December 2020

[Original] 802.1X MAB RADIUS using Windows NPS

I recently ran into a problem while setting up 802.1X MAB authentication and want to share it. Switch: 2960X, IOS 152-5.E. RADIUS: Windows Server 2016 NPS.
Problem description:
The NPS log shows that authentication passed, but the client did not obtain an IP address.
A1-2F2-C2960X-OA01#show authentication sessions session-id 0A00C8780000008FBBA074A0 details
Session id=0A00C8780000008FBBA074A0
Interface: GigabitEthernet1/0/3
MAC Address: 002b.675d.431a
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-2b-67-5d-43-1a
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 103s
Common Session ID: 0A00C8780000008FBBA074A0
Acct Session ID: Unknown
Handle: 0x02000061
Current Policy: POLICY_Gi2/0/31
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Method status list:
Method State
mab Authc Success
The interface configuration is as follows:
interface g1/0/3
switchport mode access
switchport access vlan 10
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication event fail action next-method
authentication control-direction in
dot1x pae authenticator
mab
authentication order dot1x mab
authentication priority dot1x mab
dot1x timeout tx-period 10
dot1x max-reauth-req 1
Logs:
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] Received MAB context create from AuthMgr
Mar 18 18:03:01.845: mab-ev: MAB authorizing 002b.675d.431a
Mar 18 18:03:01.845: mab-ev: Created MAB client context 0xCF00005C
Mar 18 18:03:01.845: mab : initial state mab_initialize has enter
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] Sending create new context event to EAP from MAB for 0xCF00005C (002b.675d.431a)
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] MAB authentication started for 0x0DB509D0 (002b.675d.431a)
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] Invalid EVT 9 from EAP
Mar 18 18:03:01.849: mab-sm: [002b.675d.431a, Gi2/0/31] Received event 'MAB_CONTINUE' on handle 0xCF00005C
Mar 18 18:03:01.849: mab : during state mab_initialize, got event 1(mabContinue)
Mar 18 18:03:01.849: @@@ mab : mab_initialize -> mab_authorizing
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a] formatted mac = 00-2b-67-5d-43-1a
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a] created mab pseudo dot1x profile dot1x_mac_auth_002b.675d.431a
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a, Gi2/0/31] Starting MAC-AUTH-BYPASS for 0xCF00005C (002b.675d.431a)
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a, Gi2/0/31] Invalid EVT 9 from EAP
Mar 18 18:03:01.849: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 18 18:03:01.849: RADIUS(00000000): Config NAS IP: 10.0.200.120
Mar 18 18:03:01.849: RADIUS(00000000): Config NAS IPv6: ::
Mar 18 18:03:01.849: RADIUS(00000000): sending
Mar 18 18:03:01.852: RADIUS: Long password processing
Mar 18 18:03:01.852: RADIUS(00000000): Send Access-Request to 10.0.6.51:1812 id 1645/142, len 282
Mar 18 18:03:01.852: RADIUS: authenticator 43 56 31 29 10 65 7E 5E - 5A 99 24 49 5C A7 AB B1
Mar 18 18:03:01.852: RADIUS: User-Name [1] 19 "00-2b-67-5d-43-1a"
Mar 18 18:03:01.852: RADIUS: User-Password [2] 34 *
Mar 18 18:03:01.852: RADIUS: Service-Type [6] 6 Call Check [10]
Mar 18 18:03:01.852: RADIUS: Vendor, Cisco [26] 31
Mar 18 18:03:01.852: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Mar 18 18:03:01.852: RADIUS: Framed-MTU [12] 6 1500
Mar 18 18:03:01.852: RADIUS: Called-Station-Id [30] 19 "84-8A-8D-3B-6E-1F"
Mar 18 18:03:01.852: RADIUS: Calling-Station-Id [31] 19 "00-2B-67-5D-43-1A"
Mar 18 18:03:01.852: RADIUS: Message-Authenticato[80] 18
Mar 18 18:03:01.852: RADIUS: 31 51 EC A5 C8 B4 C5 F3 02 66 80 8E C3 ED 3D B4 [ 1Qf=]
Mar 18 18:03:01.852: RADIUS: EAP-Key-Name [102] 2 *
Mar 18 18:03:01.852: RADIUS: Vendor, Cisco [26] 49
Mar 18 18:03:01.852: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A00C8780000008DBB97BF91"
Mar 18 18:03:01.852: RADIUS: Vendor, Cisco [26] 18
Mar 18 18:03:01.852: RADIUS: Cisco AVpair [1] 12 "method=mab"
Mar 18 18:03:01.852: RADIUS: NAS-IP-Address [4] 6 10.0.200.120
Mar 18 18:03:01.852: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet2/0/31"
Mar 18 18:03:01.852: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 18 18:03:01.852: RADIUS: NAS-Port [5] 6 50231
Mar 18 18:03:01.852: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 18 18:03:01.856: RADIUS(00000000): Started 2 sec timeout
Mar 18 18:03:01.866: RADIUS: Received from id 1645/142 10.0.6.51:1812, Access-Accept, len 84
Mar 18 18:03:01.866: RADIUS: authenticator 83 DD 96 AC 4F AF 81 78 - 5D C6 40 2D DA AC 5F EC
Mar 18 18:03:01.866: RADIUS: Framed-MTU [12] 6 1344
Mar 18 18:03:01.866: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Mar 18 18:03:01.866: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Mar 18 18:03:01.866: RADIUS: Class [25] 46
Mar 18 18:03:01.870: RADIUS: 96 F1 09 1D 00 00 01 37 00 01 02 00 0A 00 06 33 00 00 00 00 91 5A 91 60 A5 C2 51 BF 01 D6 59 06 B7 ED 34 E0 00 00 00 00 00 00 11 4C [ 73Z`QY4L]
Mar 18 18:03:01.870: RADIUS(00000000): Received from id 1645/142
Mar 18 18:03:01.870: mab-ev: [002b.675d.431a, Gi2/0/31] MAB received an Access-Accept for 0xCF00005C (002b.675d.431a)
Mar 18 18:03:01.870: mab-sm: [002b.675d.431a, Gi2/0/31] Received event 'MAB_RESULT' on handle 0xCF00005C
Mar 18 18:03:01.873: mab : during state mab_authorizing, got event 5(mabResult)
Mar 18 18:03:01.873: @@@ mab : mab_authorizing -> mab_terminate
Mar 18 18:03:01.873: mab-ev: [002b.675d.431a, Gi2/0/31] Deleted credentials profile for 0xCF00005C (dot1x_mac_auth_002b.675d.431a)
Mar 18 18:03:01.873: dot1x-ev:[Gi2/0/31] Interface state changed to UP
Mar 18 18:03:01.884: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet2/0/31
Mar 18 18:03:03.823: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/31, changed state to up
Mar 18 18:03:04.827: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/31, changed state to up
Solution: do not use the default authorization configuration; use a custom (named) one instead. Change
aaa authorization network default group dot1x-auth
to
aaa authorization network MAB group dot1x-auth
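As an added diagnostic aid (my own code, not from the original post or from Cisco), a small Python parser for the "debug radius" output above. It groups each received packet's attributes by type number and flags an Access-Accept that carries Tunnel-Type and Tunnel-Medium-Type but no Tunnel-Private-Group-ID (type 81), which is exactly what the Access-Accept in this log looks like. The sample lines are constructed from the post's own output; the attribute type numbers are from RFC 2868.

```python
import re

# Constructed sample modelled on the "debug radius" lines in the post: the Access-Accept
# carries Tunnel-Type and Tunnel-Medium-Type but no Tunnel-Private-Group-ID (type 81).
SAMPLE_LOG = """\
Mar 18 18:03:01.866: RADIUS: Received from id 1645/142 10.0.6.51:1812, Access-Accept, len 84
Mar 18 18:03:01.866: RADIUS: authenticator 83 DD 96 AC 4F AF 81 78 - 5D C6 40 2D DA AC 5F EC
Mar 18 18:03:01.866: RADIUS: Framed-MTU [12] 6 1344
Mar 18 18:03:01.866: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Mar 18 18:03:01.866: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Mar 18 18:03:01.866: RADIUS: Class [25] 46
Mar 18 18:03:01.870: RADIUS(00000000): Received from id 1645/142
"""

HDR_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+), len \d+")
# "<name>[<type>] <len> <value>"; IOS may truncate the name and drop the space before "["
ATTR_RE = re.compile(r"RADIUS: (.+?)\s*\[(\d+)\]\s+\d+\s*(.*)$")
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types


def parse_packets(log: str) -> list[dict]:
    """Group the attribute lines of each received packet, keyed by attribute type number."""
    packets, current = [], None
    for line in log.splitlines():
        hdr = HDR_RE.search(line)
        if hdr:
            current = {"id": hdr.group(1), "code": hdr.group(2), "attrs": {}}
            packets.append(current)
        elif current is None or "RADIUS(" in line:  # "RADIUS(00000000): ..." ends the dump
            current = None
        else:
            attr = ATTR_RE.search(line)
            if attr:  # authenticator and hex-continuation lines do not match and are skipped
                current["attrs"].setdefault(int(attr.group(2)), []).append(attr.group(3).strip())
    return packets


def vlan_assignment_status(pkt: dict) -> str:
    """'none': port keeps its configured VLAN; 'complete': all three RFC 3580 VLAN
    attributes present; 'incomplete:<types>': the NAS has no usable VLAN ID to apply."""
    if pkt["code"] != "Access-Accept":
        return "not-accept"
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    missing = [t for t in needed if t not in pkt["attrs"]]
    if len(missing) == len(needed):
        return "none"
    return "complete" if not missing else "incomplete:" + ",".join(map(str, missing))

for _pkt in parse_packets(SAMPLE_LOG):
    print(_pkt["id"], _pkt["code"], vlan_assignment_status(_pkt))  # 1645/142 Access-Accept incomplete:81
```

Feed it the full "debug radius" output from the switch to see at a glance whether NPS is sending a usable VLAN assignment or only part of one.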
Comments
one-time
Expert
Thanks for sharing, OP!
wuhao0015
Rising star
Thanks for sharing!
zhiinli84786
Beginner
Thanks for sharing, OP.
xuxiaoxunlxl
Beginner
Thanks for sharing, OP!
likuo
Community Member
Hands-on experience.