On a 3010E I changed the VLAN and the address today. In the 802.1x setup done earlier I only changed the RADIUS server address; nothing else in the configuration changed. After the change, user authentication fails, but the server side does receive the packets, and the log says "Network Policy Server denied access to a user". The server-side configuration has been checked and has no problems, and an AC of another brand connected to the same server gets onto the network normally. Basic environment information is as follows:
The 3010E connects to the upstream network through VLAN 1 with address 172.19.1.92/24, which is also the NAS client address; it has been entered and enabled on the RADIUS server. The RADIUS server address is 172.22.21.15, and the AC and the server communicate normally. The configuration script follows:
System View: return to User View with Ctrl+Z.
[H3C]dis cur
#
version 5.20, Release 3507P22
#
sysname H3C
#
domain default enable ***.***
#
telnet server enable
#
dot1x
dot1x authentication-method eap
#
mac-authentication timer offline-detect 180
mac-authentication domain ***.***
#
wlan auto-ap enable
wlan auto-persistent enable
#
password-recovery enable
#
vlan 1
#
vlan 8
#
vlan 10
#
vlan 20
#
vlan 23 to 24
#
vlan 58
#
vlan 62
#
vlan 152
#
vlan 156
#
vlan 200 to 201
#
radius scheme system
server-type extended
primary authentication 172.22.21.15
primary accounting 172.22.21.15
key authentication cipher $c$3$+rDeKpMthm87IQariwjmbBCrDt3tH0hPDw==
key accounting cipher $c$3$EuQC0Cf2dT7eYq1R3TopALBCWifMHNl7Kw==
user-name-format without-domain
radius scheme syste,
radius scheme ***.***
radius scheme sys
#
domain ***.***
authentication lan-access local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain ***.***
authentication lan-access radius-scheme system
authorization lan-access radius-scheme system
accounting lan-access radius-scheme system
access-limit enable 2048
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool 1
network 172.16.1.0 mask 255.255.255.0
gateway-list 172.16.1.1
dns-list 114.114.114.114
#
user-group system
group-attribute allow-guest
#
local-user 286c071a9a85
password cipher $c$3$Bb2g23aKxkSlLWHdQ9e318JUUwg0gh/+SjOTIgqyCA==
service-type lan-access
local-user 2b6c071a4c62
password cipher $c$3$MLRVpQwO2LSBt+ZhL0EUxrjDOElNqGwz8I7ix/fPWg==
service-type lan-access
local-user 38bc1a951d20
password cipher $c$3$AyhBIRy95D9p/Ax2uNJ4IZeghTuwjI4vZhYJQQzzgQ==
service-type lan-access
local-user 6814019bef09
password cipher $c$3$rTw/J2DJJi+Mo3tIJ2JWpiXgLBEsBgF1A91Resb7vg==
service-type lan-access
local-user c85b76720f10
password cipher $c$3$HRSO266Ad15TLGPYTHXQUjiHZ24TofO+arOIT4TPmQ==
service-type lan-access
local-user f0b429ba3d90
password cipher $c$3$AEneMuYyfCJ7puvtYd0Hh/xKZO6WWFK3OEq9wwHj7g==
service-type lan-access
local-user f0b429ba3eaa
password cipher $c$3$khD30UX/NUd9wILbpHDBYFQU5J7kUL4MXJ6owLUxag==
service-type lan-access
local-user guest
password cipher $c$3$IrlPgPyUcrh2xzGaxos/ev49BCsdsryO
authorization-attribute level 3
service-type telnet
service-type web
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 clear
#
wlan service-template 10 crypto
ssid mcczy
bind WLAN-ESS 0
cipher-suite tkip
cipher-suite ccmp
security-ie rsn
service-template enable
#
wlan service-template 100 clear
#
wlan service-template 2 clear
ssid mcczy-guest
bind WLAN-ESS 2
service-template enable
#
wlan service-template 3 crypto
ssid mcczy-admin
beacon ssid-hide
#
wlan service-template 4 clear
ssid mcczy-admin
beacon ssid-hide
bind WLAN-ESS 3
#
wlan ap-group default_group
ap 3c8c-40f2-2cc0
ap 3c8c-40f2-2e00
ap 3c8c-40f2-2ec0
ap 3c8c-40f6-a940
ap 3c8c-40f6-ae40
ap 3c8c-40f6-be60
ap 3c8c-40f6-bf40
ap 3c8c-40f6-bfc0
ap 3c8c-40f6-c020
ap 3c8c-40f6-c2c0
ap 3c8c-40f6-c3a0
ap 3c8c-40f6-c3c0
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
#
interface NULL0
#
interface Vlan-interface1
ip address 172.19.1.92 255.255.255.0
#
interface Vlan-interface8
ip address 192.168.8.112 255.255.255.0
#
interface Vlan-interface10
ip address 172.16.1.1 255.255.255.0
#
interface Vlan-interface24
ip address 192.168.24.3 255.255.255.0
#
interface Vlan-interface58
#
interface Vlan-interface62
#
interface Vlan-interface152
#
interface Vlan-interface156
#
interface Vlan-interface201
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface WLAN-ESS0
port access vlan 58
port-security port-mode userlogin-secure-ext
port-security tx-key-type 11key
undo dot1x handshake
dot1x mandatory-domain ***.***
undo dot1x multicast-trigger
#
interface WLAN-ESS1
#
interface WLAN-ESS2
port access vlan 62
#
interface WLAN-ESS3
port access vlan 201
port-security port-mode mac-authentication
#
interface WLAN-ESS4
#
interface WLAN-MESH1
#
interface WLAN-MESH8
#
wlan ap 3c8c-40f2-2cc0 model WA2620i-AGN id 10
serial-id 219801A0CMC159000001
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f2-2e00 model WA2620i-AGN id 2
serial-id 219801A0CMC159000011
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f2-2ec0 model WA2620i-AGN id 7
serial-id 219801A0CMC159000017
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-a940 model WA2620i-AGN id 11
serial-id 219801A0CMC159001336
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-ae40 model WA2620i-AGN id 4
serial-id 219801A0CMC159001376
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-be60 model WA2620i-AGN id 3
serial-id 219801A0CMC159001505
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-bf40 model WA2620i-AGN id 5
serial-id 219801A0CMC159001512
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-bfc0 model WA2620i-AGN id 9
serial-id 219801A0CMC159001516
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-c020 model WA2620i-AGN id 8
serial-id 219801A0CMC159001519
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-c2c0 model WA2620i-AGN id 6
serial-id 219801A0CMC159001541
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-c3a0 model WA2620i-AGN id 1
serial-id 219801A0CMC159001548
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ap 3c8c-40f6-c3c0 model WA2620i-AGN id 12
serial-id 219801A0CMC159001549
radio 1
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
radio 2
service-template 1
service-template 2
service-template 4
service-template 10
radio enable
#
wlan ips
malformed-detect-policy default
signature deauth_flood signature-id 1
signature broadcast_deauth_flood signature-id 2
signature disassoc_flood signature-id 3
signature broadcast_disassoc_flood signature-id 4
signature eapol_logoff_flood signature-id 5
signature eap_success_flood signature-id 6
signature eap_failure_flood signature-id 7
signature pspoll_flood signature-id 8
signature cts_flood signature-id 9
signature rts_flood signature-id 10
signature addba_req_flood signature-id 11
signature-policy default
countermeasure-policy default
attack-detect-policy default
virtual-security-domain default
attack-detect-policy default
malformed-detect-policy default
signature-policy default
countermeasure-policy default
#
ip route-static 0.0.0.0 0.0.0.0 172.19.1.80
ip route-static 172.0.0.0 255.0.0.0 172.19.1.80
ip route-static 192.168.0.0 255.255.0.0 192.168.8.254
#
undo info-center enable
#
dhcp server forbidden-ip 172.16.1.1 172.16.1.2
#
dhcp enable
#
arp-snooping enable
#
wlan ap-authentication enable
wlan ap-authentication method serial-id
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
return
Best answer
The server side carries the domain name, and there is no certificate.
user-name-format without-domain: the AC side is configured to send the username without the domain; please keep the configuration on both sides consistent. Also, for EAP authentication the server side should need a certificate.
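To make the username-format point concrete, here is an added example in Python (not from the post, the answers, or H3C): it models the RADIUS Access-Request the AC sends for an EAP user and shows what `user-name-format with-domain` versus `without-domain` changes in the User-Name attribute, while the EAP Identity inside EAP-Message still carries whatever the supplicant presented. It also performs the Message-Authenticator check (RFC 3579) a server runs on EAP-carrying requests before any policy is evaluated. The shared secret, user and domain (`alice`, `example.corp`) are constructed values; the post masks the real domain as ***.*** and stores the key as a cipher. The NAS address is the 172.19.1.92 from the post.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the post): the post masks the ISP domain and
# stores the RADIUS key as a cipher. NAS_IP is the NAS client address it gives.
SHARED_SECRET = b"constructed-secret"
NAS_IP = "172.19.1.92"
USER, DOMAIN = "alice", "example.corp"

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def format_user_name(user, domain, without_domain):
    """Model of H3C 'user-name-format with-domain | without-domain': the ISP
    domain is sent as user@domain or stripped in the User-Name attribute."""
    return user if without_domain else f"{user}@{domain}"


def attr(atype, value):
    """One RADIUS TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (RFC 3748): Code 2, Identifier, Length, Type 1, data."""
    data = identity.encode()
    return struct.pack("!BBH", 2, eap_id, 5 + len(data)) + b"\x01" + data


def build_access_request(identifier, request_authenticator, user_name, eap_msg):
    """Access-Request carrying EAP-Message. Message-Authenticator is HMAC-MD5
    over the whole packet with its own value zeroed (RFC 3579, section 3.2)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (attr(ATTR_USER_NAME, user_name.encode())
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap_msg))
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = (struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
              + request_authenticator)
    mac = hmac.new(SHARED_SECRET, header + body, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def find_attr(pkt, atype):
    """Return (offset, value) of the first attribute of that type, else (None, None)."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            break
        if t == atype:
            return pos, pkt[pos + 2:pos + length]
        pos += length
    return None, None


def verify_message_authenticator(pkt, secret):
    """The server's first check on an EAP-carrying request. A failure here means
    the packet is silently discarded, not answered with a reject."""
    pos, mac = find_attr(pkt, ATTR_MESSAGE_AUTHENTICATOR)
    if pos is None or len(mac) != 16:
        return False
    zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def user_name_seen_by_server(pkt):
    """The value a server-side policy condition on User-Name actually matches."""
    _, value = find_attr(pkt, ATTR_USER_NAME)
    return value.decode() if value is not None else None


def demo(without_domain):
    """Build the request the AC would send under one user-name-format setting.
    The supplicant presented user@domain; a fixed Request Authenticator is used
    here only for reproducibility (a real NAS picks a random one)."""
    eap = eap_response_identity(1, f"{USER}@{DOMAIN}")
    name = format_user_name(USER, DOMAIN, without_domain)
    return build_access_request(7, bytes(range(16)), name, eap)


if __name__ == "__main__":
    for setting in (True, False):
        pkt = demo(setting)
        print("without-domain" if setting else "with-domain",
              "-> User-Name:", user_name_seen_by_server(pkt),
              "| Message-Authenticator ok:", verify_message_authenticator(pkt, SHARED_SECRET))
```

Run it and compare the two lines: under `without-domain` the server sees `alice` in User-Name while the EAP Identity still says `alice@example.corp`, which is exactly the inconsistency the answer asks to remove. The Message-Authenticator check is included for the opposite diagnosis: with a wrong shared secret the server discards the request instead of answering, whereas the post's log shows an explicit denial, so the packets are getting past the secret check and failing on identity or policy matching.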