Troubleshooting AAA RADIUS Interactions for WLAN Authentication
Enter the following command to test the AAA RADIUS interaction for WLAN authentication:
test aaa radius username username password password wlan-id wlan-id [ apgroup apgroupname server-index server-index]
The command takes the following parameters:
- Username and password (both in plain text)
- WLAN ID
- AP group name (optional)
- AAA server index (optional)
This test command sends an Access-Request for client authentication to the RADIUS server. The Access-Request exchange takes place between the Cisco WLC and the AAA server, and the registered RADIUS callback processes the response.
The response contains the authentication status, the retry count, and the RADIUS attributes.
Enter the following command to display the RADIUS response to the test request:
test aaa show radius
Guidelines
- The username and password must both be in plain text, as with MAC authentication.
- If an AP group is entered, the WLAN entered must belong to that AP group.
- If a server index is entered, the RADIUS test request is sent only to that RADIUS server.
- If the RADIUS request gets no response, the request is not sent to any other RADIUS server.
- The RADIUS server at the given server index must be in the enabled state.
- This test command can be used to verify the configuration of, and communication with, the AAA RADIUS server; it must not be used for actual user authentication.
- The AAA server credentials are assumed to be configured as required.
Restrictions
- No GUI support
- No TACACS+ support
Example: Access Accept
(Cisco Controller) > test aaa radius username user1 password Cisco123 wlan-id 7 apgroup default-group server-index 2
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00:00:00:00:00:00:EngineeringV81
Calling-Station-Id 00:11:22:33:44:55
Nas-Port 0x0000000d (13)
Nas-Ip-Address 172.20.227.39
NAS-Identifier WLC5520
Airespace / WLAN-Identifier 0x00000007 (7)
User-Password Cisco123
Service-Type 0x00000008 (8)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Tunnel-Type 0x0000000d (13)
Tunnel-Medium-Type 0x00000006 (6)
Tunnel-Group-Id 0x00000051 (81)
Cisco / Audit-Session-Id ac14e327000000c456131b33
Acct-Session-Id 56131b33/00:11:22:33:44:55/210
test radius auth request successfully sent. Execute 'test aaa show radius' for response
(Cisco Controller) > test aaa show radius
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Server Index................................... 2
Radius Test Response
Radius Server Retry Status
------------- ----- ------
172.20.227.52 1 Success
Authentication Response:
Result Code: Success
Attributes Values
---------- ------
User-Name user1
Class CACS:rs-acs5-6-0-22/230677882/20313
Session-Timeout 0x0000001e (30)
Termination-Action 0x00000000 (0)
Tunnel-Type 0x0000000d (13)
Tunnel-Medium-Type 0x00000006 (6)
Tunnel-Group-Id 0x00000051 (81)
(Cisco Controller) > debug aaa all enable
*emWeb: Oct 06 09:48:12.931: 00:11:22:33:44:55 Sending Accounting request (2) for station
00:11:22:33:44:55
*emWeb: Oct 06 09:48:12.932: 00:11:22:33:44:55 Created Cisco-Audit-Session-ID for the mobile:
ac14e327000000c85613fb4c
*aaaQueueReader: Oct 06 09:48:12.932: User user1 password lengths don't match
*aaaQueueReader: Oct 06 09:48:12.932: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 06 09:48:12.932: AuthenticationRequest: 0x2b6d5ab8
*aaaQueueReader: Oct 06 09:48:12.932: Callback.....................................0x101cd740
*aaaQueueReader: Oct 06 09:48:12.932: protocolType.................................0x40000001
*aaaQueueReader: Oct 06 09:48:12.932: proxyState......................00:11:22:33:44:55-00:00
*aaaQueueReader: Oct 06 09:48:12.932: Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 06 09:48:12.932: Putting the quth request in qid 5, srv=index 1
*aaaQueueReader: Oct 06 09:48:12.932: Request
Authenticator 3c:b3:09:34:95:be:ab:16:07:4a:7f:86:3b:58:77:26
*aaaQueueReader: Oct 06 09:48:12.932: 00:11:22:33:44:55 Sending the packet
to v4 host 172.20.227.52:1812
*aaaQueueReader: Oct 06 09:48:12.932: 00:11:22:33:44:55 Successful transmission of
Authentication Packet (id 13) to 172.20.227.52:1812 from server queue 5,
proxy state 00:11:22:33:44:55-00:00
. . .
*radiusTransportThread: Oct 06 09:48:12.941: 00:11:22:33:44:55 Access-Accept received from
RADIUS server 172.20.227.52 for mobile 00:11:22:33:44:55 receiveId = 0
*radiusTransportThread: Oct 06 09:48:12.941: AuthorizationResponse: 0x146c56b8
*radiusTransportThread: Oct 06 09:48:12.941: structureSize................................263
*radiusTransportThread: Oct 06 09:48:12.941: resultCode...................................0
*radiusTransportThread: Oct 06 09:48:12.941: protocolUsed.................................0x00000001
*radiusTransportThread: Oct 06 09:48:12.941: proxyState.......................00:11:22:33:44:55-00:00
*radiusTransportThread: Oct 06 09:48:12.941: Packet contains 7 AVPs:
*radiusTransportThread: Oct 06 09:48:12.941: AVP[01] User-Name..................user1 (5 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: AVP[02] Class..........CACS:rs-acs5-6-0-22/230677882/20696 (35 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: AVP[03] Session-Timeout........0x0000001e (30) (4 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: AVP[04] Termination-Action....0x00000000 (0) (4 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: AVP[05] Tunnel-Type......0x0100000d (16777229) (4 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: AVP[06] Tunnel-Medium-Type...0x01000006 (16777222) (4 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: AVP[07] Tunnel-Group-Id.......DATA (3 bytes)
*radiusTransportThread: Oct 06 09:48:12.941: Received radius callback for
test aaa radius request result 0 numAVPs 7.
Example: Access Failure
(Cisco Controller) > test aaa radius username user1
password C123 wlan-id 7 apgroup default-group server-index 2
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00:00:00:00:00:00:EngineeringV81
Calling-Station-Id 00:11:22:33:44:55
Nas-Port 0x0000000d (13)
Nas-Ip-Address 172.20.227.39
NAS-Identifier WLC5520
. . .
Tunnel-Type 0x0000000d (13)
Tunnel-Medium-Type 0x00000006 (6)
Tunnel-Group-Id 0x00000051 (81)
Cisco / Audit-Session-Id ac14e327000000c956140806
Acct-Session-Id 56140806/00:11:22:33:44:55/217
test radius auth request successfully sent. Execute 'test aaa show radius' for response
(Cisco Controller) > test aaa show radius
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Server Index................................... 2
Radius Test Response
Radius Server Retry Status
------------- ----- ------
172.20.227.52 1 Success
Authentication Response:
Result Code: Authentication failed
No AVPs in Response
(Cisco Controller) > debug aaa all enable
*emWeb: Oct 06 10:42:30.638: 00:11:22:33:44:55 Sending Accounting request
(2) for station 00:11:22:33:44:55
*emWeb: Oct 06 10:42:30.638: 00:11:22:33:44:55 Created Cisco-Audit-Session-ID for the
mobile: ac14e327000000c956140806
*aaaQueueReader: Oct 06 10:42:30.639: User user1 password lengths don't match
*aaaQueueReader: Oct 06 10:42:30.639: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 06 10:42:30.639: AuthenticationRequest: 0x2b6bdc3c
*aaaQueueReader: Oct 06 10:42:30.639: Callback.....................................0x101cd740
*aaaQueueReader: Oct 06 10:42:30.639: protocolType.................................0x40000001
*aaaQueueReader: Oct 06 10:42:30.639: proxyState......................00:11:22:33:44:55-00:00
*aaaQueueReader: Oct 06 10:42:30.639: Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 06 10:42:30.639: Putting the quth request in qid 5, srv=index 1
*aaaQueueReader: Oct 06 10:42:30.639: Request Authenticator
34:73:58:fd:8f:11:ba:6c:88:96:8c:e5:e0:84:e4:a5
*aaaQueueReader: Oct 06 10:42:30.639: 00:11:22:33:44:55
Sending the packet to v4 host 172.20.227.52:1812
*aaaQueueReader: Oct 06 10:42:30.639: 00:11:22:33:44:55
Successful transmission of Authentication Packet (id 14) to 172.20.227.52:1812 from server queue 5,
proxy state 00:11:22:33:44:55-00:00
. . .
*radiusTransportThread: Oct 06 10:42:30.647: 00:11:22:33:44:55 Access-Reject received from RADIUS
server 172.20.227.52 for mobile 00:11:22:33:44:55 receiveId = 0
*radiusTransportThread: Oct 06 10:42:30.647: 00:11:22:33:44:55 Returning AAA Error
'Authentication Failed' (-4) for mobile 00:11:22:33:44:55
*radiusTransportThread: Oct 06 10:42:30.647: AuthorizationResponse: 0x3eefd664
*radiusTransportThread: Oct 06 10:42:30.647: structureSize................................92
*radiusTransportThread: Oct 06 10:42:30.647: resultCode...................................-4
*radiusTransportThread: Oct 06 10:42:30.647: protocolUsed.................................0xffffffff
*radiusTransportThread: Oct 06 10:42:30.647: proxyState......................00:11:22:33:44:55-00:00
*radiusTransportThread: Oct 06 10:42:30.647: Packet contains 0 AVPs:
*radiusTransportThread: Oct 06 10:42:30.647: Received radius callback for
test aaa radius request result -4 numAVPs 0.
Example: Unresponsive AAA Server
(Cisco Controller) > test aaa radius username user1
password C123 wlan-id 7 apgroup default-group server-index 3
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00:00:00:00:00:00:EngineeringV81
Calling-Station-Id 00:11:22:33:44:55
Nas-Port 0x0000000d (13)
Nas-Ip-Address 172.20.227.39
NAS-Identifier WLC5520
. . .
Tunnel-Group-Id 0x00000051 (81)
Cisco / Audit-Session-Id ac14e327000000ca56140f7e
Acct-Session-Id 56140f7e/00:11:22:33:44:55/218
test radius auth request successfully sent. Execute 'test aaa show radius' for response
(Cisco Controller) >test aaa show radius
previous test command still not completed, try after some time
(Cisco Controller) > test aaa show radius
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Server Index................................... 3
Radius Test Response
Radius Server Retry Status
------------- ----- ------
172.20.227.72 6 No response received from server
Authentication Response:
Result Code: No response received from server
No AVPs in Response
(Cisco Controller) > debug aaa all enable
*emWeb: Oct 06 11:42:20.674: 00:11:22:33:44:55 Sending Accounting request
(2) for station 00:11:22:33:44:55
*emWeb: Oct 06 11:42:20.674: 00:11:22:33:44:55 Created Cisco-Audit-Session-ID for the mobile:
ac14e327000000cc5614160c
*aaaQueueReader: Oct 06 11:42:20.675: User user1 password lengths don't match
*aaaQueueReader: Oct 06 11:42:20.675: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 06 11:42:20.675: AuthenticationRequest: 0x2b6d2414
*aaaQueueReader: Oct 06 11:42:20.675: Callback.....................................0x101cd740
*aaaQueueReader: Oct 06 11:42:20.675: protocolType.................................0x40000001
*aaaQueueReader: Oct 06 11:42:20.675: proxyState........................00:11:22:33:44:55-00:00
*aaaQueueReader: Oct 06 11:42:20.675: Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 06 11:42:20.675: Putting the quth request in qid 5, srv=index 2
*aaaQueueReader: Oct 06 11:42:20.675: Request
Authenticator 03:95:a5:d5:16:cd:fb:60:ef:31:5d:d1:52:10:8e:7e
*aaaQueueReader: Oct 06 11:42:20.675: 00:11:22:33:44:55 Sending the packet
to v4 host 172.20.227.72:1812
*aaaQueueReader: Oct 06 11:42:20.675: 00:11:22:33:44:55 Successful transmission of
Authentication Packet (id 3) to
172.20.227.72:1812 from server queue 5, proxy state 00:11:22:33:44:55-00:00
. . .
*radiusTransportThread: Oct 06 11:42:22.789: 00:11:22:33:44:55 Retransmit the
'Access-Request' (id 3) to 172.20.227.72 (port 1812, qid 5) reached for mobile
00:11:22:33:44:55. message retransmit cnt 1, server retries 15
*radiusTransportThread: Oct 06 11:42:22.790: 00:11:22:33:44:55 Sending the packet to v4 host
172.20.227.72:1812
*radiusTransportThread: Oct 06 11:42:22.790: 00:11:22:33:44:55 Successful transmission of
Authentication Packet (id 3) to 172.20.227.72:1812 from server queue 5, proxy state
00:11:22:33:44:55-00:00
. . .
*radiusTransportThread: Oct 06 11:42:33.991: 00:11:22:33:44:55 Max retransmit
of Access-Request (id 3) to 172.20.227.72 (port 1812, qid 5) reached for mobile
00:11:22:33:44:55. message retransmit cnt 6, server retransmit cnt 20
*radiusTransportThread: Oct 06 11:42:33.991: server_index is provided with test aaa radius request.
Not doing failover.
*radiusTransportThread: Oct 06 11:42:33.991: 00:11:22:33:44:55 Max servers (tried 1)
retransmission of Access-Request (id 3) to 172.20.227.72 (port 1812, qid 5) reached for
mobile 00:11:22:33:44:55. message retransmit cnt 6, server r
*radiusTransportThread: Oct 06 11:42:33.991: 00:11:22:33:44:55 Returning AAA Error
'Timeout' (-5) for mobile 00:11:22:33:44:55
*radiusTransportThread: Oct 06 11:42:33.991: AuthorizationResponse: 0x3eefe934
*radiusTransportThread: Oct 06 11:42:33.991: structureSize................................92
*radiusTransportThread: Oct 06 11:42:33.991: resultCode...................................-5
*radiusTransportThread: Oct 06 11:42:33.991: protocolUsed.................................0xffffffff
*radiusTransportThread: Oct 06 11:42:33.991: proxyState......................00:11:22:33:44:55-00:00
*radiusTransportThread: Oct 06 11:42:33.991: Packet contains 0 AVPs:
*radiusTransportThread: Oct 06 11:42:33.991: Received radius callback for
test aaa radius request result -5 numAVPs 0.
Example: NAS ID
(Cisco Controller) > show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.2.1.82
. . .
System Nas-Id.................................... WLC5520
WLC MIC Certificate Types........................ SHA1
(Cisco Controller) >show interface detailed engineering_v81
Interface Name................................... engineering_v81
MAC Address...................................... 50:57:a8:c7:32:4f
IP Address....................................... 10.10.81.2
. . .
NAS-Identifier................................... v81-nas-id
Active Physical Port............................. LAG (13)
. . .
(Cisco Controller) > test aaa radius username user1
password C123 wlan-id 7 apgroup default-group server-index 2
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00:00:00:00:00:00:EngineeringV81
Calling-Station-Id 00:11:22:33:44:55
Nas-Port 0x0000000d (13)
Nas-Ip-Address 172.20.227.39
NAS-Identifier v81-nas-id
Airespace / WLAN-Identifier 0x00000007 (7)
. . .
(Cisco Controller) > debug aaa all enable
*emWeb: Oct 06 13:54:52.543: 00:11:22:33:44:55 Sending Accounting request
(2) for station 00:11:22:33:44:55
*emWeb: Oct 06 13:54:52.543: 00:11:22:33:44:55 Created Cisco-Audit-Session-ID for the
mobile: ac14e327000000ce5614351c
*aaaQueueReader: Oct 06 13:54:52.544: User user1 password lengths don't match
*aaaQueueReader: Oct 06 13:54:52.544: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 06 13:54:52.544: AuthenticationRequest: 0x2b6bf140
*aaaQueueReader: Oct 06 13:54:52.544: Callback.....................................0x101cd740
*aaaQueueReader: Oct 06 13:54:52.544: protocolType.................................0x40000001
*aaaQueueReader: Oct 06 13:54:52.544: proxyState......................00:11:22:33:44:55-00:00
*aaaQueueReader: Oct 06 13:54:52.544: Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 06 13:54:52.544: Putting the quth request in qid 5, srv=index 1
*aaaQueueReader: Oct 06 13:54:52.544: Request
Authenticator bc:e4:8e:cb:56:9b:e8:fe:b7:f9:a9:04:15:25:10:26
*aaaQueueReader: Oct 06 13:54:52.544: 00:11:22:33:44:55 Sending the packet
to v4 host 172.20.227.52:1812
*aaaQueueReader: Oct 06 13:54:52.544: 00:11:22:33:44:55
Successful transmission of Authentication Packet (id 16) to 172.20.227.52:1812 from server queue 5,
proxy state 00:11:22:33:44:55-00:00
*aaaQueueReader: Oct 06 13:54:52.545: 00000000: 01 10 00 f9 bc e4 8e cb 56 9b e8 fe b7 f9 a9 04 ........V.......
*aaaQueueReader: Oct 06 13:54:52.545: 00000010: 15 25 10 26 01 07 75 73 65 72 31 1e 22 30 30 3a .%.&..user1."00:
*aaaQueueReader: Oct 06 13:54:52.545: 00000020: 30 30 3a 30 30 3a 30 30 3a 30 30 3a 30 30 3a 45 00:00:00:00:00:E
*aaaQueueReader: Oct 06 13:54:52.545: 00000030: 6e 67 69 6e 65 65 72 69 6e 67 56 38 31 1f 13 30 ngineeringV81..0
*aaaQueueReader: Oct 06 13:54:52.545: 00000040: 30 3a 31 31 3a 32 32 3a 33 33 3a 34 34 3a 35 35 0:11:22:33:44:55
*aaaQueueReader: Oct 06 13:54:52.545: 00000050: 05 06 00 00 00 0d 04 06 ac 14 e3 27 20 0c 76 38 ...........'..v8
*aaaQueueReader: Oct 06 13:54:52.545: 00000060: 31 2d 6e 61 73 2d 69 64 1a 0c 00 00 37 63 01 06 1-nas-id....7c..
*aaaQueueReader: Oct 06 13:54:52.545: 00000070: 00 00 00 07 02 12 88 65 4b bf 0c 2c 86 6e b0 c7 .......eK..,.n..
*aaaQueueReader: Oct 06 13:54:52.545: 00000080: 7a c1 67 fa 09 12 06 06 00 00 00 08 0c 06 00 00 z.g.............
*aaaQueueReader: Oct 06 13:54:52.545: 00000090: 05 14 3d 06 00 00 00 13 40 06 00 00 00 0d 41 06 ..=.....@.....A.
*aaaQueueReader: Oct 06 13:54:52.545: 000000a0: 00 00 00 06 51 04 38 31 1a 31 00 00 00 09 01 2b ....Q.81.1.....+
*aaaQueueReader: Oct 06 13:54:52.545: 000000b0: 61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 audit-session-id
*aaaQueueReader: Oct 06 13:54:52.545: 000000c0: 3d 61 63 31 34 65 33 32 37 30 30 30 30 30 30 63 =ac14e327000000c
*aaaQueueReader: Oct 06 13:54:52.545: 000000d0: 65 35 36 31 34 33 35 31 63 2c 20 35 36 31 34 33 e5614351c,.56143
*aaaQueueReader: Oct 06 13:54:52.545: 000000e0: 35 31 63 2f 30 30 3a 31 31 3a 32 32 3a 33 33 3a 51c/00:11:22:33:
*aaaQueueReader: Oct 06 13:54:52.545: 000000f0: 34 34 3a 35 35 2f 32 32 34 44:55/224
*radiusTransportThread: Oct 06 13:54:52.560: 5.client sockfd 35 is set. process the msg
*radiusTransportThread: Oct 06 13:54:52.560: ****Enter processIncomingMessages: Received Radius
response (code=3)
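The Access-Request that the debug output above prints as a hex dump can be decoded attribute by attribute. The Python script below is an added example, not part of this Cisco documentation: it pulls the hex columns out of the debug lines, walks the RADIUS attributes including the Airespace and Cisco vendor-specific ones, validates the length fields, and shows that NAS-Identifier carries the interface-level v81-nas-id, that the packet holds the 16 AVPs the debug reports, and that User-Password is masked on the wire even though the CLI request summary echoes it in clear text. Attribute names follow this page's labels (RFC 2868 calls attribute 81 Tunnel-Private-Group-Id).

```python
import re
import struct
# Access-Request hex dump, copied verbatim from the "debug aaa all enable" output of the NAS ID example above.
DEBUG_DUMP = """\
*aaaQueueReader: Oct 06 13:54:52.545: 00000000: 01 10 00 f9 bc e4 8e cb 56 9b e8 fe b7 f9 a9 04 ........V.......
*aaaQueueReader: Oct 06 13:54:52.545: 00000010: 15 25 10 26 01 07 75 73 65 72 31 1e 22 30 30 3a .%.&..user1."00:
*aaaQueueReader: Oct 06 13:54:52.545: 00000020: 30 30 3a 30 30 3a 30 30 3a 30 30 3a 30 30 3a 45 00:00:00:00:00:E
*aaaQueueReader: Oct 06 13:54:52.545: 00000030: 6e 67 69 6e 65 65 72 69 6e 67 56 38 31 1f 13 30 ngineeringV81..0
*aaaQueueReader: Oct 06 13:54:52.545: 00000040: 30 3a 31 31 3a 32 32 3a 33 33 3a 34 34 3a 35 35 0:11:22:33:44:55
*aaaQueueReader: Oct 06 13:54:52.545: 00000050: 05 06 00 00 00 0d 04 06 ac 14 e3 27 20 0c 76 38 ...........'..v8
*aaaQueueReader: Oct 06 13:54:52.545: 00000060: 31 2d 6e 61 73 2d 69 64 1a 0c 00 00 37 63 01 06 1-nas-id....7c..
*aaaQueueReader: Oct 06 13:54:52.545: 00000070: 00 00 00 07 02 12 88 65 4b bf 0c 2c 86 6e b0 c7 .......eK..,.n..
*aaaQueueReader: Oct 06 13:54:52.545: 00000080: 7a c1 67 fa 09 12 06 06 00 00 00 08 0c 06 00 00 z.g.............
*aaaQueueReader: Oct 06 13:54:52.545: 00000090: 05 14 3d 06 00 00 00 13 40 06 00 00 00 0d 41 06 ..=.....@.....A.
*aaaQueueReader: Oct 06 13:54:52.545: 000000a0: 00 00 00 06 51 04 38 31 1a 31 00 00 00 09 01 2b ....Q.81.1.....+
*aaaQueueReader: Oct 06 13:54:52.545: 000000b0: 61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 audit-session-id
*aaaQueueReader: Oct 06 13:54:52.545: 000000c0: 3d 61 63 31 34 65 33 32 37 30 30 30 30 30 30 63 =ac14e327000000c
*aaaQueueReader: Oct 06 13:54:52.545: 000000d0: 65 35 36 31 34 33 35 31 63 2c 20 35 36 31 34 33 e5614351c,.56143
*aaaQueueReader: Oct 06 13:54:52.545: 000000e0: 35 31 63 2f 30 30 3a 31 31 3a 32 32 3a 33 33 3a 51c/00:11:22:33:
*aaaQueueReader: Oct 06 13:54:52.545: 000000f0: 34 34 3a 35 35 2f 32 32 34 44:55/224
"""

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              12: "Framed-MTU", 30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
              44: "Acct-Session-Id", 61: "NAS-Port-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Group-Id"}
INTEGER_ATTRS = {5, 6, 12, 61, 64, 65}
VSA = {(14179, 1): ("Airespace / WLAN-Identifier", True), (9, 1): ("Cisco / AVPair", False)}  # (name, integer?)

def dump_to_bytes(debug_text: str) -> bytes:
    """Collect the hex columns of the WLC dump lines, ignoring timestamps, offsets and the ASCII column."""
    pairs = re.findall(r"\b[0-9a-f]{8}: ((?:[0-9a-f]{2} )+)", debug_text)
    return bytes.fromhex("".join(pairs))

def decode_attr(a_type: int, value: bytes):
    if a_type == 26:  # Vendor-Specific: vendor-id(4) + sub-type(1) + sub-length(1) + data
        vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
        name, as_int = VSA.get((vendor, sub_type), (f"Vendor-{vendor} / {sub_type}", False))
        data = value[6:4 + sub_len]
        return name, struct.unpack("!I", data)[0] if as_int else data.decode("ascii", "replace")
    name = ATTR_NAMES.get(a_type, f"Attr-{a_type}")
    if a_type == 4:
        return name, ".".join(str(b) for b in value)
    if a_type in INTEGER_ATTRS:
        return name, struct.unpack("!I", value)[0]
    # User-Password (2) is not plain text on the wire: RFC 2865 5.2 XORs it with MD5(shared secret + Request Authenticator)
    return name, value.hex() if a_type == 2 else value.decode("ascii", "replace")

def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator hex, [(name, value), ...]); code 1 is Access-Request."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} captured bytes")
    attrs, pos = [], 20
    while pos < length:
        a_type, a_len = struct.unpack_from("!BB", pkt, pos)  # struct.error if the header itself is cut off
        if a_len < 2 or pos + a_len > length:  # truncated or overlapping attribute
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        attrs.append(decode_attr(a_type, pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, pkt[4:20].hex(), attrs
```

Calling parse_packet(dump_to_bytes(DEBUG_DUMP)) returns the decoded attribute list; feeding the same functions a dump captured from your own controller shows exactly which NAS-Identifier and WLAN identifier the RADIUS server receives.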
Example: Changing the MAC Delimiter
(Cisco Controller) > test aaa radius username user1
password Cisco123 wlan-id 7 apgroup default-group server-index 2
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00-00-00-00-00-00:EngineeringV81
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x0000000d (13)
Nas-Ip-Address 0xac14e327 (-1407917273)
NAS-Identifier WLC5520
. . .
(Cisco Controller) > config radius auth mac-delimiter colon
(Cisco Controller) > test aaa radius username user1 password
Cisco123 wlan-id 7 apgroup default-group server-index 2
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00:00:00:00:00:00:EngineeringV81
Calling-Station-Id 00:11:22:33:44:55
Nas-Port 0x0000000d (13)
.......
Example: RADIUS Fallback
(Cisco Controller) > test aaa radius username user1 password Cisco123 wlan-id 7 apgroup default-group
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Attributes Values
---------- ------
User-Name user1
Called-Station-Id 00:00:00:00:00:00:EngineeringV81
Calling-Station-Id 00:11:22:33:44:55
Nas-Port 0x0000000d (13)
Nas-Ip-Address 172.20.227.39
NAS-Identifier WLC5520
. . .
(Cisco Controller) > test aaa show radius
Radius Test Request
Wlan-id........................................ 7
ApGroup Name................................... default-group
Radius Test Response
Radius Server Retry Status
------------- ----- ------
172.20.227.62 6 No response received from server
172.20.227.52 1 Success
Authentication Response:
Result Code: Success
Attributes Values
---------- ------
User-Name user1
. . .