We run a RADIUS server on our LAN, and I can authenticate against it when I connect to that server directly.
However, when we want clients to connect through our switch (Cisco 3750, version 12.2(55)SE7), our server never receives any request.
When we try to authenticate our user "bob", all we get is the following debug output (on the switch):
*Mar 1 04:02:53.847: %AUTHMGR-5-START: Starting 'dot1x' for client (5404.a631.e7dc) on Interface Gi1/0/11 AuditSessionID C0A802020000001C00DE6117
*Mar 1 04:02:53.855: RADIUS/ENCODE(00000028):Orig. component type = DOT1X
*Mar 1 04:02:53.855: RADIUS(00000028): Config NAS IP: 192.168.1.2
*Mar 1 04:02:53.855: RADIUS/ENCODE(00000028): acct_session_id: 39
*Mar 1 04:02:53.855: RADIUS(00000028): sending
*Mar 1 04:02:53.855: RADIUS(00000028): Send Access-Request to 192.168.69.201:1812 id 1645/57, len 195
*Mar 1 04:02:53.855: RADIUS: authenticator D7 81 62 F3 A3 9D 05 9E - 98 F5 F4 48 4A 05 3F 99
*Mar 1 04:02:53.855: RADIUS: User-Name [1] 5 "bob"
*Mar 1 04:02:53.855: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 04:02:53.855: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 04:02:53.855: RADIUS: Called-Station-Id [30] 19 "00-0F-23-01-DA-8B"
*Mar 1 04:02:53.855: RADIUS: Calling-Station-Id [31] 19 "54-04-A6-31-E7-DC"
*Mar 1 04:02:53.855: RADIUS: EAP-Message [79] 10
*Mar 1 04:02:53.855: RADIUS: 02 01 00 08 01 62 6F 62 [ bob]
*Mar 1 04:02:53.855: RADIUS: Message-Authenticato[80] 18
*Mar 1 04:02:53.855: RADIUS: 92 DE CA B6 10 03 8C 0F 00 70 4D 3C 8C FA FC 68 [ pM<h]
*Mar 1 04:02:53.855: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 04:02:53.855: RADIUS: Vendor, Cisco [26] 49
*Mar 1 04:02:53.855: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802020000001C00DE6117"
*Mar 1 04:02:53.855: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 04:02:53.855: RADIUS: NAS-Port [5] 6 50111
*Mar 1 04:02:53.855: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/11"
*Mar 1 04:02:53.855: RADIUS: NAS-IP-Address [4] 6 192.168.1.2
*Mar 1 04:02:53.855: RADIUS(00000028): Started 30 sec timeout
*Mar 1 04:03:15.724: RADIUS(00000027): Request timed out
*Mar 1 04:03:15.724: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/56
*Mar 1 04:03:15.724: RADIUS(00000027): Started 30 sec timeout
*Mar 1 04:03:23.374: RADIUS(00000028): Request timed out
*Mar 1 04:03:23.374: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/57
*Mar 1 04:03:23.374: RADIUS(00000028): Started 30 sec timeout
*Mar 1 04:03:44.069: RADIUS(00000027): Request timed out
*Mar 1 04:03:44.069: RADIUS: No response from (192.168.69.201:1812,1813) for id 1645/56
*Mar 1 04:03:44.069: RADIUS/DECODE: parse response no app start; FAIL
*Mar 1 04:03:44.069: RADIUS/DECODE: parse response; FAIL
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:38:19.392110 IP 192.168.69.75.60075 > 192.168.69.201.radius: RADIUS, Access Request (1), id: 0x5e length: 55
13:38:19.407249 IP 192.168.69.201.radius > 192.168.69.75.60075: RADIUS, Access Accept (2), id: 0x5e length: 20
The server side receives no packets at all, and no iptables rules are configured. Our switch configuration is as follows:
Current configuration : 9050 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
!
username cisco password 0 cisco
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 30
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-24t
system mtu routing 1500
no ip domain-lookup
!
ip dhcp pool 1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.5
domain-name example.com
dns-server 192.168.1.5
!
!
!
!
crypto pki trustpoint TP-self-signed-587324032
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-587324032
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-587324032
certificate self-signed 01
quit
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
!
interface GigabitEthernet1/0/3
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
!
[...]
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
ip address 192.168.3.2 255.255.255.0
!
interface Vlan5
ip address 192.168.5.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan1
!
radius-server attribute 8 include-in-access-req
radius-server host 192.168.69.201 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key pf
radius-server vsa send authentication
!
!
line con 0
!
end
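As an added diagnostic (written for this page, not code from the question or the answer), the following Python tallies the retransmit and "No response" events in the switch's debug radius output per request id, and checks the configuration for whether the radius-server host lies inside a connected interface subnet or is covered by an ip route / ip default-gateway line. The sample strings are constructed from the lines shown above; the regexes assume the IOS 12.2 debug and config formats seen here.

```python
import re
import ipaddress

# Constructed sample: a few of the "debug radius" lines shown in the question.
DEBUG_LOG = """\
*Mar 1 04:02:53.855: RADIUS(00000028): Send Access-Request to 192.168.69.201:1812 id 1645/57, len 195
*Mar 1 04:03:15.724: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/56
*Mar 1 04:03:23.374: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/57
*Mar 1 04:03:44.069: RADIUS: No response from (192.168.69.201:1812,1813) for id 1645/56
"""

# Constructed sample: the routing-relevant lines of the switch configuration above.
SWITCH_CONFIG = """\
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
ip radius source-interface Vlan1
radius-server host 192.168.69.201 auth-port 1812 acct-port 1813
"""

RADIUS_EVENTS = [  # (event kind, regex capturing the server and the request id)
    ('send', re.compile(r'Send Access-Request to (\S+) id (\S+),')),
    ('retry', re.compile(r'Retransmit to \((\S+?),\d+\) for id (\S+)')),
    ('dead', re.compile(r'No response from \((\S+?),\d+\) for id (\S+)')),
]

def summarize_radius_debug(log):
    """Per request id: target server, retransmit count, and whether the switch gave up."""
    stats = {}
    for line in log.splitlines():
        for kind, pat in RADIUS_EVENTS:
            if m := pat.search(line):
                e = stats.setdefault(m.group(2), {'server': m.group(1), 'retransmits': 0, 'no_response': False})
                e['retransmits'] += kind == 'retry'   # bool adds as 0/1
                e['no_response'] |= kind == 'dead'
    return stats

def radius_server_reachability(config):
    """Map each radius-server host to the interface whose connected subnet contains it, to 'routed' if a route or default gateway exists, else None."""
    connected, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r'interface (\S+)', line):
            cur = m.group(1)
        elif (m := re.match(r'\s*ip address (\S+) (\S+)', line)) and cur:
            connected[cur] = ipaddress.ip_interface(f'{m.group(1)}/{m.group(2)}').network
    has_route = bool(re.search(r'^ip (route|default-gateway) ', config, re.M))
    result = {}
    for host in re.findall(r'^radius-server host (\S+)', config, re.M):
        addr = ipaddress.ip_address(host)
        via = next((i for i, net in connected.items() if addr in net), None)
        result[host] = via or ('routed' if has_route else None)
    return result
```

A result of None for a host means the switch has neither a connected subnet nor a configured route toward it, which is worth checking before looking at shared secrets or server-side filtering.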
Answer 1
You need to set the "secret" in the switch's radius host configuration. You should probably also include more details of the radius configuration.