某客户使用我司交换机S5120结合NPS服务器做802.1x认证,客户发现如果在NPS服务器上配置vlan下发,可以认证成功;取消vlan下发,则不能认证成功。
收集认证失败的debug信息
Debug dot1x all
Debug sc all
Debug radius packet
分析认证报文交互过程
*Sep 1 05:33:12:177 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:Receive:IP=[10.1.5.248],Code=[2],Length=[368]
*Sep 1 05:33:12:179 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[8 Framed-Address ] [6 ] [255.255.255.255]
[7 Framed-Protocol ] [6 ] [1]
[6 Service-Type ] [6 ] [2]
[65 Tunnel-Medium-Type ] [6 ] [6]
[64 Tunnel-Type ] [6 ] [13]
[79 EAP-Message ] [6 ] [030C0004]
*Sep 1 05:33:12:180 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[25 Class ] [46] [691306FD00000137000102000A0105F800000000000000000000000001CFC2F350F8FEBF000000000000002F]
[MS-26 MS-CHAP2-Success ] [45] [01533D32393933464535314235453744344139314432363539464143433641363039414636364631444142]
[MS-17 MS-MPPE-Recv-Key ] [52] [8008D75718C4F3EC4A03C74E2663928FFCF26C04AB299384AC5255C60D88CBF39F1EFAEE97D12AF784ADAD0CD3BFB084F407]
[80 Message-Autheticator ] [18] [431E003DC6A4239F561D6FB5E9F80669]
*Sep 1 05:33:12:182 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:Info: RD received MS-CHAP2-Success
*Sep 1 05:33:12:183 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:Info: RD received radius key, Decrypt user Authenticator is:
*Sep 1 05:33:12:184 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
2a 19 00 00 59 00 00 00 5a 75 00 00 58 15 00 00
*Sep 1 05:33:12:185 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:Info: Decrypt MS-MPPE-Recv-Key with radius authen authenticator is:
*Sep 1 05:33:12:187 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
20 75 0e c6 84 dc ee 79 20 40 d0 6d 0b 7b 70 e3
03 7d 7e 2b 3c 83 03 f9 34 19 46 8e 32 da 9b 54
1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*Sep 1 05:33:12:188 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:Reject, Message=[Vlan value that the server assigns is invalid!]
*Sep 1 05:33:12:189 2014 H3C5120-G5/5F-A1 8021X/7/EVENT:Auth:481,Msg: Auth request ack for failure, ACM->1X.
*Sep 1 05:33:12:190 2014 H3C5120-G5/5F-A1 8021X/7/EVENT:Port:GigabitEthernet1/0/26,Auth:481,Received Msg:261, Current state:14
*Sep 1 05:33:12:192 2014 H3C5120-G5/5F-A1 8021X/7/EVENT:Auth:481,Processing node FAILURE...
从以上radius报文交互过程可以看到设备从NPS服务器侧收到认证响应报文,设备拒绝该报文,因为服务器分配的vlan id无效。怀疑是服务器和设备的配合问题。对比取消下发vlan和下发vlan服务器的响应报文:
取消vlan下发:
*Sep 1 05:33:12:177 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:Receive:IP=[10.1.5.248],Code=[2],Length=[368]
*Sep 1 05:33:12:179 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[8 Framed-Address ] [6 ] [255.255.255.255]
[7 Framed-Protocol ] [6 ] [1]
[6 Service-Type ] [6 ] [2]
[65 Tunnel-Medium-Type ] [6 ] [6]
[64 Tunnel-Type ] [6 ] [13]
[79 EAP-Message ] [6 ] [030C0004]
*Sep 1 05:33:12:180 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[25 Class ] [46] [691306FD00000137000102000A0105F800000000000000000000000001CFC2F350F8FEBF000000000000002F]
[MS-26 MS-CHAP2-Success ] [45] [01533D32393933464535314235453744344139314432363539464143433641363039414636364631444142]
[MS-17 MS-MPPE-Recv-Key ] [52] [8008D75718C4F3EC4A03C74E2663928FFCF26C04AB299384AC5255C60D88CBF39F1EFAEE97D12AF784ADAD0CD3BFB084F407]
[80 Message-Autheticator ] [18] [431E003DC6A4239F561D6FB5E9F80669]
Vlan下发:
*Sep 1 05:37:53:635 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[64 Tunnel-Type ] [6 ] [13]
[65 Tunnel-Medium-Type ] [6 ] [6]
[81 Tunnel_Private_Group_ID ] [4 ] [3135]
[1 User-name ] [46] [host/***.***]
[32 NAS-Identifier ] [18] [H3C5120-G5/5F-A1]
[5 NAS-Port ] [6 ] [16883727]
*Sep 1 05:37:53:636 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[61 NAS-Port-Type ] [6 ] [15]
[31 Caller-ID ] [16] [373834352D633463352D30366462]
[40 Acct-Status-Type ] [6 ] [1]
[45 Acct-Authentic ] [6 ] [1]
[44 Acct-Session-Id ] [15] [1140801053720]
[4 NAS-IP-Address ] [6 ] [10.1.5.131]
*Sep 1 05:37:53:637 2014 H3C5120-G5/5F-A1 RDS/7/DEBUG:
[55 Event-Timestamp ] [6 ] [1409549873]
[25 Class ] [46] [693B072500000137000102000A0105F800000000000000000000000001CFC2F350F8FEBF0000000000000057]
查看服务器应答报文携带的属性发现虽然取消了vlan数值下发(81号属性),但在设备侧还是收到vlan下发属性(64、65号属性),但是这个值为空,导致设备无法识别。报Vlan value that the server assigns is invalid!
不下发vlan的情况下可以在服务器侧取消64、65、81属性下发。
[65 Tunnel-Medium-Type] [6 ] [6]
[81 Tunnel_Private_Group_ID ] [4 ] [3135]
[64 Tunnel-Type ] [6 ] [13]
取消64、65、81号属性下发。
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作