0企业产品培训上机指导模板v0

1、修订开发/优化者时间审核人开发类型（新开发/优化）/2012-03-16新开发课程编码适用产品产品版本课程版本 IEEE023105S7700V1R61.00S7700 交换机 AAA&NAC特性与配置上机指导目 录S7700交换机AAA&NAC特性与配置上机指导1实验环境介绍61关于本课程6组网介绍6设备参数描述7NET用户本地认证配置8实验目标8组网及业务描述8配置思路9配置步骤9创建本地用户9配置VTY用户的认证方式为AAA9结果验证92.5.1 在客户端 net SWA.2 查看VTY用户10配置参考102.6.1 SWA的配置

2、：10FAQ112.7.1 问题一11NET用户RADIUS认证配置12实验目标12组网及业务描述12配置思路13配置步骤13配置RADIUS服务器模板13配置域的相关参数13配置VTY用户的认证方式为AAA13结果验证143.5.1 验证Radius服务器模板配置142.62.73.43.5在客户端 net SWA.3 查看VTY用户15配置参考153.6.1 SWA的配置：15FAQ163.7.1 问题一16NET用户HWTACACS认证配置17实验目标17组网及业务描述17配置思路18配置步骤18配置HWTACACS服务器模板18配置域的相关参数1

3、83.63.7 配置VTY用户的认证方式为AAA19结果验证19查看HWTACACS服务器模板配置19在客户端电脑 net SWA194.5.3 在本地查看VTY用户19配置参考20SWA的配置20FAQ21问题一21802.1X认证配置225实验目标22组网及业务描述22配置思路23配置步骤23配置RADIUS服务器模板23配置认证方案authen3，认证方法为RADIUS23配置admin3域，绑定认证方式和RADIUS服务器模板235.4.4 配置802.1x认证24结果验证24检查配置结果24测试从客户端PC到RTA的连通性24开启客户端PC上的80

4、2.1X认证25再次测试客户端PC到RTA的连通性25MAC旁路认证验证255.5.6 802.1X认证失败情形26配置参考265.6.1 SWA的配置26FAQ275.7.1 问题一25.7MAC认证配置286实验目标28组网及业务描述28配置思路29配置步骤29配置RADIUS服务器模板29配置认证方案authen3，认证方法为RADIUS29配置admin3域，绑定认证方式和RADIUS服务器模板29配置MAC认证30结果验证30检查配置结果30在SWA上测试账号的正确性30测试客户端PC到RTA的连通性30配置参考316.6.1 SWA的配置31F

5、AQ3 问题一327WEB认证配置33实验目标33组网及业务描述33配置思路34配置步骤34配置RADIUS服务器模板34配置认证方案authen3，认证方法为RADIUS34配置admin3域，绑定认证方式和RADIUS服务器模板34配置Web认证35结果验证357.5.1 检查配置结果35配置参考357.6.1 SWA的配置35FAQ377.7.1 问题一37.7图表目录图图图图图图图1-12-13-14-1整体组网6net用户本地认证实验组网图8net用户RADIUS认证实验组网图12net用户H

6、WTACACS认证实验组网图175-1 802.1X认证实验组网图226-1 MAC认证实验组网图287-1 Web认证实验组网图331实验环境介绍1.1关于本课程AAA是认证（Authentication）、（Authorization）、计费（Accounting）的缩写，它是一个综合的安全架构，通常不单独使用，而是与其他技术配合提升网络和设备的安全性。NAC（Network AdmisControl）称为网络接入控制，是一种安全接入的框架，其理念是安全“端到端”的概念。NAC从用户终端考虑而不是从网络设备层面考虑安全。通过本课程实验，使学员能够掌握AAA和NAC的各种基本配置。的实验包括

7、：，本课程net用户本地认证配置net用户RAIDUS认证配置net用户HWTACACS认证配置802.1X认证配置802.1X认证与Guest VLAN配置802.1X认证与MAC旁路认证配置 MAC认证配置Web认证配置1.2组网介绍图 整体组网1.3 设备参数描述表 1-1 AAA & NAC 实验设备设备名设备型号版本信息备注SWAS7703V100R006C00SPC100RTAAR2220V200R001C00ServerWindows PCWindows XP 以上作为 AAA 服务器和Web 服务器PCWindows PCWindows XP 以上作为客户端2net 用户本地认

8、证配置2.1 实验目标掌握S7700交换机本地用户的配置方法。掌握查看S7700交换机VTY用户状态的方法。2.2 组网及业务描述2.3配置思路2.4配置步骤2.4.1 创建本地用户在aaa视图下创建本地用户，包括用户名和net。用户缺省的操作权限是level 0。，指定用户的服务类型为SWAaaaSWA-aaalocal-user SWA-aaalocal-user SWA-aaaquitu password simple u service-typepnet在系统视图下配置level 3的super为s。SWA supassword level 3 simples2.4.2 配置 VTY

9、用户的认证方式为 AAAVTY用户缺省的认证方式为password。进入VTY用户视图，修改认证方式为aaa。SWAuser-erface vty 0 4SWA-ui-vty0-4 authentication-mode aaa SWA-ui-vty0-4quitSWA2.5结果验证2.5.1 在客户端net SWA从Windows的CMD窗口 netSWA：C:net 验证配置结果配置VTY用户的认证方式为AAA创建本地用户Login authenticationUsername:uPassword:/password pInfo: The max number of VTY users i

10、s 5, and the number of current VTY userson line is 1.因为用户权限很低，所有可操作令很少。?User view clusterds:Run clusterddisplayDisplayhwtacacs-user HWTACACS userlocal-userAdd/Delete/Set user(s) functionquit supernet tracertExit from currentd viewPrivilege current user a specified priority level Establish anet conne

11、ctionTrace route function通过super命令操作权限。super Password:Now usrivilege is 3 level, and only those to or lessn this level can be used.ds whose level is equalPrivilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE2.5.2查看VTY 用户先查看用户所在的VTY。display users User-f DelayType Network AddressAuthenSus AuthorcmdFl

12、ag Username : Unspecified+ 0CON 000:00:00no34 VTY 000:00:56 paoUsername : u再查看该VTY用户的详细信息。SWAdisplay user-erface vty 0Idx TypeTx/RxModem Privi ActualPrivi Auth+: Current UI i F: Current UI iive.ive and work in async mode.Idx : Absolute index of UIs.Type : Type and relative index of UIs. Privi: The p

13、rivilege of UIs.ActualPrivi: The actual privilege of user- Auth : The authentication mode of UIs.A: Authenticate use AAA.N: Current UI need not authentication.erface.P: Authenticate use current UIs password.: The physical location of UIs.2.6 配置参考2.6.1 SWA 的配置：#+ 34VTY 0-03A-!Software Ver sysname SWA

14、#V100R006C00SPC800sup #assword level 3 simplesvlan batch 10 20 30#dhcp enable#undo http server enable#drop illegal-mac alarm#aaaauthentication-scheme default authorization-scheme default accounting-scheme defaultdefault default_adminlocal-user admin password simple admin local-user admin service-typ

15、e httplocal-user local-user #erface Vlanif1#u password simple u service-typepneterface Vlanif10ip address #erface Vlanif20ip address #erface Vlanif30ip address #erface MEth0/0/1#erface GigabitEthernet0/0/1port link-type acsport default vlan 30#. #erface GigabitEthernet0/0/11port link-type acsport de

16、fault vlan 10#erface GigabitEthernet0/0/12port link-type acsport default vlan 20#. #user- user-erface con 0erface vty 0 4authentication-mode aaa#return2.7 FAQ2.7.1 问题一问题：为什么本地认证不涉及域的配置？答：本实验比较特殊，采用了缺省的管理域：default_admin。该域缺省采用本地认证。用户也可以指定 net采用特定的域来认证。3net 用户 RADIUS 认证配置3.1 实验目标掌握S7700交换机本地用户的配置方法。掌握

17、查看S7700交换机VTY用户状态的方法。3.2 组网及业务描述3.3配置思路3.4配置步骤3.4.1 配置 RADIUS 服务器模板配置名为“testradius”的RADIUS服务器模板。服务器地址，认证端口1812，计费端口1813，共享密钥o。SWA radius-server template testradiusSWA-radius-testradius radius-server authentication 1812SWA-radius-testradius radius-server accounting 1813 SWA-radius-testradius radius-s

18、erver shared-key ciphero SWA-radius-testradius quit3.4.2 配置域的相关参数域的相关参数在aaa视图下配置。需要配置认证方案采用radius模式，计费方案采用radius模式，创建admin域，并在域下服务器模板。认证方案、计费方案和RadiusSWA aaaSWA-aaa authentication-scheme authen1 Info: Create a new authentication schemeSWA-aaa-authen-authen1 authentication-mode radius SWA-aaa-authen-

19、authen1 quitSWA-aaa accounting-scheme acc1 Info: Create a new accounting schemeSWA-aaa-accounting-acc1 accounting-mode radius SWA-aaa-accounting-acc1 quitSWA-aaaSWA-aaa-SWA-aaa-SWA-aaa-SWA-aaa-admin-admin authentication-scheme authen1-admin accounting-scheme acc1-admin radius-server testradius-admin

20、 quit3.4.3 配置 VTY 用户的认证方式为 AAA验证配置结果配置VTY用户的认证方式为AAA配置域的相关参数配置RADIUS服务器模板VTY用户缺省的认证方式为password。进入VTY用户视图，修改认证方式为aaa。SWAuser-erface vty 0 4SWA-ui-vty0-4 authentication-mode aaa SWA-ui-vty0-4quitSWA由于缺省情况下用户的操作权限是level 0，所以，仍然需要在SWA上配置super为，以便让用户有。权限的。在系统视图下配置level 3的superSWA supassword level 3 simpl

21、e3.5结果验证3.5.1 验证 Radius 服务器模板配置在SWA上查看Radius服务器模板的配置信息。SWAdis radius-server configurationServer-template-name Protocol-ver Traffic-unitShared-secret-key: testradius: standard: B:oTimeout- Prierval(in second): 5uthentication-server: :1812Lo:1813Lo:0Lo:0Loack:NULL ack:NULL ack:NULL ack:NULLPriccountin

22、g-server: Secondary-authentication-server : Secondary-accounting-server Retransmis-included: : 3: YES:Calling-sion-id MAC-formatTotal of radius template :1还可以直接在SWA上验证Radius服务器是否可用。这是一个很实用的功能，可以脱离客户端判断Radius服务器和交换机的配置是否正确。test-aaaadminradius-template testradiusInfo: Account test succeed!3.5.2 在客户端ne

23、t SWA从Windows的CMD窗口 netSWA：C:net Login authenticationUsername: Password:adminInfo: The max number of VTY users is 5, and the number of current VTY userson line is 1.因为用户权限很低，所有可操作令很少。?User view cluster displayds:Run cluster Displaydhwtacacs-user HWTACACS userlocal-userAdd/Delete/Set user(s)function

24、Exit from currentquit supernet tracertd viewPrivilege current user a specified priority levelEstablish anet connectionTrace route function通过super命令操作权限。super Password:Now usrivilege is 3 level, and only those to or lessn this level can be used.ds whose level is equalPrivilege note: 0-VISIT, 1-MONITO

25、R, 2-SYSTEM, 3-MANAGE3.5.3查看VTY 用户先查看用户所在的VTY。display users User-f DelayType Network AddressAuthenSus AuthorcmdFlag+ 0CON 000:00:00noUsername : Unspecified34 VTY 000:00:56 paoUsername :admin再查看该VTY用户的详细信息。SWAdisplay user-erface vty 0Idx TypeTx/RxModem Privi ActualPrivi Auth+: Current UI i F: Current

26、 UI iive.ive and work in async mode.Idx : Absolute index of UIs.Type : Type and relative index of UIs. Privi: The privilege of UIs.ActualPrivi: The actual privilege of user- Auth : The authentication mode of UIs.A: Authenticate use AAA.N: Current UI need not authentication.erface.P: Authenticate use

27、 current UIs password.: The physical location of UIs.3.6 配置参考3.6.1 SWA 的配置：#!Software Ver sysname SWA#V100R006C00SPC800sup #assword level 3 simplesvlan batch 10 20 30#dhcp enable#+ 34VTY 0-03A-undo http server enable #drop illegal-mac alarm #radius-server template testradius radius-server shared-key

28、 simpleoradius-server authentication 1812radius-server accounting 1813#aaaauthentication-scheme default authentication-scheme authen1 authentication-mode radius authorization-scheme default accounting-scheme default accounting-scheme acc1 accounting-mode radiusdefault default_admin adminauthenticati

29、on-scheme authen1 accounting-scheme acc1radius-server testradiuslocal-user admin password simple admin local-user admin service-type http#erface Vlanif1#erface Vlanif10ip address #erface Vlanif20ip address #erface Vlanif30ip address #erface MEth0/0/1#erface GigabitEthernet0/0/1port link-type acsport

30、 default vlan 30#. #erface GigabitEthernet0/0/11port link-type acsport default vlan 10#erface GigabitEthernet0/0/12port link-type acsport default vlan 20#. #user-erface con 0user-erface vty 0 4authentication-mode aaa#return3.7 FAQ3.7.1 问题一问题：是否可以让用户登录设备后直接拥有level 3权限？答：可以。这个功能是靠Radius厂商扩展属性实现的，要求Rad

31、ius服务器支持该功能。4net 用户 HWTACACS 认证配置4.1 实验目标掌握S7700交换机HWTACACS认证的配置方法。比较RADIUS认证域HWTACACS认证的差异。4.2 组网及业务描述4.3配置思路4.4配置步骤4.4.1 配置 HWTACACS 服务器模板配置名为“ht”的HWTACACS服务器模板。服务器地址，端49，共享密钥o。与RADIUS的认证与结合不同，HWTACACS的认证与是相互独立的模块，必须分别指定认证和服务器地址。SWA hwtacacs-server template htSWA-hwtacacs-ht hwtacacs-server authen

32、tication 49SWA-hwtacacs-ht hwtacacs-server authorization 49SWA-hwtacacs-ht hwtacacs-server accounting 49 SWA-hwtacacs-ht hwtacacs-server shared-key ciphero SWA-hwtacacs-ht quit4.4.2 配置域的相关参数域的相关参数在aaa视图下配置。如果采用HWTACACS认证，需要分别定义认证，计费三个方案，指定各方案都采用HWTACACS模式。与Radius认证类似，创建admin域，并在域下HWTACACS服务器模板。认证方案、

33、方案、计费方案和SWA aaaSWA-aaa authentication-scheme authen2SWA-aaa-authen-authen2 authentication-mode hwtacacs SWA-aaa-authen-authen2 quitSWA-aaa authorization-scheme author2SWA-aaa-author-author2 authorization-mode hwtacacs SWA-aaa-author-author2 quitSWA-aaa accounting-scheme acc2SWA-aaa-accounting-acc2 a

34、ccounting-mode hwtacacs SWAaaa-accounting-acc2 quitSWA-aaaSWA-aaa-SWA-aaa-SWA-aaa-admin2-admin2 authentication-scheme authen2-admin2 authorization-scheme author2-admin2 accounting-scheme acc2验证配置结果配置VTY用户的认证方式为AAA配置域的相关参数配置HWTACACS服务器模板SWA-aaa-SWA-aaa-admin hwtacacs-server ht-admin quit4.4.3 配置 VTY

35、用户的认证方式为 AAAVTY用户缺省的认证方式为password。进入VTY用户视图，修改认证方式为aaa。SWAuser-erface vty 0 4SWA-ui-vty0-4 authentication-mode aaa SWA-ui-vty0-4quit4.5结果验证4.5.1 查看 HWTACACS 服务器模板配置display hwtacacs-server template htHWTACACS-server template name: ht: :49:-: :49:-: :49:-Pri Pri Priuthentication-server uthorization-se

36、rver ccounting-serverSecondary-authentication-server : :0:-Secondary-authorization-server : :0:-Secondary-accounting-server Current-authentication-server Current-authorization-server Current-accounting-server Source-IP-address: :0:-: :0:-: :49:-: :49:-: Shared-key:o: 5Quiet-erval(min)Response-timeou

37、t-included Traffic-uniterval(sec) : 5: Yes: BSWA4.5.2net SWA在客户端电脑C:Usersl00180730net Login authenticationUsername:admin2 Password:Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.成功登录到SWA。4.5.3在本地查看VTY 用户display usersUser- AuthorcmdFlagfDelayTypeNetwork Addr

38、essAuthenSus+ 0CON 000:00:00noUsername : Unspecified34 VTY 000:00:23passnoUsername : admin2display user-erface vty 0Idx TypeTx/RxModem Privi ActualPrivi Auth+: Current UI i F: Current UI iive.ive and work in async mode.Idx : Absolute index of UIs.Type : Type and relative index of UIs. Privi: The pri

39、vilege of UIs.ActualPrivi: The actual privilege of user- Auth : The authentication mode of UIs.A: Authenticate use AAA.N: Current UI need not authentication.erface.P: Authenticate use current UIs password.: The physical location of UIs.4.6配置参考4.6.1SWA 的配置#hwtacacs-server template hthwtacacs-server a

40、uthentication hwtacacs-server authorization hwtacacs-server accounting hwtacacs-server shared-key cipher 3MQ*TZ,O3KCQ=QMAF4ing with 32 bytes of data: Request timed out.Request timed out. Request timed out. Request timed out.sistics for :Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),此时由于客户端PC

41、还没有经过认证，所以无法连接到网络，因此也就无法通RTA。5.5.3 开启客户端 PC 上的 802.1X 认证打开客户端PC上的802.1X认证客户端，假设已经在RADIUS服务器上配置好用户名和，填写好用户名和分别为：，admin3/。PC右下角会出然后点击连接，如果配置正确，就能成功认证，现成功认证后的绿色闪烁的小图标。5.5.4 再次测试客户端 PC 到RTA 的连通性C:Usersing with 32 bytes of data:Reply from : bytes=32 time=11ms TTL=254 Reply from : bytes=32 time=1ms TTL=25

42、4 Reply from : bytes=32 time=1ms TTL=254 Reply from : bytes=32 time=1ms TTL=254sistics for :Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip timesilli-seconds:Minimum = 1ms,um = 11ms, Average = 3ms此时可以成功通RTA了。5.5.5 MAC 旁路认证验证本实验中关闭客户端PC的802.1X认证服务，在RADIUS服务器上提前配置了客户端PC的MAC

43、地址账户（以客户端PC的网卡MAC命名和作为如：F0DEF1315EECadmin3/F0DEF1315EEC），如果成功认证，PC能成功通RTA。5.5.6 802.1X 认证失败情形如果认证失败，客户端PC就会被加入到Guest VLAN。SWAdisplay dot1xerface GigabitEthernet 1/0/12GigabitEthernet1/0/12 s Enabledmac-bypassPort control type is Autous: DOWN 802.1x protocol isAuthentication method is MAC-basedReauth

44、entication is disabled um users: 100Current users: 01 user(s) have joined to guest VLAN: 100. f0de-f131-5eecAuthentication Suc EAPOL Packets: TXs: 16: 69Failure: 5RX: 67SentEAPOL Request/Identity Packets : 22EAPOL Reqhallenge Packets : 16Multicast Triggackets: 0: 16: 15: 19: 16EAPOL Sucs PacketsEAPO

45、L Failure PacketsReceived EAPOL Start Packets EAPOL Logoff PacketsEAPOL Response/Identity Packets : 16 EAPOL Response/Challenge Packets: 16由以上输出可以看到，有一个用户加入到了guest VLAN 100，MAC地址是 f0de-f131-5eec。5.6 配置参考5.6.1 SWA 的配置#!Software Ver sysname SWA#V100R003C00SPC200sup #assword level 3 simplevlan batch 1

46、10 20 30#radius-server template testradiusradius-server shared-key cipher 3MQ*TZ,O3KCQ=QMAF41! radius-server authentication 1812radius-server accounting 1813radius-server retransmit 2 #aaaauthentication-scheme default authentication-scheme authen1 authentication-mode radiusauthentication-scheme auth

47、en2 authentication-mode hwtacacs authentication-scheme authen3 authentication-mode radius authorization-scheme default authorization-scheme author2 authorization-mode hwtacacs accounting-scheme default accounting-scheme acc1 accounting-mode radius accounting-scheme acc2 accounting-mode hwtacacsdefau

48、lt default_admin admin1authentication-scheme authen1 accounting-scheme acc1radius-server testradius admin2authentication-scheme authen2 accounting-scheme acc2 authorization-scheme author2 hwtacacs-server htadmin3authentication-scheme authen3 radius-server testradiuslocal-user admin password simple a

49、dmin local-user admin service-type http#erface Vlanif10ip address #erface Vlanif20ip address #erface Vlanif30ip address #erface Ethernet0/0/0#erface GigabitEthernet1/0/0 port link-type acsport default vlan 30 #erface GigabitEthernet1/0/11 port link-type acsport default vlan 10 dot1x enabledot1x max-

50、user 100 #erface GigabitEthernet1/0/12port link-type acsport default vlan 20#5.7 FAQ5.7.1 问题一问题：无6MAC 认证配置6.1 实验目标掌握S7700交换机MAC认证的配置方法。6.2 组网及业务描述6.3 配置思路SWA-aaaSWA-aaa-SWA-aaa-admin3-admin3 authentication-scheme authen3-admin3 radius-server testradius6.4.4 配置MAC 认证在全局和接口下使能MAC认证。SWA mac-authenSWAer

51、face gigabitethernet 1/0/0 SWA-GigabitEthernet1/0/0 mac-authen配置MAC认证用户所属的域。SWA mac-authenadmin36.5结果验证6.5.1 检查配置结果在SWA执行命令display mac-authenerface，可以看到MAC认证配置信息。SWAdisplay mac-authenerface GigabitEthernet 1/0/11GigabitEthernet1/0/11 s um users: 2048Current users: 0e: UP. MAC address authentication

52、is enabledCurrentis admin3Authentication Sucs: 0, Failure: 1 Guest VLAN is disabledSilent MAC info:f0de-f131-5eec1 silent mac address(es) found, 1 pred.6.5.2 在SWA 上测试账号的正确性假设已经在RADIUS服务器上配置了客户端PC的MAC地址账户（以客户端PC的网卡MAC命名和作为），如：F0DEF1315EECadmin3/F0DEF1315EECtest-aaa F0DEF1315EECadmin3 F0DEF1315EEC rad

53、ius-template testradiusInfo: Account test succeed!信息提示显示测试成功。6.5.3 测试客户端 PC 到RTA 的连通性如果MAC地址认证通过，则能PC能成功通RTA。C:Usersing with 32 bytes of data:Reply from : bytes=32 time=11ms TTL=254 Reply from : bytes=32 time=1ms TTL=254 Reply from : bytes=32 time=1ms TTL=254 Reply from : bytes=32 time=1ms TTL=254si

54、stics for :Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip timesilli-seconds:Minimum = 1ms,um = 11ms, Average = 3ms可自行修改客户端网卡MAC地址，或换另一台客户端接至SWA的GE1/0/11接口测试，当MAC地址认证不成功的时候，用户则不能连通网络。6.6配置参考6.6.1SWA 的配置#!Software Ver sysname SWA#V100R003C00SPC200sup #assword level 3 simpl

55、evlan batch 1 10 20 30#radius-server template testradiusradius-server shared-key cipher 3MQ*TZ,O3KCQ=QMAF41! radius-server authentication 1812radius-server accounting 1813radius-server retransmit 2 #aaaauthentication-scheme default authentication-scheme authen1 authentication-mode radius authenticat

56、ion-scheme authen2 authentication-mode hwtacacs authentication-scheme authen3 authentication-mode radius authorization-scheme default authorization-scheme author2 authorization-mode hwtacacs accounting-scheme default accounting-scheme acc1 accounting-mode radius accounting-scheme acc2 accounting-mod

57、e hwtacacsdefault default_admin admin1authentication-scheme authen1 accounting-scheme acc1radius-server testradius admin2authentication-scheme authen2 accounting-scheme acc2 authorization-scheme author2 hwtacacs-server htadmin3authentication-scheme authen3 radius-server testradiuslocal-user admin pa

58、ssword simple admin local-user admin service-type http#erface Vlanif10ip address #erface Vlanif20ip address #erface Vlanif30ip address #erface Ethernet0/0/0#erface GigabitEthernet1/0/0port link-type acsport default vlan 30#erface GigabitEthernet1/0/11port link-type acsport default vlan 10 mac-authen

59、mac-authen #admin3erface GigabitEthernet1/0/12port link-type acs port default vlan 20 #6.7 FAQ6.7.1 问题一问题：无7Web 认证配置7.1 实验目标掌握S7700交换机WEB认证的配置方法。7.2 组网及业务描述7.3 配置思路SWA-aaaSWA-aaa-SWA-aaa-admin3-admin3 authentication-scheme authen3-admin3 radius-server testradius7.4.4 配置Web 认证配置Web认证服务器IP地址和URL。SWAweb-auth-server admin3 url htt在接口下绑定Web认证服务器。注意，这里是VLANif，而不是物理接口。SWAerface vlanif 10SWA-Vlanif10 web-auth-server admin3 SWA-Vlanif10 quit7.5结果验证7.5.1 检查配置结果在SWA上执行命令disp