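radius server -- 3100v3 switch -- user (test PC, connected to a MAC authentication port on the 3100v3). The radius server shows that authentication succeeded, and a packet capture also shows access-accept, but the user cannot ping the 3100v3. Logging in to the 3100v3 over the serial port shows that the user is logged off 2 ms after authentication succeeds. Details are below. I cannot find the cause; any advice would be much appreciated. Thanks.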
%Jan 1 04:50:21:704 2013 H3C-3100v7 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Jan 1 04:50:21:706 2013 H3C-3100v7 MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; MAC authentication user was logged off.
%Jan 1 04:51:23:396 2013 H3C-3100v7 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Jan 1 04:51:23:400 2013 H3C-3100v7 MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; MAC authentication user was logged off.
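3100v3: version 7.1.070, Release 6113
MAC authentication is enabled globally and on port 22, which connects to the user test PC.
The MAC authentication username and password use the MAC address by default.
A domain, lan-access, and a radius scheme are configured globally.
802.1x is enabled globally and on port 23, and portbased is enabled on port 23. When the test PC is connected there, it passes authentication with a username and password, and this was verified with ping.
Port 24 connects to the radius server.
Below is the output of display mac-authentication: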
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : MAC address in lowercase(xxxxxxxxxxxx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Reauth period : 3600 s
Authentication domain : Not configured, use default domain
Online MAC-auth wired users : 0
Silent MAC users:
MAC address VLAN ID From port Port index
GigabitEthernet1/0/22 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
Guest VSI : Not configured
Guest VSI auth-period : 30 s
Critical VSI : Not configured
Max online users : 4294967295
Authentication attempts : successful 75, failed 0
Current online users : 0
MAC address Auth state
*Jan 1 06:29:13:065 2013 H3C-3100v7 MACA/7/EVENT: Processing new mac event: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:065 2013 H3C-3100v7 MACA/7/EVENT: State changed from Initialize to Authenticating: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:066 2013 H3C-3100v7 MACA/7/EVENT: User is being authenticated with name 000000000012 and password ***: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:066 2013 H3C-3100v7 MACA/7/EVENT: Started server timeout timer:Length=100(s), UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:066 2013 H3C-3100v7 MACA/7/EVENT: MACA authentication begin set IP Address to PAM.
*Jan 1 06:29:13:068 2013 H3C-3100v7 MACA/7/EVENT: AAA processed authentication request: Result=Processing, UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:068 2013 H3C-3100v7 MACA/7/EVENT: Notified PortSec of new MAC processing result 1: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:075 2013 H3C-3100v7 MACA/7/EVENT: Received authentication response with code 0: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
%Jan 1 06:29:13:075 2013 H3C-3100v7 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; User passed MAC authentication and came online.
*Jan 1 06:29:13:075 2013 H3C-3100v7 MACA/7/EVENT: State changed from Authenticating to Authenticated: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:075 2013 H3C-3100v7 MACA/7/EVENT: Deleted server timeout timer:UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:077 2013 H3C-3100v7 MACA/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
*Jan 1 06:29:13:077 2013 H3C-3100v7 MACA/7/EVENT: User logged off: Failing to change state.
%Jan 1 06:29:13:078 2013 H3C-3100v7 MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; MAC authentication user was logged off.
*Jan 1 06:29:13:082 2013 H3C-3100v7 MACA/7/EVENT: A user was deleted: UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
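Solved: although only the authentication function is used, authorization and accounting on the switch must either be completely disabled or fully configured (do not leave them at the default configuration). The design logic does not seem very reasonable to me.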
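Added example (not part of the original thread and not H3C code): a small triage script that correlates the MACA log lines quoted above per MAC address, flags sessions logged off almost immediately after a successful login, and reports whether an authorization failure was logged in between. The 1-second window and the 0000-0000-0034 user in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted in this thread;
# the 0000-0000-0034 user is invented to show a normal, long-lived session.
SAMPLE = """\
%Jan 1 04:50:21:704 2013 H3C-3100v7 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Jan 1 04:50:21:706 2013 H3C-3100v7 MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; MAC authentication user was logged off.
%Jan 1 05:00:00:000 2013 H3C-3100v7 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/21-MACAddr=0000-0000-0034-VLANID=999-Username=000000000034-UsernameFormat=MAC address; User passed MAC authentication and came online.
%Jan 1 05:20:00:000 2013 H3C-3100v7 MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/21-MACAddr=0000-0000-0034-VLANID=999-Username=000000000034-UsernameFormat=MAC address; MAC authentication user was logged off.
%Jan 1 06:29:13:075 2013 H3C-3100v7 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; User passed MAC authentication and came online.
*Jan 1 06:29:13:077 2013 H3C-3100v7 MACA/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0000-0000-0012, VLANID=999, Interface=GigabitEthernet1/0/22.
%Jan 1 06:29:13:078 2013 H3C-3100v7 MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/22-MACAddr=0000-0000-0012-VLANID=999-Username=000000000012-UsernameFormat=MAC address; MAC authentication user was logged off.
"""

LINE = re.compile(r"^[%*](\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+\S+\s+MACA/\d/(\w+):\s*(.*)$")
MAC = re.compile(r"(?:MACAddr|UserMAC)=((?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})")
AUTHZ_FAIL = re.compile(r"AAA processed authorization request: Result=\s*Failure")
AUTHZ = "authorization failed after authentication succeeded"
UNKNOWN = "cause not visible without MACA/7/EVENT debug lines"


def find_flaps(text, window_ms=1000):
    """Return (mac, ms_online, cause) for sessions logged off within window_ms of login."""
    login, authz_failed, findings = {}, set(), []
    for raw in text.splitlines():
        head, mac = LINE.match(raw), MAC.search(raw)
        if not (head and mac):
            continue  # not a MACA line, or no MAC address to correlate on
        ts = datetime.strptime(head.group(1), "%b %d %H:%M:%S:%f %Y")
        kind, body, mac = head.group(2), head.group(3), mac.group(1).lower()
        if kind == "MACA_LOGIN_SUCC":
            login[mac] = ts
            authz_failed.discard(mac)  # start a fresh session for this MAC
        elif kind == "EVENT" and AUTHZ_FAIL.search(body):
            authz_failed.add(mac)
        elif kind == "MACA_LOGOFF" and mac in login:
            ms = (ts - login.pop(mac)) // timedelta(milliseconds=1)
            if ms <= window_ms:
                findings.append((mac, ms, AUTHZ if mac in authz_failed else UNKNOWN))
    return findings


if __name__ == "__main__":
    for mac, ms, cause in find_flaps(SAMPLE):
        print(f"{mac}: logged off {ms} ms after login: {cause}")
```

On the sample, the 04:50 session is flagged with no visible cause because only informational lines exist for it, while the 06:29 session is attributed to the authorization failure that the debug output exposes.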
Hello, I enabled debugging as suggested, but I cannot tell where the problem is. The output is shown below. Thanks.