Port-based 802.1x with Microsoft's RADIUS (IAS)

    Hi everyone,

    Could you help me with the following case:

    I am deploying port-based 802.1x on a 2950 switch, authenticating against Microsoft's RADIUS (using IAS). My IAS deployment doesn't seem to have succeeded. First, I used Cisco's ACS and it worked; then I switched to IAS and it didn't.

    I went to the Microsoft site, read the IAS help file and configured it following the instructions, but it still doesn't work. While debugging, an error appears: running 'show dot1x interface f0/4' reports the port as unauthorised (I did not configure or enable the authorised feature). Here is the switch configuration file:

    The DC (RADIUS server) is on the same subnet, with IP 192.168.1.100 (VLAN 1)


    aaa new-model
    aaa authentication dot1x default group radius
    !
    username nsp privilege 15 password 0 nsp
    ip subnet-zero
    !
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    !

    !
    interface FastEthernet0/1
    spanning-tree portfast
    !
    interface FastEthernet0/2
    switchport mode access
    dot1x port-control auto
    dot1x guest-vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/3
    switchport mode access
    dot1x port-control auto
    dot1x guest-vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/4
    switchport mode access
    dot1x port-control auto
    dot1x guest-vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/5
    spanning-tree portfast
    !
    interface FastEthernet0/6
    spanning-tree portfast


    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    interface Vlan2
    ip address 172.16.1.254 255.255.255.0
    ip helper-address 192.168.1.100
    no ip route-cache
    shutdown
    !
    ip http server
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key abc
    radius-server retransmit 3

    Switch#sho ip int b
    Interface IP-Address OK? Method Status Protocol
    Vlan1 192.168.1.254 YES manual up up
    Vlan2 172.16.1.254 YES manual administratively down down
    FastEthernet0/1 unassigned YES unset up up
    Switch#sho dot1x interface f0/4
    Supplicant MAC 001c.c063.a4d1

    AuthSM State = HELD
    BendSM State = IDLE
    PortStatus = UNAUTHORIZED
    MaxReq = 2
    HostMode = Single
    Port Control = Auto
    QuietPeriod = 60 Seconds
    Re-authentication = Disabled
    ReAuthPeriod = 3600 Seconds
    ServerTimeout = 30 Seconds
    SuppTimeout = 30 Seconds
    TxPeriod = 30 Seconds
    Guest-Vlan = 2

    Turning on debug shows:


    01:05 dot1x-registry:dot1x_port_linkchange invoked on interface FastEthernet0/4
    01:05 dot1x-registry:dot1x_port_linkcomingup invoked on interface FastEthernet0/4
    01:05 dot1x-ev:dot1x_port_enable: set dot1x ask handler on interface FastEthernet0/4
    01:05:50: dot1x_auth Fa0/4: initial state auth_initialize has enter
    01:05 dot1x-sm:Fa0/4:0000.0000.0000:auth_initialize_enter called
    01:05 dot1x-ev:auth_initialize_enter:0000.0000.0000: Current ID=0
    01:05 dot1x_auth Fa0/4:
    Switch# during state auth_initialize, got event 0(cfg_auto)
    01:05 @@@ dot1x_auth Fa0/4: auth_initialize -> auth_disconnected
    01:05 dot1x-sm:Fa0/4:0000.0000.0000:auth_disconnected_enter_action called
    01:05 dot1x-sm:
    dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_UNAUTHORIZED
    01:05 dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/4
    01:05 dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
    01:05 dot1x-ev:dot
    Switch#1x_update_port_status: using mac 0000.0000.0000 to send port to unauthorized on vlan 0
    01:05 dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CDA378
    01:05:50: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on FastEthernet0/4
    01:05 dot1x-ev: GuestVlan configured=0
    01:05 dot1x-ev:supplicant 0000.0000.0000 is default
    01:05 dot1x-ev:supplicant 0000.0000.0000 is last
    01:05 dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CDA3780
    Switch#1:05 dot1x-ev:0000.0000.0000 is now unauthorized on port FastEthernet0/4
    01:05 dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/4
    01:05 dot1x-ev:Enter function dot1x_aaa_acct_end
    01:05 dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CDA378
    01:05 dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CDA378
    01:05 dot1x_auth Fa0/4: idle during state auth_disconnected
    01:05 @@@ dot1x_auth Fa0/4: auth_disconnected -> auth_connecting
    01:05 dot1x-sm:Fa0/4:0000.0000.0000:auth_connecting_enter called
    01:05 dot1x_bend Fa0/4: initial state dot1x_bend_initialize has enter
    01:05 dot1x-sm:Dot1x Initialize State Entered
    01:05:50: dot1x_bend Fa0/4: initial state dot1x_bend_initialize has idle
    01:05:50: dot1x_bend Fa0/4: during state dot1x_bend_initialize, got event 16383(idle)
    01:05 @@@ dot1x_bend Fa0/4: dot1x_bend_initialize -> dot1x_bend_idle
    01:05 dot1x-smot1x Idle State Entered
    01:05 dot1x-ev:Created port supplicant block 0000.0000.0000 expected_id=0 current_id=0
    01:05 dot1x-ev:dot1x_init_sb_oper_infoefault port supplicant at memloc 80CDA378
    01:05 dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/4
    01:05 dot1x-ev:
    dot1x_post_message_to_auth_sm:0000.0000.0000: Sending TX_FAIL
    01:05 dot1x-ev:dot1x_post_message_to_auth_sm:0000.0000.0000: Current ID=1
    01:05 dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/4
    01:05 dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/4)
    01:05 dot1x-registry:registry:dot1x_ether_macaddr called
    01:05 dot1x-packet:Tx sa=0015.6243.af44, da=0180.c200.0003, et 888E (Fa0/4)
    01:05 dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/4
    01:05 dot1x-ev:dot1x_post_message_to_auth_sm: Tx for req_id for supplicant 0000.0000.0000
    01:05 dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/4
    01:05 dot1x-packet:Tx EAP-Request(Id), id 1, ve
    Switch#r 1, len 5 (Fa0/4)
    01:05 dot1x-registry:registry:dot1x_ether_macaddr called
    01:05 dot1x-packet:Tx sa=0015.6243.af44, da=0180.c200.0003, et 888E (Fa0/4)
    01:05 dot1x-ev:Received an EAPOL frame on interface FastEthernet0/4
    01:05 dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/4)
    01:05 dot1x-packet:Rx sa=001c.c063.a4d1, da=0180.c200.0003, et 888E (Fa0/4)
    01:05 dot1x-ev:Couldn't find a supplicant block for mac 001c.c063.a4d1
    01:05 dot1x-ev:Found a supplicant block for mac 0000.0000.0000 80CDA378
    01:05 dot1x_auth Fa0/4: initial state auth_initialize has enter
    01:05 dot1x-sm:Fa0/4:001c.c063.a4d1:auth_initialize_enter called
    01:05 dot1x-ev:auth_initialize_enter:001c.c063.a4d1: Current ID=0
    01:05 dot1x_auth Fa0/4: during state auth_initialize, got event 0(cfg_auto)
    01:05 @@@ dot1x_auth Fa0/4: auth_initialize -> auth_disconnected
    01:05 dot1x-sm:Fa0/4:001c.c063.a4d1:auth_disconnected_enter_action called
    01:05 dot1x-sm:
    dot1x_update_por

    01:05 dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:05 dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vl
    Switch#an=0 on FastEthernet0/4
    01:05 dot1x-ev: GuestVlan configured=0
    01:05 dot1x-ev:supplicant 001c.c063.a4d1 is last
    01:05 dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:05 dot1x-ev:001c.c063.a4d1 is now unauthorized on port FastEthernet0/4
    01:05 dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/4
    01:05 dot1x-ev:Enter function dot1x_aaa_acct_end
    01:05 dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    Switch#
    01:05:51: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:05 dot1x_auth Fa0/4: idle during state auth_disconnected
    01:05 @@@ dot1x_auth Fa0/4: auth_disconnected -> auth_connecting
    01:05 dot1x-sm:Fa0/4:001c.c063.a4d1:auth_connecting_enter called
    01:05 dot1x_bend Fa0/4: initial state dot1x_bend_initialize has enter
    01:05 dot1x-smot1x Initialize State Entered
    01:05 dot1x_bend Fa0/4: initial state dot1x_bend_initialize has idle01:05
    Switch# dot1x_bend Fa0/4: during state dot1x_bend_initialize, got event 16383(idle)
    01:05 @@@ dot1x_bend Fa0/4: dot1x_bend_initialize -> dot1x_bend_idle
    01:05 dot1x-sm:Dot1x Idle State Entered
    01:05 dot1x-ev:Created port supplicant block 001c.c063.a4d1 expected_id=1 current_id=1
    01:05:51: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/4
    01:05 dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/4
    01:05 dot1x-ev:dot1x
    Switch#_post_message_to_auth_sm: Tx for req_id for supplicant 001c.c063.a4d1
    01:05 dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/4
    01:05 dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/4)
    01:05 dot1x-registry:registry:dot1x_ether_macaddr called
    01:05 dot1x-packet:Tx sa=0015.6243.af44, da=0180.c200.0003, et 888E (Fa0/4)
    01:05 %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
    Switch#
    01:06:05: dot1x-ev:Received an EAPOL frame on interface FastEthernet0/4
    01:06:05: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 27 (Fa0/4)
    01:06:05: dot1x-packet:Rx sa=001c.c063.a4d1, da=0180.c200.0003, et 888E (Fa0/4)
    01:06:05: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640

    01:06:05: dot1x_auth Fa0/4: during state auth_connecting, got event 6(rxRespId)
    01:06:05: @@@ dot1x_auth Fa0/4: auth_connecting -> auth_authenticating
    01:06:05: dot1x-sm:Fa0/4:001c.c063.a4d1:auth_c
    Switch#onnecting_exit alled
    01:06:05: dot1x-sm:Fa0/4:001c.c063.a4d1:auth_authenticating_enter called
    01:06:05: dot1x-ev:sending AUTH_START to BEND for supp_info=80D1E640
    01:06:05: dot1x-sm:Fa0/4:001c.c063.a4d1:auth_connecting_authenticating_ac tion called
    01:06:05: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D1E640
    01:06:05: dot1x_bend Fa0/4: during state dot1x_bend_idle, got event 1(auth_start)
    01:06:05: @@@ dot1x_bend Fa0/4: dot1x_bend_idle -> dot1x_bend_response
    01:06:05: dot1x-s
    Switch#m:Dot1x Response State Entered for supp_info=80D1E640 hwidb=807A0EEC, swidb=807A2240 on intf=Fa0/4

    01:06:05: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    01:06:05: dot1x-sm:Started the ServerTimeout Timer
    01:06:05: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 27
    01:06:05: dot1x-ev:Got a Request from SP to send it to Radius with id 4294967276
    01:06:05: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
    01:06:06: dot1x-ev:
    Switch#Inserted the request on to list of pending requests
    01:06:06: dot1x-ev:Found a free slot at slot 0
    01:06:06: dot1x-ev:Found a free slot at slot 0
    01:06:06: dot1x-ev:Request id = -20 and length = 27
    01:06:06: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/4
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:Username is abc@nsp.com
    01:06:06: dot1x-ev:MAC Address is 001c.c063.a4d1
    01:06:06: dot1x-ev:RemAddr is 00-1C-C0-
    Switch#63-A4-D1/00-15-62-43-AF-44
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_FAIL)
    01:06:06: dot1x-err:EAP packet not recvd
    01:06:06: dot1x-ev:going to send to backend on SP, length = 4
    01:06:06: dot1x-ev:Received VLAN is No Vlan
    01:06:06: dot1x-ev:Enqueued the response to BackEnd
    01:06:06: dot1x-ev:Enter function dot1x_aaa_acct_end
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E6
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    01:06:06: dot1x-ev:Dot1x matching request-response id 4294967276 found
    01:06:06: dot1x-ev:Length of recv eap packet from radius = 4
    01:06:06: dot1x-ev:Received VLAN Id -1
    01:06:06: dot1x_bend Fa0/4: during state dot1x_bend_response, got event 3(afail)
    01:06:06: @@@ dot1x
    Switch#_bend Fa0/4: dot1x_bend_response -> dot1x_bend_fail
    01:06:06: dot1x-sm:Dot1x Failure State Entered
    01:06:06: dot1x-ev:dot1x_bend_fail_enter:001c.c063.a4d1: Current ID=0
    01:06:06: dot1x-ev:dot1x_bend: Sending Radius Response to Supplicant of length 4
    01:06:06: dot1x-ev:Transmitting an EAPOL frame on FastEthernet0/4
    01:06:06: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/4)
    01:06:06: dot1x-registry:registry:dot1x_ether_macaddr called
    01:06:06: dot1x-packet:Tx sa=0015.6243.af44, da=0180.c200.0
    Switch#003, et 888E (Fa0/4)
    01:06:06: dot1x_bend Fa0/4: idle during state dot1x_bend_fail
    01:06:06: @@@ dot1x_bend Fa0/4: dot1x_bend_fail -> dot1x_bend_idle
    01:06:06: dot1x-sm:Dot1x Idle State Entered
    01:06:06: dot1x_auth Fa0/4: during state auth_authenticating, got event 8(authFail)
    01:06:06: @@@ dot1x_auth Fa0/4: auth_authenticating -> auth_held
    01:06:06: dot1x-sm:Fa0/4:001c.c063.a4d1:auth_held_enter called
    01:06:06: dot1x-sm:
    dot1x_update_port_status called with port_status = DOT1X_PORT_STATUS_
    Switch#UNAUTHORIZED
    01:06:06: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/4
    01:06:06: dot1x-ev:dot1x_update_port_status: Called with host_mode=0 state UNAUTHORIZED
    01:06:06: dot1x-ev:dot1x_update_port_status: using mac 001c.c063.a4d1 to send port to unauthorized on vlan 0
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:dot1x_port_unauthorized: Host-mode=0 radius/guest vlan=0 on FastEthernet0/4
    01:06:06: dot1x-ev: Gue
    Switch#stVlan configured=0
    01:06:06: dot1x-ev:supplicant 001c.c063.a4d1 is last
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:001c.c063.a4d1 is now unauthorized on port FastEthernet0/4
    01:06:06: dot1x-ev:dot1x_port_cleanup_author: cleanup author on interface FastEthernet0/4
    01:06:06: dot1x-ev:Enter function dot1x_aaa_acct_end
    01:06:06: dot1x-ev:Found a supplicant block for mac 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:Found a supplicant block for ma
    Switch#c 001c.c063.a4d1 80D1E640
    01:06:06: dot1x-ev:auth_held_enter:001c.c063.a4d1: Current ID=1
    01:06:06: dot1x-sm:Fa0/4:001c.c063.a4d1:auth_authenticating_held_action called
    01:06:06: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/4
    01:06:06: dot1x-ev:dot1x_post_message_to_auth_sm: cleanup author from interface FastEthernet0/4
    One more question: does Cisco's ACS support port-based authentication on 3Com switches? Because I couldn't authenticate even though I selected RADIUS IETF.
    Thanks a lot, everyone
    TRAN VAN THANH
    090 6778 447
    email: thanhtrannsp@gmail.com

    Data Center management solutions
    Network cabling test solutions.
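Reading the debug output quoted above is easier with a small script. The following is an added example, not the poster's or Cisco's code: it re-joins lines that the console prompt split, lists the state-machine transitions, the dot1x-err lines and the EAP packets, and reports whether the port went to held right after the identity round, before any EAP method was exchanged, which is what the quoted output shows. Message formats and state names are taken from the post; the classification labels are my own.

```python
import re
# Excerpt of the debug output quoted in the post above; the "Switch#" prompt
# splitting one line in two is kept exactly as it appears there.
SAMPLE_LOG = """\
01:06:05: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 27 (Fa0/4)
01:06:05: @@@ dot1x_auth Fa0/4: auth_connecting -> auth_authenticating
01:06:05: @@@ dot1x_bend Fa0/4: dot1x_bend_idle -> dot1x_bend_response
01:06:06: dot1x-err:Dot1x Authentication failed (AAA_AUTHEN_STATUS_FAIL)
01:06:06: dot1x-err:EAP packet not recvd
01:06:06: @@@ dot1x
Switch#_bend Fa0/4: dot1x_bend_response -> dot1x_bend_fail
01:06:06: dot1x-packet:Tx EAP-Failure, id 0, ver 1, len 4 (Fa0/4)
01:06:06: @@@ dot1x_auth Fa0/4: auth_authenticating -> auth_held
"""
PROMPT = "Switch#"
TRANSITION = re.compile(r"@@@ (\w+) (\S+): (\w+) -> (\w+)")
ERROR = re.compile(r"dot1x-err:(.*)")
PACKET = re.compile(r"dot1x-packet:(Tx|Rx) (EAP[\w-]+(?:\([^)]*\))?)")

def unsplit(text):
    """Re-join debug lines that the console prompt broke in two."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(PROMPT) and lines:
            lines[-1] += raw[len(PROMPT):]
        else:
            lines.append(raw)
    return lines

def analyse(text):
    """Collect state-machine transitions, dot1x-err lines and EAP packets."""
    result = {"transitions": [], "errors": [], "packets": [], "final": {}}
    for line in unsplit(text):
        if m := TRANSITION.search(line):
            sm, intf, src, dst = m.groups()
            result["transitions"].append((sm, intf, src, dst))
            result["final"][(sm, intf)] = dst   # last state seen per machine
        if m := ERROR.search(line):
            result["errors"].append(m.group(1).strip())
        if m := PACKET.search(line):
            result["packets"].append(f"{m.group(1)} {m.group(2)}")
    return result

def summary(result):
    """Did the port fail before any EAP method ran (identity round only)?"""
    held = any(sm == "dot1x_auth" and st == "auth_held"
               for (sm, _), st in result["final"].items())
    methods = [p for p in result["packets"]
               if p.startswith("Rx EAP-Response") and "(Id)" not in p]
    return ("no-failure-seen" if not held else
            "failed-after-identity" if not methods else "failed-during-eap-method")
```

A "failed-after-identity" result means the RADIUS server answered the first identity response with a failure and the switch never saw an EAP method round, so the next thing to check is the server side (its policy match and the shared secret for this client) rather than the supplicant.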