知

远程802.1x认证后pc终端无法认证成功，手机用户终端可以认证成功

2021-12-10 发表

0关注
1收藏 2279浏览

zhiliao_ivS3Xs

zhiliao_ivS3Xs 四段

粉丝：1人关注：0人

组网及说明

如图所示组网：

AC作为DHCP server为AP和Client分配IP地址，

Vlan 8为控制vlan，Vlan 9为业务vlan，集中转发

采用iMC作为RADIUS服务器对用户进行认证、授权和计费，对无线用户进行远程802.1X认证。认证方式为peap

AC为WX5540E Version 7.1.064, Release 5446P06

问题描述

配置802.1x认证后pc终端无法认证成功，手机用户终端可以认证成功

过程分析

认证失败在检查了设备测配置无误后使用了debug radius，debug portal来进行分析

The reply packet is valid.

*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/EVENT:

Decoded reply packet successfully.

*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/PACKET:

EAP-Message=0x04020004

Reply-Message="E63510: Certificate not imported."

Message-Authenticator=0x02c3ca68fcd60808ab1bd9d973d0dc6a

*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/PACKET:

03 2a 00 4f 0d 64 25 c6 df 2d 6e ae f0 6b c0 f8

b5 c7 e6 ae 4f 06 04 02 00 04 12 23 45 36 33 35

31 30 3a 20 43 65 72 74 69 66 69 63 61 74 65 20

6e 6f 74 20 69 6d 70 6f 72 74 65 64 2e 50 12 02

c3 ca 68 fc d6 08 08 ab 1b d9 d9 73 d0 dc 6a

*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/EVENT:

Sent reply message successfully.

*Nov 6 00:02:20:695 2021 WX5540E-V7 RADIUS/7/EVENT:

PAM_RADIUS: Processing RADIUS authentication.

*Nov 6 00:02:20:696 2021 WX5540E-V7 RADIUS/7/EVENT:

PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 1

%Nov 6 00:02:20:696 2021 WX5540E-V7 DOT1X/5/DOT1X_WLAN_LOGIN_FAILURE: -Username=123456-UserMAC=646e-e0fc-e847-BSSID=80f6-2e4d-1e91-SSID=eap-APName=89-RadioID=2-VLANID=9; A user failed 802.1X authentication.Reason:AAA processed authentication request and return 26.

通过debug radius看到code为03分析出表示此报文是AAA向BAS发送的认证拒绝响应报文，因此问题原因在服务器侧，在检查了imc侧配置无误后，通过查看日志进行进一步分析

选择“系统管理”页签，单击导航树[系统配置/日志配置]菜单项，下载进程名为uam的日志，日志级别为DEBUG

日志中：

% 2021-11-04 20:12:20.050 ; [LDBG] ; [33448] ; EAP ; EapTlsAuth.procHshakeData: no data for SSLread returned -1.

怀疑证书有问题

进入【用户】|【接入策略管理】|【业务参数配置】|【证书配置】界面中点击【服务器证书】查看证书已过期

因手机终端可以不选择证书认证，所以可以成功上线到AC

参考以下案例重新获取证书并安装

https://zhiliao.h3c.com/Theme/details/123542

证书重新获取安装后重新进行认证

The reply packet is valid.

*Nov 6 00:04:23:812 2021 WX5540E-V7 RADIUS/7/EVENT:

Decoded reply packet successfully.

*Nov 6 00:04:23:812 2021 WX5540E-V7 RADIUS/7/PACKET:

User-Name="123456"

MS-MPPE-Receive-Key=******

MS-MPPE-Send-Key=******

EAP-Key-Name=0x19618556968c25d20b203edae3ce49c622d1880db1de906c3636f1dbec6c6501b863ff1da940f6b8e568cdd87c67a0b83b45eb0b182852e9ce85acc278753d65ea

Service-Type=Framed-User

State=0x754c39596d4c4e4b

Class=0x754c39596d4c4e4b

Termination-Action=Default

Session-Timeout=86400

Acct-Interim-Interval=600

H3c-Server-String=[]

EAP-Message=0x030c0004

Message-Authenticator=0xba69514b206e039b8364214cf96130ab

*Nov 6 00:04:23:813 2021 WX5540E-V7 RADIUS/7/PACKET:

02 f5 01 5e 3c 8f 15 93 66 ab 97 9b 7f 2e 8a a1

42 af 98 2f 01 08 31 32 33 34 35 36 1a 3a 00 00

01 37 11 34 c5 65 67 61 42 fc d5 05 fc 04 9e da

ff 0c 72 d4 7c 19 0d c9 b5 6c 52 3b 6b 90 ca 28

f2 94 48 dc b1 c6 d0 14 ff a9 63 c1 fd 07 bf 6c

93 02 04 9f ff ac 1a 3a 00 00 01 37 10 34 cd 35

86 ad 7d 67 2c 46 54 51 ee 24 db 14 45 e0 61 e0

d9 0d 47 5c b5 d2 98 df b1 5c 2f 3a a7 18 58 d9

e4 72 b6 12 67 a4 0b 51 9a 10 78 7c 54 0f ea 0a

66 43 19 61 85 56 96 8c 25 d2 0b 20 3e da e3 ce

49 c6 22 d1 88 0d b1 de 90 6c 36 36 f1 db ec 6c

65 01 b8 63 ff 1d a9 40 f6 b8 e5 68 cd d8 7c 67

a0 b8 3b 45 eb 0b 18 28 52 e9 ce 85 ac c2 78 75

3d 65 ea 06 06 00 00 00 02 18 0a 75 4c 39 59 6d

4c 4e 4b 19 0a 75 4c 39 59 6d 4c 4e 4b 1d 06 00

*Nov 6 00:04:23:813 2021 WX5540E-V7 RADIUS/7/PACKET:

00 00 00 1b 06 00 01 51 80 55 06 00 00 02 58 1a

47 00 00 63 a2 3d 41 36 06 00 00 00 00 37 06 00

00 00 00 38 06 00 00 00 00 3a 06 00 00 00 00 42

06 00 00 00 00 4a 06 00 00 00 00 43 11 52 30 30

33 42 30 35 44 30 34 32 53 50 30 31 3d 0a 75 4c

39 59 6d 4c 4e 4b 4f 06 03 0c 00 04 50 12 ba 69

51 4b 20 6e 03 9b 83 64 21 4c f9 61 30 ab