802.1X is enabled on switch port 1, but after enabling 802.1x on port 2 I cannot ping the server address, and I cannot ping hosts in other VLANs either.
domain default enable jmc
#
dot1x
dot1x authentication-method eap
#
password-recovery enable
#
vlan 1
#
vlan 100
#
vlan 200
#
vlan 300
#
vlan 400
#
vlan 500
#
radius scheme radius1
primary authentication 192.168.0.151
key authentication cipher $c$3$7t2Q3HU+yE4gpky12do6LZ6V0psTFgDU/Q==
radius scheme radius2
primary authentication 192.168.0.151 key cipher $c$3$fQmETcxv5S0MhvDEpv52VnufIvAli5KBew==
user-name-format without-domain
#
domain jmc
authentication lan-access radius-scheme radius1
authorization lan-access radius-scheme radius1
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
domain test
authentication lan-access radius-scheme radius2
authorization lan-access radius-scheme radius2
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$0R70jtd5wlM/Ges4bcL/+q+zN+VsodjZ
authorization-attribute level 3
service-type web
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.4.1 255.255.255.0
#
interface Vlan-interface200
ip address 192.168.3.1 255.255.255.0
#
interface Vlan-interface300
ip address 192.168.5.1 255.255.255.0
#
interface Vlan-interface400
ip address 192.168.9.1 255.255.255.0
#
interface Vlan-interface500
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port access vlan 100
dot1x guest-vlan 400
dot1x auth-fail vlan 400
dot1x critical vlan 400
undo dot1x handshake
dot1x mandatory-domain jmc
undo dot1x multicast-trigger
dot1x port-method portbased
dot1x
#
interface GigabitEthernet1/0/2
port access vlan 200
undo dot1x handshake
dot1x mandatory-domain test
undo dot1x multicast-trigger
dot1x port-method portbased
dot1x
Best answer
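Hello, please note:
To enable 802.1X on multiple ports, here are the reference commands:
int range gi 1/0/1 to gi 1/0/10
dot1x
quit
In addition, for 802.1X authentication failures, here are the key troubleshooting points for reference:
1. Check whether the switch has a route to the RADIUS server.
2. Check whether the RADIUS scheme on the switch is correctly configured with the RADIUS server address and key.
3. Check whether the domain references the RADIUS scheme.
4. Check whether the domain is set as the default domain.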
Authentication succeeds, but after authenticating the PC cannot ping the port's VLAN.
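Authentication does succeed; it is just that after authenticating the PC cannot ping the port's VLAN.
Then treat it as a directly connected host being unreachable: first check whether the gateway is configured on the PC, then check whether the device has learned the PC's ARP entry. If the ARP entry has been learned, capture packets or run traffic statistics on the ping packets; if it has not, run traffic statistics on the ARP packets.
Using dis arp I cannot see the PC I have connected; with 802.1x turned off it shows up. What is going on here?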
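Items 2 to 4 of the troubleshooting checklist in the best answer can be checked statically against a saved configuration by resolving, for each 802.1X port, the chain port → domain → RADIUS scheme → server and key. The following Python script is an added example, not part of the original thread or of any H3C tool; `audit`, `first` and `SAMPLE` are hypothetical names, and it assumes a port's `dot1x mandatory-domain` takes precedence over the default domain.

```python
import re

# Constructed sample, trimmed from the posted config; secrets are placeholders.
SAMPLE = """\
domain default enable jmc
radius scheme radius1
primary authentication 192.168.0.151
key authentication cipher <REDACTED>
radius scheme radius2
primary authentication 192.168.0.151 key cipher <REDACTED>
domain jmc
authentication lan-access radius-scheme radius1
domain test
authentication lan-access radius-scheme radius2
interface GigabitEthernet1/0/1
dot1x mandatory-domain jmc
dot1x
interface GigabitEthernet1/0/2
dot1x mandatory-domain test
dot1x
"""
# A lone "#" ends a section; lines after it land in a throwaway bucket.
HEADER = re.compile(r"^(?:(radius scheme|domain|interface) (\S+)|#)$")

def first(lines, prefix, idx):
    """Return field idx of the first line starting with prefix, else None."""
    return next((l.split()[idx] for l in lines if l.startswith(prefix)), None)

def audit(text):
    """Map each 802.1X-enabled port to (domain, scheme, server, chain_ok)."""
    lines = [l.strip() for l in text.splitlines()]
    sections, report, current = {}, {}, []
    for line in lines:
        if m := HEADER.match(line):
            current = sections.setdefault(m.groups(), [])
        else:
            current.append(line)
    default = first(lines, "domain default enable ", 3)
    for (kind, port), body in sections.items():
        if kind == "interface" and "dot1x" in body:
            # Assumption: mandatory-domain on a port overrides the default domain.
            domain = first(body, "dot1x mandatory-domain ", 2) or default
            dom = sections.get(("domain", domain), [])
            scheme = first(dom, "authentication lan-access radius-scheme ", 3)
            sch = sections.get(("radius scheme", scheme), [])
            server = first(sch, "primary authentication ", 2)
            keyed = any("key" in l.split() for l in sch)
            report[port] = (domain, scheme, server, bool(scheme and server and keyed))
    return report
```

A port whose tuple ends in `True` passes items 2 to 4; reachability of the RADIUS server (item 1) still has to be tested from the switch itself.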