问

用户未能通过802.1X身份验证。

wlan安全

2020-07-10提问

0关注
1收藏，2240浏览

zhiliao_9A29A

zhiliao_9A29A 零段

粉丝：0人关注：1人

问题描述：

设置列表有序列表无序列表对齐方式靠左居中靠右无线控制器：H3C WX3010EAP：H3C 配置信息如下：[ac]display current-configuration # version 5.20, Release 3509P44 # sysname ac # domain default enable nuray # telnet server enable # port-security enable # dot1x quiet-period dot1x authentication-method eap # oap management-ip 192.168.0.101 slot 0 # wlan auto-ap enable wlan auto-persistent enable # password-recovery enable # vlan 1 # radius scheme nuray server-type extended primary authentication 192.168.1.250 primary accounting 192.168.1.250 key authentication cipher $c$3$34Iz7Od5njs2YAfX3Ys4MRv09U+KudeA key accounting cipher $c$3$TPeH3ijgIR+rov7oyrc4wTwy0rfDkBVg timer realtime-accounting 3 undo stop-accounting-buffer enable accounting-on enable # domain nuray authentication lan-access radius-scheme nuray authorization lan-access radius-scheme nuray accounting lan-access radius-scheme nuray access-limit disable state active idle-cut disable self-service-url disable domain system access-limit disable state active idle-cut disable self-service-url disable # user-group system group-attribute allow-guest # local-user admin password cipher $c$3$CDUDtVQDx/xBdnxs3VDYFbC7dAyyrCsK4WRuvq0= authorization-attribute level 3 service-type telnet service-type web # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 load-balance session 35 load-balance rssi-threshold 35 # wlan service-template 2 crypto ssid NURAYTECH bind WLAN-ESS 1 cipher-suite ccmp security-ie rsn service-template enable # wlan ap-group default_group ap 6100 ap 6207 ap 6401 ap 6408 ap 6100-out ap clean-room ap 3c8c-4043-94e0 # interface Bridge-Aggregation1 # interface NULL0 # interface Vlan-interface1 ip address 192.168.1.201 255.255.255.0 # interface GigabitEthernet1/0/1 port link-aggregation group 1 # interface GigabitEthernet1/0/2 port link-aggregation group 1 # interface WLAN-ESS0 port link-type hybrid port hybrid vlan 1 untagged # interface WLAN-ESS1 port-security port-mode userlogin-secure-ext port-security tx-key-type 11key undo dot1x handshake undo dot1x multicast-trigger # interface WLAN-ESS2 # wlan ap 3c8c-4043-94e0 model WA2610i-GN id 1 serial-id 219801A0CKC151000304 radio 1 # wlan ap 6100 model WA4320-ACN id 11 serial-id 210235A1GTC157000488 radio 1 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable radio 2 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable # wlan ap 6100-out model WA2620-AGN-C id 2 serial-id 219801A0KXM155000215 radio 1 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable radio 2 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable # wlan ap 6207 model WA2620-AGN-C id 3 serial-id 219801A0KXM153000313 radio 1 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable radio 2 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable # wlan ap 6401 model WA2620-AGN-C id 4 serial-id 219801A0KXM153000323 radio 1 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable radio 2 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable # wlan ap 6408 model WA4320-ACN id 6 serial-id 210235A1GTC177000526 radio 1 service-template 2 radio enable radio 2 service-template 2 radio enable # wlan ap clean-room model WA2620-AGN-C id 5 serial-id 219801A0KXM153000158 radio 1 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable radio 2 service-template 2 client-rate-limit direction outbound mode static cir 1300000 radio enable # wlan ids whitelist mac-address 0024-d6e6-a334 whitelist mac-address 1002-b524-ec17 whitelist mac-address 1002-b583-6e72 whitelist mac-address 1002-b583-af9f whitelist mac-address 1002-b583-b021 whitelist mac-address 1002-b598-da05 whitelist mac-address 2856-5a7b-dfd7 whitelist mac-address 2856-5a7b-e335 whitelist mac-address 3052-cb7d-59b7 whitelist mac-address 3052-cb7d-5d9b whitelist mac-address 3468-958c-e883 whitelist mac-address 3468-958c-e8d5 whitelist mac-address 3468-958c-f2af whitelist mac-address 34f3-9a7e-185f whitelist mac-address 34f3-9a7e-21a6 whitelist mac-address 4845-2089-7254 whitelist mac-address 5ce0-c5a5-74d1 whitelist mac-address 5ce0-c5a5-74e0 whitelist mac-address 5ce0-c5a5-74ef whitelist mac-address 5ce0-c5a5-7558 whitelist mac-address 5cea-1d68-833f whitelist mac-address 5eea-1d68-833f whitelist mac-address 68ef-43c1-4ffe whitelist mac-address 80ad-16dc-ae6c whitelist mac-address 9c2e-a1dc-0ceb whitelist mac-address 9cb6-d0d7-b8e1 whitelist mac-address a86b-ad0e-5b13 whitelist mac-address a86b-ad0e-5b99 whitelist mac-address a86b-ad33-ec99 whitelist mac-address a86b-ad33-eca1 whitelist mac-address ace0-100f-8475 whitelist mac-address acfd-ce90-920a whitelist mac-address b886-8752-dc2b whitelist mac-address b886-8753-4811 whitelist mac-address ba6b-ad0e-5b13 whitelist mac-address bc83-85d9-d67d whitelist mac-address c48e-8f29-e3a1 whitelist mac-address c48e-8f29-f54d whitelist mac-address c48e-8f29-f54f whitelist mac-address d80f-995d-a005 whitelist mac-address d80f-995e-04e1 whitelist mac-address d80f-996c-92a9 whitelist mac-address d80f-996c-92b1 whitelist mac-address e4a4-710c-aa1c whitelist mac-address e4a4-710c-aa21 whitelist mac-address e4a4-7127-ef7a whitelist mac-address e4a4-7127-ef84 whitelist mac-address e4a4-7127-fab0 whitelist mac-address e4a4-7146-7b34 whitelist mac-address e4a4-71dc-f4ec whitelist mac-address e4a7-a00f-290e whitelist mac-address e4a7-a07f-b674 whitelist mac-address f0d5-bfaa-5a87 whitelist mac-address f0d5-bfd6-d599 whitelist mac-address f0d5-bfd6-d63e whitelist mac-address f859-717c-3d78 # wlan ips malformed-detect-policy default signature deauth_flood signature-id 1 signature broadcast_deauth_flood signature-id 2 signature disassoc_flood signature-id 3 signature broadcast_disassoc_flood signature-id 4 signature eapol_logoff_flood signature-id 5 signature eap_success_flood signature-id 6 signature eap_failure_flood signature-id 7 signature pspoll_flood signature-id 8 signature cts_flood signature-id 9 signature rts_flood signature-id 10 signature addba_req_flood signature-id 11 signature-policy default countermeasure-policy default attack-detect-policy default virtual-security-domain default attack-detect-policy default malformed-detect-policy default signature-policy default countermeasure-policy default # ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 # info-center loghost 192.168.1.194/***.*** # user-interface con 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3之前做了一个Radius 认证。今天上午突然就访问无妨连接这个无线网络了。提示如下：[ac] %Jul 10 17:19:09:478 2020 ac WMAC/6/WMAC_CLIENT_JOIN_WLAN: Client e4a4-710c-aa1c successfully joins WLAN NURAYTECH, on APID 2 with BSSID 3c8c-40d1-02b0. %Jul 10 17:19:09:598 2020 ac 8021X/4/DOT1X_USER_ONLINE_FAIL: -UserName=NURAYTECH\lic-IPAddr=0.0.0.0-IfName=WLAN-DBSS1:3-VlanID=1-MACAddr=E4:A4:71:0C:AA:1C-SSID=NURAYTECH-APMAC=3C:8C:40:D1:02:A0-Type=0-NasId=-NasPortId=-Reason=Rejected by RADIUS server without any message ; User failed to get online. %Jul 10 17:19:42:617 2020 ac WMAC/6/WMAC_CLIENT_GOES_OFFLINE: Client e4a4-710c-aa1c disconnected from WLAN NURAYTECH. Reason code is 1. %Jul 10 17:20:09:498 2020 ac PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE: -IfName=WLAN-DBSS1:3-MACAddr=E4:A4:71:0C:AA:1C-VlanId=1-UserName=NURAYTECH\lic; The user failed the 802.1X authentication. %Jul 10 17:20:10:497 2020 ac PORTSEC/5/PORTSEC_VIOLATION: -IfName=WLAN-DBSS1:3-MACAddr=E4:A4:71:0C:AA:1C-VlanId=-1-IfStatus=Up; Intrusion detected.说是The user failed the 802.1X authentication和Rejected by RADIUS server without any message ; User failed to get online我该如何去解决啊？