已有帐户?

  •   个性化内容
  •   您的产品和支持

需要帐户?

创建帐户

使用PEAP、ISE 2.1和WLC 8.3配置802.1x身份验证

下载选项

  • PDF     (488.4 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (909.2 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (1.8 MB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2018 年 10 月 31 日
文档 ID:201044
关于翻译

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

    本文档介绍如何设置具有802.1x安全性的无线局域网(WLAN),以及使用受保护的可扩展身份验证协议(PEAP)作为可扩展身份验证协议(EAP)的虚拟局域网(VLAN)覆盖。

    先决条件

    要求

    Cisco 建议您了解以下主题:

    • 802.1x
    • PEAP
    • 认证机构(CA)
    • 证书

    使用的组件

    本文档中的信息基于以下软件和硬件版本:

    • WLC v8.3.102.0
    • 身份服务引擎(ISE)v2.1
    • Windows 10笔记本电脑 

    本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

    配置

    网络图

    201044-802-1x-authentication-with-PEAP-ISE-2-1-00.jpeg

    配置

    一般步骤如下:

    1. 在WLC上声明RADIUS服务器,反之亦然,以允许彼此通信。
    2. 在WLC中创建服务集标识符(SSID)。
    3. 在ISE上创建身份验证规则。
    4. 在ISE上创建授权配置文件。
    5. 在ISE上创建授权规则。
    6. 配置终端。

    在WLC上声明RADIUS服务器

    为了允许RADIUS服务器与WLC之间的通信,需要在WLC上注册RADIUS服务器,反之亦然。

    GUI:

    步骤1.打开WLC的GUI并导航至SECURITY > RADIUS > Authentication > New,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-01.png

    步骤2.输入RADIUS服务器信息,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-02.png

    CLI:

    > config radius auth add <index> <a.b.c.d> 1812 ascii <shared-key>
> config radius auth disable <index>
> config radius auth retransmit-timeout <index> <timeout-seconds>
> config radius auth enable <index>

    <a.b.c.d>对应于RADIUS服务器。

    创建 SSID

    GUI:

    步骤1.打开WLC的GUI并导航至WLANs > Create New > Go,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-03.png

    步骤2.为SSID和配置文件选择名称,然后单击Apply,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-04.png

    CLI:

    > config wlan create <id> <profile-name> <ssid-name>

    步骤3.将RADIUS服务器分配给WLAN。

    CLI:

    > config wlan radius_server auth add <wlan-id> <radius-index>

    GUI:

    导航至Security > AAA Servers并选择所需的RADIUS服务器,然后按Apply,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-05.png

      

    步骤4.启用允许AAA覆盖并选择性地增加会话超时

    CLI:

    > config wlan aaa-override enable <wlan-id> 
    > config wlan session-timeout <wlan-id> <session-timeout-seconds>

    GUI:

    导航至WLANs > WLAN ID > Advanced并启用Allow AAA Override,或者指定Session Timeout,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-06.png

    步骤5.启用WLAN。

    CLI:

    > config wlan enable <wlan-id>

    GUI:

    导航至WLANs > WLAN ID > General并启用SSID,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-07.png

    在ISE上声明WLC

    步骤1.打开ISE控制台并导航至Administration > Network Resources > Network Devices > Add,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-08.png

    步骤2.输入值。

    或者,它可以是指定的型号名称、软件版本、说明,并根据设备类型、位置或WLC分配网络设备组。

    a.b.c.d对应于发送请求的身份验证的WLC接口。默认情况下,它是管理接口,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-09.png

    有关网络设备组的详细信息,请查看此链接:

    ISE — 网络设备组

    在ISE上创建新用户

    步骤1.导航至Administration > Identity Management > Identities > Users > Add,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-10.png

    步骤2.输入信息。

    在本示例中,此用户属于名为ALL_ACCOUNTS的组,但可以根据需要调整,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-11.png

    创建身份验证规则

    身份验证规则用于验证用户的凭证是否正确(验证用户是否真正是其所说的用户),并限制允许其使用的身份验证方法。

    步骤1.导航至Policy > Authentication,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-12.png

    步骤2.插入新的身份验证规则,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-13.jpeg

    步骤3.输入值。

    此身份验证规则允许在默认网络访问列表下列出的所有协议,这适用于无线802.1x客户端的身份验证请求和Called-Station-ID,并以ise-ssid结尾,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-14.png

    此外,为匹配此身份验证规则的客户端选择身份源。此示例使用内部用户身份源列表,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-15.png

    完成后,单击完成保存,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-16.png

    有关允许协议策略的详细信息,请参阅以下链接:

    允许的协议服务

    有关身份源的详细信息,请参阅以下链接:

    创建用户身份组

    创建授权配置文件

    授权配置文件确定客户端是否具有网络访问权限、推送访问控制列表(ACL)、VLAN覆盖或任何其他参数。本示例中所示的授权配置文件为客户端发送访问接受并将客户端分配给VLAN 2404。

    步骤1.导航至Policy > Policy Elements > Results,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-17.png

    步骤2.添加新的授权配置文件。导航至Authorization > Authorization Profiles > Add,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-18.png

    步骤3.输入图中所示的值。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-19.png

    创建授权规则

    授权规则负责确定将哪些权限(哪个授权配置文件)结果应用于客户端。

    步骤1.导航至Policy > Authorization,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-20.png

    步骤2.插入新规则,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-21.png

    步骤3.输入值。

    首先,为规则和存储用户的身份组(ALL_ACCOUNTS)选择名称,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-22.png

    之后,选择执行授权过程的其他条件以归入此规则。在本示例中,如果授权进程使用802.1x无线且其被叫站ID以ise-ssid结尾,则授权进程会符合此规则,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-23.png

    最后,选择分配给符合该规则的客户端的授权配置文件,单击完成并保存,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-24.png

    终端设备配置

    配置笔记本电脑Windows 10计算机,以使用802.1x身份验证和PEAP/MS-CHAPv2(质询握手身份验证协议的Microsoft版本)版本2连接到SSID。

    在此配置示例中,ISE使用其自签名证书执行身份验证。

    要在Windows计算机上创建WLAN配置文件,有两个选项:

    1. 在计算机上安装自签名证书以验证和信任ISE服务器以完成身份验证。
    2. 绕过RADIUS服务器的验证,并信任用于执行身份验证的任何RADIUS服务器(不推荐,因为它可能会成为安全问题)。

    这些选项的配置将在终端设备配置 — 创建WLAN配置文件 — 步骤7中介绍。

    终端设备配置 — 安装ISE自签名证书

    步骤1.导出自签名证书。

    登录到ISE并导航至Administration > System > Certificates > System Certificates

    然后选择用于EAP身份验证的证书,并单击导出,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-25.png

    将证书保存到所需位置。该证书必须安装在Windows计算机上,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-26.png

    步骤2.在Windows计算机中安装证书。

    将从ISE导出的证书复制到Windows计算机,将文件的扩展名从.pem更改.crt,然后双击该文件以安装它,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-27.png

    步骤3.选择“本地计算机”中安装该设备,然后单击“下一步”,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-28.png

    第4步:选择Place all certificates in the following store,然后浏览并选择Trusted Root Certification Authorities。然后单击Next(下一步),如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-29.png

    步骤5.然后单击“完成”,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-30.png

    步骤6.确认证书的安装,点击,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-31.png

    步骤7.最后,单击OK,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-32.png

    终端设备配置 — 创建WLAN配置文件

    步骤1.右键单击“开始”图标并选择“控制面板”,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-33.png

    步骤2.导航至Network and Internet,然后导航至Network and Sharing Center,并单击Set up a new connection or network,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-34.png

    步骤3.选择Manually connect to a wireless network(手动连接到无线网络),然后单击Next(下一步),如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-35.png

    步骤4.输入名称为SSID的信息,并输入安全类型WPA2-Enterprise,然后单击Next,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-36.png

    步骤5.选择Change connection settings以自定义WLAN配置文件的配置,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-37.png

    步骤6.导航至“安全”选项卡,然后单击“设置”,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-38.png

    步骤7.选择是否验证RADIUS服务器。

    如果是,请启用通过验证证书和来自受信任根证书颁发机构验证服务器身份:列表选择ISE的自签名证书。

    然后选择配置并禁用自动使用Windows登录名和密码……,然后单击确定,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-39.png

    201044-802-1x-authentication-with-PEAP-ISE-2-1-40.png

    步骤8.配置用户凭证。

    返回到Security选项卡后,选择Advanced settings,将身份验证模式指定为User authentication,并保存在ISE上配置的凭据,以便对用户进行身份验证,如图所示。 

    201044-802-1x-authentication-with-PEAP-ISE-2-1-41.png

    201044-802-1x-authentication-with-PEAP-ISE-2-1-42.png

    201044-802-1x-authentication-with-PEAP-ISE-2-1-43.png

    验证

    使用本部分可确认配置能否正常运行。

    身份验证流可以从WLC或ISE角度进行验证。

    WLC上的身份验证过程

    运行下一命令以监控特定用户的身份验证过程:

    > debug client <mac-add-client>
> debug dot1x event enable
> debug dot1x aaa enable

    身份验证成功的示例(省略了一些输出):

    *apfMsConnTask_1: Nov 24 04:30:44.317: e4:b3:18:7c:30:58 Processing assoc-req station:e4:b3:18:7c:30:58 AP:00:c8:8b:26:2c:d0-00 thread:1a5cc288
*apfMsConnTask_1: Nov 24 04:30:44.317: e4:b3:18:7c:30:58 Reassociation received from mobile on BSSID 00:c8:8b:26:2c:d1 AP AP-1700-sniffer
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying site-specific Local Bridging override for station e4:b3:18:7c:30:58 - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying Local Bridging Interface Policy for station e4:b3:18:7c:30:58 - vlan 2400, interface id 0, interface 'management'
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 RSN Capabilities:  60
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Marking Mobile as non-e4:b3:18:7c:30:58 Received 802.11i 802.1X key management suite, enabling dot1x Authentication11w Capable
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Received RSN IE with 1 PMKIDs from mobile e4:b3:18:7c:30:58
*apfMsConnTask_1: Nov 24 04:30:44.319: Received PMKID:  (16)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Searching for PMKID in MSCB PMKID cache for mobile e4:b3:18:7c:30:58
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 No valid PMKID found in the MSCB PMKID cache for mobile e4:b3:18:7c:30:58
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:c8:8b:26:2c:d0 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfMsAssoStateInc
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfPemAddUser2 (apf_policy.c:437) Changing state for mobile e4:b3:18:7c:30:58 on AP 00:c8:8b:26:2c:d0 from Idle to Associated
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfPemAddUser2:session timeout forstation e4:b3:18:7c:30:58 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_1: Nov 24 04:30:44.320: e4:b3:18:7c:30:58 Sending Assoc Response to station on BSSID 00:c8:8b:26:2c:d1 (status 0) ApVapId 2 Slot 0
*spamApTask2: Nov 24 04:30:44.323: e4:b3:18:7c:30:58 Successful transmission of LWAPP Add-Mobile to AP 00:c8:8b:26:2c:d0
*spamApTask2: Nov 24 04:30:44.325: e4:b3:18:7c:30:58 Received ADD_MOBILE ack - Initiating 1x to STA e4:b3:18:7c:30:58 (idx 55)
*spamApTask2: Nov 24 04:30:44.325: e4:b3:18:7c:30:58 Sent dot1x auth initiate message for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 reauth_sm state transition 0 ---> 1 for mobile e4:b3:18:7c:30:58 at 1x_reauth_sm.c:47
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Station e4:b3:18:7c:30:58 setting dot1x reauth timeout = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Stopping reauth timeout for e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Connecting state
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Sending EAP-Request/Identity to mobile e4:b3:18:7c:30:58 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Received EAPOL EAPPKT from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Received Identity Response (count=1) from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Resetting reauth count 1 to 0 for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 EAP State update from Connecting to Authenticating for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Authenticating state
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Entering Backend Auth Response state for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Created Acct-Session-ID (58366cf4/e4:b3:18:7c:30:58/367) for the mobile
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.386: e4:b3:18:7c:30:58 Processing Access-Challenge for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Entering Backend Auth Req state (id=215) for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 WARNING: updated EAP-Identifier 1 ===> 215 for STA e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Sending EAP Request from AAA to mobile e4:b3:18:7c:30:58 (EAP Id 215)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Allocating EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Received EAPOL EAPPKT from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Received EAP Response from mobile e4:b3:18:7c:30:58 (EAP Id 215, EAP Type 3)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Resetting reauth count 0 to 0 for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Entering Backend Auth Response state for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Processing Access-Challenge for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Entering Backend Auth Req state (id=216) for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Sending EAP Request from AAA to mobile e4:b3:18:7c:30:58 (EAP Id 216)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Reusing allocated memory for  EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
.
.
.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Processing Access-Accept for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Resetting web IPv4 Flex acl from 65535 to 65535
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Username entry (user1) created for mobile, length = 253
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Found an interface name:'vlan2404' corresponds to interface name received: vlan2404
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 override for default ap group, marking intgrp NULL
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 2400
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Re-applying interface policy for client
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Inserting AAA Override struct for mobile
        MAC: e4:b3:18:7c:30:58, source 4
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Applying override policy from source Override Summation: with value 200
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Found an interface name:'vlan2404' corresponds to interface name received: vlan2404
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Applying Interface(vlan2404) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 2400
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Re-applying interface policy for client
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Setting re-auth timeout to 0 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Station e4:b3:18:7c:30:58 setting dot1x reauth timeout = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Stopping reauth timeout for e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Creating a PKC PMKID Cache entry for station e4:b3:18:7c:30:58 (RSN 2)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Resetting MSCB PMK Cache Entry 0 for station e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Adding BSSID 00:c8:8b:26:2c:d1 to PMKID cache at index 0 for station e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531:      [0000] cc 3a 3d 26 80 17 8b f1 2d c5 cd fd a0 8a c4 39
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Updating AAA Overrides from local for station
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Adding Audit session ID payload in Mobility handoff
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Sending EAP-Success to mobile e4:b3:18:7c:30:58 (EAP Id 223)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Freeing AAACB from Dot1xCB as AAA auth is done for  mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Found an cache entry for BSSID 00:c8:8b:26:2c:d1 in PMKID cache at index 0 of station e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: Including PMKID in M1  (16)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532:      [0000] cc 3a 3d 26 80 17 8b f1 2d c5 cd fd a0 8a c4 39
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: M1 - Key Data: (22)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532:      [0000] dd 14 00 0f ac 04 cc 3a 3d 26 80 17 8b f1 2d c5
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532:      [0016] cd fd a0 8a c4 39
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Starting key exchange to mobile e4:b3:18:7c:30:58, data packets will be dropped
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Sending EAPOL-Key Message to mobile e4:b3:18:7c:30:58
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Reusing allocated memory for  EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Entering Backend Auth Success state (id=223) for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Received Auth Success while in Authenticating state for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Authenticated state
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Received EAPOL-Key from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Received EAPOL-key in PTK_START state (message 2) from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Successfully computed PTK from PMK!!!
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Received valid MIC in EAPOL Key Message M2!!!!!
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Not Flex client. Do not distribute PMK Key cache.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Stopping retransmission timer for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Sending EAPOL-Key Message to mobile e4:b3:18:7c:30:58
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Reusing allocated memory for  EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Received EAPOL-Key from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Stopping retransmission timer for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Freeing EAP Retransmit Bufer for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMsPeapSimReqCntInc
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMsPeapSimReqSuccessCntInc
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Mobility query, PEM State: L2AUTHCOMPLETE
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Building Mobile Announce :
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58   Building Client Payload:
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Client Ip: 0.0.0.0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Client Vlan Ip: 172.16.0.134, Vlan mask : 255.255.255.224
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Client Vap Security: 16384
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Virtual Ip: 7.7.7.7
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     ssid: ise-ssid
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58   Building VlanIpPayload.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:c8:8b:26:2c:d0 vapId 2 apVapId 2 flex-acl-name:
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6677, Adding TMP rule
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:c8:8b:26:2c:d0, slot 0, interface = 1, QOS = 0
  IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 12  Local Bridging Vlan = 2400, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Successfully Plumbed PTK session Keysfor mobile e4:b3:18:7c:30:58
*spamApTask2: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Successful transmission of LWAPP Add-Mobile to AP 00:c8:8b:26:2c:d0
*pemReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Local
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 172.16.0.3
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6315, Adding TMP rule
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  IPv4 ACL ID = 255,
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 12  Local Bridging Vlan = 2400, Local Bridging intf id = 0
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*pemReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 Sent an XID frame
*dtlArpTask: Nov 24 04:30:47.932: e4:b3:18:7c:30:58 Static IP client associated to interface vlan2404 which can support client subnet.
*dtlArpTask: Nov 24 04:30:47.933: e4:b3:18:7c:30:58 apfMsRunStateInc
*dtlArpTask: Nov 24 04:30:47.933: e4:b3:18:7c:30:58 172.16.0.151 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

    要轻松读取调试客户端输出,请使用无线调试分析器工具:

    无线调试分析器

    ISE上的身份验证过程

    导航至操作> RADIUS >实时日志,以查看为用户分配的身份验证策略、授权策略和授权配置文件。 

    有关详细信息,请单击Details以查看更详细的身份验证过程,如图所示。

    201044-802-1x-authentication-with-PEAP-ISE-2-1-44.png

    故障排除

    目前没有针对此配置的故障排除信息。

    TAC Authored

    由思科工程师提供

    • Karla Cisneros Galvan
      Cisco TAC Engineer

    此文档是否有帮助?

    Feedback反馈

    联系我们

    相关的思科社区讨论

    本文档适用于以下产品