Requirement: The customer site is a multi-storey office building. The customer wants a single SSID for unified access, with every floor mapped to the same VLAN; when a terminal moves between floors or reconnects, it should land in the same VLAN so that its access rights stay unchanged.
Network setup: To meet this requirement, MAC address authentication is used on site and successfully authenticated users are authorized so that every connection places them in the same VLAN, preserving their access rights. Since the site has no dedicated RADIUS server, the AC acts as the RADIUS server, authenticating users and assigning their authorization attributes.
Problem: The client associates with the wireless network successfully but goes offline shortly afterwards; the terminal cannot obtain an IP address, and the device log reports an authentication failure.
The device log shows that the test terminal failed authentication and that the wireless disconnect reason is reason code 1:
%Jan 18 14:35:32:195 2016 WX3510E-zhu PORTSEC/6/PORTSEC_MACAUTH_LOGIN_FAILURE: -IfName=WLAN-DBSS1:417-MACAddr=38:59:F9:E9:22:F3-VlanId=1-UserName=3859f9e922f3-UserNameFormat=MAC address; The user failed the MAC address authentication.
%Jan 18 14:35:32:226 2016 WX3510E-zhu WMAC/6/WMAC_CLIENT_GOES_OFFLINE: Client 3859-f9e9-22f3 disconnected from WLAN HG-Office. Reason code is 1.
Analysing the log entry, the MAC address format used for the terminal's access is correct:
%Jan 18 14:35:32:195 2016 WX3510E-zhu PORTSEC/6/PORTSEC_MACAUTH_LOGIN_FAILURE: -IfName=WLAN-DBSS1:417-MACAddr=38:59:F9:E9:22:F3-VlanId=1-UserName=3859f9e922f3-UserNameFormat=MAC address; The user failed the MAC address authentication.
Because authorization attributes have to be delivered to the account as part of the authentication process, the debugging output was examined; it shows that the device did not deliver an authorization VLAN for the authenticated account (AuthorInfo VlanID:0):
*Jan 18 14:35:30:915 2016 WX3510E-zhu PORTSEC/7/Event: Process WLAN MSG:3, user-info:
ModuleID:0xb030000, SrcID:0xffffffff, UserIndex:4294967295
IfIndex:0xc70009, VlanID:1, LogoffCode:0
LeaveFlag:0, AuthorFlag:0
UserName:, SSID:HG-Office
StaMAC:3859-f9e9-22f3, BSSID:5866-bab6-06d0
AuthorInfo:
VlanID:0, Acl:0, UserprofileID:-1
*Jan 18 14:35:30:956 2016 WX3510E-zhu PORTSEC/7/Event: Port:WLAN-DBSS1:417,Receive PORTSEC_RCVMSG_AUTHREQ_PSK_11KEY msg
*Jan 18 14:35:30:976 2016 WX3510E-zhu MACAUTH/7/EVENT: Port:WLAN-DBSS1:417,Portsec received the Mac authenticate request from WLAN.
*Jan 18 14:35:30:996 2016 WX3510E-zhu MACAUTH/7/EVENT: Port:WLAN-DBSS1:417,new mac address 3859-f9e9-22f3
*Jan 18 14:35:31:017 2016 WX3510E-zhu MACAUTH/7/EVENT: Auth:751,Processing node CONNECTING...
*Jan 18 14:35:31:027 2016 WX3510E-zhu MACAUTH/7/EVENT: Auth:751,Processing node connecting trans...
*Jan 18 14:35:31:037 2016 WX3510E-zhu MACAUTH/7/Error:: Auth:751,The user (3859f9e922f3@mac) authentication failed.
*Jan 18 14:35:31:058 2016 WX3510E-zhu PORTSEC/7/Event: Port:WLAN-DBSS1:417,Auth:751,PortSec handling access user(MAC:3859-f9e9-22f3, userIndex:0x000002ef) event(4) of srcMod(11):
*Jan 18 14:35:31:078 2016 WX3510E-zhu MACAUTH/7/EVENT: Port:WLAN-DBSS1:417,Auth:751,PORTSEC HandleAccessUserEvent return 0
*Jan 18 14:35:31:098 2016 WX3510E-zhu MACAUTH/7/EVENT: Auth:751,Processing node RELEASE...
*Jan 18 14:35:31:109 2016 WX3510E-zhu PORTSEC/7/Event: Port:WLAN-DBSS1:417,Auth:751,PortSec handling access user(MAC:3859-f9e9-22f3, userIndex:0x000002ef) event(32) of srcMod(11):
*Jan 18 14:35:31:129 2016 WX3510E-zhu PORTSEC/7/Event: Port:WLAN-DBSS1:417,
Intrusion Protection occurs, NO action!
*Jan 18 14:35:31:149 2016 WX3510E-zhu PORTSEC/7/Event: Port:WLAN-DBSS1:417,PortSec Notify Event Module:0x0b030000, Event:0x00000004, RegEventMask:0x00000f8e, fun:0x81d90d78, ret:0x00000000
Checking the account configuration revealed a bound VLAN (bind-attribute vlan) under the local user. A bound VLAN is a check performed at authentication time: the VLAN the terminal accesses from must match the bound VLAN, otherwise authentication fails. After discussion with the site it turned out this was a configuration error; an authorization VLAN should have been configured instead:
#
local-user 3859f9e922f3
password cipher $c$3$EhA00UwbqM2lMJw8coMqPAr+JFe3LK4emgi8/OB06Q==
bind-attribute vlan 12
service-type lan-access
#
After deleting the bound VLAN under the account and adding an authorization VLAN, the terminal reconnected and authenticated successfully; checking the access VLAN confirmed it was correct.
#
local-user 3859f9e922f3
password cipher $c$3$EhA00UwbqM2lMJw8coMqPAr+JFe3LK4emgi8/OB06Q==
authorization-attribute vlan 12
service-type lan-access
#
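As an added illustration (not part of the original case), the script below models the distinction the case turns on: it parses the PORTSEC_MACAUTH_LOGIN_FAILURE line, reads the local-user stanza from the AC configuration, and reports whether a bound VLAN check is failing or an authorization VLAN would be assigned. The sample log line and configuration are constructed from the values shown above; the cipher text is a placeholder.

```python
import re

# Constructed sample input, with values taken from the case above: the PORTSEC failure
# line and the two local-user stanzas (cipher text replaced by a placeholder).
FAILURE_LOG = ("%Jan 18 14:35:32:195 2016 WX3510E-zhu PORTSEC/6/PORTSEC_MACAUTH_LOGIN_FAILURE: -IfName=WLAN-DBSS1:417"
               "-MACAddr=38:59:F9:E9:22:F3-VlanId=1-UserName=3859f9e922f3-UserNameFormat=MAC address; The user failed the MAC address authentication.")
WRONG_CFG = "local-user 3859f9e922f3\n password cipher <PLACEHOLDER>\n bind-attribute vlan 12\n service-type lan-access\n"
FIXED_CFG = WRONG_CFG.replace("bind-attribute", "authorization-attribute")
FAIL_RE = re.compile(r"PORTSEC_MACAUTH_LOGIN_FAILURE:.*-MACAddr=([0-9A-Fa-f:]+)-VlanId=(\d+)-UserName=(\w+)-")

def parse_failure(line):
    """Extract MAC, access VLAN and user name from a PORTSEC_MACAUTH_LOGIN_FAILURE message."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    return {"mac": m.group(1), "access_vlan": int(m.group(2)), "user": m.group(3)}

def parse_local_users(cfg):
    """Collect the bind-attribute / authorization-attribute VLAN of each local-user stanza."""
    users, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("local-user "):
            cur = line.split()[1]
            users[cur] = {"bind_vlan": None, "auth_vlan": None}
        elif cur and line.startswith("bind-attribute vlan "):
            users[cur]["bind_vlan"] = int(line.split()[-1])
        elif cur and line.startswith("authorization-attribute vlan "):
            users[cur]["auth_vlan"] = int(line.split()[-1])
    return users

def evaluate(user, access_vlan):
    """Model the semantics the case describes: a bound VLAN is a check on the VLAN the client
    arrives in; an authorization VLAN is assigned after success. Returns (authenticated, final VLAN)."""
    if user["bind_vlan"] is not None and user["bind_vlan"] != access_vlan:
        return False, None
    return True, user["auth_vlan"] if user["auth_vlan"] is not None else access_vlan

def diagnose(log_line, cfg):
    """Correlate a failure log line with the AC's local-user config and name the likely cause."""
    ev = parse_failure(log_line)
    if ev is None:
        return "not a MAC authentication failure line"
    user = parse_local_users(cfg).get(ev["user"])
    if user is None:
        return f"no local-user {ev['user']} configured on the AC"
    ok, vlan = evaluate(user, ev["access_vlan"])
    if not ok:
        return f"{ev['mac']} arrived in VLAN {ev['access_vlan']} but local-user {ev['user']} binds VLAN {user['bind_vlan']}; use authorization-attribute vlan instead"
    return f"{ev['mac']} authenticates and is placed in VLAN {vlan}"
```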