MAC and 802.1X authentication must be performed for access users. The authentication server is a third-party network access control platform. Terminals whose MAC addresses are defined on the third-party server are allowed to access all resources; for MAC addresses not defined on the server, the server assigns an ACL that restricts the corresponding terminal to a fixed set of resources.
When an S5130-52S-EI and an S5110-52P each connect multiple terminals directly, this requirement is met. When the S5130's downlink connects to a TP-Link switch, which in turn connects multiple terminals (including terminals that should access all resources and terminals that may only access the fixed resources), the requirement is also met. But when the S5110's downlink connects to the TP-Link, the result no longer depends on whether a terminal is defined on the server: either all terminals can access all resources, or all terminals can only access the designated resources.
1. Check whether MAC authentication succeeded for the terminal; the output shows that the terminal has passed authentication:
<CESHI>display mac-authentication connection user-mac xxxx-xxxx-xxx2
Total connections: 1
Slot ID: 1
User MAC address: xxxx-xxxx-xxx2
Access interface: GigabitEthernet1/0/3
Username: xxxxxxxxd100
User access state: Successful //Authentication successful
Authentication domain: leagsoft
IPv4 address: x.x.x.188
Initial VLAN: 12
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization ACL ID: 3500
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Termination action: Radius-request
Session timeout period: 60 s
Online from: 2013/01/01 00:11:33
Online duration: 0h 1m 51s
2. Check whether the access device authenticates the terminal by MAC; the output shows that the authentication mode is MAC-based:
GigabitEthernet1/0/3 is link-down
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Handshake secure is disabled
802.1X unicast-trigger is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based //MAC-based authentication
802.1X Multicast-trigger is enabled
Mandatory authentication domain: leagsoft
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Critical VLAN: 12
Critical recovery-action: NOT configured
Max number of on-line users is 256
3. Use debugging (debugging mac-authentication event, debugging dot1x all, debug radius all) to check the terminal's authentication process for errors or abnormal VLAN-assignment messages. The output shows that the device did not apply the ACL policy assigned by the server:
*Apr 27 08:53:22:884 2000 904 MACAUTH/7/EVENT: Port:GigabitEthernet1/0/3,Auth:196,Authoring authored ACL...
*Apr 27 08:53:23:014 2000 904 8021X/7/EVENT: Port:GigabitEthernet1/0/3,Auth:196,Entering DOT1XSOP_AssignUserACL.
*Apr 27 08:53:23:154 2000 904 8021X/7/EVENT: Port:GigabitEthernet1/0/3,Auth:196,DOT1XSOP:DOT1XSOP_DownloadUserACL return fail.
%Apr 27 07:46:11:825 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=xx:xx:xx:xx:xx:x1-IPAddr=N/A-IPv6Addr=N/A-UserName=xx-xx-xx-xx-xx-x1@leagsoft; User got online successfully.
%Apr 27 07:46:12:305 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=xx:xx:xx:xx:xx:x2 -IPAddr=N/A-IPv6Addr=N/A-UserName=xx-xx-xx-xx-xx-x2@leagsoft; User got online successfully.
%Apr 27 07:46:12:495 2000 904 8021X/5/DOT1X_SOP_ACL_FAILURE: -IfName=GigabitEthernet1/0/3-UserName=xx:xx:xx:xx:xx:x2 ; Failed to assign the specified ACL. //ACL assignment failed
%Apr 27 08:52:53:255 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=xx:xx:xx:xx:xx:x1-IPAddr=N/A-IPv6Addr=N/A-UserName=xx-xx-xx-xx-xx-x1@leagsoft; User got online successfully.
%Apr 27 08:53:15:814 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=xx:xx:xx:xx:xx:x2-IPAddr=N/A-IPv6Addr=N/A-UserName=xx-xx-xx-xx-xx-x2 @leagsoft; User got online successfully.
%Apr 27 08:53:16:004 2000 904 8021X/5/DOT1X_SOP_ACL_FAILURE: -IfName=GigabitEthernet1/0/3-UserName=xx:xx:xx:xx:xx:x2 ; Failed to assign the specified ACL.
%Apr 27 08:53:16:254 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=xx:xx:xx:xx:xx:x2-IPAddr=N/A-IPv6Addr=N/A-UserName= xx-xx-xx-xx-xx-x2@leagsoft; User got online successfully.
%Apr 27 08:53:16:444 2000 904 8021X/5/DOT1X_SOP_ACL_FAILURE: -IfName=GigabitEthernet1/0/3-UserName=xx-xx-xx-xx-xx-x2 ; Failed to assign the specified ACL.
Verification confirmed that this device's switching chip does not support dynamically assigning the same ACL more than once on a single port, so it returned ERROR_ALREADY_EXIST directly, which is why the debug output printed "DOT1XSOP:The error code is 6". If the customer needs ACLs assigned to multiple access users on a single port, a different device should be used; this device's hardware specification does not support the requirement.
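Note that in the log above the RDS_SUCC line for a user precedes its DOT1X_SOP_ACL_FAILURE line: the session is online, but its authorization ACL is not installed, so the terminal's effective access is not what the server intended. That makes this log pair worth alerting on rather than only finding with debugging. The following Python script is an added example and is not part of the original case or any vendor tool: it parses Comware-style RDS_SUCC and DOT1X_SOP_ACL_FAILURE syslog lines, reports every user that came online without its ACL, and counts such failures per port, since several failures on one port is the signature of the single-port limitation described above. The lines in SAMPLE_LOGS are constructed with made-up MAC addresses and modelled on the lines shown in this case; the regular expressions, field-splitting rule and function names are this example's own assumptions about the log layout.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the Comware syslog lines in this case.
# MAC addresses and usernames are made up; interface and domain follow the case.
SAMPLE_LOGS = """\
%Apr 27 08:52:53:255 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=00:11:22:33:44:01-IPAddr=N/A-IPv6Addr=N/A-UserName=00-11-22-33-44-01@leagsoft; User got online successfully.
%Apr 27 08:53:15:814 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=00:11:22:33:44:02-IPAddr=N/A-IPv6Addr=N/A-UserName=00-11-22-33-44-02@leagsoft; User got online successfully.
%Apr 27 08:53:16:004 2000 904 8021X/5/DOT1X_SOP_ACL_FAILURE: -IfName=GigabitEthernet1/0/3-UserName=00:11:22:33:44:02 ; Failed to assign the specified ACL.
%Apr 27 08:53:16:254 2000 904 RDS/6/RDS_SUCC: -IfName=GigabitEthernet1/0/3-VlanId=12-MACAddr=00:11:22:33:44:03-IPAddr=N/A-IPv6Addr=N/A-UserName=00-11-22-33-44-03@leagsoft; User got online successfully.
%Apr 27 08:53:16:444 2000 904 8021X/5/DOT1X_SOP_ACL_FAILURE: -IfName=GigabitEthernet1/0/3-UserName=00-11-22-33-44-03 ; Failed to assign the specified ACL.
"""

# Assumed line layout (derived from the samples, not a vendor specification):
# %<timestamp> <id> <MODULE>/<severity>/<MNEMONIC>: <-Key=Value fields> ; <text>
LOG_RE = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2} \d{1,2} [\d:]+ \d{4}) \S+ "
    r"(?P<module>[A-Z0-9]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<fields>.*?)\s*; (?P<text>.*)$"
)

# Fields are "-Key=Value" runs, but values such as 00-11-22-33-44-01 also contain
# dashes, so split only on a dash that is followed by a capitalised key and "=".
FIELD_SPLIT_RE = re.compile(r"-(?=[A-Z][A-Za-z0-9]*=)")


def parse_fields(field_text):
    """Turn '-IfName=Gi1/0/3-VlanId=12-...' into a dict of key -> value."""
    fields = {}
    for part in FIELD_SPLIT_RE.split(field_text.strip()):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key] = value.strip()
    return fields


def norm_mac(value):
    """Normalise 00:11:22:33:44:02, 00-11-22-33-44-02@domain, etc. to 12 lowercase hex
    digits, so the colon form in RDS_SUCC matches the dash form in the ACL failure."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value.split("@", 1)[0])
    return hexdigits.lower() if len(hexdigits) == 12 else None


def find_acl_gaps(log_text):
    """Return users that got online (RDS_SUCC) but whose authorization ACL failed
    (DOT1X_SOP_ACL_FAILURE) on the same interface, sorted by interface and MAC."""
    online = {}   # (interface, mac) -> timestamp of the RDS_SUCC line
    failed = {}   # (interface, mac) -> timestamp of the ACL failure line
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = parse_fields(m["fields"])
        # RDS_SUCC carries MACAddr; the ACL failure only carries UserName (the MAC).
        mac = norm_mac(f.get("MACAddr") or f.get("UserName", ""))
        key = (f.get("IfName"), mac)
        if m["mnemonic"] == "RDS_SUCC":
            online[key] = m["ts"]
        elif m["mnemonic"] == "DOT1X_SOP_ACL_FAILURE":
            failed[key] = m["ts"]
    return [
        {"interface": k[0], "mac": k[1], "online_at": online[k], "acl_failed_at": failed[k]}
        for k in sorted(k for k in failed if k in online)
    ]


def acl_failures_per_port(gaps):
    """Count gaps per interface; more than one on a port points at the
    one-dynamic-ACL-per-port hardware limitation described in the case."""
    return dict(Counter(g["interface"] for g in gaps))


if __name__ == "__main__":
    gaps = find_acl_gaps(SAMPLE_LOGS)
    for g in gaps:
        print(f"{g['interface']} mac={g['mac']} online={g['online_at']} "
              f"acl_failed={g['acl_failed_at']}")
    print("failures per port:", acl_failures_per_port(gaps))
```

Feeding the real device log through find_acl_gaps gives the list of sessions to re-check with display mac-authentication connection (the Authorization ACL ID field) and, if the count per port is above one on a platform with this limitation, a reason to move those users to a different access device as the case recommends.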