
Configure Credential-Based (EAP-TTLS) Authentication

Extensible Authentication Protocol – Tunneled TLS (EAP-TTLS) provides secure access using a username and password on the client side and a server certificate on the server side.

The following tasks describe how to configure EAP-TTLS for wired clients. This authentication method validates the username and password against credentials stored in an identity provider (IdP).

Prerequisites

  • You must integrate and configure an identity provider (IdP) with the Juniper Mist portal. See Add an Identity Provider for Juniper Mist Access Assurance.

  • You must configure the client device as a supplicant. For this configuration, you must add the root certificate authority (CA) certificate of your enterprise public key infrastructure (PKI) on the client and enter the username and password in the IdP.

  • You need a Juniper access point to perform wireless client authentication (a wireless-client-specific task).

  • You must configure a public or private enterprise TLS server certificate for the cloud RADIUS server to use.
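The supplicant prerequisite above is what makes EAP-TTLS safe in practice: the client must validate the RADIUS server certificate before it sends any password, otherwise a rogue access point or switch could harvest credentials. The following wpa_supplicant configuration for a wired Linux client is an added example and is not part of the Juniper documentation; the interface, file paths, realm, identities and the CA file name are assumptions.

```ini
# Added example (not from the Juniper page): wired EAP-TTLS supplicant
# configuration for wpa_supplicant. Interface name, paths, realm and
# identities are placeholders.
ctrl_interface=/var/run/wpa_supplicant
# Wired 802.1X: no scanning, use the "wired" driver (-Dwired -i eth0)
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TTLS
    # Outer (cleartext) identity carries only the realm, so the real
    # username never leaves the TLS tunnel
    anonymous_identity="anonymous@example.com"
    # Inner identity: user@realm; the realm after "@" selects the IdP
    identity="alice@example.com"
    password="REPLACE-WITH-USER-PASSWORD"
    # Trust anchor for the server certificate: enterprise root CA
    ca_cert="/etc/ssl/certs/enterprise-root-ca.pem"
    # Refuse any server certificate whose name does not end in this suffix,
    # even if it chains to the trusted CA
    domain_suffix_match="example.com"
    # Inner method run inside the TLS tunnel
    phase2="auth=MSCHAPV2"
}
```

Start it with `wpa_supplicant -Dwired -ieth0 -c/etc/wpa_supplicant/wired.conf` (interface and path assumed). The check that matters is the pair `ca_cert` plus `domain_suffix_match`: without them the supplicant will complete the TLS handshake with any server and send the MSCHAPv2 exchange into an untrusted tunnel.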

Watch the following video to learn how to configure credential-based (EAP-TTLS) authentication using the Azure IdP integration:

Now, what else could we do with an IdP? We've already established that if we are using certificates or TLS to authenticate, we could use the IdP as an additional source of information or context about the user, namely group memberships. Now, what about authenticating the users themselves without certificates?

What about authenticating users using usernames and passwords? We could leverage the existing connector with Azure to do EAP-TTLS authentication. With EAP-TTLS, the clients use usernames and passwords to authenticate, as opposed to client certificates. So we can create another rule. We could say we are matching on the wireless user that is using TTLS instead of TLS.

And let's also match on the employee group. Why not? So we'll call it credential authentication - no - show authentication employees. Now, we will assign them to the corporate VLAN. We'll hit Save. One thing we need to make sure of: on the Azure portal, on the app that we've created previously, there's one requirement for password authentication to work: you'll need to enable public client flows. Just click Yes right here under Authentication. You'll hit Save.

And now we can go and check our client device. Let's take a look at the Windows device and how we can configure a Windows device to use TTLS. So we'll connect to the mist-secure-net SSID. We'll be immediately prompted by the system to provide our username and password. So I'm going to give my full username and password. The important piece is to provide the full domain name - microsoft.com.

This is how Access Assurance will find out which identity provider to talk to, based on the domain name after the user. So click OK. It asks us to connect. And we're now connected using username and password. Now, let's take a look at our client events.

Let's look at the client insights. What we're seeing here is a slightly different flow because we are using usernames and passwords; we are not dealing with client certificates here. But the client is still trusting the server certificate. That mutual trust is still there.

Now, we are going immediately to the identity provider to do the authentication, to validate the credentials of that specific user. Now, after this phase is successful, we'll go ahead and look up all the user groups, the user roles from Azure, and finally we are matching on a specific authentication policy rule which we've just created to match on our new condition when clients are using TTLS.

Configure Credential-Based (EAP-TTLS) Authentication for a Wired Network

To set up credential-based (EAP-TTLS) authentication for a wired network using the Juniper Mist portal:

  1. Import a trusted root certificate authority (CA). Juniper Mist uses a certificate generated by the CA as the server certificate. For details, see Use Digital Certificates.
  2. Create an authentication policy.
    1. From the left menu of the Juniper Mist portal, select Organization > Access > Auth Policies.
      Create a new rule to allow access to clients with valid credentials. See Configure Authentication Policies.
      Define the authentication policy with the following details. Select the required option for each field from the corresponding drop-down list.
      1. Name - Enter a name for the policy. (Example: TLS Clients)
      2. Match Criteria - Select EAP-TTLS.
      3. Policy - Select Allow.
      4. Assigned Policies - Select Allowed Network Access.
  3. Configure the switch.
    1. From the left menu of the Juniper Mist portal, select Organization > Wired > Switch Templates.
      On the Switch Templates page, click an existing template to open its configuration page, or click Create Template in the upper-right corner of the page to create one.
    2. In the Authentication Servers section, select Mist Auth as the authentication server.
    3. Scroll down to the Port Profiles section and configure the following settings:
      • Mode - Access
      • Enable the Use dot1x authentication option.
    4. Assign the port profile to every switch port to which a wired client that needs network access is connected.

      In the Select Switch Configuration section of the Port Config tab, click Add Port Range to associate the port profile with the ports.

      Figure 1: Assign Port Profile to Port Ranges on a Switch
    5. Click Save.

Your network can now securely authenticate clients using EAP-TTLS.

The authentication policy allows clients with a valid username and password to access the network.

The Juniper Mist cloud validates the username and password against the credentials stored in the public credential provider and grants access and authorization according to the label configuration.

You can view the associated clients on the Juniper Mist portal.

  • Select Clients > Wired Clients to view client details.
  • Select Monitor > Service Levels > Insights to view client events.