[Original] 802.1x MAB RADIUS using Windows NPS

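Posted on 2020-7-23 11:27:09
I recently ran into a problem while working on 802.1X MAB authentication, and I'm sharing it here. Device: 2960X, IOS 152-5.E. RADIUS: Windows 2016 NPS.
Problem description:
The NPS log shows that authentication passed, but the client did not obtain an IP address.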

A1-2F2-C2960X-OA01#show authentication sessions session-id 0A00C8780000008FBBA074A0 details
Session id=0A00C8780000008FBBA074A0
Interface: GigabitEthernet1/0/3
MAC Address: 002b.675d.431a
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-2b-67-5d-43-1a
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 103s
Common Session ID: 0A00C8780000008FBBA074A0
Acct Session ID: Unknown
Handle: 0x02000061
Current Policy: POLICY_Gi2/0/31

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

mab Authc Success


The interface configuration is as follows:
interface g1/0/3
switch mode access
switch access vlan 10
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication event fail action next-method
authentication control-direction in   
dot1x pae authenticator
mab
authentication order dot1x mab
authentication priority dot1x mab
dot1x timeout tx-period 10
dot1x max-reauth-req 1



Log:
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] Received MAB context create from AuthMgr
Mar 18 18:03:01.845: mab-ev: MAB authorizing 002b.675d.431a
Mar 18 18:03:01.845: mab-ev: Created MAB client context 0xCF00005C
Mar 18 18:03:01.845: mab : initial state mab_initialize has enter
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] Sending create new context event to EAP from MAB for 0xCF00005C (002b.675d.431a)
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] MAB authentication started for 0x0DB509D0 (002b.675d.431a)
Mar 18 18:03:01.845: mab-ev: [002b.675d.431a, Gi2/0/31] Invalid EVT 9 from EAP
Mar 18 18:03:01.849: mab-sm: [002b.675d.431a, Gi2/0/31] Received event 'MAB_CONTINUE' on handle 0xCF00005C
Mar 18 18:03:01.849: mab : during state mab_initialize, got event 1(mabContinue)
Mar 18 18:03:01.849: @@@ mab : mab_initialize -> mab_authorizing
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a] formatted mac = 00-2b-67-5d-43-1a
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a] created mab pseudo dot1x profile dot1x_mac_auth_002b.675d.431a
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a, Gi2/0/31] Starting MAC-AUTH-BYPASS for 0xCF00005C (002b.675d.431a)
Mar 18 18:03:01.849: mab-ev: [002b.675d.431a, Gi2/0/31] Invalid EVT 9 from EAP
Mar 18 18:03:01.849: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 18 18:03:01.849: RADIUS(00000000): Config NAS IP: 10.0.200.120
Mar 18 18:03:01.849: RADIUS(00000000): Config NAS IPv6: ::
Mar 18 18:03:01.849: RADIUS(00000000): sending
Mar 18 18:03:01.852: RADIUS: Long password processing
Mar 18 18:03:01.852: RADIUS(00000000): Send Access-Request to 10.0.6.51:1812 id 1645/142, len 282
Mar 18 18:03:01.852: RADIUS: authenticator 43 56 31 29 10 65 7E 5E - 5A 99 24 49 5C A7 AB B1
Mar 18 18:03:01.852: RADIUS: User-Name [1] 19 "00-2b-67-5d-43-1a"
Mar 18 18:03:01.852: RADIUS: User-Password [2] 34 *
Mar 18 18:03:01.852: RADIUS: Service-Type [6] 6 Call Check [10]
Mar 18 18:03:01.852: RADIUS: Vendor, Cisco [26] 31
Mar 18 18:03:01.852: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Mar 18 18:03:01.852: RADIUS: Framed-MTU [12] 6 1500
Mar 18 18:03:01.852: RADIUS: Called-Station-Id [30] 19 "84-8A-8D-3B-6E-1F"
Mar 18 18:03:01.852: RADIUS: Calling-Station-Id [31] 19 "00-2B-67-5D-43-1A"
Mar 18 18:03:01.852: RADIUS: Message-Authenticato[80] 18
Mar 18 18:03:01.852: RADIUS: 31 51 EC A5 C8 B4 C5 F3 02 66 80 8E C3 ED 3D B4 [ 1Qf=]
Mar 18 18:03:01.852: RADIUS: EAP-Key-Name [102] 2 *
Mar 18 18:03:01.852: RADIUS: Vendor, Cisco [26] 49
Mar 18 18:03:01.852: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A00C8780000008DBB97BF91"
Mar 18 18:03:01.852: RADIUS: Vendor, Cisco [26] 18
Mar 18 18:03:01.852: RADIUS: Cisco AVpair [1] 12 "method=mab"
Mar 18 18:03:01.852: RADIUS: NAS-IP-Address [4] 6 10.0.200.120
Mar 18 18:03:01.852: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet2/0/31"
Mar 18 18:03:01.852: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 18 18:03:01.852: RADIUS: NAS-Port [5] 6 50231
Mar 18 18:03:01.852: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 18 18:03:01.856: RADIUS(00000000): Started 2 sec timeout
Mar 18 18:03:01.866: RADIUS: Received from id 1645/142 10.0.6.51:1812, Access-Accept, len 84
Mar 18 18:03:01.866: RADIUS: authenticator 83 DD 96 AC 4F AF 81 78 - 5D C6 40 2D DA AC 5F EC
Mar 18 18:03:01.866: RADIUS: Framed-MTU [12] 6 1344
Mar 18 18:03:01.866: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Mar 18 18:03:01.866: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Mar 18 18:03:01.866: RADIUS: Class [25] 46
Mar 18 18:03:01.870: RADIUS: 96 F1 09 1D 00 00 01 37 00 01 02 00 0A 00 06 33 00 00 00 00 91 5A 91 60 A5 C2 51 BF 01 D6 59 06 B7 ED 34 E0 00 00 00 00 00 00 11 4C [ 73Z`QY4L]
Mar 18 18:03:01.870: RADIUS(00000000): Received from id 1645/142
Mar 18 18:03:01.870: mab-ev: [002b.675d.431a, Gi2/0/31] MAB received an Access-Accept for 0xCF00005C (002b.675d.431a)
Mar 18 18:03:01.870: mab-sm: [002b.675d.431a, Gi2/0/31] Received event 'MAB_RESULT' on handle 0xCF00005C
Mar 18 18:03:01.873: mab : during state mab_authorizing, got event 5(mabResult)
Mar 18 18:03:01.873: @@@ mab : mab_authorizing -> mab_terminate
Mar 18 18:03:01.873: mab-ev: [002b.675d.431a, Gi2/0/31] Deleted credentials profile for 0xCF00005C (dot1x_mac_auth_002b.675d.431a)
Mar 18 18:03:01.873: dot1x-ev:[Gi2/0/31] Interface state changed to UP
Mar 18 18:03:01.884: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet2/0/31
Mar 18 18:03:03.823: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/31, changed state to up
Mar 18 18:03:04.827: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/31, changed state to up



Solution: do not use the default authorization configuration; use a custom one instead.
aaa authorization network default group dot1x-auth
Change it to:
aaa authorization network MAB group dot1x-auth
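
Added example (not part of the original post, and not Cisco or Microsoft code): a Python check for the symptom described above, where MAB reports Authc Success but the session stays Unauthorized. It parses `debug radius` output and reports which of the three RFC 3580 VLAN-assignment attributes each reply carries; the function names are hypothetical and the Tunnel-Private-Group line is constructed.

```python
import re

# RFC 2868 attribute numbers used for RFC 3580 dynamic VLAN assignment.
VLAN_ATTRS = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}

REPLY = re.compile(r"RADIUS: Received from id \S+ \S+, (Access-\w+), len \d+")
ATTR = re.compile(r"RADIUS:\s+(\S[^\[]*?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")

def parse_replies(log_text):
    """Return [(packet_type, {attr_number: value_text})] for each RADIUS reply."""
    replies, current = [], None
    for line in log_text.splitlines():
        m = REPLY.search(line)
        if m:
            current = {}
            replies.append((m.group(1), current))
        elif current is not None and "RADIUS: " in line:
            a = ATTR.search(line)  # hex/authenticator lines carry no [type] and are skipped
            if a:
                current[int(a.group(2))] = a.group(4).strip()
        else:
            current = None  # first non-"RADIUS: " line ends the attribute dump
    return replies

def missing_vlan_attrs(attrs):
    """Names of VLAN-assignment attributes absent from a reply that carries some of them."""
    if not any(n in attrs for n in VLAN_ATTRS):
        return []  # reply does not attempt VLAN assignment at all
    return [name for n, name in VLAN_ATTRS.items() if n not in attrs]

# Access-Accept lines copied from the debug output in the post.
POSTED = """\
Mar 18 18:03:01.866: RADIUS: Received from id 1645/142 10.0.6.51:1812, Access-Accept, len 84
Mar 18 18:03:01.866: RADIUS: authenticator 83 DD 96 AC 4F AF 81 78 - 5D C6 40 2D DA AC 5F EC
Mar 18 18:03:01.866: RADIUS: Framed-MTU [12] 6 1344
Mar 18 18:03:01.866: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Mar 18 18:03:01.866: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Mar 18 18:03:01.866: RADIUS: Class [25] 46
Mar 18 18:03:01.870: RADIUS(00000000): Received from id 1645/142
"""
# Constructed line (not from the post) showing a reply that does name a VLAN.
CONSTRUCTED = POSTED.replace("RADIUS: Class [25] 46",
                             'RADIUS: Tunnel-Private-Group [81] 4 "10"')

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        for kind, attrs in parse_replies(text):
            print(label, kind, "missing:", missing_vlan_attrs(attrs) or "none")
```

On the lines from the post it reports Tunnel-Private-Group-ID as missing from the Access-Accept, so the VLAN settings of the NPS network policy are worth reviewing alongside the switch's authorization method list.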




Posted on 2020-7-27 04:38:15
Thanks to the original poster for sharing, thank you~
Posted on 2020-7-27 08:58:26
Thanks for sharing~~!
Posted 7 days ago
Thanks to the original poster for sharing