Introduction
This document describes how to configure Local EAP (Extensible Authentication Protocol) on the Catalyst 9800 WLC (Wireless LAN Controller), that is, the WLC itself acting as the authentication server for wireless clients in the role an external RADIUS server would normally play.
Prerequisites
Requirements
This document assumes you are familiar with the basic configuration of a WLAN on the 9800 WLC and focuses only on the WLC acting as a Local EAP server for wireless clients.
Components Used
The information in this document is based on devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Catalyst 9800 on version 16.12.1s
Configure
Network Diagram

Main Local EAP Configuration
Step 1. Local EAP profile
In the 9800 Web UI, go to Configuration > Security > Local EAP.

Select Add.
Enter a profile name.
LEAP is strongly discouraged because of its weak security. The other three EAP methods (EAP-FAST, EAP-TLS and PEAP) require you to configure a trustpoint: the 9800, acting as the EAP authentication server here, must present a certificate that the client can trust.
Clients do not trust the default WLC certificate, so you must either disable server certificate validation on the client (not recommended) or install a certificate trustpoint on the 9800 WLC that the client already trusts (or import the certificate manually into the client trust store). A client that skips server validation will hand its credentials, or at least its MSCHAPv2 response, to any rogue access point advertising the same SSID, which is why the trusted-certificate path is the one to use.

CLI (the profile name must match the one referenced by the WLAN in Step 5):
(config)#eap profile mylocaleap
(config-eap-profile)#method peap
(config-eap-profile)#pki-trustpoint admincert
Step 2. AAA authentication method
You need an AAA dot1x method that also points to local, so that the local user database is used (an external LDAP lookup is possible as well).
Go to Configuration > Security > AAA, then to the AAA Method List tab under Authentication. Select Add.
Choose the "dot1x" type and the local group type.

Step 3. Configure the AAA authorization method
Go to the Authorization sub-tab, create a new method of type credential-download and point it to local.
Do the same for the network authorization type.
CLI:
(config)#aaa new-model
(config)#aaa authentication dot1x default local
(config)#aaa authorization credential-download default local
(config)#aaa local authentication default authorization default
(config)#aaa authorization network default local
Step 4. Configure the local advanced methods
Go to the AAA Advanced tab.
Define the local authentication and authorization methods. Since this example uses the "default" credential-download and "default" dot1x methods, set the local authentication and local authorization drop-downs here to default.
If you defined named methods instead, choose "Method list" in the drop-down; a further field then lets you enter the method name.

CLI:
aaa local authentication default authorization default
Step 5. Configure the WLAN
You can then configure the 802.1X security of the WLAN with the Local EAP profile and the AAA authentication method defined in the previous steps.
Go to Configuration > Tags and Profiles > WLANs > + Add
Provide an SSID and a profile name.
Dot1x security is selected by default under Layer 2.
Under AAA, select Local EAP Authentication, then choose the Local EAP profile and the AAA Authentication list from the drop-downs.

CLI:
(config)#wlan localpeapssid 1 localpeapssid
(config-wlan)#security dot1x authentication-list default
(config-wlan)#local-auth mylocaleap
Step 6. Create one or more users
In the CLI, the user must be of type network-user. Here is an example of a user created in the CLI (the 0 keyword means the password is typed in clear text on the command line):
(config)#user-name 1xuser
 creation-time 1572730075
 description 1xuser
 password 0 Cisco123
 type network-user description 1xuser
A user created in the CLI is visible in the Web UI, but as of 16.12 a user created in the Web UI cannot be set as a network-user.
Step 7. Create a policy profile and a policy tag, and map this WLAN profile to the policy profile
Go to Configuration > Tags and profiles > Policy
Create a policy profile for the WLAN.
This example shows a FlexConnect local switching but central authentication scenario on VLAN 1468; what you need depends on your network.

Go to Configuration > Tags and profiles > Tags
Assign the WLAN to the policy profile inside the tag.

Step 8. Deploy the policy tag to the access points.
In this case, for a single AP, the tag can be assigned directly on the AP.
Go to Configuration > Wireless > Access Points and select the AP to configure.
Make sure the assigned tag is the one you configured.
Verify
The main configuration lines are as follows:
aaa new-model
aaa authentication dot1x default local
aaa authorization credential-download default local
aaa local authentication default authorization default
eap profile mylocaleap
method peap
pki-trustpoint admincert
user-name 1xuser
creation-time 1572730075
description 1xuser
password 0 Cisco123
type network-user description 1xuser
wlan ndarchis_leap 1 ndarchis_leap
local-auth mylocaleap
security dot1x authentication-list default
no shutdown
Troubleshoot
Note that Cisco IOS-XE 16.12 and earlier only supports TLS 1.0 for local EAP authentication, which can cause problems as clients increasingly support only TLS 1.2. Cisco IOS-XE 17.1 and later supports TLS 1.2 as well as TLS 1.0.
To troubleshoot a specific client that fails to connect, use RadioActive Tracing. Go to Troubleshooting > RadioActive Trace and add the client MAC address.
Select Start to enable tracing for that client.

Once the problem has been reproduced, select the Generate button to produce a file containing the debug output.
Example of a client that fails to connect because of a wrong password:
2019/10/30 14:54:00.781 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 8, EAP-Type = EAP-FAST
2019/10/30 14:54:00.781 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - REQUEST, ID : 0x5
2019/10/30 14:54:00.784 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Received EAPOL packet - Version : 1,EAPOL Type : EAP, Payload Length : 204, EAP-Type = EAP-FAST
2019/10/30 14:54:00.784 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - RESPONSE, ID : 0x5
2019/10/30 14:54:00.785 {wncd_x_R0-0}{2}: [caaa-authen] [23294]: (info): [CAAA:AUTHEN:66000006] DEBUG: mlist=(null) for type=0
2019/10/30 14:54:00.788 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 85, EAP-Type = EAP-FAST
2019/10/30 14:54:00.788 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - REQUEST, ID : 0x6
2019/10/30 14:54:00.791 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Received EAPOL packet - Version : 1,EAPOL Type : EAP, Payload Length : 6, EAP-Type = EAP-FAST
2019/10/30 14:54:00.791 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - RESPONSE, ID : 0x6
2019/10/30 14:54:00.791 {wncd_x_R0-0}{2}: [caaa-authen] [23294]: (info): [CAAA:AUTHEN:66000006] DEBUG: mlist=(null) for type=0
2019/10/30 14:54:00.792 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 59, EAP-Type = EAP-FAST
2019/10/30 14:54:00.792 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - REQUEST, ID : 0x7
2019/10/30 14:54:00.795 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Received EAPOL packet - Version : 1,EAPOL Type : EAP, Payload Length : 75, EAP-Type = EAP-FAST
2019/10/30 14:54:00.795 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - RESPONSE, ID : 0x7
2019/10/30 14:54:00.795 {wncd_x_R0-0}{2}: [caaa-authen] [23294]: (info): [CAAA:AUTHEN:66000006] DEBUG: mlist=(null) for type=0
2019/10/30 14:54:00.796 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 91, EAP-Type = EAP-FAST
2019/10/30 14:54:00.796 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - REQUEST, ID : 0x8
2019/10/30 14:54:00.804 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Received EAPOL packet - Version : 1,EAPOL Type : EAP, Payload Length : 123, EAP-Type = EAP-FAST
2019/10/30 14:54:00.804 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - RESPONSE, ID : 0x8
2019/10/30 14:54:00.804 {wncd_x_R0-0}{2}: [caaa-authen] [23294]: (info): [CAAA:AUTHEN:66000006] DEBUG: mlist=(null) for type=0
2019/10/30 14:54:00.805 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 139, EAP-Type = EAP-FAST
2019/10/30 14:54:00.805 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - REQUEST, ID : 0x9
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Received EAPOL packet - Version : 1,EAPOL Type : EAP, Payload Length : 75, EAP-Type = EAP-FAST
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - RESPONSE, ID : 0x9
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [caaa-authen] [23294]: (info): [CAAA:AUTHEN:66000006] DEBUG: mlist=(null) for type=0
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [eap] [23294]: (info): FAST:EAP_FAIL from inner method MSCHAPV2
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 59, EAP-Type = EAP-FAST
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - REQUEST, ID : 0xa
2019/10/30 14:54:00.811 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Received EAPOL packet - Version : 1,EAPOL Type : EAP, Payload Length : 59, EAP-Type = EAP-FAST
2019/10/30 14:54:00.811 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] EAP Packet - RESPONSE, ID : 0xa
2019/10/30 14:54:00.811 {wncd_x_R0-0}{2}: [caaa-authen] [23294]: (info): [CAAA:AUTHEN:66000006] DEBUG: mlist=(null) for type=0
2019/10/30 14:54:00.812 {wncd_x_R0-0}{2}: [eap-auth] [23294]: (info): FAIL for EAP method name: EAP-FAST on handle 0xBD000006
2019/10/30 14:54:00.812 {wncd_x_R0-0}{2}: [dot1x] [23294]: (info): [e836.171f.a162:capwap_90000004] Raised identity update event for eap method EAP-FAST
2019/10/30 14:54:00.813 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (e836.171f.a162) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423A Username: fakeuser
2019/10/30 14:54:00.813 {wncd_x_R0-0}{2}: [auth-mgr] [23294]: (info): [e836.171f.a162:capwap_90000004] Authc failure from Dot1X, Auth event fail
Trace on failure
Even without debugs enabled, you can check the list of failure events for a given MAC address with the trace-on-failure command.
In the next example, the AAA method was missing at first (AAA Server Down event) and a few minutes later the client used wrong credentials.
The command is show logging trace-on-failure summary in release 16.12 and earlier, and show logging profile wireless (filter mac <mac>) trace-on-failure in Cisco IOS-XE 17.1 and later. There is no technical difference, except that 17.1 and later lets you filter on the client MAC address.
Nico9800#show logging profile wireless filter mac e836.171f.a162 trace-on-failure
Displaying logs from the last 0 days, 0 hours, 10 minutes, 0 seconds
executing cmd on chassis 2 ...
sending cmd to chassis 1 ...
Collecting files on current[1] chassis.
# of files collected = 30
Collecting files on current[2] chassis.
# of files collected = 30
Collecting files from chassis 1.
Time UUID Log
----------------------------------------------------------------------------------------------------
2019/10/30 14:51:04.438 0x0 SANET_AUTHC_FAILURE - AAA Server Down username , audit session id 000000000000000F1D260BB0,
2019/10/30 14:58:04.424 0x0 e836.171f.a162 CLIENT_STAGE_TIMEOUT State = AUTHENTICATING, WLAN profile = ndarchis_leap, Policy profile = leap, AP name = LABap_2802
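The two failure formats shown above, the %DOT1X-5-FAIL syslog line in the RadioActive trace and the trace-on-failure summary rows, are regular enough to parse for alerting. The following Python script is an added example, not code from the original page or from Cisco: it extracts the MAC, reason, username and audit session ID from both formats, sorts each failure into a small set of categories, and flags a client that has burned through several usernames with bad credentials, which is what distinguishes a guessing attempt from a single mistyped password or a missing AAA method. The sample lines reuse the log lines shown on this page; the additional Cred Fail lines, the second MAC 0011.2233.4455, the usernames and the 5-failure threshold are constructed for illustration.

```python
"""Parse Catalyst 9800 802.1X failure records (RadioActive-trace %DOT1X-5-FAIL
lines and trace-on-failure summary rows), classify them and count per client.

Added example, not Cisco's code. SAMPLE_LOG reuses the page's log lines; the
repeated Cred Fail lines, MAC 0011.2233.4455 and GUESS_THRESHOLD are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

GUESS_THRESHOLD = 5  # assumption: this many bad-credential failures from one MAC deserves a look

# %DOT1X-5-FAIL syslog line as emitted by wncd in a RadioActive trace
DOT1X_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) .*?%DOT1X-5-FAIL: "
    r"Authentication failed for client \((?P<mac>[0-9a-f.]+)\) with reason "
    r"\((?P<reason>[^)]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<session>[0-9A-Fa-f]+)(?: Username: (?P<user>\S+))?"
)
# trace-on-failure row: "<ts> <uuid> [<mac>] <EVENT> - <detail>" or "<EVENT> <detail>"
TOF_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<uuid>0x[0-9a-fA-F]+) "
    r"(?:(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) )?"
    r"(?P<event>[A-Z][A-Z_]+)(?: - | )(?P<detail>.*)$"
)

SAMPLE_LOG = """\
2019/10/30 14:54:00.808 {wncd_x_R0-0}{2}: [eap] [23294]: (info): FAST:EAP_FAIL from inner method MSCHAPV2
2019/10/30 14:54:00.813 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (e836.171f.a162) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423A Username: fakeuser
2019/10/30 14:54:12.101 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (e836.171f.a162) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423B Username: admin
2019/10/30 14:54:25.417 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (e836.171f.a162) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423C Username: root
2019/10/30 14:54:39.920 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (e836.171f.a162) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423D Username: guest
2019/10/30 14:54:53.004 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (e836.171f.a162) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423E Username: test
2019/10/30 14:55:10.336 {wncd_x_R0-0}{2}: [errmsg] [23294]: (note): %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) with reason (Cred Fail) on Interface capwap_90000004 AuditSessionID 00000000000000101D28423F Username: alice
2019/10/30 14:51:04.438 0x0 SANET_AUTHC_FAILURE - AAA Server Down username , audit session id 000000000000000F1D260BB0,
2019/10/30 14:58:04.424 0x0 e836.171f.a162 CLIENT_STAGE_TIMEOUT State = AUTHENTICATING, WLAN profile = ndarchis_leap, Policy profile = leap, AP name = LABap_2802
"""


@dataclass
class Failure:
    ts: str
    mac: Optional[str]           # None for records without a client MAC (e.g. AAA server down)
    category: str                # bad-credentials / aaa-unavailable / timeout / other
    reason: str
    username: Optional[str] = None
    session: Optional[str] = None


def categorize(reason: str) -> str:
    """Map the controller's free-text reason onto a few actionable buckets."""
    r = reason.lower()
    if "cred fail" in r:
        return "bad-credentials"   # wrong password or unknown user
    if "aaa server down" in r:
        return "aaa-unavailable"   # no usable dot1x / credential-download method
    if "timeout" in r:
        return "timeout"           # client stalled in a state-machine stage
    return "other"


def parse_line(line: str) -> Optional[Failure]:
    """Return a Failure for a recognised failure line, None for anything else."""
    m = DOT1X_FAIL_RE.match(line)
    if m:
        return Failure(m["ts"], m["mac"], categorize(m["reason"]), m["reason"],
                       username=m["user"], session=m["session"])
    m = TOF_RE.match(line)
    if m:
        detail = m["detail"].strip()
        reason = f"{m['event']}: {detail}"
        user = re.search(r"username (\S*?)\s*,", detail)      # "username ," -> empty -> None
        sid = re.search(r"audit session id ([0-9A-Fa-f]+)", detail)
        return Failure(m["ts"], m["mac"], categorize(reason), reason,
                       username=(user.group(1) or None) if user else None,
                       session=sid.group(1) if sid else None)
    return None


def parse_failures(lines: Iterable[str]) -> List[Failure]:
    return [f for f in (parse_line(l.rstrip("\n")) for l in lines) if f is not None]


def per_client(failures: Iterable[Failure]) -> Dict[str, Counter]:
    """Category counts keyed by client MAC ("<no-mac>" when the record has none)."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for f in failures:
        table[f.mac or "<no-mac>"][f.category] += 1
    return table


def guessing_clients(failures: Iterable[Failure], threshold: int = GUESS_THRESHOLD) -> Dict[str, List[str]]:
    """MACs with at least `threshold` bad-credential failures, with the usernames they tried."""
    tried: Dict[str, List[str]] = defaultdict(list)
    for f in failures:
        if f.category == "bad-credentials" and f.mac:
            tried[f.mac].append(f.username or "<anonymous>")
    return {mac: users for mac, users in tried.items() if len(users) >= threshold}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    for mac, counts in per_client(fails).items():
        print(f"{mac:16} {dict(counts)}")
    for mac, users in guessing_clients(fails).items():
        print(f"possible password guessing from {mac}: {len(users)} failures, usernames {users}")
```

Run it against the file produced by the Generate button or the output of show logging profile wireless trace-on-failure. The EAP_FAIL line from the inner method is deliberately not parsed: the %DOT1X-5-FAIL line that follows it carries the MAC, the audit session ID and the username, so it is the one worth keying on. A record with no MAC (the AAA Server Down row) is a controller-side configuration problem rather than a client problem, and the script keeps it separate under "<no-mac>".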