无线/移动 : "无线, LAN (WLAN)"

EAP-FAST用在自治接入点配置示例的内部RADIUS服务器

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 23 日) | 反馈

简介

本文描述如何配置自治接入点作为通过安全协议的RADIUS服务器(EAP-FAST)执行思科扩展验证灵活协议验证客户端authenticatication的与最新的Cisco IOS版本(15.2JB),更新有GUI界面外观。

通常外部RADIUS服务器用于为了验证用户。在某些情况下,这不是一个可行的解决方案。在这些情况下,接入点(AP)能作为RADIUS服务器。在这种情况下,用户验证在接入点配置的本地数据库。此功能称为本地 RADIUS 服务器功能。您能也做在本地RADIUS服务器在AP以为特色的网络使用的其他接入点。

贡献用Surendra BG, Cisco TAC工程师。

先决条件

要求

Cisco 建议您在尝试进行此配置之前了解下列主题:

  • Cisco IOS GUI或CLI
  • 在可扩展的认证协议(EAP)后的概念
  • 服务集标识(SSID)配置
  • RADIUS

使用的组件

运行Cisco IOS Release15.2JB并且作为内部RADIUS服务器的本文档中的信息根据3600个AP。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

配置

与GUI的配置

  1. 为了配置AP作为本地RADIUS服务器,请导航给AP GUI > Security >Server管理器,并且输入这些详细信息:
    • 主机名或IP地址
    • 共享秘密
    • 验证端口
    • 帐户端口

    注意:对于验证和计费端口,此示例使用1812和1813,分别。然而,可能也使用1645和1646。



    单击 Apply



  2. 导航对在AP的本地RADIUS服务器配置,点击常规设置选项卡,并且输入这些详细信息:
    • 网络接入服务器(NAS)用AP (网桥组虚拟接口(BVI) int IP)的IP地址
    • 共享秘密

    单击 Apply

    创建有用户名和密码的个人用户。如果组名要求,则请配置它(此示例不使用一个组名)。



  3. 非选定LEAPMAC复选框。



  4. 点击EAP-FAST设置选项卡,并且输入PAC加密密钥PAC内容的详细信息。

    注意:因为有32个六角形的字符,此示例使用零至九四次。





  5. 导航给加密管理器,配置有AES CCMP的密码器作为加密,并且单击应用所有无线电需要的无线电



配置SSID

  1. 导航给安全> SSID管理器,并且单击创建新



  2. 输入详细信息,并且单击应用



  3. 客户端验证Settings屏幕,请检查Open Authentication复选框,并且选择从下拉菜单的EAP。检查网络EAP复选框,并且选择从下拉菜单的RADIUS服务器。这应该是您配置作为在服务器管理器和本地RADIUS服务器页的AAA的AP IP地址。

配置无线受保护的访问版本2 (WPAv2)如必须

  1. 客户端验证密钥管理屏幕,请选择必须密钥管理下拉菜单。检查Enable (event) WPA复选框,并且选择从下拉菜单的WPAv2



  2. 单击页底部的 Apply。为了广播SSID,点击单个SSID单选按钮,选择从下拉菜单的SSID,和单击应用



  3. 导航对网络,并且启用2.4 GHz5 GHz的无线电。保证无线电是正在运行的。

CLI命令为配置

show run
Building configuration...

Current configuration : 3204 bytes
!
! Last configuration change at 01:11:36 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$06l4$E2pi.VeGTKUxxiwPScUEp.
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.105.135.185 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.105.135.185 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
!
!
!
dot11 syslog
!
dot11 ssid EAPFAST
   authentication open eap eap_methods1
   authentication network-eap eap_methods1
   authentication key-management wpa version 2
   guest-mode
!
!
crypto pki token default removal timeout 0
!
!
username Cisco password 7 01300F175804
!
!
!
class-map match-all _class_voice0
 match ip dscp ef
 class-map match-all _class_voice1
 match ip dscp default
!
!
policy-map voice
 class _class_voice0
  set cos 6
 class _class_voice1
  set cos 6
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid EAPFAST
 !
 antenna gain 0
 stbc
 power local 14
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid EAPFAST
 !
 antenna gain 0
 dfs band 3 block
 stbc
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.105.135.185 255.255.255.128
 no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  eapfast authority id 01234567890123456789012345678901
  eapfast authority info cisco
  eapfast server-key primary 7 E1F54D861DC7150A7B949E5B4E630D8E5B
  eapfast server-key secondary 7 E7281DB670D36C052F60D36337436ABA13
  nas 10.105.135.185 key 7 01100F175804
  user user nthash 7 075A76681B514A2436465D28517D7A71786114033753342156777C79030
D2D5448
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.105.135.185 auth-port 1812 acct-port 1813 key 7 045802150C2E
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input all
!
end

ap#

验证

如果连接给客户端,则这是在AP显示在成功认证以后的日志:

*Mar  1 00:45:02.035: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1,
Associated To AP root XXXX.XXXX.XXXX [EAP-FAST WPAv2]

故障排除

完成这些步骤为了排除故障此配置。

  1. 为了排除无线电频率(RF)发出的可能性请防止成功认证,设置在SSID的方法打开为了临时地禁用验证。

  2. 从在SSID管理器页的GUI,请不选定Network-EAP复选框,并且检查开放

  3. 从CLI,请勿请使用authentication open命令和authentication network-eap eap_methods。如果客户端成功关联,则 RF 与关联问题无关。

  4. 验证所有共享密钥口令是否同步。这些线路必须包含同样共享的加密口令:
    • RADIUS服务器主机x.x.x.x auth端口x acct-port x关键<shared_secret>
    • nas x.x.x.x密钥<shared_secret>
  5. 删除所有用户组和他们相关的配置。有时冲突发生在域的AP定义的用户组和用户组之间。

debug 命令

注意:使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

这是有用的调试指令列表。

  • 调试全dot11 aaa的验证器此调试表示多种协商,客户端经历,当客户端通过802.1x或EAP进程联合并且验证从验证器(AP)的角度。这个debug在Cisco IOS软件版本12.2(15)JA介绍过。此命令废弃debug dot11 aaa dot1x all在这及以后版本中。

     *Mar  1 00:26:03.097: dot11_auth_add_client_entry:
    Create new client 0040.96af.3e93 for application 0x1
    *Mar 1 00:26:03.097: dot11_auth_initialize_client:
    0040.96af.3e93 is added to the client list for application 0x1
    -----------------------------------------------
    Lines Omitted for simplicity ------------------
    *Mar 1 00:26:03.098: dot11_auth_dot1x_start:
    in the dot11_auth_dot1x_start


    *Mar 1 00:26:03.132: dot11_auth_dot1x_run_rfsm:
    Executing Action(CLIENT_WAIT,EAP_START) for 0040.96af.3e93
    *Mar 1 00:26:03.132: dot11_auth_dot1x_send_id_req_to_client:
    Sending identity request to 0040.96af.3e93(client)

    *Mar 1 00:26:03.133: *Mar 1 00:26:03.099:
    dot11_auth_dot1x_send_id_req_to_client:
    Client 0040.96af.3e93 timer started for 30 seconds
    *Mar 1 00:26:03.132: dot11_auth_parse_client_pak:
    Received EAPOL packet from 0040.96af.3e93
    ------------------------------------------------
    Lines Omitted-----------------------------------
    *Mar 1 00:26:03.138: EAP code: 0x2 id: 0x1 length:
    0x000A type: 0x1
    01805BF0: 0100000A 0201000A 01757365 7231
    .........user1(User Name of the client)


    *Mar1 00:26:03.146: dot11_auth_dot1x_run_rfsm:
    Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0040.96af.3e93
    *Mar1 00:26:03.147: dot11_auth_dot1x_send_response_to_server:
    Sending client 0040.96af.3e93 data to server
    *Mar1 00:26:03.147: dot11_auth_dot1x_send_response_to_server:
    Started timer server_timeout 60 seconds
    -------------------------------------------------
    Lines Omitted------------------------------------
    *Mar1 00:26:03.150: dot11_auth_dot1x_parse_aaa_resp:
    Received server response:GET_CHALLENGE_RESPONSE
    *Mar1 00:26:03.150: dot11_auth_dot1x_parse_aaa_resp:
    found session timeout 10 sec


    *Mar 1 00:26:03.150: dot11_auth_dot1x_run_rfsm:
    Executing Action(SERVER_WAIT,SERVER_REPLY) for 0040.96af.3e93
    *Mar 1 00:26:03.150: dot11_auth_dot1x_send_response_to_client:
    Forwarding server message to client 0040.96af.3e93

    ----------------------------------------------
    Lines Omitted---------------------------------------
    *Mar 1 00:26:03.151: dot11_auth_send_msg:
    Sending EAPOL to requestor

    *Mar 1 00:26:03.151: dot11_auth_dot1x_send_response_to_client:
    Started timer client_timeout 10 seconds
    *Mar 1 00:26:03.166: dot11_auth_parse_client_pak:
    Received EAPOL packet(User Credentials) from 0040.96af.3e93

    *Mar 1 00:26:03.166: EAP code: 0x2 id: 0x11 length: 0x0025
    type: 0x1101805F90: 01000025 02110025...%...%01805FA0:
    11010018 7B75E719 C5F3575E EFF64B27 ....{ug.EsW^ovK'


    Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0040.96af.3e93
    *Mar 1 00:26:03.186: dot11_auth_dot1x_send_response_to_server:
    Sending client 0040.96af.3e93 data
    (User Credentials) to server

    *Mar 1 00:26:03.186: dot11_auth_dot1x_send_response_to_server:
    Started timer server_timeout 60 seconds
    ----------------------------------------------
    Lines Omitted----------------------------------------
    *Mar 1 00:26:03.196: dot11_auth_dot1x_parse_aaa_resp:
    Received server response: PASS


    *Mar 1 00:26:03.197: dot11_auth_dot1x_run_rfsm:
    Executing Action(SERVER_WAIT,SERVER_PASS) for 0040.96af.3e93
    *Mar 1 00:26:03.197: dot11_auth_dot1x_send_response_to_client:
    Forwarding server message(Pass Message) to client
    ------------------------------------------------
    Lines Omitted-------------------------------------
    *Mar 1 00:26:03.198: dot11_auth_send_msg:
    Sending EAPOL to requestor
    *Mar 1 00:26:03.199: dot11_auth_dot1x_send_response_to_client:
    Started timer client_timeout 30 second
    *Mar 1 00:26:03.199: dot11_auth_send_msg:
    client authenticated 0040.96af.3e93,
    node_type 64 for application 0x1
    *Mar 1 00:26:03.199: dot11_auth_delete_client_entry:
    0040.96af.3e93 is deleted for application 0x1
    *Mar 1 00:26:03.200: %DOT11-6-ASSOC:
    Interface Dot11Radio0, Station Station Name
    0040.96af.3e93 Associated KEY_MGMT[NONE]


  • debug radius authentication---此调试显示服务器和客户端之间的RADIUS协商,在这种情况下,二者都是AP。

  • debug radius local-server client -此调试从RADIUS服务器的角度显示客户端的验证。

     *Mar 1 00:30:00.742: RADIUS(0000001A): 
    Send Access-Request(Client's User Name)
    to 10.77.244.194:1812(Local Radius Server)



    id 1645/65, len 128
    *Mar 1 00:30:00.742: RADIUS:
    User-Name [1] 7 "user1"
    *Mar 1 00:30:00.742: RADIUS:
    Called-Station-Id [30] 16 "0019.a956.55c0"
    *Mar 1 00:30:00.743: RADIUS:
    Calling-Station-Id [31] 16 "0040.96af.3e93" (Client)


    *Mar 1 00:30:00.743: RADIUS:
    Service-Type [6] 6 Login [1]
    *Mar 1 00:30:00.743: RADIUS:
    Message-Authenticato[80]
    *Mar 1 00:30:00.743: RADIUS:
    23 2E F4 42 A4 A3 72 4B 28 44 6E 7A 58 CA 8F 7B [#.?B??rK(DnzX??{]
    *Mar 1 00:30:00.743: RADIUS:
    EAP-Message [79] 12
    *Mar 1 00:30:00.743:
    RADIUS: 02 02 00 0A 01 75 73 65 72 31
    [?????user1]

    *Mar 1 00:30:00.744: RADIUS:
    NAS-Port-Type [61] 6 802.11 wireless
    --------------------------------
    Lines Omitted For Simplicity---------------------
    *Mar 1 00:30:00.744: RADIUS:
    NAS-IP-Address [4] 6 10.77.244.194(Access Point IP)

    *Mar 1 00:30:00.744: RADIUS: Nas-Identifier [32] 4 "ap"

    ----------------------------------
    Lines Omitted---------------------------------
    *Mar 1 00:30:00.745: RADIUS:
    Received from id 1645/65 10.77.244.194:1812, Access-Challenge, len 117
    *Mar 1 00:30:00.746: RADIUS:
    75 73 65 72 31 [user1]
    *Mar 1 00:30:00.746: RADIUS:
    Session-Timeout [27] 6 10
    *Mar 1 00:30:00.747: RADIUS: State [24] 50
    *Mar 1 00:30:00.747: RADIUS:
    BF 2A A0 7C 82 65 76 AA 00 00 00 00 00 00 00 00
    [?*?|?ev?????????]
    ---------------------------------------
    Lines Omitted for simplicity -------------
    *Mar 1 00:30:00.756:
    RADIUS/ENCODE(0000001A):Orig. component type = DOT11
    *Mar 1 00:30:00.756: RADIUS: AAA Unsupported Attr: ssid [264] 5
    *Mar 1 00:30:00.756: RADIUS: 63 69 73 [cis]
    *Mar 1 00:30:00.756: RADIUS: AAA Unsupported Attr: interface [157] 3
    *Mar 1 00:30:00.756: RADIUS: 32 [2]
    *Mar 1 00:30:00.757: RADIUS(0000001A): Config NAS IP: 10.77.244.194
    *Mar 1 00:30:00.757: RADIUS/ENCODE(0000001A): acct_session_id: 26
    *Mar 1 00:30:00.757: RADIUS(0000001A): Config NAS IP: 10.77.244.194


    *Mar 1 00:30:00.779: RADIUS(0000001A):
    Send Access-Request to 10.77.244.194:1812 id 1645/67, len 189
    *Mar 1 00:30:00.779: RADIUS:
    authenticator B0 15 3C C1 BC F6 31 85 - 66 5D 41 F9 2E B4 48 7F
    *Mar 1 00:30:00.779: RADIUS: User-Name [1] 7 "user1"
    *Mar 1 00:30:00.780: RADIUS: Framed-MTU [12] 6 1400
    *Mar 1 00:30:00.780: RADIUS: Called-Station-Id [30] 16"0019.a956.55c0"
    *Mar 1 00:30:00.780: RADIUS: Calling-Station-Id [31] 16"0040.96af.3e93"
    *Mar 1 00:30:00.758: RADIUS:
    92 D4 24 49 04 C2 D2 0A C3 CE E9 00 6B F1 B2 AF [??$I????????k???]
    *Mar 1 00:30:00.759: RADIUS: EAP-Message [79] 39
    *Mar 1 00:30:00.759: RADIUS:
    02 17 00 25 11 01 00 18 05 98 8B BE 09 E9 45 E2 [??????????????E?]
    *Mar 1 00:30:00.759: RADIUS:
    73 5D 33 1D F0 2F DB 09 50 AF 38 9F F9 3B BD D4 [s]3??/??P?8??;??]
    *Mar 1 00:30:00.759: RADIUS:
    75 73 65 72 31 [user1]
    ----------------------------------------
    Lines Omitted---------------------------
    *Mar 1 00:30:00.781: RADIUS: State [24] 50 RADIUS:
    NAS-IP-Address [4] 6 10.77.244.194
    *Mar 1 00:30:00.783: RADIUS: Nas-Identifier [32] 4 "ap"

    *Mar 1 00:30:00.822: RADIUS:
    Received from id 1645/67 10.77.244.194:1812, Access-Accept, len 214
    *Mar 1 00:30:00.822:
    RADIUS: authenticator 10 0C B6 EE 7A 96 3A 46 - 36 49 FC D3 7A F4 42 2A
    ---------------------------------------
    Lines Omitted----------------------------
    *Mar 1 00:30:00.823: RADIUS: 75 73 65 72 31 [user1]
    *Mar 1 00:30:00.823: RADIUS: Vendor, Cisco [26] 59
    *Mar 1 00:30:00.823: RADIUS:
    Cisco AVpair [1] 53 "EAP-FAST:session-key=?+*ve=];q,oi[d6|-z."
    *Mar 1 00:30:00.823:
    RADIUS: User-Name [1] 28 "user1 *Mar 1 00:30:00.824: RADIUS:
    Message-Authenticato[80] 18
    *Mar 1 00:30:00.824: RADIUS:
    06 2D BA 93 10 C0 91 F8 B4 B8 A4 00 82 0E 11 36
    [?-?????????????6]
    *Mar 1 00:30:00.826: RADIUS/DECODE: EAP-Message fragments,
    37, total 37 bytes
    *Mar 1 00:30:00.826: found leap session key
    *Mar 1 00:30:00.830: %DOT11-6-ASSOC:
    Interface Dot11Radio0, Station Station Name
    Associated KEY_MGMT[NONE]


  • debug radius local-server packets -此调试显示被执行和从RADIUS服务器的角度的所有进程。

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


Document ID: 116580