Switch 802.1X authentication fails; the interface doing the authentication cannot obtain an address.
The RADIUS server is a Sangfor AC device. Below it is the core switch, and below the core are the access-layer switches. 802.1X is configured on the switches, but authentication still fails. DHCP is provided by a separate device; the gateway is on the access-layer switch, and DHCP addresses are obtained through relay.
The 802.1X configuration is as follows:
#
radius scheme rad
primary authentication 10.10.10.3
primary accounting 10.10.10.3
secondary authentication 10.10.10.4
secondary accounting 10.10.10.4
key authentication cipher ******
key accounting cipher *******
nas-ip 10.10.10.14
#
domain ***.***
authentication lan-access radius-scheme rad
authorization lan-access radius-scheme rad
accounting lan-access radius-scheme rad
#
dot1x
dot1x authentication-method eap
dot1x retry 5
#
The dot1x configuration is applied normally under the interface.
Best answer
Is there any error message when authentication fails?
According to the customer, it only shows "authentication failed".
Then you can run a DEBUG and check. Here is a complete DEBUG trace so you can see which step the authentication reaches:
*Jan 12 07:17:57:326 2013 XXK DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:17:57:329 2013 XXK DOT1X/7/EVENT: Sent accounting-stop request: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:17:57:330 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*Jan 12 07:17:57:330 2013 XXK RADIUS/7/EVENT: Processing AAA request data.
*Jan 12 07:17:57:330 2013 XXK RADIUS/7/EVENT: Got request data successfully, primitive: accounting-stop.
*Jan 12 07:17:57:331 2013 XXK RADIUS/7/EVENT: Getting RADIUS server info.
*Jan 12 07:17:57:331 2013 XXK RADIUS/7/EVENT: Got RADIUS server info successfully.
*Jan 12 07:17:57:331 2013 XXK RADIUS/7/EVENT: Created request context successfully.
*Jan 12 07:17:57:331 2013 XXK RADIUS/7/EVENT: Created request packet successfully, dstIP: 192.192.5.100, dstPort: 1813, VPN instance: --(public), socketFd: 81, pktID: 10.
*Jan 12 07:17:57:331 2013 XXK RADIUS/7/EVENT: Added packet socketfd to epoll successfully, socketFd: 81.
*Jan 12 07:17:57:332 2013 XXK RADIUS/7/EVENT: Mapped PAM item to RADIUS attribute successfully.
*Jan 12 07:17:57:332 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Sent accounting-stop request successfully.
The switch receives the server's accounting-stop response:
Reply SocketFd recieved EPOLLIN event.
*Jan 12 07:17:57:345 2013 XXK RADIUS/7/EVENT: Received reply packet succuessfully.
*Jan 12 07:17:57:346 2013 XXK RADIUS/7/EVENT: Found request context, dstIP: 192.192.5.100, dstPort: 1813, VPN instance: --(public), socketFd: 81, pktID: 10.
*Jan 12 07:17:57:346 2013 XXK RADIUS/7/EVENT: The reply packet is valid.
*Jan 12 07:17:57:347 2013 XXK RADIUS/7/EVENT: Decoded reply packet successfully.
*Jan 12 07:17:57:347 2013 XXK RADIUS/7/PACKET: 05 0a 00 14 91 e9 e2 4e 97 39 4c df 8d 05 19 f5 37 ef ca 83
*Jan 12 07:17:57:347 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*Jan 12 07:17:57:348 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-stop reply-data successfully, resultCode: 0
*Jan 12 07:17:57:348 2013 XXK DOT1X/7/EVENT: Received accounting-stop response with code 0: UserMAC=6045-cb6f-d853, Interface=GigabitEthernet1/0/23.
From the exchange above, there is no problem between the switch and the server; the server responds normally to the offline (accounting-stop) packet.
Authentication starts:
Mapped PAM item to RADIUS attribute successfully.
*Jan 12 07:18:03:208 2013 XXK RADIUS/7/EVENT: Got RADIUS username format successfully, format: 2.
*Jan 12 07:18:03:208 2013 XXK RADIUS/7/EVENT: Added attribute user-name successfully, user-name: 60-45-cb-6f-d8-53.
The authentication packet is as follows; this is MAC authentication:
Created response timeout timer successfully.
*Jan 12 07:18:03:210 2013 XXK RADIUS/7/PACKET:
User-Name="60-45-cb-6f-d8-53"
NAS-Identifier="XXK"
Framed-Protocol=PPP
Called-Station-
H3c-Ip-Host-Addr="0.0.0.0 60:45:cb:6f:d8:53"
Calling-Station-
NAS-Port-Type=Ethernet
H3C-NAS-Port-Name="GigabitEthernet1/0/23"
NAS-Port=16871434
NAS-Port-
H3c-AVPair="nas:ifindex=23"
Acct-Session-
User-Password=******
Service-Type=Call-Check
NAS-IP-Address=192.192.40.10
H3c-Product-
H3c-Nas-Startup-Timestamp=1356998378
*Jan 12 07:18:03:211 2013 XXK RADIUS/7/EVENT:
*Jan 12 07:18:03:211 2013 XXK RADIUS/7/EVENT: Sent request packet successfully.
Authentication succeeds; the state changes from Authenticating to Authenticated:
*Jan 12 07:18:03:234 2013 XXK RADIUS/7/EVENT: Sent reply message successfully.
*Jan 12 07:18:03:235 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authentication.
*Jan 12 07:18:03:235 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 12 07:18:03:235 2013 XXK MACA/7/EVENT: Received authentication response with code 0: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:03:236 2013 XXK MACA/7/EVENT: State changed from Authenticating to Authenticated: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:03:237 2013 XXK MACA/7/EVENT: Deleted server timeout timer: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
Authorization succeeds:
*Jan 12 07:18:03:237 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authorization.
*Jan 12 07:18:03:238 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS Authorization successfully.
*Jan 12 07:18:03:238 2013 XXK MACA/7/EVENT: AAA processed authorization request: Result= Success, UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
Accounting packets start being sent:
*Jan 12 07:18:03:259 2013 XXK RADIUS/7/EVENT: Sent request packet successfully.
*Jan 12 07:18:03:260 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Sent accounting-start request successfully.
The server's accounting response is received; the accounting update runs every 720 s, which matches the configuration:
PAM_RADIUS: RADIUS accounting started.
*Jan 12 07:18:03:266 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 0
*Jan 12 07:18:03:276 2013 XXK RADIUS/7/EVENT: Sent reply message successfully.
*Jan 12 07:18:03:280 2013 XXK MACA/7/EVENT: Started accounting-update timer: Length=720(s),UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
Then the client initiates 802.1X authentication again; the packet is as follows, with a different user name:
*Jan 12 07:18:06:206 2013 XXK RADIUS/7/PACKET:
User-Name="SANGFORCLIENTrmyy"
NAS-Identifier="XXK"
EAP-Message=0x020100160153414e47464f52434c49454e54726d7979
Message-Authenticator=0x00000000000000000000000000000000
Framed-MTU=1450
Framed-Protocol=PPP
Called-Station-
NAS-Port-Type=Ethernet
H3c-Ip-Host-Addr="0.0.0.0 60:45:cb:6f:d8:53"
Calling-Station-
H3C-NAS-Port-Name="GigabitEthernet1/0/23"
NAS-Port=16871434
NAS-Port-
H3c-AVPair="nas:ifindex=23"
Acct-Session-
Service-Type=Framed-User
NAS-IP-Address=192.192.40.10
H3c-Product-
H3c-Nas-Startup-Timestamp=1356998378
The server returns an authentication failure, and authentication continues:
*Jan 12 07:18:06:213 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authentication.
*Jan 12 07:18:06:213 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 2
*Jan 12 07:18:06:214 2013 XXK DOT1X/7/EVENT: Received authentication response with code 32: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
After several further attempts, authentication succeeds:
PAM_RADIUS: Processing RADIUS authentication.
*Jan 12 07:18:07:241 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 12 07:18:07:241 2013 XXK DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
RADIUS authentication and authorization are carried in the same packet; once authentication succeeds, authorization succeeds as well:
*Jan 12 07:18:07:245 2013 XXK DOT1X/7/EVENT: Sent authorization request: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:246 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authorization.
*Jan 12 07:18:07:246 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS Authorization successfully.
*Jan 12 07:18:07:246 2013 XXK DOT1X/7/EVENT: AAA processed authorization request: Result= Success, UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
After 802.1X comes online, MAC authentication goes offline; this is normal:
Composed request packet successfully.
*Jan 12 07:18:07:273 2013 XXK MACA/7/EVENT: Processing unauthorization event: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:274 2013 XXK MACA/7/EVENT: State changed from Authenticated to Disconnect: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:274 2013 XXK MACA/7/EVENT: Deleted server timeout timer: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:274 2013 XXK MACA/7/EVENT: Deleted accounting-update timer: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:274 2013 XXK MACA/7/EVENT: Deleted offline-detect timer: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:275 2013 XXK RADIUS/7/EVENT: Created response timeout timer successfully.
*Jan 12 07:18:07:277 2013 XXK DOT1X/7/EVENT: Interface GigabitEthernet1/0/23 received Set the port authorization status to authorized event.
*Jan 12 07:18:07:279 2013 XXK MACA/7/EVENT: Sent an accounting-stop request: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:07:279 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*Jan 12 07:18:07:279 2013 XXK RADIUS/7/EVENT:
Then 802.1X accounting starts successfully:
*Jan 12 07:18:07:324 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting started.
*Jan 12 07:18:07:324 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-start reply-data successfully, resultCode: 0
*Jan 12 07:18:07:325 2013 XXK DOT1X/7/EVENT: Received accounting-start response with code 0: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
Then MAC authentication accounting stops; this is also normal:
*Jan 12 07:18:07:335 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*Jan 12 07:18:07:336 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-stop reply-data successfully, resultCode: 0
*Jan 12 07:18:07:337 2013 XXK MACA/7/EVENT: Received accounting-stop response with code 0: UserMAC=6045-cb6f-d853, Interface=GigabitEthernet1/0/23.
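As an added example (not code from the thread or from H3C), here is a small Python parser for debug lines of the shape quoted in the answer above. It attributes each RADIUS resultCode to the User-Name of the request that preceded it, so a reject on the 802.1X identity (SANGFORCLIENTrmyy) is not confused with the earlier MAC-authentication success (60-45-cb-6f-d8-53). The sample lines are constructed from the answer's log with attributes abridged, and the reading of resultCode 2 as "rejected" follows the answer's commentary.

```python
import re

# Prefix of an H3C debug line: "*Jan 12 07:18:03:235 2013 XXK RADIUS/7/EVENT: <message>"
LINE_RE = re.compile(r"^\*(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) (?P<host>\S+) "
                     r"(?P<module>[A-Z0-9]+)/(?P<sev>\d)/(?P<kind>[A-Z]+): (?P<msg>.*)$")
RESULT_RE = re.compile(r"Fetched (?P<phase>\S+) reply-data successfully, resultCode: (?P<code>\d+)")
STATE_RE = re.compile(r"State changed from (?P<old>\w+) to (?P<new>\w+): UserMAC=(?P<mac>[0-9a-f-]+)")
USER_RE = re.compile(r'User-Name="(?P<user>[^"]+)"')
RESULT_NAMES = {0: "success", 2: "rejected"}  # resultCode values seen in the thread's debug

def parse_debug(text):
    """Turn raw debug output into (timestamp, module, event) tuples for the AAA state machine."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # commentary, blank line or a continuation without the debug prefix
        ts, module, msg = m.group("ts"), m.group("module"), m.group("msg")
        user, result, state = USER_RE.search(msg), RESULT_RE.search(msg), STATE_RE.search(msg)
        if user:
            events.append((ts, module, "request User-Name=" + user.group("user")))
        elif result:
            code = int(result.group("code"))
            events.append((ts, module, result.group("phase") + " " + RESULT_NAMES.get(code, "code %d" % code)))
        elif state:
            events.append((ts, module, "%s %s->%s" % (state.group("mac"), state.group("old"), state.group("new"))))
    return events

def auth_outcomes(text):
    """Pair each authentication resultCode with the User-Name of the most recent request,
    so the MAC-authentication identity (the MAC address) and the 802.1X identity stay apart."""
    outcomes, current_user = [], None
    for _, _, event in parse_debug(text):
        if event.startswith("request User-Name="):
            current_user = event.split("=", 1)[1]
        elif event.startswith("authentication "):
            outcomes.append((current_user, event.split(" ", 1)[1]))
    return outcomes

# Constructed sample modelled on the debug lines quoted in the answer above (attributes abridged).
SAMPLE = """\
*Jan 12 07:18:03:210 2013 XXK RADIUS/7/PACKET: User-Name="60-45-cb-6f-d8-53" NAS-Identifier="XXK" Service-Type=Call-Check
*Jan 12 07:18:03:235 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 12 07:18:03:236 2013 XXK MACA/7/EVENT: State changed from Authenticating to Authenticated: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
*Jan 12 07:18:06:206 2013 XXK RADIUS/7/PACKET: User-Name="SANGFORCLIENTrmyy" NAS-Identifier="XXK" Service-Type=Framed-User
*Jan 12 07:18:06:213 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 2
*Jan 12 07:18:07:241 2013 XXK RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Jan 12 07:18:07:274 2013 XXK MACA/7/EVENT: State changed from Authenticated to Disconnect: UserMAC=6045-cb6f-d853, VLANID=10, Interface=GigabitEthernet1/0/23.
"""
```

Feed it the full `debugging dot1x`/`debugging radius` output and `auth_outcomes` shows at a glance which identity the server rejected and which it accepted.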
OK, thanks.
Check the authentication status on the interface; an address is assigned only after authentication passes.
Could a network environment like this involve 802.1X relay? Do I need to do anything on the core?