
#
ip vpn-instance management
 route-distinguisher 1000000000:1
 vpn-target 1000000000:1 import-extcommunity
 vpn-target 1000000000:1 export-extcommunity
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 password-recovery enable
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0   ----- interface facing the router: configure its IP
 port link-mode route
 description link to route MSR3620
 ip address 192.168.201.254 255.255.255.0
#
interface GigabitEthernet1/0/1   ----- interface facing the internal network: configure its IP
 port link-mode route
 description link to SW5800
 ip address 192.168.202.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-mode route
#
interface GigabitEthernet1/0/3
 port link-mode route
#
interface GigabitEthernet1/0/4
 port link-mode route
#
interface GigabitEthernet1/0/5
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface GigabitEthernet1/0/10
 port link-mode route
#
interface GigabitEthernet1/0/11
 port link-mode route
#
interface GigabitEthernet1/0/12
 port link-mode route
#
interface GigabitEthernet1/0/13
 port link-mode route
#
interface GigabitEthernet1/0/14
 port link-mode route
#
interface GigabitEthernet1/0/15
 port link-mode route
#
interface GigabitEthernet1/0/16
 port link-mode route
#
interface GigabitEthernet1/0/17
 port link-mode route
#
interface GigabitEthernet1/0/18
 port link-mode route
#
interface GigabitEthernet1/0/19
 port link-mode route
#
interface GigabitEthernet1/0/20
 port link-mode route
#
interface GigabitEthernet1/0/21
 port link-mode route
#
interface GigabitEthernet1/0/22
 port link-mode route
#
interface GigabitEthernet1/0/23
 port link-mode route
#
interface SSLVPN-AC1   ----- create SSL VPN AC interface 1 and assign its IP address
 ip address 2.2.2.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust   ----- add the two interfaces above to Trust, otherwise they cannot reach each other
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
security-zone name SSLVPN   ----- add SSLVPN-AC1 to the SSLVPN zone and permit it in the policies
 import interface SSLVPN-AC1
#
zone-pair security source Local destination Trust   ----- the other security permit policies, likewise below
 packet-filter 3000
#
zone-pair security source SSLVPN destination Trust
 packet-filter 3010
#
zone-pair security source Trust destination Local
 packet-filter 3000
#
zone-pair security source Trust destination SSLVPN
 packet-filter 3010
#
zone-pair security source Trust destination Trust
 packet-filter 3000
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 192.168.201.1   ----- default route (next hop)
 ip route-static 192.168.0.0 16 192.168.202.254   ----- return route
#
 ssh server enable
#
acl advanced 3000   ----- ACL referenced by the security policies
 rule 199 permit ip
#
acl advanced 3010   ----- ACL referenced by the security policies
 rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
 rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 2.2.2.0 0.0.0.255
#
ldap server ldap1   ----- AD authentication settings
 login-dn cn=administrator,cn=users,dc=bbb,dc=com   ----- domain administrator account the firewall binds with
 search-base-dn dc=bbb,dc=com   ----- base DN from which user searches start
 ip 192.168.10.1   ----- IP address of the AD server
 login-password cipher $c$3$RXm3/H61vuYoaD1e4JCGI8L4oXNvuxpk8xx/0QqI3iU=   ----- password of the domain administrator above
 user-parameters user-name-attribute userprincipalname
 user-parameters user-name-format with-domain
#
ldap scheme shm1   ----- create LDAP scheme shm1
 authentication-server ldap1   ----- use ldap1 as both the LDAP authentication server and the authorization server
 authorization-server ldap1
 attribute-map test1
#
ldap attribute-map test1   ----- create LDAP attribute map test1
 map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
#   ----- take the LDAP attribute memberof, extract the value after prefix cn= up to the comma (,) delimiter, and map it to the AAA attribute user-group
domain bbb.com   ----- create ISP domain bbb.com; SSL VPN users get LDAP authentication, LDAP authorization and no accounting
 authentication sslvpn ldap-scheme shm1
 authorization sslvpn ldap-scheme shm1
 accounting sslvpn none
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
user-group system
#
user-group vpn_users   ----- create local user group vpn_users and authorize SSL VPN policy group pgroup for it
 authorization-attribute sslvpn-policy-group pgroup
#

The corresponding user group on AD is as follows:

[screenshot of the AD user group not reproduced]

local-user admin class manage
 password hash $h$6$Jn5wsW9YxCZelW4q$iMkNxt5tS2in5AatDoVApxLAwLpSoIjOYCg2hsYp9fBexxHWtuXETwVdJ5miG2lSbnofdq+qB/2PnG1KrVUriw==
 service-type ssh telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user test class network
 password cipher $c$3$ehhvJ6iZ0EjbcvRio4reyPyuqQWmAjdrDiqE
 service-type sslvpn
 authorization-attribute user-role network-operator
 authorization-attribute sslvpn-policy-group pgroup
#
pki domain sslvpn   ----- configure PKI domain sslvpn
 public-key rsa general name sslvpn
 undo crl check enable
#
ssl server-policy ssl   ----- configure SSL server policy ssl
 pki-domain sslvpn
 ciphersuite rsa_aes_128_cbc_sha
 client-verify enable
#
 session top-statistics enable
#
 ip http enable
 ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#   ----- create address pool ippool with the range 2.2.2.2 to 2.2.2.254
sslvpn ip address-pool ippool 2.2.2.2 2.2.2.254
#
sslvpn gateway gw   ----- configure SSL VPN gateway gw with IP address 192.168.201.254 and port 2000, referencing SSL server policy ssl
 ip address 192.168.201.254 port 2000
 ssl server-policy ssl
 service enable
#
sslvpn context ctx   ----- configure SSL VPN access instance ctx, referencing SSL VPN gateway gw
 gateway gw
 ip-tunnel interface SSLVPN-AC1
 ip-tunnel address-pool ippool mask 255.255.255.0
 ip-route-list rtlist   ----- create route list rtlist and add the route entry 192.168.0.0 255.255.0.0
  include 192.168.0.0 255.255.0.0
 policy-group pgroup   ----- create SSL VPN policy group pgroup, referencing route list rtlist and address pool ippool; the ACL filter ensures only packets that pass the ACL check can reach IP resources
  filter ip-tunnel 3000
  ip-tunnel access-route ip-route-list rtlist
 aaa domain bbb.com   ----- authenticate against domain bbb.com
 timeout idle 120
 service enable
#
ips policy default
#
anti-virus policy default
#
return
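The configuration above relies on two ACLs: 3000 (a single "rule 199 permit ip") is used by the Local/Trust zone pairs and as the policy-group's ip-tunnel filter, while 3010 is what the SSLVPN-to-Trust zone pair enforces. The following Python model, written for this write-up and not taken from the original post or from H3C, evaluates those ACLs with H3C-style wildcard masks (a 1 bit means "don't care") and walks a VPN client's packet through the address-pool, ip-tunnel filter and zone-pair checks. Running it shows that ACL 3000 permits everything, so in this configuration the zone-pair filter 3010 is the only thing confining clients to 192.168.0.0/16. The sample addresses are constructed, the check order is simplified, and the implicit deny of an unmatched packet-filter is an assumption (it is the default on this platform as far as I know).

```python
import ipaddress

# Constructed model of the two ACLs in the F1020 config. Each rule is
# (rule id, action, source, source wildcard, destination, destination wildcard);
# None means "any", as in "rule 199 permit ip".
ACLS = {
    3000: [
        (199, "permit", None, None, None, None),
    ],
    3010: [
        (0, "permit", "2.2.2.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
        (1, "permit", "192.168.0.0", "0.0.255.255", "2.2.2.0", "0.0.0.255"),
    ],
}

# sslvpn ip address-pool ippool 2.2.2.2 2.2.2.254
POOL = ("2.2.2.2", "2.2.2.254")
# zone-pair security source SSLVPN destination Trust -> packet-filter 3010
ZONE_PAIR_SSLVPN_TO_TRUST = 3010
# policy-group pgroup -> filter ip-tunnel 3000
IP_TUNNEL_FILTER = 3000


def wildcard_match(addr, base, wildcard):
    """H3C ACL wildcard masks: a 1 bit in the wildcard means 'don't care'.
    Setting every don't-care bit on both sides leaves only the bits that
    must be equal. base None matches any address."""
    if base is None:
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def acl_lookup(acl_number, src, dst):
    """First-match lookup over the rules of one ACL. Returns (rule id, action);
    (None, 'deny') when nothing matches, modelling the implicit deny of a
    packet-filter (assumption: default-deny)."""
    for rule_id, action, s, sw, d, dw in ACLS[acl_number]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return rule_id, action
    return None, "deny"


def in_pool(addr, first, last):
    """True when addr lies inside the inclusive address-pool range."""
    a = int(ipaddress.IPv4Address(addr))
    return int(ipaddress.IPv4Address(first)) <= a <= int(ipaddress.IPv4Address(last))


def vpn_client_can_reach(client_ip, target_ip):
    """Walk the checks a packet from an SSL VPN client passes in this config
    (order simplified): the client must hold an address from ippool, the
    policy-group's ip-tunnel filter (ACL 3000) must permit it, and the
    SSLVPN -> Trust zone-pair packet-filter (ACL 3010) must permit it."""
    if not in_pool(client_ip, *POOL):
        return False, "address not from ippool"
    _, action = acl_lookup(IP_TUNNEL_FILTER, client_ip, target_ip)
    if action != "permit":
        return False, "dropped by ip-tunnel filter 3000"
    _, action = acl_lookup(ZONE_PAIR_SSLVPN_TO_TRUST, client_ip, target_ip)
    if action != "permit":
        return False, "dropped by zone-pair SSLVPN->Trust packet-filter 3010"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed sample flows: an internal host, a host outside the route
    # list, and a client address that is not from the pool.
    for client, target in (("2.2.2.10", "192.168.20.5"),
                           ("2.2.2.10", "10.0.0.5"),
                           ("3.3.3.3", "192.168.20.5")):
        print(client, "->", target, vpn_client_can_reach(client, target))
```

The second flow is the instructive one: the ip-tunnel filter passes it because ACL 3000 is permit-all, and only the zone-pair ACL 3010 stops it. If the intent is that the policy group itself limits what clients may reach, the filter ip-tunnel line should reference an ACL with the same source and destination scoping as 3010.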


Notes:

1. Prepare the certificates before configuring: set up a certificate server (an online example can be found at http://www.docin.com/p-1350607324.html), generate the certificates, and import the CA certificate ca.cer and the server certificate server.pfx:
[F1020] pki import domain sslvpn der ca filename ca.cer
[F1020] pki import domain sslvpn p12 local filename server.pfx

2. The AD server must have a matching VPN user group: in this example the group vpn_users must exist in AD with the same name, and the users who need SSL VPN authentication must be added to it.

3. Check the next-hop addresses of the return routes on the firewall and the router.

4. On the MSR3620 router, map the SSL VPN's external address and port; in this document the mapping is 192.168.201.254 + TCP 2000.

5. During testing it is advisable to turn off antivirus software first.
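Note 2 and the attribute-map block in the configuration above work together: the firewall searches AD by userprincipalname (the login name keeps its domain because of user-name-format with-domain), takes each memberof DN, cuts out the text after cn= up to the first comma, and tries to match that string against a user-group on the firewall, which in turn carries the sslvpn-policy-group. The Python model below, added for this write-up and not taken from the original post or from H3C, emulates that chain on constructed sample entries. It assumes case-insensitive matching of the cn= prefix (AD returns CN=) and first-match selection when a user is in several mapped groups; verify both against the device, and note that the mapped group name must equal the firewall's user-group name exactly, which is why the AD group must be called vpn_users here.

```python
import re

# Constructed sample LDAP entries: what ldap1 would return for a search under
# search-base-dn dc=bbb,dc=com. Not real directory data.
SAMPLE_LDAP_ENTRIES = {
    "alice@bbb.com": {
        "userprincipalname": "alice@bbb.com",
        "memberof": [
            "CN=vpn_users,CN=Users,DC=bbb,DC=com",
            "CN=Domain Users,CN=Users,DC=bbb,DC=com",
        ],
    },
    "bob@bbb.com": {
        "userprincipalname": "bob@bbb.com",
        "memberof": ["CN=Domain Users,CN=Users,DC=bbb,DC=com"],
    },
}

# user-group vpn_users -> authorization-attribute sslvpn-policy-group pgroup
FIREWALL_USER_GROUPS = {"vpn_users": "pgroup"}

# ISP domains on the firewall and the LDAP scheme each one uses
AAA_DOMAINS = {"bbb.com": "shm1"}


def split_login(login):
    """user-name-format with-domain: the part after the last '@' selects the
    ISP domain; the full login (domain included) is what goes to LDAP."""
    user, sep, domain = login.rpartition("@")
    if not sep:
        return login, None
    return user, domain


def ldap_search_filter(login, attribute="userprincipalname"):
    """Search filter built from user-name-attribute userprincipalname.
    The value is escaped per RFC 4515 so a login name cannot alter the filter."""
    escaped = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), login)
    return "(%s=%s)" % (attribute, escaped)


def map_memberof(values, prefix="cn=", delimiter=","):
    """Emulates: map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
    From each memberof DN keep the text between the prefix and the first
    delimiter. Assumption: the prefix comparison is case-insensitive."""
    groups = []
    for dn in values:
        head = dn.split(delimiter, 1)[0]
        if head.lower().startswith(prefix.lower()):
            groups.append(head[len(prefix):])
    return groups


def authorize(login, entries=SAMPLE_LDAP_ENTRIES):
    """Return the sslvpn policy group a login ends up with, or None when the
    domain is not configured, the user is unknown, or no mapped group matches
    a user-group on the firewall (so no policy group is authorized)."""
    user, domain = split_login(login)
    if domain not in AAA_DOMAINS:
        return None
    entry = entries.get(login)  # with-domain: the full UPN is the lookup key
    if entry is None:
        return None
    for group in map_memberof(entry.get("memberof", [])):
        if group in FIREWALL_USER_GROUPS:  # exact name match, first hit wins (assumption)
            return FIREWALL_USER_GROUPS[group]
    return None


if __name__ == "__main__":
    for login in ("alice@bbb.com", "bob@bbb.com", "alice@other.com"):
        print(login, ldap_search_filter(login), authorize(login))
```

bob is a valid AD user but not in vpn_users, so he authenticates yet receives no policy group; that is the behaviour the page relies on to keep SSL VPN access limited to the AD group, and it is worth confirming on the device that a user without a policy group is indeed refused rather than admitted with defaults.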


Reference: http://kms.h3c.com/case/info.aspx?id=41896