Wireless: Cisco 4100 Series Wireless LAN Controllers

RADIUS Attributes Supported on the Wireless LAN Controller

August 28, 2015 - Machine Translation

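Introduction

This document lists the RADIUS attributes supported on the Wireless LAN Controller (WLC) that are sent to the RADIUS server in the Access-Request, honored in the Access-Accept, and sent in accounting requests. This also includes vendor-specific attributes.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Wireless security methods

  • RADIUS-based authentication

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.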

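RADIUS Attributes Supported on the Wireless LAN Controller

RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This section lists the RADIUS attributes currently supported on the Wireless LAN Controller.

  • Quality of Service: When present in a RADIUS Access-Accept, the QoS-Level value overrides the QoS value specified in the WLAN profile.

  • ACL: When the Access Control List (ACL) attribute is present in the RADIUS Access-Accept, the system applies the ACL name to the client station after it authenticates. This overrides any ACLs that are assigned to the interface.

  • VLAN: When a VLAN Interface-Name or VLAN-Tag is present in a RADIUS Access-Accept, the system places the client on a specific interface.

  • WLAN ID: When the WLAN-ID attribute is present in the RADIUS Access-Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. The WLAN ID is sent by the WLC in all instances of authentication except IPsec. In the case of web authentication, if the WLC receives a WLAN-ID attribute in the authentication response from the AAA server and it does not match the ID of the WLAN, authentication is rejected. Other types of security methods do not do this.

  • DSCP value: When present in a RADIUS Access-Accept, the DSCP value overrides the DSCP value specified in the WLAN profile.

  • 802.1p Tag: When present in a RADIUS Access-Accept, the 802.1p value overrides the default specified in the WLAN profile.

Note: The VLAN feature only supports MAC filtering, 802.1X, and Wi-Fi Protected Access (WPA). The VLAN feature does not support web authentication or IPsec. The operating system's local MAC filter database has been extended to include the interface name. This allows local MAC filters to specify which interface the client should be assigned to. A separate RADIUS server can also be used, but the RADIUS server must be defined using the Security menus.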

QoS-Level

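The QoS-Level attribute indicates the Quality of Service level to be applied to the mobile client's traffic within the switching fabric, as well as over the air. This example shows a summary of the QoS-Level attribute format. The fields are transmitted from left to right.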

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |  Length       |            Vendor-Id
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Vendor-Id (cont.)          | Vendor type   | Vendor length |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           QoS Level                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • Type - 26 for Vendor-Specific

  • Length - 10

  • Vendor-Id - 14179

  • Vendor type - 2

  • Vendor length - 4

  • Value - Three octets:

      – 3 - Bronze (Background)
      – 0 - Silver (Best Effort)
      – 1 - Gold (Video)
      – 2 - Platinum (Voice)

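ACL-Name

The ACL-Name attribute indicates the name of the ACL to be applied to the client. A summary of the ACL-Name attribute format is shown here. The fields are transmitted from left to right.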

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |  Length       |            Vendor-Id
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Vendor-Id (cont.)          | Vendor type   | Vendor length |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |        ACL Name...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

  • Type - 26 for Vendor-Specific

  • Length - >7

  • Vendor-Id - 14179

  • Vendor type - 6

  • Vendor length - >0

  • Value - A string that includes the name of the ACL to use for the client

Interface-Name

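The Interface-Name attribute indicates the VLAN interface with which the client is to be associated. A summary of the Interface-Name attribute format is shown here. The fields are transmitted from left to right.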

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |  Length       |            Vendor-Id
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Vendor-Id (cont.)          |  Vendor type  | Vendor length |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Interface Name...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

  • Type - 26 for Vendor-Specific

  • Length - >7

  • Vendor-Id - 14179

  • Vendor type - 5

  • Vendor length - >0

  • Value - A string that includes the name of the interface the client is to be assigned to.

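Note: This attribute only works when MAC filtering is enabled, or if 802.1X or WPA is used as the security policy.

VLAN-Tag

The VLAN-Tag attribute indicates the group ID for a particular tunneled session, and is also known as the Tunnel-Private-Group-ID attribute.

This attribute might be included in the Access-Request packet if the tunnel initiator can predetermine the group that results from a particular connection, and should be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. Private groups can be used to associate a tunneled session with a particular group of users. For example, it can be used to facilitate routing of unregistered IP addresses through a particular interface. It should be included in Accounting-Request packets that contain Acct-Status-Type attributes with values of either Start or Stop and that pertain to a tunneled session.

A summary of the Tunnel-Private-Group-ID attribute format is shown here. The fields are transmitted from left to right.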

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Type     |    Length     |     Tag       |   String...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • Type - 81 for Tunnel-Private-Group-ID.

  • Length - >= 3

  • Tag - The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. If the value of the Tag field is greater than 0x00 and less than or equal to 0x1F, it should be interpreted as indicating which tunnel (of several alternatives) this attribute pertains. If the Tag field is greater than 0x1F, it should be interpreted as the first byte of the following String field.

  • String - This field must be present. The group is represented by the String field. There is no restriction on the format of group IDs.

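Tunnel Attributes

When any of the other RADIUS attributes (QoS-Level, ACL-Name, Interface-Name, or VLAN-Tag) are returned, the RFC 2868 tunnel attributes must also be returned.

RFC 2868 defines RADIUS tunnel attributes used for authentication and authorization, and RFC 2867 defines tunnel attributes used for accounting. Where the IEEE 802.1X Authenticator supports tunneling, a compulsory tunnel can be set up for the Supplicant as a result of the authentication.

In particular, it might be desirable to allow a port to be placed into a particular VLAN, defined in IEEE 802.1Q, based on the result of the authentication. This can be used, for example, to allow a wireless host to remain on the same VLAN as it moves within a campus network.

The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the Access-Accept. However, the IEEE 802.1X Authenticator might also provide a hint as to the VLAN to be assigned to the Supplicant by including tunnel attributes within the Access-Request.

These tunnel attributes are used for VLAN assignment: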

  • Tunnel-Type=VLAN (13)

  • Tunnel-Medium-Type=802

  • Tunnel-Private-Group-ID=VLANID

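The VLANID is 12 bits and takes a value between 1 and 4094, inclusive. Because the Tunnel-Private-Group-ID is of type String as defined in RFC 2868, for use with IEEE 802.1X the VLANID integer value is encoded as a string.

When tunnel attributes are sent, it is necessary to fill in the Tag field. This is noted in RFC 2868, section 3.1:

  • The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00).

  • For use with the Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID, Tunnel-Assignment-ID, Tunnel-Client-Auth-ID, or Tunnel-Server-Auth-ID attributes (but not Tunnel-Type, Tunnel-Medium-Type, Tunnel-Password, or Tunnel-Preference), a Tag field greater than 0x1F is interpreted as the first octet of the following String field. Refer to RFC 2868, section 3.1 for more information on the format.

  • Unless alternative tunnel types are provided (for example, for IEEE 802.1X Authenticators that might support tunneling but not VLANs), it is only necessary for tunnel attributes to specify a single tunnel. As a result, where it is only desired to specify the VLANID, the Tag field should be set to zero (0x00) in all tunnel attributes. Where alternative tunnel types are to be provided, you should choose tag values between 0x01 and 0x1F.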
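
The Tag and VLANID rules above, worked through in Python. This is an added example, not part of the original Cisco document; the function names are hypothetical, and the value 6 for Tunnel-Medium-Type=802 is the one that appears in the debug output later in this document.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type=VLAN (13)
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type=802; 6 is the value in this page's debug output


def _check_tag(tag):
    # 0x00 means "Tag unused"; 0x01-0x1F select one of several alternative tunnels.
    if not 0x00 <= tag <= 0x1F:
        raise ValueError("Tag must be 0x00 or 0x01-0x1F, got %#04x" % tag)


def encode_tagged_int(attr_type, tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: one Tag octet, then a 3-octet value."""
    _check_tag(tag)
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_private_group_id(vlan_id, tag=0x00):
    """Tunnel-Private-Group-ID: Tag octet, then the VLANID as an ASCII string."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLANID must be between 1 and 4094")
    _check_tag(tag)
    text = str(vlan_id).encode("ascii")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(text), tag]) + text


def vlan_assignment(vlan_id, tag=0x00):
    """The three attributes for VLAN assignment, all carrying the same Tag."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_private_group_id(vlan_id, tag))


def parse_private_group_id(value):
    """Split the octets after Type and Length into (tag, vlan_id).

    tag is None when the first octet is above 0x1F and so belongs to the String.
    """
    if not value:
        raise ValueError("the String field must be present")
    if value[0] <= 0x1F:
        tag, text = value[0], value[1:]
    else:
        tag, text = None, value
    if not text.isdigit():
        raise ValueError("String field is not a decimal VLANID")
    vlan_id = int(text.decode("ascii"))
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLANID must be between 1 and 4094")
    return tag, vlan_id
```

The two-octet value 0x3230 that the debug output shows for Tunnel-Group-Id parses as an untagged string "20", because 0x32 is greater than 0x1F.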

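Syntax for Configuration of WLC Attributes on RADIUS Servers

Cisco Airespace VSAs on Cisco Access Registrar

Cisco CNS Access Registrar is a RADIUS-compliant access policy server designed to support the delivery of dial, ISDN, and new services that include DSL, cable with telco-return, wireless, and Voice over IP. Refer to the Cisco Access Registrar Support page for more information on Cisco Access Registrar.

This is the syntax that needs to be used on the Cisco Access Registrar to define the WLC attributes.

  • Defines the Airespace RADIUS attribute: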

    Description = str:[0]
    Name = str:[0]Airespace
    Type = str:[0]SUB_ATTRIBUTES
    VendorID = int32:[0]14179
    VendorTypeSize = str:[0]8-bit
  • Defines the WLAN-ID for the user:

    Description = str:[0]
    Max = int32:[0]4294967295
    Min = int32:[0]0
    Name = str:[0]Airespace-WLAN-Id
    SubAttribute = int32:[0]1
    Type = str:[0]UINT32
  • Defines the QoS level for the user:

    Description = str:[0]
    Max = int32:[0]3
    Min = int32:[0]0
    Name = str:[0]Airespace-QoS-Level
    SubAttribute = int32:[0]2
    Type = str:[0]ENUM
    0 = str:[0]Silver
    1 = str:[0]Gold
    2 = str:[0]Platinum
    3 = str:[0]Bronze
  • Defines the DSCP value for packets from the user:

    Description = str:[0]
    Max = int32:[0]4294967295
    Min = int32:[0]0
    Name = str:[0]Airespace-DSCP
    SubAttribute = int32:[0]3
    Type = str:[0]UINT32
  • Defines the 802.1p tag:

    Description = str:[0]
    Max = int32:[0]4294967295
    Min = int32:[0]0
    Name = str:[0]Airespace-802.1P-Tag
    SubAttribute = int32:[0]4
    Type = str:[0]UINT32
  • Defines the interface to which the user is mapped:

    Description = str:[0]
    Max = int32:[0]253
    Min = int32:[0]0
    Name = str:[0]Airespace-Interface-Name
    SubAttribute = int32:[0]5
    Type = str:[0]STRING
  • Defines the ACL that is applied:

    Description = str:[0]
    Max = int32:[0]253
    Min = int32:[0]0
    Name = str:[0]Airespace-ACL-Name
    SubAttribute = int32:[0]6
    Type = str:[0]STRING

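Cisco Airespace VSAs on the FreeRADIUS Server

The Airespace dictionary file for the FreeRADIUS server is available in the installation directory, under the directory named share. The file name is dictionary.airespace.

Note: The dictionary file might be different for earlier versions. The example given in this document is from FreeRADIUS version 1.1.6.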

# -*- text -*-
#
#	As found on the net.
#
#	$Id: dictionary.airespace,v 1.3.2.1 2005/11/30 22:17:19 aland Exp $
#
VENDOR		Airespace			14179

BEGIN-VENDOR	Airespace
ATTRIBUTE	Airespace-Wlan-Id			1	integer
ATTRIBUTE	Airespace-QOS-Level			2	integer
ATTRIBUTE	Airespace-DSCP				3	integer
ATTRIBUTE	Airespace-8021p-Tag			4	integer
ATTRIBUTE	Airespace-Interface-Name		5	string
ATTRIBUTE	Airespace-ACL-Name			6	string

VALUE	Airespace-QOS-Level		Bronze			3
VALUE	Airespace-QOS-Level		Silver			0
VALUE	Airespace-QOS-Level		Gold			1
VALUE	Airespace-QOS-Level		Platinum		2


END-VENDOR Airespace

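The vendor-specific dictionary for Airespace products is included in the dictionary file under the same directory. The file name is dictionary.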

# -*- text -*-
#
# Version $Id: dictionary,v 1.93.2.5.2.10 2007/04/08 14:42:06 aland Exp $
#
#	DO NOT EDIT THE FILES IN THIS DIRECTORY
#
#
#	Use the main dictionary file (usually /etc/raddb/dictionary)
#	for local system attributes and $INCLUDEs.
#
#
#
#	This file contains dictionary translations for parsing
#	requests and generating responses.  All transactions are
#	composed of Attribute/Value Pairs.  The value of each attribute
#	is specified as one of 4 data types.  Valid data types are:
#
#	text       - printable, generally UTF-8 encoded (subset of 'string')
#	string     - 0-253 octets
#	ipaddr     - 4 octets in network byte order
#	integer    - 32 bit value in big endian order (high byte first)
#	date       - 32 bit value in big endian order - seconds since
#		     00:00:00 GMT,  Jan.  1,  1970
#	ifid       - 8 octets in network byte order
#	ipv6addr   - 16 octets in network byte order
#	ipv6prefix - 18 octets in network byte order
#
#	FreeRADIUS includes extended data types which are not defined
#	in the RFC's.  These data types are:
#
#	abinary - Ascend's binary filter format.
#	octets  - raw octets, printed and input as hex strings.
#		  e.g.: 0x123456789abcdef
#
#
#	Enumerated values are stored in the user file with dictionary
#	VALUE translations for easy administration.
#
#	Example:
#
#	ATTRIBUTE	  VALUE
#	---------------   -----
#	Framed-Protocol = PPP
#	7		= 1	(integer encoding)
#

#
#	Include compatibility dictionary for older users file. Move
#	this directive to the end of this file if you want to see the
#	old names in the logfiles, INSTEAD OF the new names.
#
$INCLUDE dictionary.compat

#
#	Include the RFC dictionaries next.
#
#	For a complete list of the standard attributes and values,
#	see:
#		http://www.iana.org/assignments/radius-types
#
$INCLUDE dictionary.rfc2865
$INCLUDE dictionary.rfc2866
$INCLUDE dictionary.rfc2867
$INCLUDE dictionary.rfc2868
$INCLUDE dictionary.rfc2869
$INCLUDE dictionary.rfc3162
$INCLUDE dictionary.rfc3576
$INCLUDE dictionary.rfc3580
$INCLUDE dictionary.rfc4372
$INCLUDE dictionary.rfc4675
$INCLUDE dictionary.rfc4679

#
#	Include vendor dictionaries after the standard ones.
#
$INCLUDE dictionary.3com
$INCLUDE dictionary.3gpp
$INCLUDE dictionary.3gpp2
$INCLUDE dictionary.acc
$INCLUDE dictionary.airespace
$INCLUDE dictionary.alcatel
$INCLUDE dictionary.alteon
$INCLUDE dictionary.alvarion
$INCLUDE dictionary.aruba
$INCLUDE dictionary.ascend
$INCLUDE dictionary.asn
$INCLUDE dictionary.bay
$INCLUDE dictionary.bintec
$INCLUDE dictionary.cablelabs
$INCLUDE dictionary.cabletron
$INCLUDE dictionary.cisco
#
#	 The Cisco VPN300 dictionary is the same as the altiga one.
#	 You shouldn't use both at the same time.
#
#$INCLUDE dictionary.cisco.vpn3000
$INCLUDE dictionary.cisco.vpn5000
$INCLUDE dictionary.cisco.bbsm



#
#	And finally the server internal attributes.
#
$INCLUDE dictionary.freeradius.internal

#
#	Miscellaneous attributes defined in weird places that
#	don't really belong anywhere else...
#
ATTRIBUTE	Originating-Line-Info			94	string

#  As defined in draft-sterman-aaa-sip-00.txt
ATTRIBUTE	Digest-Response				206	string
ATTRIBUTE	Digest-Attributes			207	octets	# 

#
#	Integer Translations
#
VALUE	Service-Type			Voice			12
VALUE	Service-Type			Fax			13
VALUE	Service-Type			Modem-Relay		14
VALUE	Service-Type			IAPP-Register		15
VALUE	Service-Type			IAPP-AP-Check		16

VALUE	Framed-Protocol			GPRS-PDP-Context	7

VALUE	NAS-Port-Type			Wireless-CDMA2000	22
VALUE	NAS-Port-Type			Wireless-UMTS		23
VALUE	NAS-Port-Type			Wireless-1X-EV		24
VALUE	NAS-Port-Type			IAPP			25

VALUE	Framed-Protocol			PPTP			9

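Cisco Airespace VSAs on the Microsoft IAS RADIUS Server

For information on how to configure a Microsoft Internet Authentication Service (MS IAS) server to support Cisco Airespace Vendor-Specific Attributes (VSAs), read Cisco Airespace VSAs on MS IAS RADIUS Server Configuration Example.

Cisco Airespace VSAs on the Cisco Secure ACS Server

Cisco Secure Access Control Server Solution Engine version 4.0 supports many Remote Authentication Dial-In User Service (RADIUS) attributes, which include the Cisco Airespace attributes.

ACS cannot offer partial support of IETF. Hence, when you add a Cisco Airespace device (into the Network Configuration), it automatically enables all IETF attributes. This table gives the Cisco Airespace attributes supported by Cisco ACS.

[Image: wlc-attributes-2.gif]

Cisco Airespace devices support some IETF attributes for 802.1x identity networking:

  • Tunnel-Type (64)

  • Tunnel-Medium-Type (65)

  • Tunnel-Private-Group-Id (81)

In order to configure a specific attribute to be sent for a user, you must ensure that:

  • In the Network Configuration section, you must configure the AAA client entry that corresponds to the access device that grants network access to the user to use a variety of RADIUS that supports the attribute you want sent to the AAA client.

  • In the Interface Configuration section, you must enable the attribute so that it appears on the user or user group profile pages. You can enable attributes on the page that corresponds to the RADIUS variety that supports the attribute. For example, the IETF RADIUS Session-Timeout attribute (27) appears on the RADIUS (IETF) page.

    Note: By default, per-user RADIUS attributes are not enabled (they do not appear on the Interface Configuration page). Before you can enable attributes on a per-user basis, you must enable the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page in the Interface Configuration section. After you enable per-user attributes, a user column appears as disabled on the Interface Configuration page for that attribute.

  • In the profile that you use to control authorizations for the user (in the user or group edit pages, or the Shared RADIUS Authorization Component page), you must enable the attribute. When you enable this attribute, it causes ACS to send the attribute to the AAA client in the access-accept message. In the options that are associated with the attribute, you can determine the value of the attribute that is sent to the AAA client.

Refer to the RADIUS Attributes section of the User Guide for Cisco Secure ACS Solution Engine 4.0 for more information.

Verify and Troubleshoot

When the user connects to the WLAN with a user ID and password, the WLC passes the credentials to the RADIUS server, which authenticates the user against the configured conditions and user profile. If the user authentication is successful, the RADIUS server returns a RADIUS Access-Accept that also contains the RADIUS attributes configured for that user. In this example, the QoS policy of the user is returned.

You can issue the debug aaa all enable command in order to see the sequence of events that occurs during authentication. Here is sample output: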

(Cisco Controller) >debug aaa all enable
Wed Apr 18 18:14:24 2007: User admin authenticated
Wed Apr 18 18:14:24 2007: 28:1f:00:00:00:00 Returning AAA Error 'Success' (0) for 
                              mobile 28:1f:00:00:00:00
Wed Apr 18 18:14:24 2007: AuthorizationResponse: 0xbadff97c
Wed Apr 18 18:14:24 2007:       structureSize...........................70
Wed Apr 18 18:14:24 2007:       resultCode...............................0
Wed Apr 18 18:14:24 2007:       protocolUsed....................0x00000008
Wed Apr 18 18:14:24 2007:       proxyState...........................
                                    28:1F:00:00:00:00-00:00
Wed Apr 18 18:14:24 2007:       Packet contains 2 AVPs:
Wed Apr 18 18:14:24 2007:           AVP[01] Service-Type...................
                                        0x00000006 (6) (4 bytes)
Wed Apr 18 18:14:24 2007:           AVP[02] Airespace / WLAN-Identifier.....
                                        0x00000000 (0) (4 bytes)
Wed Apr 18 18:14:24 2007: User admin authenticated
Wed Apr 18 18:14:24 2007: 29:1f:00:00:00:00 Returning AAA Error 'Success'  
                              (0) for mobile 29:1f:00:00:00:00
Wed Apr 18 18:14:24 2007: AuthorizationResponse: 0xbadff97c
Wed Apr 18 18:14:24 2007:       structureSize.........................70
Wed Apr 18 18:14:24 2007:       resultCode.............................0
Wed Apr 18 18:14:24 2007:       protocolUsed..................0x00000008
Wed Apr 18 18:14:24 2007:       proxyState...............................
                                    29:1F:00:00:00:00-00:00
Wed Apr 18 18:14:24 2007:       Packet contains 2 AVPs:
Wed Apr 18 18:14:24 2007:           AVP[01] Service-Type.................

                                        0x00000006 (6) (4 bytes)
Wed Apr 18 18:14:24 2007:           AVP[02] Airespace / WLAN-Identifier.....
                                        0x00000000 (0) (4 bytes)
Wed Apr 18 18:15:08 2007: Unable to find requested user entry for User-VLAN10
Wed Apr 18 18:15:08 2007: AuthenticationRequest: 0xa64c8bc
Wed Apr 18 18:15:08 2007:       Callback..........................0x8250c40
Wed Apr 18 18:15:08 2007:       protocolType.....................0x00000001
Wed Apr 18 18:15:08 2007:       proxyState...................................
                                    00:40:96:AC:E6:57-00:00
Wed Apr 18 18:15:08 2007:       Packet contains 8 AVPs (not shown)
Wed Apr 18 18:15:08 2007: 00:40:96:ac:e6:57 Successful transmission 
                               of Authentication Packet
                              (id 26) to 172.16.1.1:1812, proxy state 
                              00:40:96:ac:e6:57-96:ac
Wed Apr 18 18:15:08 2007: 00000000: 01 1a 00 68 00 00 00 00  00 00 00 00 00 00 00 00  
                              ...h............
Wed Apr 18 18:15:08 2007: 00000010: 00 00 00 00 01 0d 55 73  65 72 2d 56 4c 41 4e 31  
                              ......User-VLAN1
Wed Apr 18 18:15:08 2007: 00000020: 30 02 12 fa 32 57 ba 2a  ba 57 38 11 bc 9a 5d 59  
                              0...2W.*.W8...]Y
Wed Apr 18 18:15:08 2007: 00000030: ed ca 23 06 06 00 00 00  01 04 06 ac 10 01 1e 20  
                              ..#.............
Wed Apr 18 18:15:08 2007: 00000040: 06 57 4c 43 32 1a 0c 00  00 37 63 01 06 00 00 00  
                              .WLC2....7c.....
Wed Apr 18 18:15:08 2007: 00000050: 01 1f 0a 32 30 2e 30 2e  30 2e 31 1e 0d 31 37 32  
                              ...20.0.0.1..172
Wed Apr 18 18:15:08 2007: 00000060: 2e 31 36 2e 31 2e 33 30 .16.1.30
Wed Apr 18 18:15:08 2007: 00000000: 02 1a 00 46 3f cf 1b cc  e4 ea 41 3e 28 7e cc bc  
                              ...F?.....A>(~..
Wed Apr 18 18:15:08 2007: 00000010: 00 e1 61 ae 1a 0c 00 00  37 63 02 06 00 00 00 03  
                              ..a.....7c......
Wed Apr 18 18:15:08 2007: 00000020: 06 06 00 00 00 01 19 20  37 d0 03 e6 00 00 01 37  
                              ........7......7
Wed Apr 18 18:15:08 2007: 00000030: 00 01 ac 10 01 01 01 c7  7a 8b 35 20 31 80 00 00  
                              ........z.5.1...
Wed Apr 18 18:15:08 2007: 00000040: 00 00 00 00 00 1b      ......
Wed Apr 18 18:15:08 2007: ****Enter processIncomingMessages: response code=2
Wed Apr 18 18:15:08 2007: ****Enter processRadiusResponse: response code=2
Wed Apr 18 18:15:08 2007: 00:40:96:ac:e6:57 Access-Accept received 
                              from RADIUS server  
                              172.16.1.1 for mobile 00:40:96:ac:e6:57 receiveId = 0
Wed Apr 18 18:15:08 2007: AuthorizationResponse: 0x9802520
Wed Apr 18 18:15:08 2007:       structureSize.......................114
Wed Apr 18 18:15:08 2007:       resultCode...........................0
Wed Apr 18 18:15:08 2007:       protocolUsed................0x00000001
Wed Apr 18 18:15:08 2007:       proxyState...........................
                                    00:40:96:AC:E6:57-00:00
Wed Apr 18 18:15:08 2007:       Packet contains 3 AVPs:
Wed Apr 18 18:15:08 2007:           AVP[01] Airespace / QOS-Level.........
                                        0x00000003 (3) (4 bytes)
Wed Apr 18 18:15:08 2007:           AVP[02] Service-Type...................
                                        0x00000001 (1) (4 bytes)
Wed Apr 18 18:15:08 2007:           AVP[03] Class......................
                                        DATA (30 bytes)
Wed Apr 18 18:15:08 2007: 00:40:96:ac:e6:57 Applying new AAA override for station 
                              00:40:96:ac:e6:57
Wed Apr 18 18:15:08 2007: 00:40:96:ac:e6:57 Override values for
                              station 00:40:96:ac:e6:57
            source: 48, valid bits: 0x3
            qosLevel: 3, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
            dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
            vlanIfName: '', aclName: '
Wed Apr 18 18:15:12 2007: AccountingMessage Accounting Start: 0xa64c8bc
Wed Apr 18 18:15:12 2007:       Packet contains 13 AVPs:
Wed Apr 18 18:15:12 2007:           AVP[01] User-Name.........................
                                        User-VLAN10 (11 bytes)
Wed Apr 18 18:15:12 2007:           AVP[02] Nas-Port..........................
                                        0x00000001 (1) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[03] Nas-Ip-Address....................
                                        0xac10011e (-1408237282) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[04] NAS-Identifier....................
                                        0x574c4332 (1464615730) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[05] Airespace / WLAN-Identifier.......
                                        0x00000001 (1) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[06] Acct-Session-Id...................
                                        4626602c/00:40:96:ac:e6:57/16 (29 bytes)
Wed Apr 18 18:15:12 2007:           AVP[07] Acct-Authentic....................
                                        0x00000001 (1) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[08] Tunnel-Type.......................
                                        0x0000000d (13) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[09] Tunnel-Medium-Type................
                                        0x00000006 (6) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[10] Tunnel-Group-Id...................
                                        0x3230 (12848) (2 bytes)
Wed Apr 18 18:15:12 2007:           AVP[11] Acct-Status-Type..................
                                        0x00000001 (1) (4 bytes)
Wed Apr 18 18:15:12 2007:           AVP[12] Calling-Station-Id................
                                        20.0.0.1 (8 bytes)
Wed Apr 18 18:15:12 2007:           AVP[13] Called-Station-Id.................
                                        172.16.1.30 (11 bytes)

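This output shows that the user is authenticated. Then, AAA override values are returned with the RADIUS accept message. In this case, you see that the QoS attribute is returned along with the RADIUS accept message. Therefore, the user is given the QoS policy of Bronze, which overrides the default QoS value set for that SSID.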
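
To confirm an override like this from the wire rather than from the controller's summary, the following Python example walks the Access-Accept bytes in the hex dump above and decodes the Airespace VSA. It is an added example, not part of the original Cisco document, and its function names are hypothetical. In this capture the VSA carries Length 12 and Vendor length 6 around a four-octet value, so the decoder takes its lengths from the packet.

```python
import struct

AIRESPACE_VENDOR_ID = 14179
# Sub-attribute numbers and QoS names as listed in dictionary.airespace above.
SUBATTRS = {1: "Airespace-Wlan-Id", 2: "Airespace-QOS-Level", 3: "Airespace-DSCP",
            4: "Airespace-8021p-Tag", 5: "Airespace-Interface-Name",
            6: "Airespace-ACL-Name"}
QOS_NAMES = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}

# The 70-octet Access-Accept (code 2, id 26) copied from the debug output above.
ACCESS_ACCEPT = bytes.fromhex(
    "02 1a 00 46 3f cf 1b cc e4 ea 41 3e 28 7e cc bc "
    "00 e1 61 ae 1a 0c 00 00 37 63 02 06 00 00 00 03 "
    "06 06 00 00 00 01 19 20 37 d0 03 e6 00 00 01 37 "
    "00 01 ac 10 01 01 01 c7 7a 8b 35 20 31 80 00 00 "
    "00 00 00 00 00 1b")

def walk_tlvs(buf, start, min_len):
    """Yield (type, value) for each type/length/value record in buf[start:]."""
    pos = start
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated header at offset %d" % pos)
        t, length = buf[pos], buf[pos + 1]
        # The length octet counts the type and length octets themselves.
        if length < min_len or pos + length > len(buf):
            raise ValueError("bad length %d at offset %d" % (length, pos))
        yield t, buf[pos + 2:pos + length]
        pos += length

def decode_airespace(vsa_value):
    """Decode the value of one Vendor-Specific (26) attribute; {} if not Airespace."""
    if len(vsa_value) < 4:
        raise ValueError("Vendor-Specific value too short for a Vendor-Id")
    if struct.unpack("!I", vsa_value[:4])[0] != AIRESPACE_VENDOR_ID:
        return {}
    found = {}
    for v_type, data in walk_tlvs(vsa_value, 4, 3):
        name = SUBATTRS.get(v_type, "Unknown-%d" % v_type)
        if v_type in (5, 6):            # Interface-Name and ACL-Name are strings
            found[name] = data.decode("ascii", errors="replace")
        elif len(data) == 4:            # the other sub-attributes are 32-bit integers
            found[name] = struct.unpack("!I", data)[0]
        else:
            raise ValueError("%s must carry a 4-octet integer" % name)
    return found

def aaa_overrides(packet):
    """Collect the Airespace overrides carried by one RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS Length field does not fit the data")
    overrides = {}
    for a_type, value in walk_tlvs(packet[:length], 20, 2):
        if a_type == 26:
            overrides.update(decode_airespace(value))
    level = overrides.get("Airespace-QOS-Level")
    if level is not None:
        overrides["qos_name"] = QOS_NAMES.get(level, "out of range")
    return overrides
```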

Document ID: 96103