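The AC is side-attached (off-path) to the core switch; access switches connect downstream of the core, and the APs connect downstream of the access switches.
On site, a 2560X device is used for dot1x authentication with local forwarding and dot1x relay mode. After configuration, authentication fails: once the username and password are entered, the client reports that it cannot join the network.
First check the AC configuration: the template configuration is normal, the network path from the AC to the RADIUS server is reachable, and the nas-ip configuration is also correct.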
wlan service-template 110
ssid XXX
vlan 110
client forwarding-location ap vlan 110
akm mode dot1x
preshared-key pass-phrase cipher XXX
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
dot1x domain XXX
service-template enable
dot1x authentication-method eap
radius scheme XXX
primary authentication X.X.X.X
primary accounting X.X.X.X
key authentication cipher XXX
key accounting cipher XXX
user-name-format without-domain
nas-ip X.X.X.X
#
domain XXX
authorization-attribute idle-cut 15 1024
authentication lan-access radius-scheme XXX
authorization lan-access radius-scheme XXX
accounting lan-access radius-scheme XXX
No problem was found in the configuration, so the output of debugging dot1x all and debugging radius all was collected, as follows:
*Dec 17 20:22:32:314 2021 H3C RADIUS/7/PACKET:
User-Name="TEST_WF01"
Service-Type=Framed-User
Framed-Protocol=PPP
NAS-Identifier="H3C"
NAS-Port=16777326
NAS-Port-Type=Wireless-802.11
NAS-Port-
Calling-Station-
Called-Station-
H3c-Nas-Startup-Timestamp=1638624964
Acct-Session-
H3c-User-Vlan-Id=110
EAP-Message=0x0201000e01544553545f57463031
Message-Authenticator=0x00000000000000000000000000000000
Framed-MTU=1450
H3c-Ip-Host-Addr="0.0.0.0 da:7d:72:ef:b8:64"
NAS-IP-Address=X.X.X.X
H3c-Product-
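Immediately after the AC sent the request packet to the server, the server replied with a reject packet, so the site was advised to contact the server side to investigate why the reject packet was returned. The site later reported that authentication succeeded after switching to the backup server.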
Decoded reply packet successfully.
*Dec 17 20:22:32:321 2021 H3C RADIUS/7/PACKET:
EAP-Message=0x04010004
Message-Authenticator=0x4d960095e1ca189a001dbf1240b18ad0
*Dec 17 20:22:32:321 2021 H3C RADIUS/7/PACKET:
03 65 00 2c 75 c0 bd cf 4b c5 a8 73 81 d6 5b 2d
b5 f2 72 61 4f 06 04 01 00 04 50 12 4d 96 00 95
e1 ca 18 9a 00 1d bf 12 40 b1 8a d0
The problem was on the server side; authentication returned to normal after the server was checked.
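The reject can be confirmed by decoding the debug output by hand. The following Python sketch is an added example, not part of the original case or of any H3C tool; the function names are chosen here, and the two hex strings are copied from the debug output above.

```python
import struct
# Values copied from the debug output above.
REQUEST_EAP_HEX = "0201000e01544553545f57463031"
REPLY_HEX = """
03 65 00 2c 75 c0 bd cf 4b c5 a8 73 81 d6 5b 2d
b5 f2 72 61 4f 06 04 01 00 04 50 12 4d 96 00 95
e1 ca 18 9a 00 1d bf 12 40 b1 8a d0
"""
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE = 79  # RADIUS attribute type carrying EAP (RFC 3579)

def parse_eap(data):
    """Decode an EAP header; Request/Response packets also carry a type byte."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP length field does not match the data")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap["type"] = data[4]
        if data[4] == 1:  # type 1 = Identity
            eap["identity"] = data[5:length].decode("utf-8", "replace")
    return eap

def parse_radius(raw):
    """Decode the RADIUS header and walk the attribute TLVs with bounds checks."""
    if len(raw) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("RADIUS length field does not match the data")
    attrs, eap, pos = [], b"", 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + alen]
        attrs.append((atype, value))
        if atype == EAP_MESSAGE:  # EAP may be split across several attributes
            eap += value
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "attributes": attrs, "eap": parse_eap(eap) if eap else None}
if __name__ == "__main__":
    print(parse_eap(bytes.fromhex(REQUEST_EAP_HEX)))
    print(parse_radius(bytes.fromhex("".join(REPLY_HEX.split()))))
```

The request carries an EAP Response/Identity for TEST_WF01, and the reply decodes as an Access-Reject wrapping an EAP Failure with the same EAP identifier, so the server refused the session directly after the identity exchange.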