Help: clients cannot access the network normally after the ISE server goes dead

挨踢小生
Level 1
This post was last edited by 挨踢小生 on 2018-11-26 12:21
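Asking the experts for advice: what is causing this problem?
1. Problem description
An ISE server is deployed on the internal network. RADIUS authentication is configured on the access-layer 2960X switch, and authentication is enabled on the port,
so that after the ISE server goes dead, clients are placed into another available VLAN and users can keep working. During the testing phase, both the 802.1X and MAB tests were normal.
But when testing the ISE-server-dead scenario, I found that the client obtains an IP address in the designated VLAN and can access services normally, but after less than a minute of use the connection is interrupted, a minute later it is normal again, and this repeats over and over. I checked the logs on the switch, shown below. Experts, please help analyze what is causing this. (The AAA authentication, shared secret and other configuration are all normal, and the 802.1X, MAB and other tests are all normal; only the server-dead case keeps misbehaving.)
2. Symptoms:
Test port configuration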
interface GigabitEthernet1/0/3
switchport access vlan 107
switchport mode access
switchport port-security violation restrict
authentication event fail retry 0 action authorize vlan 107
authentication event server dead action authorize vlan 107
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
storm-control broadcast level 1.00
storm-control multicast level 1.00
spanning-tree portfast
ip dhcp snooping limit rate 10
2960X#show authentication sessions int g1/0/3 de
Interface: GigabitEthernet1/0/3
MAC Address: 3464.a934.cb79
IPv6 Address: Unknown
IPv4 Address: 10.64.126.214
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 22s
Common Session ID: 0A4100C7000002080F2678FB
Acct Session ID: 0x000001C5
Handle: 0x130001B8
Current Policy: POLICY_Gi1/0/3
Local Policies:
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/3 (priority 150)
Vlan Group: Vlan: 107
Method status list:
Method State
mab Stopped
dot1x Authc Failed

When the fault occurs, the switch logs are as follows:
Nov 23 14:47:46: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:47:51: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:47:51: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:48:34: %MAB-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C7000002090F27FB4D
Nov 23 14:48:34: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE
Nov 23 14:48:39: %DOT1X-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C7000002090F27FB4D
Nov 23 14:48:39: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C7000002090F27FB4D
Nov 23 14:48:51: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:48:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:48:57: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:48:57: %MAB-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C70000020C0F28562E
Nov 23 14:48:58: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE
Nov 23 14:49:02: %DOT1X-5-FAIL: Authentication failed for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C70000020C0F28562E
Nov 23 14:49:03: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (3464.a934.cb79) on Interface Gi1/0/1 AuditSessionID 0A4100C70000020C0F28562E
Nov 23 14:49:57: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:50:02: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:50:02: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:51:02: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:51:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:51:13: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91

1 reply

cisco.feng
Spotlight
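Configure a deadtime for the radius server: once the radius server is marked dead, it is not used for X minutes; after X minutes it is marked alive and tried again.
Configure an automate-tester for the radius server to speed up the response time.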
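
An added example, not part of the original thread: a Python script that measures the alive/dead cycle from the RADIUS state-change lines pasted in the question. The "dead" window it reports is the interval that the deadtime setting mentioned in the reply controls. The function names, thresholds and the assumed year 2018 are illustrative choices, not from the thread.

```python
import re
from datetime import datetime

# Lines copied from the switch log in the question (two non-state lines kept to show filtering).
SAMPLE_LOG = """\
Nov 23 14:47:46: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:47:51: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:47:51: %MAB-5-FAIL: Authentication failed for client (0026.8bb0.9873) on Interface Gi1/0/3 AuditSessionID 0A4100C70000000C00015C91
Nov 23 14:48:34: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group ISE
Nov 23 14:48:51: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:48:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:49:57: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:50:02: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
Nov 23 14:51:02: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.64.20.135:1645,1646 is being marked alive.
Nov 23 14:51:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.64.20.135:1645,1646 is not responding.
"""

EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d): %RADIUS-4-RADIUS_(ALIVE|DEAD): "
    r"RADIUS server (\S+?):")

def parse_events(text, year=2018):
    """Return [(timestamp, state, server)]; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def flap_report(text, max_alive_s=30, min_cycles=3):
    """Per server: seconds spent alive before each DEAD and dead before each ALIVE."""
    last, report = {}, {}  # last: server -> (timestamp, state) of previous transition
    for ts, state, server in parse_events(text):
        r = report.setdefault(server, {"alive_s": [], "dead_s": []})
        prev = last.get(server)
        if prev and prev[1] != state:
            key = "alive_s" if prev[1] == "ALIVE" else "dead_s"
            r[key].append(int((ts - prev[0]).total_seconds()))
        last[server] = (ts, state)
    for r in report.values():
        # Flapping: the server is repeatedly marked alive and dies again within seconds.
        short = [s for s in r["alive_s"] if s <= max_alive_s]
        r["flapping"] = len(short) >= min_cycles
    return report

if __name__ == "__main__":
    for server, stats in flap_report(SAMPLE_LOG).items():
        print(server, stats)
```

On the pasted log the server stays marked dead for 60 seconds each time and is marked dead again within seconds of every alive mark, which lines up with the once-a-minute interruption described in the question.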