Quick question: do the EAPOL Request/Identity frames sent by a Cisco 3750 switch never carry a VLAN ID? I configured 802.1x on a trunk port, and a packet capture shows that the EAPOL Request/Identity frames it sends have no VLAN tag. Why is there no VLAN tag?
Also, looking at the H3C and Huawei switch manuals, H3C/Huawei switches support both port-based and MAC-based access control. Do Cisco switches only support port-based access control?
The switch model is:
cisco-A20911954#show version
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 02-Dec-10 07:46 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
cisco-A20911954 uptime is 19 weeks, 4 days, 18 hours, 28 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipservicesk9-mz.122-55.SE1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C3750G-24TS-1U (PowerPC405) processor (revision H0) with 131072K bytes of memory.
Processor board ID FOC1446V3VR
Last reset from power-on
6 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 08:17:35:78:D3:00
Motherboard assembly number : 73-10219-09
Power supply part number : 341-0098-02
Motherboard serial number : FOC14464P7H
Power supply serial number : AZS143912L9
Model revision number : H0
Motherboard revision number : A0
Model number : WS-C3750G-24TS-S1U
System serial number : FOC1446V3VR
Top Assembly Part Number : 800-26859-03
Top Assembly Revision Number : B0
Version ID : V05
CLEI Code Number : COMB600BRA
Hardware Board Revision Number : 0x09
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3750G-24TS-1U 12.2(55)SE1 C3750-IPSERVICESK9-M
Configuration register is 0xF
cisco-A20911954#show running-config interface GigabitEthernet1/0/18
Building configuration...
Current configuration : 236 bytes
!
interface GigabitEthernet1/0/18
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 250,4094
switchport mode trunk
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
end
(The port configuration is shown above.)
Checking the H3C and Huawei configuration guides, 802.1x access control supports two methods: port-based and MAC-based.
Checking the manual, the Cisco 3750 supports configuring dot1x on Layer 2 access ports, but not on trunk ports:
The 802.1x protocol is supported on Layer 2 static-access ports, but it is not supported on these port types: Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
The Cisco 3850 supports configuring dot1x on both access and trunk ports:
The IEEE 802.1X protocol is supported only on Layer 2 static-access ports, Layer 2 static-trunk ports
My switch is a 3750, so configuring it on a trunk port is not supported.
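To see on the wire what the capture in the question shows, here is an added example (not from the original post and not Cisco code) that parses an Ethernet frame and reports whether an 802.1Q tag precedes the EAPOL header, then decodes the EAPOL and EAP Request/Identity headers. The two sample frames, the source MAC and the tagged variant are constructed for the demo; VLAN 250 is taken from the trunk's allowed list above.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = "01:80:c2:00:00:03"   # 802.1X PAE group address EAPOL is sent to
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame; report an 802.1Q tag (if any) and the EAPOL/EAP headers."""
    dst, src = mac(frame[0:6]), mac(frame[6:12])
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:            # tagged frame: TCI follows, then the real ethertype
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan_id = tci & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[off:off + 4])
    off += 4
    result = {"dst": dst, "src": src, "tagged": vlan_id is not None, "vlan_id": vlan_id,
              "eapol_version": version, "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type),
              "to_pae_group": dst == PAE_GROUP_MAC}
    if eapol_type == 0 and length >= 4:        # EAP-Packet: decode the EAP header
        code, ident, eap_len = struct.unpack("!BBH", frame[off:off + 4])
        result["eap_code"] = EAP_CODES.get(code, code)
        result["eap_id"] = ident
        if eap_len >= 5:
            result["eap_type"] = frame[off + 4]   # EAP type 1 = Identity
    return result


# Constructed sample: untagged EAP Request/Identity from the authenticator to the PAE group address
REQUEST_IDENTITY_UNTAGGED = bytes.fromhex(
    "0180c2000003" "020000000001" "888e"   # dst PAE group, src (constructed), EAPOL ethertype
    "02" "00" "0005"                        # EAPOL version 2, type EAP-Packet, body length 5
    "01" "01" "0005" "01"                   # EAP Request, id 1, length 5, type Identity
)
# The same payload with an 802.1Q tag for VLAN 250 inserted, to show how a tagged frame would parse
REQUEST_IDENTITY_TAGGED = (REQUEST_IDENTITY_UNTAGGED[:12] + bytes.fromhex("8100" "00fa")
                           + REQUEST_IDENTITY_UNTAGGED[12:])

if __name__ == "__main__":
    for f in (REQUEST_IDENTITY_UNTAGGED, REQUEST_IDENTITY_TAGGED):
        print(parse_eapol_frame(f))
```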
OK, I looked it up, and there really are cases of 802.1x being enabled on a trunk port.
It's normal for an EOL device like the 3750 not to support dot1x on a trunk. However, the 3750 should still support MAB, i.e. authenticating by MAC address, and of course the ordinary username method can be used too.
As for carrying a VLAN ID on the trunk, there is a workaround: configure an ordinary interface in multi-auth mode, then have the RADIUS server push a corresponding profile for each identity. The profile contains the VLAN ID, so the profile delivered via authorization forces a change of the VLAN ID the client uses.
As for the 802.1x access control methods shown in the picture, there should be a more up-to-date explanation.
Cisco devices support four modes: multi-auth, multi-domain, multi-host, single-host (host-mode does not distinguish between 802.1x and MAB).
multi-auth: one interface supports multiple authentications, each independent of the others; supports pushing a VLAN ID and a DACL via the authorization profile.
multi-domain: haven't used this one =_=
multi-host: only one host on the port needs to authenticate; after it authenticates, traffic from multiple hosts is allowed through, and when the authenticated host goes offline the other traffic is blocked.
single-host: the default mode, restricts access to a single device; supports pushing a profile and a DACL.