一波三折,通過一番折騰總算把***架了起來正常使用了,在此記錄一下,感謝h3c技術支持,感謝3290工程師的耐心幫助……
相關組網圖:
F1020相關配置:
#
version 7.1.064, Release 9313P12
#
sysname FW01
#
context Admin id 1
#
ip ***-instance management
route-distinguisher 1000000000:1
***-target 1000000000:1 import-extcommunity
***-target 1000000000:1 export-extcommunity
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
password-recovery enable
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0 -----配置鏈接路由接口IP
port link-mode route
description link to route MSR3620
ip address 192.168.201.254 255.255.255.0
#
interface GigabitEthernet1/0/1 -----配置鏈接內網接口IP
port link-mode route
description link to SW5800
ip address 192.168.202.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface SSL×××-AC1 ---------建立SSL ××× AC接口1,配置接口的IP地址
ip address 2.2.2.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust ----把上述兩接口加入到Trust ,不然不能互通
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
security-zone name SSL××× ----SSL×××-AC1加入SSL×××區域,並放通策略
import interface SSL×××-AC1
#
zone-pair security source Local destination Trust ------其它安全放通策略,下同
packet-filter 3000
#
zone-pair security source SSL××× destination Trust
packet-filter 3010
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination SSL×××
packet-filter 3010
#
zone-pair security source Trust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 192.168.201.1 -----下一跳路由
ip route-static 192.168.0.0 16 192.168.202.254 ------回程路由
#
ssh server enable
#
acl advanced 3000 -----------對應安全ACL
rule 199 permit ip
#
acl advanced 3010 -----------對應安全ACL
rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 2.2.2.0 0.0.0.255
#
ldap server ldap1 -----------------AD認證相關配置
login-dn cn=administrator,cn=users,dc=bbb,dc=com ----域管理員認證
search-base-dn dc=bbb,dc=com ------配置查詢用戶的起始目錄爲
ip 192.168.10.1 -----域IP地址
login-password cipher $c$3$RXm3/H61vuYoaD1e4JCGI8L4oXNvuxpk8xx/0QqI3iU= ---登陸域管理員對應密碼
user-parameters user-name-attribute userprincipalname
user-parameters user-name-format with-domain
#
ldap scheme shm1 ------ 建立LDAP方案shml
authentication-server ldap1 -----配置LDAP認證服務器和授權服務器均爲ldap1。
authorization-server ldap1
attribute-map test1
#
ldap attribute-map test1 -----建立LDAP屬性映射表test1
map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
#---配置將LDAP服務器屬性memberof按照前綴爲cn=、分隔符爲逗號(,)的格式提取出的內容映射成AAA屬性User group
domain bbb.com ------建立ISP域bbb.com,爲SSL ×××用戶配置AAA認證方法爲LDAP認證、LDAP授權、不計費。
authentication ssl*** ldap-scheme shm1
authorization ssl*** ldap-scheme shm1
accounting ssl*** none
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
user-group system
#
user-group ***_users ----建立本地用戶組***_users,指定授權SSL ×××策略組爲pgroup
authorization-attribute ssl***-policy-group pgroup
#
AD上對應用戶組以下:
local-user admin class manage
password hash $h$6$Jn5wsW9YxCZelW4q$iMkNxt5tS2in5AatDoVApxLAwLpSoIjOYCg2hsYp9fBexxHWtuXETwVdJ5miG2lSbnofdq+qB/2PnG1KrVUriw==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user test class network
password cipher $c$3$ehhvJ6iZ0EjbcvRio4reyPyuqQWmAjdrDiqE
service-type ssl***
authorization-attribute user-role network-operator
authorization-attribute ssl***-policy-group pgroup
#
pki domain ssl*** --------------配置PKI域ssl***
public-key rsa general name ssl***
undo crl check enable
#
ssl server-policy ssl -----------配置SSL服務器端策略ssl
pki-domain ssl***
ciphersuite rsa_aes_128_cbc_sha
client-verify enable
#
session top-statistics enable
#
ip http enable
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#----建立地址池ippool,指定IP地址範圍爲2.2.2.2~2.2.5.254
ssl*** ip address-pool ippool 2.2.2.2 2.2.2.254
#
ssl*** gateway gw --------配置SSL ×××網關gw的IP地址爲192.168.201.254,端口號爲2000,並引用SSL服務器端策略ssl
ip address 192.168.201.254 port 2000
ssl server-policy ssl
service enable
#
ssl*** context ctx ------ 配置SSL ×××訪問實例ctx引用SSL ×××網關gw
gateway gw
ip-tunnel interface SSL×××-AC1
ip-tunnel address-pool ippool mask 255.255.255.0
ip-route-list rtlist ----建立路由列表rtlist,並添加路由表項192.168.0.0/24
include 192.168.0.0 255.255.0.0
policy-group pgroup --------建立SSL ×××策略組pgroup,引用路由列表rtlist和地址池ippool,而且經過acl限制,保證只有經過ACL檢查的報文才能夠訪問IP資源
filter ip-tunnel 3000
ip-tunnel access-route ip-route-list rtlist
aaa domain bbb.com ---使用bbb.com認證
timeout idle 120
service enable
#
ips policy default
#
anti-virus policy default
#
return
注意事項:
一、配置前應準備相關證書,創建相關證書服務器(可參考網上相關案例:http://www.docin.com/p-1350607324.html)生成相關證書並導入CA證書ca.cer和服務器證書server.pfx
[F1020] pki import domain ssl*** der ca filename ca.cer
[F1020] pki import domain ssl*** p12 local filename server.pfx
二、AD服務器需要創建對應的×××用戶組,如本例中***_users用戶組在AD中應該有相對應的用戶組,並把需使用ssl***認證的用戶加入到此用戶組中;
三、防火牆及路由的回程路由應該注意下一跳的地址;
四、MSR3620路由設備上映射SSL×××對外的地址及端口,此文檔中映射192.168.201.254+TCP 2000;
五、測試過程建議先關閉相關防病毒軟件。
參考:http://kms.h3c.com/case/info.aspx?id=41896