6975 views | 0 helpful | 10 replies

Cisco ISE 1.2 and H3C 5560 802.1X authentication

nlxnalongxi (Level 1)
Hello everyone!
Because of a business requirement, I need to integrate an H3C switch with ISE and authenticate users with 802.1X.
The debugging captured on the H3C is as follows:
terminal debugging
The current terminal is enabled to display debugging logs.
*Jan 1 06:41:07:650 2013 H3C DOT1X/7/EVENT: Processing interface event.
*Jan 1 06:41:07:651 2013 H3C DOT1X/7/EVENT: Processing interface up event.
%Jan 1 06:41:07:652 2013 H3C IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to up.
%Jan 1 06:41:07:660 2013 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to up.
%Jan 1 06:41:08:148 2013 H3C LLDP/6/LLDP_CREATE_NEIGHBOR: Nearest bridge agent neighbor created on port GigabitEthernet1/0/1 (IfIndex 1), neighbor's chassis ID is 2cfd-a1b1-e4db, port ID is 2cfd-a1b1-e4db.
*Jan 1 06:41:08:239 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=0180-c200-0003
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=1
Packet Length=0
*Jan 1 06:41:08:240 2013 H3C DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:240 2013 H3C DOT1X/7/EVENT: BE is in Initialize state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:240 2013 H3C DOT1X/7/EVENT: PAE is in Restart state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:240 2013 H3C DOT1X/7/EVENT: BE is in Idle state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:240 2013 H3C DOT1X/7/EVENT: PAE is in Connecting state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:241 2013 H3C DOT1X/7/EVENT: PAE is in Authenticating state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:241 2013 H3C DOT1X/7/EVENT: BE is in Request state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:241 2013 H3C DOT1X/7/EVENT: Sending EAP packet: Identifier=1, type=1.
*Jan 1 06:41:08:242 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=2cfd-a1b1-e4db
Source Mac Address=542b-de37-3b3a
VLAN ID=132
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=5
-----Packet Body-----
Code=1
Identifier=1
Length=1280
*Jan 1 06:41:08:286 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=0180-c200-0003
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=25
-----Packet Body-----
Code=2
Identifier=1
Length=25
*Jan 1 06:41:08:286 2013 H3C DOT1X/7/EVENT: BE is in Response state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:286 2013 H3C DOT1X/7/EVENT: Successfully created server timeout timer: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:287 2013 H3C DOT1X/7/EVENT: BE is in Request state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:287 2013 H3C DOT1X/7/EVENT: Sending EAP packet: Identifier=2, type=4.
*Jan 1 06:41:08:288 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=2cfd-a1b1-e4db
Source Mac Address=542b-de37-3b3a
VLAN ID=132
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=22
-----Packet Body-----
Code=1
Identifier=2
Length=5632
*Jan 1 06:41:08:293 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=542b-de37-3b3a
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=32
-----Packet Body-----
Code=2
Identifier=2
Length=32
*Jan 1 06:41:08:293 2013 H3C DOT1X/7/EVENT: BE is in Response state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:294 2013 H3C DOT1X/7/EVENT: Successfully created server timeout timer: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:294 2013 H3C DOT1X/7/EVENT: Sent authentication request: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:296 2013 H3C DOT1X/7/EVENT: AAA processed authentication request: Result=Processing, UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:300 2013 H3C DOT1X/7/EVENT: Received authentication response with code 26: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:301 2013 H3C DOT1X/7/EVENT: BE is in Fail state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:302 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=2cfd-a1b1-e4db
Source Mac Address=542b-de37-3b3a
VLAN ID=132
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=4
-----Packet Body-----
Code=4
Identifier=2
Length=1024
*Jan 1 06:41:08:302 2013 H3C DOT1X/7/EVENT: PAE is in Aborting state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:303 2013 H3C DOT1X/7/EVENT: BE is in Initialize state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:303 2013 H3C DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:303 2013 H3C DOT1X/7/EVENT: BE is in Idle state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:304 2013 H3C DOT1X/7/EVENT: Interface GigabitEthernet1/0/1 received Set the port authorization status to unauthorized event.
*Jan 1 06:41:08:306 2013 H3C DOT1X/7/EVENT: Processing AuthenFail event: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:306 2013 H3C DOT1X/7/EVENT: Notified PortSec of AuthenFail result 2: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:08:317 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=0180-c200-0003
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=6
-----Packet Body-----
Code=2
Identifier=2
Length=6
*Jan 1 06:41:08:317 2013 H3C DOT1X/7/ERROR: Mismatched identifier.
*Jan 1 06:41:13:224 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=0180-c200-0003
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=1
Packet Length=0
*Jan 1 06:41:13:224 2013 H3C DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:224 2013 H3C DOT1X/7/EVENT: BE is in Initialize state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:225 2013 H3C DOT1X/7/EVENT: PAE is in Restart state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:225 2013 H3C DOT1X/7/EVENT: BE is in Idle state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:225 2013 H3C DOT1X/7/EVENT: PAE is in Connecting state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:226 2013 H3C DOT1X/7/EVENT: PAE is in Authenticating state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:226 2013 H3C DOT1X/7/EVENT: BE is in Request state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:226 2013 H3C DOT1X/7/EVENT: Sending EAP packet: Identifier=1, type=1.
*Jan 1 06:41:13:227 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=2cfd-a1b1-e4db
Source Mac Address=542b-de37-3b3a
VLAN ID=132
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=5
-----Packet Body-----
Code=1
Identifier=1
Length=1280
*Jan 1 06:41:13:331 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=542b-de37-3b3a
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=47
-----Packet Body-----
Code=2
Identifier=1
Length=47
*Jan 1 06:41:13:331 2013 H3C DOT1X/7/EVENT: BE is in Response state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:331 2013 H3C DOT1X/7/EVENT: Successfully created server timeout timer: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:332 2013 H3C DOT1X/7/EVENT: BE is in Request state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:332 2013 H3C DOT1X/7/EVENT: Sending EAP packet: Identifier=2, type=4.
*Jan 1 06:41:13:333 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=2cfd-a1b1-e4db
Source Mac Address=542b-de37-3b3a
VLAN ID=132
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=22
-----Packet Body-----
Code=1
Identifier=2
Length=5632
*Jan 1 06:41:13:337 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=542b-de37-3b3a
Source Mac Address=2cfd-a1b1-e4db
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=32
-----Packet Body-----
Code=2
Identifier=2
Length=32
*Jan 1 06:41:13:337 2013 H3C DOT1X/7/EVENT: BE is in Response state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:338 2013 H3C DOT1X/7/EVENT: Successfully created server timeout timer: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:338 2013 H3C DOT1X/7/EVENT: Sent authentication request: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:340 2013 H3C DOT1X/7/EVENT: AAA processed authentication request: Result=Processing, UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:345 2013 H3C DOT1X/7/EVENT: Received authentication response with code 26: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:345 2013 H3C DOT1X/7/EVENT: BE is in Fail state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:346 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Destination Mac Address=2cfd-a1b1-e4db
Source Mac Address=542b-de37-3b3a
VLAN ID=132
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=4
-----Packet Body-----
Code=4
Identifier=2
Length=1024
*Jan 1 06:41:13:347 2013 H3C DOT1X/7/EVENT: PAE is in Aborting state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:347 2013 H3C DOT1X/7/EVENT: BE is in Initialize state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:347 2013 H3C DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:348 2013 H3C DOT1X/7/EVENT: BE is in Idle state: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:348 2013 H3C DOT1X/7/EVENT: Interface GigabitEthernet1/0/1 received Set the port authorization status to unauthorized event.
*Jan 1 06:41:13:350 2013 H3C DOT1X/7/EVENT: Processing AuthenFail event: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:13:350 2013 H3C DOT1X/7/EVENT: Notified PortSec of AuthenFail result 2: UserMAC=2cfd-a1b1-e4db, VLANID=132, Interface=GigabitEthernet1/0/1.
*Jan 1 06:41:15:198 2013 H3C DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/1.
*Jan 1 06:41:15:199 2013 H3C DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/1.
Looking at ISE, the authentication does not pass, and the client itself shows that authentication failed... Why is that?
10 replies
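The debug dump above, worked through as an added example that is not part of the original post: a small Python parser for H3C DOT1X/7/PACKET records that replays the EAP exchange the way the authenticator state machine does, pairing each EAP-Response with the Request still outstanding on the port. It also handles one quirk visible in the dump: the EAP "Length" values (1280, 5632, 1024) are the 16-bit length field printed with its two bytes swapped, so "Length=5632" on a 22-byte EAPOL body is really 22. SAMPLE_LOG is a constructed excerpt trimmed from the dump above (MAC and VLAN lines removed); treating a Response whose Identifier no longer matches an outstanding Request as a dropped frame is my reading of the switch's "Mismatched identifier" error, not something the debug itself documents.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER = re.compile(r"^\*(?P<ts>\S+ \d+ [\d:]+ \d{4}) H3C DOT1X/7/PACKET:")
KV = re.compile(r"^(?P<k>[A-Za-z ]+?)=(?P<v>\S+)\s*$")

@dataclass
class Frame:
    ts: str
    direction: str                  # "rx" = from the supplicant, "tx" = sent by the switch
    eapol_type: int                 # 0 EAP-Packet, 1 EAPOL-Start, 2 EAPOL-Logoff
    eapol_len: int                  # "Packet Length": EAPOL body length in bytes
    code: Optional[int] = None      # EAP Code (1 Request, 2 Response, 3 Success, 4 Failure)
    ident: Optional[int] = None     # EAP Identifier
    eap_len: Optional[int] = None   # "Length" exactly as the debug printed it

    def eap_len_corrected(self) -> Optional[int]:
        # The debug prints the 16-bit EAP Length with its network-order bytes read little-endian
        # (0x0005 shows as 1280). If swapping them back matches the EAPOL body length, use that.
        if self.eap_len is None:
            return None
        swapped = int.from_bytes(self.eap_len.to_bytes(2, "little"), "big")
        return swapped if swapped == self.eapol_len else self.eap_len

def parse_packets(log: str) -> List[Frame]:
    records, cur = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:                                    # start of a packet dump
            records.append(cur := {"ts": m.group("ts")})
        elif line.startswith(("*", "%")):        # any other debug record ends the dump
            cur = None
        elif cur is not None:
            if " a packet on interface " in line:
                cur["dir"] = "rx" if line.startswith("Received") else "tx"
            elif (kv := KV.match(line)):
                cur[kv.group("k")] = kv.group("v")
    return [Frame(r["ts"], r["dir"], int(r["Packet Type"]), int(r["Packet Length"]),
                  *(int(r[k]) if k in r else None for k in ("Code", "Identifier", "Length")))
            for r in records]

def audit(frames: List[Frame]) -> List[str]:
    # Replay the exchange as the authenticator does: a Response is accepted only if it carries
    # the Identifier of the Request still outstanding on the port; anything else is stale.
    findings, outstanding = [], None
    for f in frames:
        if f.eapol_type == 1:                        # EAPOL-Start: supplicant restarts
            outstanding = None
            findings.append(f"{f.ts} EAPOL-Start from supplicant, new round")
        elif f.direction == "tx" and f.code == 1:    # EAP-Request from the switch
            outstanding = f.ident
        elif f.direction == "rx" and f.code == 2:    # EAP-Response from the supplicant
            if f.ident != outstanding:
                findings.append(f"{f.ts} Response id={f.ident} but outstanding Request is "
                                f"{outstanding}: mismatched identifier, frame dropped")
            else:
                outstanding = None
        elif f.direction == "tx" and f.code in (3, 4):
            findings.append(f"{f.ts} EAP-{'Success' if f.code == 3 else 'Failure'} id={f.ident} sent")
            outstanding = None
    return findings

# Constructed excerpt in the same format as the debug above (MAC/VLAN lines trimmed).
SAMPLE_LOG = """\
*Jan 1 06:41:08:239 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Packet Type=1
Packet Length=0
*Jan 1 06:41:08:288 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Packet Type=0
Packet Length=22
Code=1
Identifier=2
Length=5632
*Jan 1 06:41:08:293 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Packet Type=0
Packet Length=32
Code=2
Identifier=2
Length=32
*Jan 1 06:41:08:302 2013 H3C DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/1.
Packet Type=0
Packet Length=4
Code=4
Identifier=2
Length=1024
*Jan 1 06:41:08:317 2013 H3C DOT1X/7/PACKET:
Received a packet on interface GigabitEthernet1/0/1.
Packet Type=0
Packet Length=6
Code=2
Identifier=2
Length=6
*Jan 1 06:41:08:317 2013 H3C DOT1X/7/ERROR: Mismatched identifier.
"""
```

Paste a full `terminal debugging` capture into `parse_packets` and run `audit` on the result. On the excerpt it reports the EAPOL-Start, the EAP-Failure for identifier 2, and then a second Response carrying identifier 2 that arrives after the switch has already sent EAP-Failure for that identifier, which is exactly the point where the switch logs "Mismatched identifier"; `eap_len_corrected()` turns 5632 and 1024 back into 22 and 4 while leaving the correctly printed 32 and 6 alone.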

Brother, did you get it sorted? What was the situation?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Rockyw (Spotlight)
What error does ISE show?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

nlxnalongxi (Level 1)
Rocky wrote on 2019-10-9 22:20:
What error does ISE show?

ISE reports that the user passed authentication, but the IP address is 0.0.0.0, as shown below:
Overview
Event 5200 Authentication succeeded
Username zr_xuhchao
Endpoint Id 2C:FD:A1:B1:E4:DB
Endpoint Profile
Authorization Profile 2LG_PC_ADUser
AuthorizationPolicyMatchedRule 2lg-Wired-802.1x-ADUser
ISEPolicySetName Default
IdentitySelectionMatchedRule Default

Authentication Details
Source Timestamp 2019-10-12 11:25:02.783
Received Timestamp 2019-10-12 11:25:02.784
Policy Server ise-1
Event 5200 Authentication succeeded
Failure Reason
Resolution
Root cause
Username zr_xuhchao
User Type
Endpoint Id 2C:FD:A1:B1:E4:DB
Endpoint Profile
IP Address 0.0.0.0
Identity Store AD-WK-PRODUCTION
Identity Group
Audit Session Id
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
Service Type Framed
Network Device test-ruijie
Device Type Switch
Location 2lg
NAS IP Address 10.1.64.185
NAS Port Id GigabitEthernet 0/1
NAS Port Type Ethernet
Authorization Profile 2LG_PC_ADUser
Posture Status NotApplicable
Security Group
Response Time 15

Other Attributes
ConfigVersionId 13
DestinationPort 1812
Protocol Radius
NAS-Port 1
Framed-IP-Netmask 0.0.0.0
Framed-Routing None
Login-IP-Host 0.0.0.0
Framed-Route 0.0.0.0
State 37CPMSessionID=0a01208e00002A955DA1478E;32SessionID=ise-1/359873067/955788;
VendorSpecific 00:00:13:11:04:06:00:00:00:82
Acct-Session-Id 800588ca20e0_20_10047
AcsSessionID ise-1/359873067/955788
SelectedAuthenticationIdentityStores AD-WK-PRODUCTION
SelectedAuthenticationIdentityStores Internal Users
SelectedAuthenticationIdentityStores Guest Users
ADDomain corp.minmetals.com.cn
AuthorizationPolicyMatchedRule 2lg-Wired-802.1x-ADUser
CPMSessionID 0a01208e00002A955DA1478E
EndPointMACAddress 2C-FD-A1-B1-E4-DB
ISEPolicySetName Default
AllowedProtocolMatchedRule Dot1X
IdentitySelectionMatchedRule Default
Location Location#All Locations#2lg
Device Type Device Type#All Device Types#Switch
objectCategory cn=person
cn schema
cn configuration
dc corp
dc minmetals
dc com
dc cn
IdentityAccessRestricted false
RADIUS Username zr_xuhchao
Device IP Address 10.1.64.185
CiscoAVPair

Result
State ReauthSession:0a01208e00002A955DA1478E
Class CACS:0a01208e00002A955DA1478E:ise-1/359873067/955788
Session-Timeout 28800
Idle-Timeout 600
cisco-av-pair ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_2LG_PC_ADUser-5d7f6065
MS-MPPE-Send-Key 18:95:26:56:79:b2:c9:d6:3e:1a:ca:9e:73:15:27:97:ed:72:4b:0d:d4:c7:6e:14:e5:5e:48:31:81:13:bb:7d
MS-MPPE-Recv-Key 55:67:fc:fe:0d:ee:0b:7b:65:33:b4:a9:16:6b:dd:16:45:f4:47:d1:79:80:31:28:a1:85:8a:02:27:81:79:fc

nlxnalongxi (Level 1)
Rocky wrote on 2019-10-9 22:20:
What error does ISE show?

But the computer's network adapter shows that user authentication failed.

Rockyw (Spotlight)
nlxnalongxi wrote on 2019-10-12 11:57:
ISE reports that the user passed authentication, but the IP address is 0.0.0.0, as shown below:
Overview
Event 5200 ...

Is there a DHCP service? If so, check whether it is working properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

nlxnalongxi (Level 1)
1540488497lcj wrote on 2019-10-5 20:36:
Brother, did you get it sorted? What was the situation?

No... On ISE the status shows OK, but the problem is that the debug on the Ruijie switch shows it was rejected by the server.

nlxnalongxi (Level 1)
Rocky wrote on 2019-10-12 13:15:
Is there a DHCP service? If so, check whether it is working properly.

OK, I'll take a look at what the problem could be.

nlxnalongxi wrote on 2019-10-15 08:52:
No... On ISE the status shows OK, but the problem is that the debug on the Ruijie switch shows it was rejected by the server.

Did you capture packets on both the ISE side and the Ruijie switch? How do the captures from the two sides differ?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

nlxnalongxi (Level 1)
1540488497lcj wrote on 2019-10-15 13:33:
Did you capture packets on both the ISE side and the Ruijie switch? How do the captures from the two sides differ?

Sorry, I haven't been here in a long time. The H3C is indeed working with ISE now. From the H3C's side, it was because the H3C was using multicast frames to send the RADIUS request to ISE, and after RADIUS replied to the switch as unicast, the switch did not respond. In the end, after turning off multicast trigger on the H3C switch and turning on unicast, it worked.

robortlin (Spotlight)
Learned something. Learned something. Learned something. Learned something.