Topology as shown in the figure:
The AC acts as the DHCP server and assigns IP addresses to the APs and clients.
VLAN 8 is the control VLAN and VLAN 9 is the service VLAN; centralized forwarding is used.
iMC is the RADIUS server that authenticates, authorizes and accounts for users; wireless users are authenticated with remote 802.1X. The authentication method is PEAP.
AC: WX5540E, Version 7.1.064, Release 5446P06
After 802.1X authentication was configured, PC clients could not authenticate, while mobile phone clients could.
After the device-side configuration had been checked and found correct, debug radius and debug portal were enabled to analyze the authentication failure.
The reply packet is valid.
*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/EVENT:
Decoded reply packet successfully.
*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/PACKET:
EAP-Message=0x04020004
Reply-Message="E63510: Certificate not imported."
Message-Authenticator=0x02c3ca68fcd60808ab1bd9d973d0dc6a
*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/PACKET:
03 2a 00 4f 0d 64 25 c6 df 2d 6e ae f0 6b c0 f8
b5 c7 e6 ae 4f 06 04 02 00 04 12 23 45 36 33 35
31 30 3a 20 43 65 72 74 69 66 69 63 61 74 65 20
6e 6f 74 20 69 6d 70 6f 72 74 65 64 2e 50 12 02
c3 ca 68 fc d6 08 08 ab 1b d9 d9 73 d0 dc 6a
*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/EVENT:
Sent reply message successfully.
*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authentication.
*Nov 6 00:02:20:696 2021 WX5540E-V7 RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 1
%Nov 6 00:02:20:696 2021 WX5540E-V7 DOT1X/5/DOT1X_WLAN_LOGIN_FAILURE: -Username=123456-UserMAC=646e-e0fc-e847-BSSID=80f6-2e4d-1e91-SSID=eap-APName=89-RadioID=2-VLANID=9; A user failed 802.1X authentication.Reason:AAA processed authentication request and return 26.
In the debug radius output the first byte of the reply packet (the RADIUS Code) is 03, which identifies it as an Access-Reject sent by the AAA server to the BAS (the AC acting as NAS). The rejection therefore originates on the server side; the Reply-Message attribute in the same packet, "E63510: Certificate not imported.", already points at the iMC certificate configuration. After the iMC-side configuration had been checked and found correct, the iMC logs were examined for further analysis.
On the "System" tab, open [System Configuration/Log Configuration] in the navigation tree and download the log of the process named uam at log level DEBUG.
In the log:
% 2021-11-04 20:12:20.050 ; [LDBG] ; [33448] ; EAP ; EapTlsAuth.procHshakeData: no data for SSLread returned -1.
This pointed to a certificate problem.
Go to [User] | [Access Policy Management] | [Service Parameter Configuration] | [Certificate Configuration] and click [Server Certificate]: the server certificate had expired.
Mobile phone clients can be configured not to validate the server certificate, which is why they could still authenticate and come online on the AC. Note that such a client also completes PEAP against any rogue AP or RADIUS server presenting an arbitrary certificate, so skipping validation explains the symptom but is not an acceptable permanent configuration.
Re-obtain and install the certificate by following this case:
https://zhiliao.h3c.com/Theme/details/123542
After the certificate was re-obtained and installed, authentication was retried:
The reply packet is valid.
*Nov 6 00:04:23:812 2021 WX5540E-V7 RADIUS/7/EVENT:
Decoded reply packet successfully.
*Nov 6 00:04:23:812 2021 WX5540E-V7 RADIUS/7/PACKET:
User-Name="123456"
MS-MPPE-Receive-Key=******
MS-MPPE-Send-Key=******
EAP-Key-Name=0x19618556968c25d20b203edae3ce49c622d1880db1de906c3636f1dbec6c6501b863ff1da940f6b8e568cdd87c67a0b83b45eb0b182852e9ce85acc278753d65ea
Service-Type=Framed-User
State=0x754c39596d4c4e4b
Class=0x754c39596d4c4e4b
Termination-Action=Default
Session-Timeout=86400
Acct-Interim-Interval=600
H3c-Server-String=[]
EAP-Message=0x030c0004
Message-Authenticator=0xba69514b206e039b8364214cf96130ab
*Nov 6 00:04:23:813 2021 WX5540E-V7 RADIUS/7/PACKET:
02 f5 01 5e 3c 8f 15 93 66 ab 97 9b 7f 2e 8a a1
42 af 98 2f 01 08 31 32 33 34 35 36 1a 3a 00 00
01 37 11 34 c5 65 67 61 42 fc d5 05 fc 04 9e da
ff 0c 72 d4 7c 19 0d c9 b5 6c 52 3b 6b 90 ca 28
f2 94 48 dc b1 c6 d0 14 ff a9 63 c1 fd 07 bf 6c
93 02 04 9f ff ac 1a 3a 00 00 01 37 10 34 cd 35
86 ad 7d 67 2c 46 54 51 ee 24 db 14 45 e0 61 e0
d9 0d 47 5c b5 d2 98 df b1 5c 2f 3a a7 18 58 d9
e4 72 b6 12 67 a4 0b 51 9a 10 78 7c 54 0f ea 0a
66 43 19 61 85 56 96 8c 25 d2 0b 20 3e da e3 ce
49 c6 22 d1 88 0d b1 de 90 6c 36 36 f1 db ec 6c
65 01 b8 63 ff 1d a9 40 f6 b8 e5 68 cd d8 7c 67
a0 b8 3b 45 eb 0b 18 28 52 e9 ce 85 ac c2 78 75
3d 65 ea 06 06 00 00 00 02 18 0a 75 4c 39 59 6d
4c 4e 4b 19 0a 75 4c 39 59 6d 4c 4e 4b 1d 06 00
*Nov 6 00:04:23:813 2021 WX5540E-V7 RADIUS/7/PACKET:
00 00 00 1b 06 00 01 51 80 55 06 00 00 02 58 1a
47 00 00 63 a2 3d 41 36 06 00 00 00 00 37 06 00
00 00 00 38 06 00 00 00 00 3a 06 00 00 00 00 42
06 00 00 00 00 4a 06 00 00 00 00 43 11 52 30 30
33 42 30 35 44 30 34 32 53 50 30 31 3d 0a 75 4c
39 59 6d 4c 4e 4b 4f 06 03 0c 00 04 50 12 ba 69
51 4b 20 6e 03 9b 83 64 21 4c f9 61 30 ab
*Nov 6 00:04:23:814 2021 WX5540E-V7 RADIUS/7/EVENT:
Sent reply message successfully.
*Nov 6 00:04:23:814 2021 WX5540E-V7 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authentication.
*Nov 6 00:04:23:814 2021 WX5540E-V7 RADIUS/7/EVENT:
PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
%Nov 6 00:04:23:814 2021 WX5540E-V7 DOT1X/6/DOT1X_WLAN_LOGIN_SUCC: -Username=123456-UserMAC=646e-e0fc-e847-BSSID=80f6-2e4d-1e91-SSID=eap-APName=89-RadioID=2-VLANID=9; A user passed 802.1X authentication and came online.
*Nov 6 00:04:23:814 2021 WX5540E-V7 RADIUS/7/EVENT:
PAM_RADIUS: Processing RADIUS authorization.
*Nov 6 00:04:23:814 2021 WX5540E-V7 RADIUS/7/EVENT:
PAM_RADIUS: RADIUS Authorization successfully.
%Nov 6 00:04:23:844 2021 WX5540E-V7 STAMGR/6/STAMGR_CLIENT_ONLINE: Client 646e-e0fc-e847 went online from BSS 80f6-2e4d-1e91 vlan 9 with SSID eap on AP 89 Radio ID 2. State changed to Run.
%Nov 6 00:04:23:990 2021 WX5540E-V7 STAMGR/6/STAMGR_CLIENT_SNOOPING: Detected client IP change: Client MAC: 646e-e0fc-e847, IP: 9.9.9.8, -NA-, -NA-, -NA-, Username: 123456, AP name: 89, Radio ID: 2, Channel number: 6, SSID: eap, BSSID: 80f6-2e4d-1e91.
In the debug radius output the Code is now 02, which identifies the packet as an Access-Accept sent by the AAA server to the BAS.
The PC client came online; authentication succeeded.
Troubleshooting showed that the cause was an expired authentication (server) certificate; re-obtaining and importing the certificate resolved the problem.
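To make the Code and attribute reading above reproducible, here is a small parser, added for this case and not part of the original page or of H3C/iMC software, that decodes both hex dumps printed by the AC (the Access-Reject before the fix and the Access-Accept after it) into RADIUS Code, Identifier, Length and attribute list, and pulls out the EAP code carried inside EAP-Message and any Reply-Message text. The attribute and code names come from RFC 2865 and RFC 3748 and the vendor IDs from the IANA enterprise-number registry; nothing else is assumed.

```python
"""Decode the raw RADIUS replies from the 'debug radius' output on this page.

Added example for this case, not code from the original page or from H3C/iMC.
It parses the two hex dumps above (the Access-Reject before the certificate
fix and the Access-Accept after it) and extracts what is read first when
triaging: the RADIUS Code, the EAP code inside EAP-Message, any Reply-Message.
"""
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}            # RFC 2865
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 18: "Reply-Message", 24: "State",
              25: "Class", 26: "Vendor-Specific", 27: "Session-Timeout",
              29: "Termination-Action", 79: "EAP-Message",
              80: "Message-Authenticator", 85: "Acct-Interim-Interval",
              102: "EAP-Key-Name"}

# Parser input: the two packets exactly as the AC dumped them in the debug
# output on this page (copied from the page, not newly constructed data).
REJECT_REPLY = bytes.fromhex("".join("""
03 2a 00 4f 0d 64 25 c6 df 2d 6e ae f0 6b c0 f8
b5 c7 e6 ae 4f 06 04 02 00 04 12 23 45 36 33 35
31 30 3a 20 43 65 72 74 69 66 69 63 61 74 65 20
6e 6f 74 20 69 6d 70 6f 72 74 65 64 2e 50 12 02
c3 ca 68 fc d6 08 08 ab 1b d9 d9 73 d0 dc 6a
""".split()))
ACCEPT_REPLY = bytes.fromhex("".join("""
02 f5 01 5e 3c 8f 15 93 66 ab 97 9b 7f 2e 8a a1
42 af 98 2f 01 08 31 32 33 34 35 36 1a 3a 00 00
01 37 11 34 c5 65 67 61 42 fc d5 05 fc 04 9e da
ff 0c 72 d4 7c 19 0d c9 b5 6c 52 3b 6b 90 ca 28
f2 94 48 dc b1 c6 d0 14 ff a9 63 c1 fd 07 bf 6c
93 02 04 9f ff ac 1a 3a 00 00 01 37 10 34 cd 35
86 ad 7d 67 2c 46 54 51 ee 24 db 14 45 e0 61 e0
d9 0d 47 5c b5 d2 98 df b1 5c 2f 3a a7 18 58 d9
e4 72 b6 12 67 a4 0b 51 9a 10 78 7c 54 0f ea 0a
66 43 19 61 85 56 96 8c 25 d2 0b 20 3e da e3 ce
49 c6 22 d1 88 0d b1 de 90 6c 36 36 f1 db ec 6c
65 01 b8 63 ff 1d a9 40 f6 b8 e5 68 cd d8 7c 67
a0 b8 3b 45 eb 0b 18 28 52 e9 ce 85 ac c2 78 75
3d 65 ea 06 06 00 00 00 02 18 0a 75 4c 39 59 6d
4c 4e 4b 19 0a 75 4c 39 59 6d 4c 4e 4b 1d 06 00
00 00 00 1b 06 00 01 51 80 55 06 00 00 02 58 1a
47 00 00 63 a2 3d 41 36 06 00 00 00 00 37 06 00
00 00 00 38 06 00 00 00 00 3a 06 00 00 00 00 42
06 00 00 00 00 4a 06 00 00 00 00 43 11 52 30 30
33 42 30 35 44 30 34 32 53 50 30 31 3d 0a 75 4c
39 59 6d 4c 4e 4b 4f 06 03 0c 00 04 50 12 ba 69
51 4b 20 6e 03 9b 83 64 21 4c f9 61 30 ab
""".split()))


def parse_radius(raw: bytes) -> dict:
    """Split one RADIUS packet into header fields and (type, value) attributes."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):  # a truncated or padded dump is not worth decoding
        raise ValueError(f"Length field {length} != {len(raw)} bytes captured")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"dangling byte at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": raw[4:20], "attrs": attrs}


def attribute_names(pkt: dict) -> list:
    """Attribute types in wire order, by RFC name where known."""
    return [ATTR_NAMES.get(t, f"type {t}") for t, _ in pkt["attrs"]]


def summarize(pkt: dict) -> dict:
    """Reduce a reply to the fields that decide 'server side or device side'."""
    out = {"radius": RADIUS_CODES.get(pkt["code"], f"code {pkt['code']}")}
    eap = b"".join(v for t, v in pkt["attrs"] if t == 79)  # EAP may span attrs
    if eap:
        out["eap"] = EAP_CODES.get(eap[0], f"eap code {eap[0]}")
    msgs = [v.decode("ascii", "replace") for t, v in pkt["attrs"] if t == 18]
    if msgs:
        out["reply_message"] = " ".join(msgs)
    users = [v.decode("utf-8", "replace") for t, v in pkt["attrs"] if t == 1]
    if users:
        out["user"] = users[0]
    # Vendor-Specific starts with a 4-byte vendor id: 311 = Microsoft, 25506 = H3C
    out["vendors"] = sorted({struct.unpack("!I", v[:4])[0]
                             for t, v in pkt["attrs"] if t == 26 and len(v) >= 4})
    return out


if __name__ == "__main__":
    for label, raw in (("before fix", REJECT_REPLY), ("after fix", ACCEPT_REPLY)):
        pkt = parse_radius(raw)
        print(label, "id", pkt["id"], summarize(pkt))
        print("   ", attribute_names(pkt))
```

Run it directly to print both summaries. The Reject carries an EAP Failure (code 4) in EAP-Message and the server's reason text in Reply-Message, which is the quickest pointer to the iMC side; the Accept carries EAP Success (code 3), the MS-MPPE session keys in Microsoft (vendor 311) attributes and the H3C (vendor 25506) authorization attributes. Message-Authenticator (type 80) is an HMAC-MD5 keyed with the shared secret and computed over the packet with the matching request's authenticator, so it cannot be verified from the reply dump alone.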