1、CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved俞世丹俞世丹 ARUBA無線網(wǎng)絡培訓無線網(wǎng)絡培訓People move. Networks must follow.CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線網(wǎng)絡的組網(wǎng)架構(gòu)無線網(wǎng)絡的組網(wǎng)架構(gòu)Email Server10/100 MbpsL2/3DHCP Server1.3.4.通訊過程：1.AP連接到現(xiàn)有網(wǎng)絡的交換機端口，加電起動后，獲得IP地址2.

2、AP通過各種方式獲得ARUBA控制器的Loop IP地址（靜態(tài)獲得、DHCP返回、DNS解析、組播、廣播）3.AP與控制器之間建立PAPI隧道（UDP 8211），通過FTP或TFTP到ARUBA控制器上比對并下載AP的image軟件和配置文檔，并根據(jù)配置信息建立AP與控制器之間的GRE隧道，同時向無線用戶提供無線接入服務4.無線用戶通過SSID連接無線網(wǎng)絡，所有的用戶流量都通過AP與ARUBA控制器之間的GRE隧道直接傳遞到ARUBA控制器上，進行相應的加解密、身份驗證、授權(quán)、策略和轉(zhuǎn)發(fā)2.CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. A

3、ll rights reserved配置配置ARUBA無線控制器無線控制器 管理員登陸(admin/saic_admin) Cli Web 管理帳號 網(wǎng)絡配置 Vlan IP address IP route IP dhcp 安全配置 Policy Role AAA 無線配置 SSID Virtual APCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved配置配置ARUBA無線控制器無線控制器管理員登陸管理員登陸CONFIDENTIAL Copyright 2007. Aruba Networks, Inc

4、. All rights reserved登陸登陸ARUBA無線控制器無線控制器 Command lineUser: adminPassword: *(Aruba800) enPassword:*(Aruba800) #configure tEnter Configuration commands, one per line. End with CNTL/Z Web UIhttps:/ Admin帳號管理#mgmt-user (Aruba800) (config) #mgmt-user admin root Password:*Re-Type password:*(Aruba800) (con

5、fig) #CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved配置配置ARUBA無線控制器無線控制器ARUBA無線控制器的初始設置無線控制器的初始設置CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved初始化之前的準備工作初始化之前的準備工作 查看并保存控制器軟件許可(Aruba200) #show license verbose License Table-Key Installed Expires Flags Serv

6、ice Type- - - - -Xw2K4EGT-qWpz5YLM-Ouw7wpRt-kQPUrJMM-x8fB27hP-1Zg 2010-07-08 Never E Policy Enforcement Firewall 12:53:50 Wnm8I0AK-bhAPAsim-pd8gS573-oJ4YHCWG-5ghonB8G-x8w 2010-07-08 Never E Wireless Intrusion Protection 12:53:50 4gCv4bFb-JDfaSPiN-YNV/TLoP-1od3XEI3-wxj+0can-NFE 2010-07-08 Never E Rem

7、ote Access Points: 1 12:53:52 License Entries: 3Flags: A - auto-generated; E - enabled; R - reboot required to activateCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved恢復控制器出廠配置恢復控制器出廠配置 恢復控制器出廠配置(Aruba200) #write erase allSwitch will be factory defaulted. All the configuration a

8、nd databases will be deleted. Press y to proceed :Cannot delete the configuration, Already deleted 重啟控制器(Aruba200) #reloadDo you really want to reset the system(y/n): ySystem will now restart!Shutdown processing startedSyncing data.done.The system is going down NOW !Sending SIGTERM to all processes.

9、Sending SIGKILL to all processes.Please stand by while rebooting the system.Restarting system.CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved恢復控制器出廠配置恢復控制器出廠配置Enter System name Aruba200: Enter VLAN 1 interface IP address 54: 54Enter VLAN 1 interface subnet

10、 mask : Enter IP Default gateway none: Enter Switch Role, (master|local) master: Enter Country code (ISO-3166), for supported list: cnYou have chosen Country code CN for China (yes|no)?: yEnter Time Zone PST-8:0: cht+8:0Enter Time in UTC 06:58:59: 07:01:30Enter Date (MM/DD/

11、YYYY) 7/12/2010: Enter Password for admin login (up to 32 chars): *Re-type Password for admin login: *Enter Password for enable mode (up to 15 chars): *Re-type Password for enable mode: *Do you wish to shutdown all the ports (yes|no)? no: If you accept the changes the switch will restart!Type to go

12、back and change answer for any questionDo you wish to accept the changes (yes|no)yCreating configuration. Done.System will now restart!CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved添加控制器軟件許可添加控制器軟件許可(Aruba200) User: adminPassword: *(Aruba200) enPassword:*(Aruba200) #license ad

13、d Xw2K4EGT-qWpz5YLM-Ouw7wpRt-kQPUrJMM-x8fB27hP-1ZgPlease reload the switch for the new service key to take effect.(Aruba200) #license add Wnm8I0AK-bhAPAsim-pd8gS573-oJ4YHCWG-5ghonB8G-x8wPlease reload the switch for the new service key to take effect.(Aruba200) #reloadDo you really want to reset the

14、system(y/n): ySystem will now restart!CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedLab 1：完成控制器初始配置：完成控制器初始配置 任務：1. 清空控制器原有配置2. 對控制器進行初始設置3. 為控制器添加軟件許可 相關(guān)配置參數(shù)：組號組號第第1組組第第2組組第第X組組IP地址01020X子網(wǎng)掩碼網(wǎng)關(guān)地址172.16.10

15、.2545454CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved配置配置ARUBA無線控制器無線控制器ARUBA無線控制器的網(wǎng)絡配置無線控制器的網(wǎng)絡配置CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的網(wǎng)絡配置無線控制器的網(wǎng)絡配置 配置Vlan(Aruba800) (config) #vlan 200(Aruba800) (config) #interf

16、ace fastethernet 1/0接入模式：(Aruba800) (config-if)#switchport access vlan 200 (Aruba800) (config-if)#switchport mode access中繼模式：(Aruba800) (config-if)#switchport trunk allowed vlan all (Aruba800) (config-if)#switchport mode trunk (Aruba800) (config-if)#show vlanVLAN CONFIGURATION-VLAN Name Ports- - -1

17、Default FE1/1-7 100 VLAN0100 GE1/8 200 VLAN0200 FE1/0 配置IP address(Aruba800) (config) #interface vlan 200(Aruba800) (config-subif)#ip address 54 (vlan interface)(Aruba800) (config-subif)#ip helper-address (DHCP relay)CONFIDENTIAL Copyright 2007. Aruba Networks,

18、Inc. All rights reservedARUBA無線控制器的網(wǎng)絡配置無線控制器的網(wǎng)絡配置 配置IP route配置缺省路由: (Aruba800) (config) #ip default-gateway 配置靜態(tài)路由：(Aruba800) (config) #ip route (Aruba800) (config) #show ip route Codes: C - connected, O - OSPF, R - RIP, S - static M - mgmt, U - route u

19、sable, * - candidate defaultGateway of last resort is to network S* /0 1/0 via *S /24 1/0 via *C is directly connected, VLAN1C is directly connected, VLAN100C is directly connected, VLAN200 配置dhcp server(Ar

20、uba800) (config) #ip dhcp pool user_pool(Aruba800) (config-dhcp)#default-router 54(Aruba800) (config-dhcp)#dns-server (Aruba800) (config-dhcp)#network (Aruba800) (config-dhcp)#exit(Aruba800) (config) #service dhcpCONFIDENTIAL Copyright 2007. Aruba Networ

21、ks, Inc. All rights reservedLab 2：完成控制器網(wǎng)絡配置：完成控制器網(wǎng)絡配置 任務：1. 為控制器配置1個AP VLAN和2個用戶VLAN2. 為上述VLAN配置端口和IP地址3. 在控制器中配置3個DHCP Pool 相關(guān)配置參數(shù)：組號組號第第1組組第第2組組第第X組組AP VLANVLAN ID=1154/24VLAN ID=1254/24VLAN ID=1X172.16.1X.254/24用戶VLAN 101VLAN ID=10154/24VLAN ID=10254/

22、24VLAN ID=10X172.16.10X.254/24用戶VLAN 2VLAN ID=20154/24VLAN ID=20254/24VLAN ID=20X172.16.20X.254/24DHCP池404040404040172.16.1X.1172.16.1X.

23、240172.16.10X.1172.16.10X.240172.16.20X.1172.16.20X.240CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved配置配置ARUBA無線控制器無線控制器ARUBA無線控制器的安全配置無線控制器的安全配置CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA控制器的安全配置控制器的安全配置Rule 1Rule 2Rule 3Rule nRule 1Rule 2Rule 1

24、Rule 1Rule 2Rule 3Rule 4Rule 1Rule 2Rule 3Rule 4Policy 1Policy 2Policy 3Policy 4Policy 5Role 1 Policy 1 Policy 2Role 2 Policy 1 Policy 3 Policy 4Role 3 Policy 4 Policy 5Role 4 Policy 4User1 User2 User3 User4 User5 User6 UserNRole Derivation:1) Locally Derived2) Server Assigned3) Default RoleAssigns

25、usersto a roleMethods:PoliciesRolesDerivationCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved ARUBA控制器的安全配置控制器的安全配置AddressesHTTPFTPDNSetcDenyPermitNatLogQueue802.1p assignmentTOSTime Range策略示例：ip access-list session Internet_Only user any udp 68 deny user any svc-dhcp permituser

26、 host svc-dns permituser host svc-dns permituser alias Internal-Network deny loguser any any permit 防火墻策略：一組按照特定次序排列的規(guī)則的集合別名的定義：1)網(wǎng)絡別名netdestination Internal-Network network network netdestination External-network network 172.1

27、6.0.0 network invert2)服務別名netservice svc-http tcp 80CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reserved ARUBA控制器的安全配置控制器的安全配置AddressesHTTPFTPDNSetcDenyPermitNatLogQueue802.1p assignmentTOSTime Range 防火墻策略：一組按照特定次序排列的規(guī)則的集合CONFIDENTIAL Copyright

28、 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全配置用戶角色（用戶角色（Role）決定了每個用戶的訪問權(quán)限）決定了每個用戶的訪問權(quán)限每一個role都必須與一個或多個policy綁定防火墻策略按次序執(zhí)行最后一個隱含的缺省策略是“deny all”可以設定role的帶寬限制和會話數(shù)限制用戶角色（用戶角色（Role）的分配可以通過多種方式實現(xiàn)）的分配可以通過多種方式實現(xiàn)基于接入認證方式的缺省角色 (i.e. 802.1x, VPN, WEP, etc.)由認證服務器導出的用戶角色(i.e. RADIUS/LD

29、AP屬性)本地導出規(guī)則ESSIDMACEncryption typeEtc.ARUBA控制器中的每一個用戶都會被分配一個控制器中的每一個用戶都會被分配一個Role!CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全配置(Aruba800) #show rights RoleTable-Name ACL Bandwidth ACL List Type- - - - -ap-role 4 Up: No Limit,Dn: No Limit control,ap-ac

30、l Systemauthenticated 39 Up: No Limit,Dn: No Limit allowall,v6-allowall Userdefault-vpn-role 37 Up: No Limit,Dn: No Limit allowall,v6-allowall Userguest 3 Up: No Limit,Dn: No Limit http-acl,https-acl,dhcp-acl,icmp-acl,dns-acl,v6-http-acl,v6-https-acl,v6-dhcp-acl,v6-icmp-acl,v6-dns-acl Userguest-logo

31、n 6 Up: No Limit,Dn: No Limit logon-control,captiveportal Userlogon 1 Up: No Limit,Dn: No Limit logon-control,captiveportal,vpnlogon,v6-logon-control Userstateful-dot1x 5 Up: No Limit,Dn: No Limit Systemvoice 38 Up: No Limit,Dn: No Limit sip-acl,noe-acl,svp-acl,vocera-acl,skinny-acl,h323-acl,dhcp-ac

32、l,tftp-acl,dns-acl,icmp-acl UserCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全配置(Aruba800) #show rights authenticatedDerived Role = authenticated Up BW:No Limit Down BW:No Limit L2TP Pool = default-l2tp-pool PPTP Pool = default-pptp-pool Periodic reauthe

33、ntication: Disabled ACL Number = 39/0 Max Sessions = 65535access-list List-Position Name Location- - -1 allowall 2 v6-allowall allowall-Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan- - - - - - - - - - - - - -1 any any any permit Low v6-allo

34、wall-Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan- - - - - - - - - - - - - -1 any any any permit Low Expired Policies (due to time constraints) = 0CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全

35、配置定義用戶角色（role）(Aruba800) (config) #user-role visitors(Aruba800) (config-role) #access-list session internet-only(Aruba800) (config-role) #max-sessions 100(Aruba800) (config-role) #exit(Aruba800) (config) #CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全配置基

36、于接入認證方式的缺省角色（role）分配(Aruba800) (config) #show aaa profile defaultAAA Profile default-Parameter Value- -Initial role logonMAC Authentication Profile N/AMAC Authentication Default Role guestMAC Authentication Server Group default802.1X Authentication Profile N/A802.1X Authentication Default Role guest

37、802.1X Authentication Server Group N/ARADIUS Accounting Server Group N/AXML API server N/ARFC 3576 server N/AUser derivation rules N/AWired to Wireless Roaming EnabledSIP authentication role N/A(Aruba800) (config) #show aaa authentication captive-portal defaultCaptive Portal Authentication Profile d

38、efault-Parameter Value- -Default Role guestServer Group defaultRedirect Pause 10 secUser Login EnabledGuest Login DisabledLogout popup window EnabledUse HTTP for authentication DisabledLogon wait minimum wait 5 secLogon wait maximum wait 10 seclogon wait CPU utilization threshold 60 %Max Authenticat

39、ion failures 0Show FQDN DisabledUse CHAP (non-standard) DisabledSygate-on-demand-agent DisabledLogin page /auth/index.htmlWelcome page /auth/welcome.htmlShow Welcome Page YesAdding switch ip address in redirection URL DisabledCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA

40、無線控制器的安全配置無線控制器的安全配置基于接入認證方式的缺省角色（role）分配CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全配置基于服務期返回規(guī)則的角色（role）分配(Aruba800) (config) #aaa server-group test(Aruba800) (Server Group test) #set role condition memberOf contains student set-value student說明：從LDAP服

41、務器獲取用戶屬性，并以此為依據(jù)分配用戶角色時，只能通過CLI進行配置CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的安全配置無線控制器的安全配置基于用戶定義規(guī)則的角色（role）分配(Aruba800) (config) #aaa derivation-rules user test_rule(Aruba800) (user-rule) #set role condition encryption-type equals dynamic-aes set-value authentic

42、ated position 1(Aruba800) (user-rule) #set role condition encryption-type equals dynamic-tkip set-value guest position 2CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedLab 3：定義用戶角色和相關(guān)策略：定義用戶角色和相關(guān)策略 任務：1. 定義角色1：沒有訪問權(quán)限，只能彈出Portal認證頁面2. 定義角色2：認證通過后的角色，訪問權(quán)限不受任何限制3. 定義角色3：認證通過后的角色，禁止

43、ICMP，其余不限 相關(guān)配置參數(shù)：組號組號第第1組組第第2組組第第X組組角色1T1-logon1）只允許dhcp和dns服務2）Http服務重定向到captiveportal3）Max Session = 504）captiveportal defaultT2-logon1）只允許dhcp和dns服務2）Http服務重定向到captiveportal3）Max Session = 504）captiveportal defaultTX-logon1）只允許dhcp和dns服務2）Http服務重定向到captiveportal3）Max Session = 504）captiveportal d

44、efault角色2T1-authenticated1）允許所有服務2）Max Session = 200T2-authenticated1）允許所有服務2）Max Session = 200TX-authenticated1）允許所有服務2）Max Session = 200角色3T1-notping1）不允許ICMP服務2）允許其它所有服務3）Max Session = 200T2-notping1）不允許ICMP服務2）允許其它所有服務3）Max Session = 200TX-notping1）不允許ICMP服務2）允許其它所有服務3）Max Session = 200CONFIDENT

45、IAL Copyright 2007. Aruba Networks, Inc. All rights reserved配置配置ARUBA無線控制器無線控制器ARUBA無線控制器的無線配置無線控制器的無線配置CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置AP GroupWireless LANRF ManagementAPQoSIDSVirtual APPropertiesSSIDAAAa/g RadioSettingsRFOptimizationsSy

46、stem ProfileEthernetRegulatorySNMPVoIPa/g ManagementVirtual APPropertiesSSIDAAAVLANVLANCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置 加密方法加密方法確保數(shù)據(jù)在空中傳輸時的私密性可以選擇不加密(open)、二層加密(WEP, TKIP, AES) 或者三層加密 (VPN) 認證方式認證方式確保接入無線網(wǎng)絡的用戶都是合法用戶認證方式可以選擇不認證，或者MAC、EAP、c

47、aptive portal、VPN等認證方式 訪問控制訪問控制對接入無線網(wǎng)絡的合法用戶流量進行有效控制，包括可以訪問的網(wǎng)絡資源、帶寬、時間等WLAN服務的配置要點服務的配置要點SSID ProfileAAA ProfileRoleCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置(Aruba800) #show wlan virtual-ap defaultVirtual AP profile default-Parameter Value- -Virtua

48、l AP enable EnabledAllowed band allSSID Profile defaultVLAN 100Forward mode tunnelDeny time range N/AMobile IP EnabledHA Discovery on-association DisabledDoS Prevention DisabledStation Blacklisting EnabledBlacklist Time 3600 secAuthentication Failure Blacklist Time3600 secFast Roaming DisabledStrict

49、 Compliance DisabledVLAN Mobility DisabledAAA Profile defaultRemote-AP Operation standardCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置SSID Profile的定義(Aruba800) (config) #wlan ssid-profile test(Aruba800) (SSID Profile “test”) #essid test（WLAN顯示的SSID名稱）

50、(Aruba800) (SSID Profile “test”) #opmode ? （WLAN可以選用的加密方式）dynamic-wep WEP with dynamic keysopensystem No encryptionstatic-wep WEP with static keyswpa-aes WPA with AES encryption and dynamic keys using 802.1Xwpa-psk-aes WPA with AES encryption using a pre-shared keywpa-psk-tkip WPA with TKIP encrypti

51、on using a pre-shared keywpa-tkip WPA with TKIP encryption and dynamic keys using 802.1Xwpa2-aes WPA2 with AES encryption and dynamic keys using 802.1Xwpa2-psk-aes WPA2 with AES encryption using a pre-shared keywpa2-psk-tkip WPA2 with TKIP encryption using a pre-shared keywpa2-tkip WPA2 with TKIP en

52、cryption and dynamic keys using 802.1XxSec xSec encryption(Aruba800) (SSID Profile “test”) #opmode opensystemCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置SSID Profile的定義CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線

53、配置無線控制器的無線配置AAA Profile的定義配置基于Open的AAA Profile(Aruba800) (config) #aaa profile test (Aruba800) (AAA Profile test) #clone default配置基于Portal認證的CaptivePortal Profile(Aruba800) (config) #aaa authentication captive-portal test(Aruba800) (Captive Portal Authentication Profile test) #clone default(Aruba800

54、) (Captive Portal Authentication Profile test) #default-role guest(Aruba800) (Captive Portal Authentication Profile test) #no enable-welcome-page(Aruba800) (Captive Portal Authentication Profile test) #server-group testCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無

55、線配置無線控制器的無線配置配置LDAP服務器(Aruba800) (config) #aaa authentication-server ldap test(Aruba800) (LDAP Server test) # host 0(Aruba800) (LDAP Server test) #admin-dn admin(Aruba800) (LDAP Server test) #admin-passwd admin(Aruba800) (LDAP Server test) #base-dn cn=users,dc=qa,dc=domain,dc=com(Aruba800)

56、 (LDAP Server test) #allow-cleartext (Aruba800) (LDAP Server test) #exit對LDAP服務器進行測試(Aruba800) #aaa query-user CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置配置Radius服務器(Aruba800) (config) #aaa authentication-server radius test(Aruba800) (RADIUS Server

57、test) #host 0(Aruba800) (RADIUS Server test) #key 123456(Aruba800) (RADIUS Server test) #exit對Radius服務器進行測試(Aruba800) #aaa test-server mschapv2 CONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedARUBA無線控制器的無線配置無線控制器的無線配置配置Server-Group(Aruba800) (config) #aaa server-group

58、test(Aruba800) (Server Group test) #auth-server test(Aruba800) (Server Group test) #set role condition memberOf contains guest set-value guest (Aruba800) (config) #show aaa server-group testFail Through:NoAuth Servers-Name Server-Type trim-FQDN Match-Type Match-Op Match-Str- - - - - -test Ldap No Ro

59、le/VLAN derivation rules -Priority Attribute Operation Operand Type Action Value Valid- - - - - - - -1 memberOf contains guest String set role guest NoCONFIDENTIAL Copyright 2007. Aruba Networks, Inc. All rights reservedLab 4：配置兩個：配置兩個Server-Group 步驟：1. 定義一個Radius Server并測試通過2. 定義一個Radius Server Gro

60、up3. 定義一個LDAP Server并測試通過4. 定義一個LDAP Server Group 相關(guān)配置參數(shù)：組號組號第第1組組第第2組組第第X組組Radius-ServerT1-radius-server1）host 002）key 123456T2-radius-server1）host 002）key 123456TX-radius-server1）host 002）key 123456Radius-Server-GroupT1-radius-servergroup1）auth-server T1-radius-ser