
Help needed: clients cannot access the network properly after the ISE server goes dead

Posted on 2018-11-26 12:19:32
Last edited by 挨踢小生 on 2018-11-26 12:21

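Asking the experts for advice: what is causing this?

1. Problem description
An ISE server is deployed on the internal network. RADIUS authentication is configured on the access-layer 2960X switch, and authentication is enabled on the ports.
The goal is that after the ISE server goes dead, clients are placed into another usable VLAN so that users can keep working. During testing, both 802.1X and MAB worked normally.
However, when testing the ISE-server-dead case, I found that the client obtains an IP address in the designated VLAN and can access services normally, but after less than a minute of use the connection drops, comes back a minute later, and keeps cycling like this. The switch log is shown below; please help analyze the cause. (AAA authentication, the shared key and the other settings are all correct; 802.1X and MAB both test fine; only the server-dead case keeps misbehaving.)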

2. Symptoms:
Test port configuration
interface GigabitEthernet1/0/3
switchport access vlan 107
switchport mode access
switchport port-security violation  restrict
authentication event fail retry 0 action authorize vlan 107
authentication event server dead action authorize vlan 107
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
storm-control broadcast level 1.00
storm-control multicast level 1.00
spanning-tree portfast
ip dhcp snooping limit rate 10

2960X#show authentication sessions int g1/0/3 de
            Interface:  GigabitEthernet1/0/3
          MAC Address:  3464.a934.cb79
         IPv6 Address:  Unknown
         IPv4 Address:  10.64.126.214
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  22s
    Common Session ID:  0A4100C7000002080F2678FB
      Acct Session ID:  0x000001C5
               Handle:  0x130001B8
       Current Policy:  POLICY_Gi1/0/3
Local Policies:
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/3 (priority 150)
           Vlan Group:  Vlan: 107
Method status list:
       Method           State
         
       mab              Stopped
       dot1x            Authc Failed

Switch log at the time of the fault:
Nov 23 14:47:46: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:47:51: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:47:51: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:48:34: %MAB-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C7000002090F27FB4D
Nov 23 14:48:34: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE
Nov 23 14:48:39: %DOT1X-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C7000002090F27FB4D
Nov 23 14:48:39: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C7000002090F27FB4D
Nov 23 14:48:51: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:48:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:48:57: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:48:57: %MAB-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C70000020C0F28562E
Nov 23 14:48:58: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE
Nov 23 14:49:02: %DOT1X-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C70000020C0F28562E
Nov 23 14:49:03: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C70000020C0F28562E
Nov 23 14:49:57: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:50:02: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:50:02: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:51:02: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:51:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:51:13: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91

Posted on 2018-11-27 14:05:58 from mobile
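Configure deadtime for the RADIUS server: once the RADIUS server is marked dead it is not used for X minutes, and after X minutes it is marked alive and tried again.

Configure an automate-tester on the RADIUS server to speed up the response time.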