WX Series AC MAC Authentication Guest VLAN Configuration Guide
1. Network Setup
In this case the AC is a WX5004, the AP is a WX2620i-AGN, and the RADIUS server is IMC. The AC acts as the DHCP server and assigns the AP an address from 192.168.1.0 so that the AP can register. Users connect to the wireless service MAC-auth; a user that passes authentication is placed in VLAN 2 (192.168.2.0), and a user that fails authentication is placed in VLAN 100 (192.168.100.0).
2. Problem Description
The customer wants to use MAC + PSK authentication to hand out different access rights to different users: internal employees who connect to the wireless service and pass authentication should land in VLAN 2, while visitors who fail authentication should land in VLAN 100. After the relevant commands were configured following the configuration guide, employees passed authentication and entered VLAN 2, but visitors also entered VLAN 2 even though their MAC authentication failed; after the configuration was changed, visitors could not get onto the network at all.
3. Problem Analysis
MAC address authentication controls a user's network access based on the port and the user's MAC address, and requires no client software. When the device first detects a user's MAC address on a port with MAC authentication enabled, it starts authenticating that user; the user is not asked for a username or password. If authentication succeeds, the user may access network resources through that port; otherwise the MAC address is added as a quiet MAC. During the quiet period (set by the quiet timer) the device silently drops packets from that MAC address, which stops an unauthorized MAC from re-authenticating repeatedly in a short time.
In some situations a client that fails authentication still needs access to a restricted subset of network resources, for example a virus-signature update server. The Guest VLAN feature is used for that.
For MAC authentication on a wireless AC, the MAC address reported by the associating client is used as both username and password and the device authenticates it automatically; the user enters nothing. Because authentication is keyed on the MAC address, every client that joins the wireless network triggers an authentication.
(1) PSK + MAC authentication: guest VLAN delivery fails
#
interface WLAN-ESS1
port access vlan 2
port-security port-mode mac-and-psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase simple 12345678
mac-authentication guest-vlan 100
#
wlan service-template 1 crypto
ssid MAC-auth
bind WLAN-ESS 1
cipher-suite ccmp
security-ie rsn
service-template enable
#
<5004>display wlan client verbose //the user that failed authentication obtained VLAN 2 access
Total Number of Clients : 1
Client Information
------------------------------------------------
MAC Address : 001e-654c-6708
User Name : 001e654c6708
AID : 1
AP Name : ap1
Radio Id : 2
SSID : MAC-auth
BSSID : 5866-ba6b-f2d0
Port : WLAN-DBSS1:0
VLAN : 2
State : Running
Power Save Mode : Active
Wireless Mode : 11gn
Channel Band-width : 20MHz
SM Power Save Enable : Disabled
Short GI for 20MHz : Supported
Short GI for 40MHz : Not Supported
Support MCS Set : 0,1,2,3,4,5,6,7,8,9,
10,11,12,13,14,15
QoS Mode : WMM
Listen Interval (Beacon Interval) : 10
RSSI : 62
Rx/Tx Rate : 1/0
Client Type : WPA2(RSN)
Authentication Method : Open System
AKM Method : PSK
4-Way Handshake State : PTKINITDONE
Group Key State : IDLE
Encryption Cipher : AES-CCMP
Roam Status : Normal
Roam Count : 0
Up Time (hh:mm:ss) : 00:00:18
It was confirmed that for MAC authentication to deliver a guest VLAN, the wireless service must be cleartext (a clear service template, no PSK), so after discussing with the customer the service was changed to plain MAC authentication. Note what that trades away: a clear template provides no over-the-air encryption, and because a MAC address is trivially spoofed, membership of the employee VLAN 2 then rests entirely on the MAC list held on the RADIUS server.
(2) Switch to MAC authentication
Main configuration:
#
wlan service-template 1 clear
ssid MAC-auth
bind WLAN-ESS 1
service-template enable
#
interface WLAN-ESS1
port access vlan 2
port-security port-mode mac-authentication
mac-authentication guest-vlan 100
#
Client details on the device while a visitor connects:
<5004>display wlan client verbose
Info: Clients do not exist.
Debug output captured on the AC for analysis (the terminal commands are written out in full here; the abbreviated forms t m and t d were used on the device):
debug wlan mac all
debug mac-authentication event
debug port-security all
terminal monitor
terminal debugging
The debug wlan mac all output shows that the client associated with the wireless network successfully:
*Jun 12 16:14:49:397 2012 5004 WMAC/7/FSM : Station state : Authenticated
*Jun 12 16:14:49:408 2012 5004 WMAC/7/FRAME : Frame received from station... MAC address : 001e-654c-6708
*Jun 12 16:14:49:428 2012 5004 WMAC/7/FRAME : Frame type received : Association request
*Jun 12 16:14:49:438 2012 5004 WMAC/7/FSM : Station state : Authenticated
*Jun 12 16:14:49:448 2012 5004 WMAC/7/EVENT :
AC check clear in association request.
*Jun 12 16:14:49:458 2012 5004 WMAC/7/EVENT : Allocate AID (1) for STA 001e-654c-6708 successfully
*Jun 12 16:14:49:468 2012 5004 WMAC/7/EVENT : Add mobile (001e-654c-6708) sent
*Jun 12 16:14:49:479 2012 5004 WMAC/7/EVENT : Association response sent with status code 0
*Jun 12 16:14:49:489 2012 5004 WMAC/7/FRAME : Dot11 frame sent to AP
*Jun 12 16:14:49:499 2012 5004 WMAC/7/TIMER : Create STA IP updating timer (ID: 8026) in AP 1's radio 2.
*Jun 12 16:14:49:519 2012 5004 WMAC/7/TIMER : Idle timer created
*Jun 12 16:14:49:529 2012 5004 WMAC/7/TIMER : State timer refreshed
*Jun 12 16:14:49:539 2012 5004 WMAC/7/EVENT : Notifying Driver regarding station
*Jun 12 16:14:49:550 2012 5004 WMAC/7/EVENT : Successful association response sent
*Jun 12 16:14:49:560 2012 5004 WMAC/7/FSM : Station state : Running
*Jun 12 16:14:49:570 2012 5004 WMAC/7/EVENT : ACK received for association response
Once the client has joined the WLAN, port security triggers MAC authentication:
*Jun 12 16:14:49:630 2012 5004 PORTSEC/7/Event: Port:WLAN-DBSS1:1,PortSec received others authenticate request from WLAN.
*Jun 12 16:14:49:651 2012 5004 MACAUTH/7/EVENT: Port:WLAN-DBSS1:1,new mac address 001e-654c-6708
%Jun 12 16:14:49:661 2012 5004 WMAC/6/WMAC_CLIENT_JOIN_WLAN: Client 001e-654c-6708 successfully joins WLAN MAC-auth, on APID 1 with BSSID 5866-ba6b-f2d0.
%Jun 12 16:14:49:681 2012 5004 PORTSEC/6/PORTSEC_MACAUTH_LOGIN_FAILURE: -IfName=WLAN-DBSS1:1-MACAddr=00:1E:65:4C:67:08-VlanId=2-UserName=001e654c6708-UserNameFormat=MAC address; The user failed the MAC address authentication.
After the visitor fails authentication, the MAC authentication module starts creating the guest VLAN entry, and that creation fails:
*Jun 12 16:14:49:894 2012 5004 MACAUTH/7/EVENT: Port:WLAN-DBSS1:1,Auth:4,Added an MACAUTH MGV entry for 001e-654c-6708: IfIndex=12517376, Guest-Vlan=100
*Jun 12 16:14:49:914 2012 5004 MACAUTH/7/Error:: Configuration checking failed. Cannot add MGV entries.
Because the guest VLAN entry could not be created, the user is forced offline:
%Jun 12 16:14:50:400 2012 5004 WMAC/6/WMAC_CLIENT_GOES_OFFLINE: Client 001e-654c-6708 disconnected from WLAN MAC-auth. Reason code is 1.
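To make traces like the one above easier to read in bulk, here is an added Python example (mine, not part of the original case or of H3C's tooling) that parses Comware debug/syslog lines in the format shown, groups them per client MAC, and reports whether a failed MAC authentication ended with the guest VLAN applied or with the MGV error and a forced disconnect. The failing run is quoted from the case; the fixed run is constructed on the assumption that after the fix the same sequence occurs without the error and offline lines. Lines that carry no MAC (the MGV error) are attributed to the most recently seen client, a heuristic that is adequate for a single-client trace.

```python
"""Group H3C Comware AC debug/syslog lines per client and classify the
MAC-auth guest-VLAN outcome (added example, not from the case or H3C)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Quoted from the failing run in the case above (a subset of the lines).
FAILING_RUN = """\
*Jun 12 16:14:49:408 2012 5004 WMAC/7/FRAME : Frame received from station... MAC address : 001e-654c-6708
*Jun 12 16:14:49:479 2012 5004 WMAC/7/EVENT : Association response sent with status code 0
*Jun 12 16:14:49:651 2012 5004 MACAUTH/7/EVENT: Port:WLAN-DBSS1:1,new mac address 001e-654c-6708
%Jun 12 16:14:49:661 2012 5004 WMAC/6/WMAC_CLIENT_JOIN_WLAN: Client 001e-654c-6708 successfully joins WLAN MAC-auth, on APID 1 with BSSID 5866-ba6b-f2d0.
%Jun 12 16:14:49:681 2012 5004 PORTSEC/6/PORTSEC_MACAUTH_LOGIN_FAILURE: -IfName=WLAN-DBSS1:1-MACAddr=00:1E:65:4C:67:08-VlanId=2-UserName=001e654c6708-UserNameFormat=MAC address; The user failed the MAC address authentication.
*Jun 12 16:14:49:894 2012 5004 MACAUTH/7/EVENT: Port:WLAN-DBSS1:1,Auth:4,Added an MACAUTH MGV entry for 001e-654c-6708: IfIndex=12517376, Guest-Vlan=100
*Jun 12 16:14:49:914 2012 5004 MACAUTH/7/Error:: Configuration checking failed. Cannot add MGV entries.
%Jun 12 16:14:50:400 2012 5004 WMAC/6/WMAC_CLIENT_GOES_OFFLINE: Client 001e-654c-6708 disconnected from WLAN MAC-auth. Reason code is 1.
"""

# Constructed: the sequence assumed after the fix, with no MGV error and no
# disconnect (the case shows only the client table for that run).
FIXED_RUN = """\
*Jun 12 16:30:01:100 2012 5004 WMAC/7/EVENT : Allocate AID (1) for STA 001e-654c-6708 successfully
*Jun 12 16:30:01:120 2012 5004 WMAC/7/EVENT : Association response sent with status code 0
*Jun 12 16:30:01:300 2012 5004 MACAUTH/7/EVENT: Port:WLAN-DBSS1:5,new mac address 001e-654c-6708
%Jun 12 16:30:01:330 2012 5004 PORTSEC/6/PORTSEC_MACAUTH_LOGIN_FAILURE: -IfName=WLAN-DBSS1:5-MACAddr=00:1E:65:4C:67:08-VlanId=2-UserName=001e654c6708-UserNameFormat=MAC address; The user failed the MAC address authentication.
*Jun 12 16:30:01:500 2012 5004 MACAUTH/7/EVENT: Port:WLAN-DBSS1:5,Auth:4,Added an MACAUTH MGV entry for 001e-654c-6708: IfIndex=12517376, Guest-Vlan=100
"""

# "*" marks debug output, "%" a syslog message; MODULE/severity/MNEMONIC follows the host name.
LINE_RE = re.compile(
    r'^(?P<kind>[*%])(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d:\d{3} \d{4}) (?P<host>\S+) '
    r'(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+)\s*:+\s*(?P<msg>.*)$')
# Client MACs appear as 001e-654c-6708 in WMAC/MACAUTH lines and 00:1E:65:4C:67:08 in PORTSEC lines.
MAC_RE = re.compile(r'\b(?:[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}'
                    r'|[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b')
# (step name, emitting module, message pattern); a "detail" group captures the VLAN id or reason code.
STEPS = [
    ('assoc_ok',      'WMAC',    re.compile(r'Association response sent with status code 0')),
    ('macauth_start', 'MACAUTH', re.compile(r'new mac address')),
    ('macauth_fail',  'PORTSEC', re.compile(r'failed the MAC address authentication')),
    ('mgv_add',       'MACAUTH', re.compile(r'Added an MACAUTH MGV entry .*Guest-Vlan=(?P<detail>\d+)')),
    ('mgv_error',     'MACAUTH', re.compile(r'Cannot add MGV entries')),
    ('offline',       'WMAC',    re.compile(r'disconnected from WLAN .*Reason code is (?P<detail>\d+)')),
]


class Event(NamedTuple):
    ts: datetime
    step: str
    detail: Optional[str]


def normalize_mac(raw: str) -> str:
    """001e-654c-6708 and 00:1E:65:4C:67:08 both become 001e654c6708 (the RADIUS username form)."""
    return re.sub(r'[-:]', '', raw).lower()


def parse_timeline(text: str) -> Dict[str, List[Event]]:
    """Return the recognised steps per client MAC, in log order."""
    timelines: Dict[str, List[Event]] = defaultdict(list)
    last_mac = None  # heuristic: MAC-less lines belong to the client seen last
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        found = MAC_RE.search(m['msg'])
        if found:
            last_mac = normalize_mac(found.group(0))
        for step, module, pat in STEPS:
            sm = pat.search(m['msg']) if m['module'] == module else None
            if sm and last_mac:
                ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S:%f %Y')
                timelines[last_mac].append(Event(ts, step, sm.groupdict().get('detail')))
                break
    return dict(timelines)


def diagnose(events: List[Event]) -> dict:
    """Classify one client's sequence into the outcomes seen in the case."""
    first: Dict[str, Event] = {}
    for e in events:
        first.setdefault(e.step, e)
    verdict = 'no_macauth_failure'
    if 'macauth_fail' in first:
        if 'mgv_error' in first:
            verdict = 'guest_vlan_failed'        # MGV entry rejected, client is kicked offline
        elif 'mgv_add' in first and 'offline' not in first:
            verdict = 'guest_vlan_applied'       # parked in the guest VLAN, as after the fix
        else:
            verdict = 'macauth_failed_no_guest_vlan'
    secs = None
    if 'assoc_ok' in first and 'offline' in first:
        secs = round((first['offline'].ts - first['assoc_ok'].ts).total_seconds(), 3)
    return {'verdict': verdict,
            'guest_vlan': int(first['mgv_add'].detail) if 'mgv_add' in first else None,
            'offline_reason': int(first['offline'].detail) if 'offline' in first else None,
            'seconds_online': secs}


def analyse(text: str) -> Dict[str, dict]:
    return {mac: diagnose(evts) for mac, evts in parse_timeline(text).items()}


if __name__ == '__main__':
    for name, run in (('failing run', FAILING_RUN), ('fixed run (constructed)', FIXED_RUN)):
        for mac, result in analyse(run).items():
            print(f'{name}: {mac} -> {result}')
```

Running it prints guest_vlan_failed with offline reason 1 for the quoted trace and guest_vlan_applied for the constructed one; the same step patterns work on a terminal-monitor capture with many clients, which is where grouping by MAC pays off.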
With the cause identified, the manual and colleagues were consulted: creating the guest VLAN requires mac-vlan enable on the AC's WLAN-ESS interface. The ESS interface configuration was changed as follows for testing:
#
interface WLAN-ESS1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
mac-vlan enable
port-security port-mode mac-authentication
mac-authentication guest-vlan 100
#
Client details now show the visitor joining VLAN 100:
[5004]display wlan client verbose
Total Number of Clients : 1
Client Information
-------------------------------------------------------
MAC Address : 001e-654c-6708
User Name : 001e654c6708
AID : 1
AP Name : ap1
Radio Id : 2
SSID : MAC-auth
BSSID : 5866-ba6b-f2d0
Port : WLAN-DBSS1:5
VLAN : 100
State : Running
Power Save Mode : Active
Wireless Mode : 11gn
Channel Band-width : 20MHz
SM Power Save Enable : Disabled
Short GI for 20MHz : Supported
Short GI for 40MHz : Not Supported
Support MCS Set : 0,1,2,3,4,5,6,7,8,9,
10,11,12,13,14,15
QoS Mode : WMM
Listen Interval (Beacon Interval) : 10
RSSI : 63
Rx/Tx Rate : 1/0
Client Type : PRE-RSNA
Authentication Method : Open System
AKM Method : None
4-Way Handshake State : -NA-
Group Key State : -NA-
Encryption Cipher : Clear
Roam Status : Normal
Roam Count : 0
Up Time (hh:mm:ss) : 00:00:15
4. Solution
Change the AC configuration to:
#
port-security enable
#
interface WLAN-ESS1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
mac-vlan enable
port-security port-mode mac-authentication
mac-authentication guest-vlan 100
#
wlan service-template 1 clear
ssid MAC-auth
bind WLAN-ESS 1
service-template enable
#
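As an added example (mine, not from the case or from H3C), the checklist that emerged from this troubleshooting can be expressed as a small Python lint over the running configuration: it takes the three WLAN-ESS/service-template configurations from this case and reports which guest-VLAN prerequisite each one lacks. The hybrid-port requirement follows from mac-vlan enable, which Comware supports only on hybrid ports; the global port-security enable line is assumed present in the first two configurations, where the case omits it (port security was clearly active, since MAC authentication ran).

```python
"""Lint a Comware WLAN-ESS/service-template configuration for the guest-VLAN
prerequisites identified in this case (added example, not H3C's own tooling)."""
import re
from typing import List

# The three configurations from the case. "port-security enable" is assumed
# in the first two; the case shows it explicitly only in the final solution.
PSK_CONFIG = """\
#
port-security enable
#
interface WLAN-ESS1
 port access vlan 2
 port-security port-mode mac-and-psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase simple 12345678
 mac-authentication guest-vlan 100
#
wlan service-template 1 crypto
 ssid MAC-auth
 bind WLAN-ESS 1
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
"""
MACAUTH_ACCESS_CONFIG = """\
#
port-security enable
#
wlan service-template 1 clear
 ssid MAC-auth
 bind WLAN-ESS 1
 service-template enable
#
interface WLAN-ESS1
 port access vlan 2
 port-security port-mode mac-authentication
 mac-authentication guest-vlan 100
#
"""
FIXED_CONFIG = """\
#
port-security enable
#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 2 untagged
 port hybrid pvid vlan 2
 mac-vlan enable
 port-security port-mode mac-authentication
 mac-authentication guest-vlan 100
#
wlan service-template 1 clear
 ssid MAC-auth
 bind WLAN-ESS 1
 service-template enable
#
"""


def parse_blocks(cfg: str) -> List[List[str]]:
    """Split a Comware config into '#'-delimited blocks; block[0] is the view command."""
    blocks: List[List[str]] = []
    cur: List[str] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ('#', ''):
            if cur:
                blocks.append(cur)
            cur = []
        else:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def check_guest_vlan_prereqs(cfg: str) -> List[str]:
    """One finding per missing prerequisite; an empty list matches the working config."""
    blocks = parse_blocks(cfg)
    findings: List[str] = []
    if ['port-security enable'] not in blocks:
        findings.append('global: port-security enable missing')
    for blk in blocks:
        m = re.match(r'interface WLAN-ESS\s*(\d+)$', blk[0])
        if not m:
            continue
        name, body, ess_id = blk[0], blk[1:], m.group(1)
        if not any(l.startswith('mac-authentication guest-vlan ') for l in body):
            continue  # no guest VLAN on this ESS, nothing to check
        mode = next((l.split()[-1] for l in body if l.startswith('port-security port-mode ')), None)
        if mode != 'mac-authentication':
            findings.append(f'{name}: port-mode {mode} cannot deliver a guest VLAN; use mac-authentication')
        if 'mac-vlan enable' not in body:
            findings.append(f'{name}: mac-vlan enable missing (MGV entry creation fails without it)')
        if 'port link-type hybrid' not in body:
            findings.append(f'{name}: port must be link-type hybrid for mac-vlan')
        # The service template bound to this ESS must be a clear (open) template.
        for tpl in blocks:
            t = re.match(r'wlan service-template \d+ (\w+)$', tpl[0])
            if t and any(re.match(rf'bind WLAN-ESS\s*{ess_id}$', l) for l in tpl[1:]):
                if t.group(1) != 'clear':
                    findings.append(f'{tpl[0]}: bound to {name} but a guest VLAN requires a clear template')
    return findings


if __name__ == '__main__':
    for label, cfg in (('PSK + MAC', PSK_CONFIG), ('MAC auth, access port', MACAUTH_ACCESS_CONFIG),
                       ('solution', FIXED_CONFIG)):
        print(label, '->', check_guest_vlan_prereqs(cfg) or 'OK')
```

The first configuration produces four findings (port mode, mac-vlan, link type, crypto template), the second two (mac-vlan, link type), and the solution none, which is exactly the progression the case walked through.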