簡介
本檔案介紹如何在Catalyst 9000系列交換器上設定、驗證和疑難排解802.1x網路存取控制(NAC)。
必要條件
需求
思科建議您瞭解這些主題。
- Catalyst 9000 系列交換器
- 身分識別服務引擎 (ISE)
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Catalyst 9300
- Catalyst 9400
- Catalyst 9500
- Catalyst 9600
- Cisco IOS® XE 17.6.x及更高版本
- ISE-VM-K9版本3.0.0.458
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
注意:有關用於在其他Cisco平台上啟用這些功能的命令,請參閱相應的配置指南。
背景資訊
802.1x標準定義了基於客戶端伺服器的訪問控制和身份驗證協定,防止未經授權的客戶端通過可公開訪問的埠連線到LAN,除非它們經過正確身份驗證。身份驗證伺服器在使交換機或LAN提供的任何服務可用之前,對連線到交換機埠的每個客戶端進行身份驗證。
802.1x身份驗證包括3個不同的元件:
SupplicantAnt — 提交憑據以進行身份驗證的客戶端
Authenticator — 在客戶端與網路之間提供網路連線並可允許或阻止網路流量的網路裝置。
驗證服務器 — 可以接收和響應網路訪問請求的伺服器,告訴驗證器是否可以允許連線,以及適用於驗證會話的各種其他設定。
本文檔的目標讀者是工程師和支援人員,他們未必關注安全性。有關802.1x基於埠的身份驗證和元件(如ISE)的詳細資訊,請參閱相應的配置指南。
注意:有關最準確的預設802.1x身份驗證配置,請參閱適用於您的特定平台和代碼版本的相應配置指南。
基本配置
本節介紹實施802.1x連線埠型驗證所需的基本設定。其他功能說明可以在本文檔的附錄頁籤中找到。不同版本之間的配置標準略有不同。根據當前的版本配置指南驗證您的配置。
在配置802.1x基於後端的身份驗證之前,必須啟用身份驗證、授權和帳戶(AAA),並且必須建立方法清單。
- 方法清單描述了要查詢以驗證使用者的順序和驗證方法。
- 還必須全域性啟用802.1x。
C9300> enable
C9300# configure terminal
C9300(config)# aaa new-model
C9300(config)# aaa authentication dot1x default group radius
C9300(config)# dot1x system-auth-control
在交換器上定義RADIUS伺服器
C9300(config)# radius server RADIUS_SERVER_NAME
C9300(config-radius-server)# address ipv4 10.0.1.12
C9300(config-radius-server)# key rad123
C9300(config-radius-server)# exit
在客戶端介面上啟用802.1x。
C9300(config)# interface TenGigabitEthernet 1/0/4
C9300(config-if)# switchport mode access
C9300(config-if)# authentication port-control auto
C9300(config-if)# dot1x pae authenticator
C9300(config-if)# end
驗證配置和操作
本節提供有關801.1x以及如何驗證配置和操作的背景資訊。
802.1x簡介
802.1x涉及兩種不同的流量型別 — 使用EAPoL(使用LAN的可擴充驗證通訊協定)的使用者端到驗證器(點對點)流量和透過RADIUS封裝的驗證器到驗證伺服器流量。
此圖表示簡單的dot1x事務的資料流
驗證器(交換器)和驗證伺服器(例如ISE)通常由第3層分開。RADIUS流量會在驗證器和伺服器之間透過網路路由。EAPoL流量在請求方(客戶端)和驗證方之間的直接鏈路上交換。
請注意,MAC學習發生在身份驗證和授權之後。
在處理涉及802.1x的問題時,請記住以下幾個問題:
- 配置是否正確?
- 身份驗證伺服器是否可訪問?
- Authentication Manager的狀態是什麼?
- 客戶端與身份驗證器之間或身份驗證器與身份驗證伺服器之間的資料包傳遞是否存在任何問題?
組態
某些組態會在主要版本之間略有不同。請參閱相關配置指南,瞭解平台/代碼特定指南。
必須將AAA配置為使用802.1x基於埠的身份驗證。
- 必須為「dot1x」建立驗證方法列表。這表示啟用802.1X的通用AAA配置。
C9300#show running-config | section aaa
aaa new-model <-- This enables AAA.
aaa group server radius ISEGROUP <-- This block establishes a RADIUS server group named "ISEGROUP".
server name DOT1x
ip radius source-interface Vlan1
aaa authentication dot1x default group ISEGROUP <-- This line establishes the method list for 802.1X authentication. Group ISEGROUP is be used.
aaa authorization network default group ISEGROUP
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISEGROUP
C9300#show running-config | section radius
aaa group server radius ISEGROUP
server name DOT1x
ip radius source-interface Vlan1 <-- Notice 'ip radius source-interface' configuration exists in both global configuration and the aaa server group block. These need to agree if configured in both places.
ip radius source-interface Vlan1
radius server DOT1x
address ipv4 10.122.141.228 auth-port 1812 acct-port 1813 <-- 1812 and 1813 are default auth-port and acct-port, respectively.
key secretKey
以下是啟用802.1x的介面組態範例。MAB(MAC Authentication Bypass)是一種常用的備份方法,用於對不支援dot1x請求方的客戶端進行身份驗證。
C9300#show running-config interface te1/0/4
Building configuration...
Current configuration : 148 bytes
!
interface TenGigabitEthernet1/0/4
switchport access vlan 50
switchport mode access
authentication order dot1x mab <-- Specifies authentication order, dot1x and then mab
authentication priority dot1x mab <-- Specifies authentication priority, dot1x and then mab
authentication port-control auto <-- Enables 802.1x dynamic authentication on the port
mab <-- Enables MAB
dot1x pae authenticator <-- Puts interface into "authenticator" mode.
end
判斷是否使用「show mac address-table interface <interface>」在介面上得知MAC位址。成功通過驗證後,介面只獲知MAC地址。
C9300#show mac address-table interface te1/0/4
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
50 0800.2766.efc7 STATIC Te1/0/4 <-- The "type" is STATIC and the MAC persists until the authentication session is cleared.
Total Mac Addresses for this criterion: 1
驗證作業階段
Show命令可用於驗證802.1x身份驗證。
使用「show authentication sessions」或「show authentication sessions <interface>」顯示有關當前身份驗證會話的資訊。在本例中,只有Te1/0/4已建立主動驗證作業階段。
C9300#show authentication sessions interface te1/0/4
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Te1/0/4 0800.2766.efc7 dot1x DATA Auth 13A37A0A0000011DC85C34C5 <-- "Method" and "Domain" in this example are dot1x and DATA, respectfully. Multi-domain authentication is supported.
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
13 5 dot1xSup
1 5 dot1x
2 10 webauth
14 15 mab
"Show authentication sessions interface <interface>details"提供了有關特定介面身份驗證會話的其他詳細資訊。
C9300#show authentication session interface te1/0/4 details
Interface: TenGigabitEthernet1/0/4
IIF-ID: 0x14D66776
MAC Address: 0800.2766.efc7
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: alice
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 152363s
Common Session ID: 13A37A0A0000011DC85C34C5
Acct Session ID: 0x00000002
Handle: 0xe8000015
Current Policy: POLICY_Te1/0/4 <-- If a post-authentication ACL is applied, it is listed here.
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Server Policies:
Method status list:
Method State
dot1x Authc Success <-- This example shows a successful 801.1x authentication session.
如果在介面上啟用了身份驗證,但是沒有活動會話,將顯示可運行的方法清單。還顯示「No sessions match provided criteria」。
C9300#show authentication sessions interface te1/0/5
No sessions match supplied criteria.
Runnable methods list:
Handle Priority Name
13 5 dot1xSup
1 5 dot1x
2 10 webauth
14 15 mab
如果介面上未啟用驗證,則介面上未偵測到驗證管理員存在。還顯示「No sessions match provided criteria」。
C9300#show authentication sessions interface te1/0/6
No sessions match supplied criteria.
No Auth Manager presence on this interface
可連線到驗證伺服器
802.1x身份驗證成功的前提條件是無法訪問身份驗證伺服器。
使用「ping <server_ip>」可快速測試可連線。確保您的ping來源是RADIUS來源介面。
C9300#ping 10.122.141.228 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.122.141.228, timeout is 2 seconds:
Packet sent with a source address of 10.122.163.19
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
命令「show aaa servers」用於標識伺服器狀態,並提供有關所有已配置AAA伺服器事務的統計資訊。
C9300#show aaa servers
RADIUS: id 3, priority 1, host 10.122.141.228, auth-port 1812, acct-port 1813, hostname DOT1x <-- Specific server
State: current UP, duration 84329s, previous duration 0s <-- Current State
Dead: total time 0s, count 1
Platform State from SMD: current UP, duration 24024s, previous duration 0s
SMD Platform Dead: total time 0s, count 45
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 510, timeouts 468, failover 0, retransmission 351 <-- Authentication Statistics
Response: accept 2, reject 2, challenge 38
Response: unexpected 0, server error 0, incorrect 12, time 21ms
Transaction: success 42, failure 117
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 42, avg response time: 21ms
Transaction: timeouts 114, failover 0
Transaction: total 118, success 2, failure 116
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 3, timeouts 0, failover 0, retransmission 0
Request: start 2, interim 0, stop 1
Response: start 2, interim 0, stop 1
Response: unexpected 0, server error 0, incorrect 0, time 11ms
Transaction: success 3, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 1d3h4m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 115
SMD Platform : max 113, current 0 total 113
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 2, current 2 total 2
Consecutive Timeouts: total 466
SMD Platform : max 455, current 0 total 455
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 11, current 11 total 11
Requests per minute past 24 hours:
high - 23 hours, 25 minutes ago: 4
low - 3 hours, 4 minutes ago: 0
average: 0
使用「test aaa」實用程式確認交換機與身份驗證伺服器之間的連通性。請注意,此實用程式已棄用,不能無限期使用。
C9300#debug radius <-- Classic Cisco IOS debugs are only useful in certain scenarios. See "Cisco IOS XE Debugs" for details.
C9300#test aaa group ISE username password new-code <-- This sends a RADIUS test probe to the identified server. The username and password is meant to elicit a rejection from RADIUS.
User rejected <-- This means that the RADIUS server received our test probe, but rejected our user. We can conclude the server is reachable and listening on the configured auth-port.
*Jul 16 21:05:57.632: %PARSER-5-HIDDEN: Warning!!! ' test platform-aaa group server-group ISE user-name username password new-code blocked count delay level profile rate users ' is a hidden command. Use of this command is not recommended/supported and will be removed in future.
*Jul 16 21:05:57.644: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Jul 16 21:05:57.644: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jul 16 21:05:57.644: RADIUS(00000000): Config NAS IP: 10.122.161.63
*Jul 16 21:05:57.644: vrfid: [65535] ipv6 tableid : [0]
*Jul 16 21:05:57.644: idb is NULL
*Jul 16 21:05:57.644: RADIUS(00000000): Config NAS IPv6: ::
*Jul 16 21:05:57.644: RADIUS(00000000): sending
*Jul 16 21:05:57.644: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
*Jul 16 21:05:57.644: RADIUS(00000000): Send Access-Request to 10.122.141.199:1812 id 1645/8, len 50 <-- Sending Access-Request to RADIUS server
RADIUS: authenticator 3B 65 96 37 63 E3 32 41 - 3A 93 63 B6 6B 6A 5C 68
*Jul 16 21:05:57.644: RADIUS: User-Password [2] 18 *
*Jul 16 21:05:57.644: RADIUS: User-Name [1] 6 "username"
*Jul 16 21:05:57.644: RADIUS: NAS-IP-Address [4] 6 10.122.161.63
*Jul 16 21:05:57.644: RADIUS(00000000): Sending a IPv4 Radius Packet
*Jul 16 21:05:57.644: RADIUS(00000000): Started 5 sec timeout
*Jul 16 21:05:57.669: RADIUS: Received from id 1645/8 10.122.141.199:1812, Access-Reject, len 20 <-- Receiving the Access-Reject from RADIUS server
RADIUS: authenticator 1A 11 32 19 12 F9 C3 CC - 6A 83 54 DF 0F DB 00 B8
*Jul 16 21:05:57.670: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Jul 16 21:05:57.670: RADIUS(00000000): Received from id 1645/8
疑難排解
本節提供有關如何對Catalyst交換機上的大多數802.1x問題進行故障排除的指南。
方法
系統地處理涉及802.1x和身份驗證的問題,以獲得最佳效果。一些好的問題需要回答:
- 此問題是否與單台交換機隔離?一個埠?單一客戶端型別?
- 配置是否已驗證?身份驗證伺服器是否可訪問?
- 問題是每次都出現,還是間歇出現?這是否僅在重新身份驗證或授權更改時發生?
如果排除明顯問題後仍繼續存在,則端到端檢查單個失敗的交易。用於調查802.1x事務的最佳且最完整的資料集包括:
1a。 客戶端和/或上的捕獲
1b。在客戶端連線的訪問介面上
此參考點對於深入瞭解在啟用dot1x的接入埠和客戶端之間交換的EAPoL資料包至關重要。SPAN是檢視使用者端和驗證器之間流量的最可靠工具。
2.驗證器上的調試
調試允許我們通過身份驗證器跟蹤事務。
- 驗證器必須傳送收到的EAPoL封包,並產生目的地為驗證伺服器的單點傳播RADIUS封裝流量。
- 確保設定適當的調試級別以取得最大效果。
3.捕獲身份驗證器旁的流量
此捕獲允許我們檢視身份驗證器與身份驗證伺服器之間的對話。
- 此捕獲從身份驗證器的角度準確顯示整個對話。
- 當與點4中的捕獲配對時,可以確定身份驗證伺服器和身份驗證器之間是否存在丟失。
4.在身份驗證伺服器旁捕獲
此擷取是第3點中擷取的夥伴。
- 此捕獲從身份驗證伺服器的角度提供了整個對話。
- 當與點3中的捕獲配對時,可以確定身份驗證器和身份驗證伺服器之間是否存在丟失。
5.捕獲、調試和登入身份驗證伺服器
謎題的最後一個部分,伺服器調試告訴我們伺服器對我們的交易瞭解多少。
- 通過此端對端資料集,網路工程師可以確定事務中斷的位置並排除不導致問題的元件。
示例症狀
此部分提供常見症狀和問題方案的清單。
如果交換器產生的EAPoL流量未引發回應,則會顯示此系統日誌:
Aug 23 11:23:46.387 EST: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.cccc) with reason (No Response from Client) on Interface Gi6/0/32 AuditSessionID CBFF000A000001056EFE9E73
原因代碼「No Response from Client」表示交換器已啟動dot1x程式,但在逾時期內未收到使用者端的回應。
這表示使用者端沒有收到或理解交換器連線埠傳送的驗證流量,或交換器連線埠沒有收到使用者端的回應。
如果身份驗證會話已啟動但未完成,則身份驗證伺服器(例如ISE)報告客戶端已啟動會話,但在完成前已放棄會話。
通常,這意味著身份驗證過程只能部分完成。
確保身份驗證器交換機和身份驗證伺服器之間的整個事務是端對端傳送的,並且身份驗證伺服器正確解釋了該事務。
如果RADIUS流量在網路上丟失,或以無法正確組合的方式傳輸,則事務不完整,客戶端將重試身份驗證。伺服器則回報使用者端已放棄其作業階段。
MAC Authentication Bypass(MAB)允許基於MAC地址的身份驗證。通常不支援請求者軟體的客戶端會通過MAB進行身份驗證。
如果將MAB用作身份驗證的後退方法,而dot1x是在交換機埠上運行的首選初始方法,則可能導致客戶端無法完成DHCP的情況。
問題歸結為操作的順序。當dot1x運行時,交換機埠會使用EAPoL以外的資料包,直到身份驗證完成或dot1x超時。但是,客戶端會立即嘗試獲取IP地址並廣播其DHCP發現消息。這些發現消息被交換機埠使用,直到dot1x超過其配置的超時值並且MAB能夠運行。如果客戶端DHCP超時週期小於dot1x超時週期,則DHCP會失敗,並且客戶端回退到APIPA或其回退策略規定的任何值。
此問題可通過多種方式預防。在MAB身份驗證客戶端連線的介面上優先使用MAB。如果dot1x必須首先運行,請注意客戶端DHCP行為並相應地調整超時值。
使用dot1x和MAB時,請注意考慮客戶端行為。如上所述,有效配置可能導致技術問題。
平台特定數量
本節概述了Catalyst 9000系列交換機上提供的許多平台特定實用程式,這些實用程式可用於排除dot1x的問題。
SPAN允許使用者將來自一或多個連線埠的流量映象到目的地連線埠以進行擷取和分析。本地SPAN是最「可信」的捕獲實用程式。
有關配置和實施的詳細資訊,請參閱以下配置指南:
配置SPAN和RSPAN,Cisco IOS XE Bengaluru 17.6.x(Catalyst 9300)
EPC利用CPU和記憶體資源提供板載本地資料包捕獲功能。
EPC存在一些限制,這些限制影響了它調查某些問題的效率。EPC的速率限製為每秒1000個資料包。EPC還無法在物理介面出口可靠地捕獲CPU注入的資料包。當重點是驗證器交換器與驗證伺服器之間的RADIUS交易時,這非常重要。通常,面向伺服器的介面上的流量速率會大大超過每秒1000個資料包。此外,面向伺服器的介面出口上的EPC無法捕獲驗證器交換機生成的流量。
使用雙向訪問清單過濾EPC,以避免受到每秒1000資料包限制的影響。如果對驗證器與伺服器之間的RADIUS流量感興趣,請關注驗證器RADIUS來源介面位址與伺服器位址之間的流量。
如果通向認證伺服器的下一個上游裝置是Catalyst交換機,請在通向認證器交換機的下行鏈路上使用過濾的EPC以獲得最佳結果。
有關配置和實施的詳細資訊,請參閱以下配置指南:
配置資料包捕獲,Cisco IOS Bengaluru 17.6.x(Catalyst 9300)
從Cisco IOS XE版本16.3.2開始的軟體架構更改將AAA元件移至單獨的Linux守護程式。熟悉的調試不再啟用日誌緩衝區中的可見調試。相反,
提示:傳統IOS AAA調試不再在系統日誌中提供系統日誌中的輸出,用於系統日誌緩衝區中的前面板埠身份驗證
dot1x和RADIUS的這些傳統Cisco IOS調試不再在交換機的交換機日誌緩衝區中啟用可視調試:
debug radius
debug access-session all
debug dot1x all
AAA元件調試現在可通過SMD(會話管理器守護程式)下的系統跟蹤訪問。
- 與傳統系統日誌一樣,Catalyst系統跟蹤報告處於預設級別,必須指示其收集更多深度日誌。
- 使用「set platform software trace smd switch active r0 <component> debug」命令更改所需子元件的常式跟蹤級別。
Switch#set platform software trace smd switch active R0 auth-mgr debug <<<--- This sets the "auth-mgr" subcomponent to "debug" log level.
下表將傳統IOS調試對映到其等效跟蹤。
舊樣式命令 |
新建樣式命令 |
#debug radius |
#set platform software trace smd switch active R0 radius debug |
#debug dot1x all |
#set platform software trace smd switch active R0 dot1x-all debug |
#debug access-session all |
#set platform software trace smd switch active R0 auth-mgr-all debug |
#debug epm all |
#set platform software trace smd switch active R0 epm-all debug |
經典調試支援所有相關的元件跟蹤到「調試」級別。平台命令還用於根據需要啟用特定跟蹤。
使用命令「show platform software trace level smd switch active R0」顯示SMD子元件的當前跟蹤級別。
Switch#show platform software trace level smd switch active R0
Module Name Trace Level
-----------------------------------------------
aaa Notice <--- Default level is "Notice"
aaa-acct Notice
aaa-admin Notice
aaa-api Notice
aaa-api-attr Notice
<snip>
auth-mgr Debug <--- Subcomponent "auth-mgr" traces at "debug" level
auth-mgr-all Notice
<snip>
子元件跟蹤級別可通過兩種方式恢復為預設值。
- 使用「undebug all」或「set platform software trace smd switch active R0 <sub-component> notice」進行還原。
- 如果裝置重新載入,跟蹤級別也會恢復為預設值。
Switch#undebug all
All possible debugging has been turned off
or
Switch#set platform software trace smd switch active R0 auth-mgr notice <--- Sets sub-component "auth-mgr" to trace level "Notice", the system default.
可在控制檯上檢視元件跟蹤日誌,也可以將其寫入存檔並離線檢視。 跟蹤在需要解碼的壓縮二進位制存檔中存檔。在處理已存檔的跟蹤時,請聯絡TAC以獲得調試幫助。此工作流程說明如何在CLI中檢視跟蹤。
使用命令「show platform software trace message smd switch active R0」查看SMD元件的記憶體中儲存的跟蹤日誌。
Switch#show platform software trace message smd switch active R0
2016/11/26 03:32:24.790 [auth-mgr]: [1422]: UUID: 0, ra: 0 (info): [0000.0000.0000:unknown] Auth-mgr aaa_acct_reply
2016/11/26 03:32:29.678 [btrace]: [1422]: UUID: 0, ra: 0 (note): Single message size is greater than 1024
2016/11/26 03:32:24.790 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Delay-Time [41] 6 0 RADIUS: authenticator 55 de 16 e1 82 2a d8 3f - a3 9d db 63 5d 61 a5 f0
2016/11/26 03:32:24.790 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Received from id 1646/52 10.48.26.135:0, Accounting-response, len 20
2016/11/26 03:32:24.758 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Started 5 sec timeout
2016/11/26 03:32:24.758 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Sending a IPv4 Radius Packet
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Output-Packets [48] 6 0
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Input-Packets [47] 6 8
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Output-Octets [43] 6 0
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Input-Octets [42] 6 658
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Session-Time [46] 6 125
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Event-Timestamp [55] 6 1480131144
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Status-Type [40] 6 Stop [2]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: 36 36 33 36 36 39 30 30 2f 33 39 39 38 [ 66366900/3998]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: 68 72 65 6e 65 6b 2d 69 73 65 32 31 2d 31 2f 32 [hrenek-ise21-1/2]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: 30 30 30 32 41 39 45 41 45 46 44 39 33 3a 76 63 [0002A9EAEFD93:vc]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Class [25] 63
RADIUS: 43 41 43 53 3a 30 41 30 30 30 41 46 45 30 30 30 [CACS:0A000AFE000]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Authentic [45] 6 Remote [3]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Acct-Session-Id [44] 10 "00000014"
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port [5] 6 50108
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/8"
2016/11/26 03:32:24.757 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Nas-Identifier [32] 17 "C3850-3-BUSHIDO"
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: NAS-IP-Address [4] 6 10.48.44.182
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Calling-Station-Id [31] 19 "00-50-56-99-01-6B"
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Called-Station-Id [30] 19 "00-CA-E5-52-46-08"
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 12 "method=mab"
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 18
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A000AFE0000002A9EAEFD93"
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 49
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: User-Name [1] 19 "00-50-56-99-01-6B"
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Framed-IP-Address [8] 6 10.0.10.4
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 205 "cts-pac-opaque= "
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 211
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS: authenticator 95 52 40 05 8f f7 41 7d - fe cf 7e 1f e7 b6 4a f9
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Send Accounting-Request to 10.48.26.135:1646 id 1813/52, len 551
2016/11/26 03:32:24.756 [radius]: [1422]: UUID: 0, ra: 0 (debug): abcdefghijklmno:NO EAP-MESSAGE
2016/11/26 03:32:24.755 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS(00000000): sending
2016/11/26 03:32:24.755 [radius]: [1422]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Config NAS IP: 10.48.44.182
2016/11/26 03:32:24.755 [radius]: [1422]: UUID: 0, ra: 0 (debug): Config for source interface found in VRF DB for tableid:3, IDB: 73
<snip>
輸出是詳細的,因此將輸出重定向到檔案非常有用。
- 可以使用「more」實用程式通過CLI讀取檔案,也可以將其離線以便在文本編輯器中檢視。
Switch#show platform software trace message smd switch active R0 | redirect flash:SMD_debugs.txt
Switch#more flash:SMD_debugs.txt
This command is being deprecated. Please use 'show logging process' command.
executing cmd on chassis 1 ...
2022/12/02 15:04:47.434368 {smd_R0-0}{2}: [auth-mgr] [16908]: (debug): [0800.27dd.3016:Gi2/0/11] Started Accounting (0) timer (300 secs) for client 0800.27dd.3016
2022/12/02 15:04:47.434271 {smd_R0-0}{2}: [auth-mgr] [16908]: (info): [0800.27dd.3016:Gi2/0/11] Accounting timer (0) expired for client 0800.27dd.3016
2022/12/02 15:04:43.366688 {smd_R0-0}{2}: [auth-mgr] [16908]: (debug): [5057.a8e1.6f49:Gi2/0/11] Started Accounting (0) timer (300 secs) for client 5057.a8e1.6f49
2022/12/02 15:04:43.366558 {smd_R0-0}{2}: [auth-mgr] [16908]: (info): [5057.a8e1.6f49:Gi2/0/11] Accounting timer (0) expired for client 5057.a8e1.6f49
2022/12/02 15:01:03.629116 {smd_R0-0}{2}: [smd] [16908]: (warn): Setting trace for 52:7
2022/12/02 15:00:19.350560 {smd_R0-0}{2}: [smd] [16908]: (warn): Setting trace for 52:7
2022/12/02 01:28:39.841376 {smd_R0-0}{2}: [auth-mgr] [16908]: (ERR): [0000.0000.0000:unknown] sm ctx unlock: Invalid auth mgr handle
<snip>
「Show logging process」是Cisco IOS XE 17.9.x及更高版本中用於跟蹤和標準的更新實用程式。
C9300#show logging process smd ?
<0-25> instance number
end specify log filtering end location
extract-pcap Extract pcap data to a file
filter specify filter for logs
fru FRU specific commands
internal select all logs. (Without the internal keyword only
customer curated logs are displayed)
level select logs above specific level
metadata CLI to display metadata for every log message
module select logs for specific modules
reverse show logs in reverse chronological order
start specify log filtering start location
switch specify switch number
to-file decode files stored in disk and write output to file
trace-on-failure show the trace on failure summary
| Output modifiers
「Show logging process」與「show platform software trace」具有相同的功能,其格式更加優雅且易於訪問。
C9300#clear auth sessions
C9300#show logging process smd reverse
Logging display requested on 2023/05/02 16:44:04 (UTC) for Hostname: [C9300], Model: [C9300X-24HX], Version: [17.09.01], SN: [FOC263569FP], MD_SN: [FOC2641Y2MK]
Displaying logs from the last 0 days, 0 hours, 10 minutes, 0 seconds
executing cmd on chassis 1 ...
===========================================================
UTM [LUID NOT FOUND] .............. 0
UTM [PCAP] ........................ 0
UTM [MARKER] ...................... 0
UTM [APP CONTEXT] ................. 0
UTM [TDL TAN] ..................... 5
UTM [MODULE ID] ................... 0
UTM [DYN LIB] ..................... 0
UTM [PLAIN TEXT] .................. 6
UTM [ENCODED] ..................... 85839
UTM [Skipped / Rendered / Total] .. 85128 / 722 / 85850
Last UTM TimeStamp ................ 2023/05/02 16:44:03.775663010
First UTM TimeStamp ............... 2023/05/02 15:52:18.763729918
===========================================================
----------------- Decoder Output Information --------------
===========================================================
MRST Filter Rules ...... 1
UTM Process Filter ..... smd
Total UTM To Process ... 85850
Total UTF To Process ... 1
Num of Unique Streams .. 1
===========================================================
----------------- Decoder Input Information ---------------
===========================================================
======= Unified Trace Decoder Information/Statistics ======
===========================================================
2023/05/02 16:44:03.625123675 {smd_R0-0}{1}: [radius] [22624]: (ERR): Failed to mark Identifier for reuse
2023/05/02 16:44:03.625123382 {smd_R0-0}{1}: [radius] [22624]: (ERR): RSPE- Set Identifier Free for Reuse : Input Validation Failed Level-2
2023/05/02 16:44:03.625116747 {smd_R0-0}{1}: [radius] [22624]: (info): Valid Response Packet, Free the identifier
2023/05/02 16:44:03.625091040 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: authenticator 2b f4 ea 87 d9 db 75 3a - 2c 8a c4 36 56 46 b5 57
2023/05/02 16:44:03.625068520 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Received from id 1813/9 10.122.141.228:0, Accounting-response, len 20
2023/05/02 16:44:03.610151863 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Started 5 sec timeout
2023/05/02 16:44:03.610097362 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Acct-Delay-Time [41] 6 0
2023/05/02 16:44:03.610090044 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Event-Timestamp [55] 6 1683045843
2023/05/02 16:44:03.610085857 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Acct-Status-Type [40] 6 Start [1]
2023/05/02 16:44:03.610040912 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Class [25] 63 ...
2023/05/02 16:44:03.610037444 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Acct-Authentic [45] 6 Remote [3]
2023/05/02 16:44:03.610032802 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Acct-Session-Id [44] 10 "00000004"
2023/05/02 16:44:03.610028677 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Called-Station-Id [30] 19 "00-01-02-02-AA-BF"
2023/05/02 16:44:03.610024641 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Nas-Identifier [32] 7 "C9300"
2023/05/02 16:44:03.610020641 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Calling-Station-Id [31] 19 "08-00-27-66-EF-C7"
2023/05/02 16:44:03.610016809 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: NAS-Port [5] 6 50104
2023/05/02 16:44:03.610012487 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
2023/05/02 16:44:03.610007504 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: NAS-Port-Id [87] 25 "TenGigabitEthernet1/0/4"
2023/05/02 16:44:03.610003581 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: NAS-IP-Address [4] 6 10.122.163.19
2023/05/02 16:44:03.609998136 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Calling-Station-Id [31] 19 "08-00-27-66-EF-C7"
2023/05/02 16:44:03.609994109 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Called-Station-Id [30] 19 "00-01-02-02-AA-BF"
2023/05/02 16:44:03.609989329 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Cisco AVpair [1] 14 "method=dot1x"
2023/05/02 16:44:03.609985171 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Vendor, Cisco [26] 20
2023/05/02 16:44:03.609981606 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=13A37A0A0000011FDD598189"
2023/05/02 16:44:03.609976961 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Vendor, Cisco [26] 49
2023/05/02 16:44:03.609969166 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: User-Name [1] 7 "alice"
2023/05/02 16:44:03.609963241 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: authenticator 0b 99 e3 50 d8 d3 8c 26 - e8 41 c3 f6 11 b9 ab 2f
2023/05/02 16:44:03.609953614 {smd_R0-0}{1}: [radius] [22624]: (info): RADIUS: Send Accounting-Request to 10.122.141.228:1813 id 1813/9, len 319
2023/05/02 16:44:03.609863172 {smd_R0-0}{1}: [auth-mgr] [22624]: (info): [0800.2766.efc7:Te1/0/4] Handling external PRE event AuthZ Success
2023/05/02 16:44:03.609695649 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0800.2766.efc7:Te1/0/4] EAPOL packet sent to client
2023/05/02 16:44:03.609689224 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0000.0000.0000:unknown] Pkt body: 03 68 00 04
2023/05/02 16:44:03.609686794 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0800.2766.efc7:Te1/0/4] EAP Packet - SUCCESS, ID : 0x68
2023/05/02 16:44:03.609683919 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0800.2766.efc7:Te1/0/4] Sent EAPOL packet - Version : 3,EAPOL Type : EAP, Payload Length : 4, EAP-Type = 0
2023/05/02 16:44:03.609334292 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0000.0000.0000:Te1/0/4] Sending out EAPOL packet
2023/05/02 16:44:03.609332867 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0000.0000.0000:Te1/0/4] Setting EAPOL eth-type to 0x888e, destination mac to 0800.2766.efc7
2023/05/02 16:44:03.609310820 {smd_R0-0}{1}: [dot1x] [22624]: (info): [0800.2766.efc7:Te1/0/4] Posting AUTHZ_SUCCESS on Client
2023/05/02 16:44:03.609284841 {smd_R0-0}{1}: [auth-mgr] [22624]: (info): [0800.2766.efc7:Te1/0/4] Raising ext evt AuthZ Success (21) on this session, client (unknown) (0)
跟蹤示例
此部分包含完整、失敗的事務(伺服器拒絕客戶端憑據)的dot1x和radius元件的會話管理器跟蹤。它旨在提供導航與前面板身份驗證相關的系統跟蹤的基本指南。
- 測試客戶端嘗試連線到GigabitEthernet1/0/2,但被拒絕。
在此示例中,SMD元件跟蹤設定為「debug」。
C9300#set platform software trace smd sw active r0 dot1x-all
C9300#set platform software trace smd sw active r0 radius debug
EAPoL:開始
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0000.0000.0000:unknown] Received EAPOL pkt (size=92) on l2 socket
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] queuing an EAPOL pkt on Auth Q
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Dequeued pkt: CODE= 0,TYPE= 0,LEN= 0
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Received pkt saddr = 0040.E93E.0000 , daddr = 0180.C200.0003, pae-ether-type = 0x888E
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Couldn't find the supplicant in the list
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] New client detected, sending session start event for 0040.E93E.0000
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: initialising
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: disconnected
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: entering restart
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Sending create new context event to EAP for 0x0A00000E (0040.E93E.0000)
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: entering init state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering idle state
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Created a client entry (0x0A00000E)
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Dot1x authentication started for 0x0A00000E (0040.E93E.0000)
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting !EAP_RESTART on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:enter connecting state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: restart connecting
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting RX_REQ on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: authenticating state entered
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:connecting authenticating action
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting AUTH_START for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering request state
EAPoL: EAP請求標識
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending out EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] EAPOL packet sent to client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:idle request action
EAPoL:EAP響應
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0000.0000.0000:unknown] Received EAPOL pkt (size=92) on l2 socket
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Queuing an EAPOL pkt on Authenticator Q
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Dequeued pkt: CODE= 2,TYPE= 1,LEN= 14
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Received pkt saddr = 0040.E93E.0000 , daddr = 0180.C200.0003, pae-ether-type = 0x888E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting EAPOL_EAP for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering response state
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Response sent to the server from 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:request response action
[aaa-authen]: [16498]: UUID: 0, ra: 0 (debug): AAA/AUTHEN/8021X (00000000): Pick method list 'default'
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS/ENCODE: Best Local IP-Address 172.28.99.147 for Radius-Server 172.28.99.252
[radius-failover]: [16498]: UUID: 0, ra: 0 (debug): RADIUS/ENCODE: Nas-Identifier "C9300"
[aaa-author]: [16498]: UUID: 0, ra: 0 (debug): VALID SG handle
RADIUS:ACCESS-REQUEST
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Send Access-Request to 172.28.99.252:1645 id 1812/82, len 242
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: authenticator 59 c9 e0 be 4d b5 1c 11 - 02 cb 5b eb 78 d0 4b ad
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: User-Name [1] 11 "ixia_data"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Service-Type [6] 6 Framed [2]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 27
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Framed-MTU [12] 6 1500
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Calling-Station-Id [31] 19 "00-40-E9-3E-00-00"
0e 01 69 78 69 61 5f 64 61 74 61 [ ixia_data]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Message [79] 16
69 87 3c 61 80 3a 31 a8 73 2b 55 76 f4 [ Ei<a:1s+Uv]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Message-Authenticator[80] 18
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Key-Name [102] 2 *
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 49
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1C639300000017E53C6E8E"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 20
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 14 "method=dot1x"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-IP-Address [4] 6 172.28.99.147
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Nas-Identifier [32] 8 "C9300"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Sending a IPv4 Radius Packet
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Started 5 sec timeout
RADIUS:ACCESS-CHALLENGE
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Received from id 1645/82 172.28.99.252:0, Access-Challenge, len 127
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port [5] 6 50014 RADIUS: authenticator 82 71 61 a5 30 bc 98 78 - fa f1 48 ec 05 fb ca 3a
RADIUS: 33 37 43 50 4d 53 65 73 73 69 6f 6e 49 44 3d 41 [37CPMSessionID=A]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: State [24] 81
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 43 31 43 36 33 39 33 30 30 30 30 30 30 31 37 45 [C1C639300000017E]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 35 33 43 36 45 38 45 3b 33 36 53 65 73 73 69 6f [53C6E8E;36Sessio]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 6e 49 44 3d 69 73 65 2d 70 6f 6c 2d 65 73 63 2f [nID=ise-pol-esc/]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 32 34 30 31 39 38 34 32 39 2f 38 39 32 34 3b [ 240198429/8924;]
RADIUS: 01 f9 00 06 0d 20 [ ]
02/15 14:01:28.986 [radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Message [79] 8
RADIUS: 78 66 ec be 2c a4 af 79 5e ec c6 47 8b da 6a c2 [ xf,y^Gj]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Message-Authenticator[80] 18
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS:rad_code 11, suppress reject flag 0
[radius-authen]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Received from id 1645/82
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting EAP_REQ for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:exiting response state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering request state########## EAPoL: EAP-REQUEST ##########
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending out EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] EAPOL packet sent to client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:response request action
EAPoL:EAP響應
02/15 14:01:28.988 [dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0000.0000.0000:unknown] Received EAPOL pkt (size=92) on l2 socket
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Queuing an EAPOL pkt on Authenticator Q
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Dequeued pkt: CODE= 2,TYPE= 3,LEN= 6
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Received pkt saddr = 0040.E93E.0000 , daddr = 0180.C200.0003, pae-ether-type = 0x888E
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting EAPOL_EAP for 0x0A00000E
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering response state
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Response sent to the server from 0x0A00000E
02/15 14:01:28.989 [dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:request response action
02/15 14:01:28.989 [aaa-authen]: [16498]: UUID: 0, ra: 0 (debug): AAA/AUTHEN/8021X (00000000): Pick method list 'default'
02/15 14:01:28.990 [radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS/ENCODE: Best Local IP-Address 172.28.99.147 for Radius-Server 172.28.99.252
02/15 14:01:28.990 [radius-failover]: [16498]: UUID: 0, ra: 0 (debug): RADIUS/ENCODE: Nas-Identifier "C9300"
02/15 14:01:28.990 [aaa-author]: [16498]: UUID: 0, ra: 0 (debug): VALID SG handle
RADIUS:ACCESS-REQUEST
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Send Access-Request to 172.28.99.252:1645 id 1812/83, len 315
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: authenticator 3d 31 3f ee 14 b8 9d 63 - 7a 8b 52 90 5f 77 6d b8
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: User-Name [1] 11 "ixia_data"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Service-Type [6] 6 Framed [2]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 27
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Framed-MTU [12] 6 1500
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Calling-Station-Id [31] 19 "00-40-E9-3E-00-00"
RADIUS: 02 f9 00 06 03 04
02/15 14:01:28.991 [radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Message [79] 8
RADIUS: 8b 2a 2e 75 90 a2 e1 c9 06 84 c9 fe f5 d0 98 39 [ *.u9]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Message-Authenticator[80] 18
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Key-Name [102] 2 *
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 49
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1C639300000017E53C6E8E"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 20
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 14 "method=dot1x"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-IP-Address [4] 6 172.28.99.147
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Nas-Identifier [32] 8 "C9300"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port [5] 6 50014
RADIUS: 33 37 43 50 4d 53 65 73 73 69 6f 6e 49 44 3d 41 [37CPMSessionID=A]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: State [24] 81
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 43 31 43 36 33 39 33 30 30 30 30 30 30 31 37 45 [C1C639300000017E]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 35 33 43 36 45 38 45 3b 33 36 53 65 73 73 69 6f [53C6E8E;36Sessio]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 6e 49 44 3d 69 73 65 2d 70 6f 6c 2d 65 73 63 2f [nID=ise-pol-esc/]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 32 34 30 31 39 38 34 32 39 2f 38 39 32 34 3b [ 240198429/8924;]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Sending a IPv4 Radius Packet
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Started 5 sec timeout
RADIUS:ACCESS-CHALLENGE
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Received from id 1645/83 172.28.99.252:0, Access-Challenge, len 154
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: authenticator 0c 8d 49 80 0f 51 89 fa - ba 22 2f 96 41 99 c2 4e
RADIUS: 33 37 43 50 4d 53 65 73 73 69 6f 6e 49 44 3d 41 [37CPMSessionID=A]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: State [24] 81
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 43 31 43 36 33 39 33 30 30 30 30 30 30 31 37 45 [C1C639300000017E]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 35 33 43 36 45 38 45 3b 33 36 53 65 73 73 69 6f [53C6E8E;36Sessio]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 6e 49 44 3d 69 73 65 2d 70 6f 6c 2d 65 73 63 2f [nID=ise-pol-esc/]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 32 34 30 31 39 38 34 32 39 2f 38 39 32 34 3b [ 240198429/8924;]
RADIUS: 01 fa 00 21 04 10 5b d0 b6 4e 68 37 6b ca 5e 6f 5a 65 78 04 77 bf 69 73 65 2d [![Nh7k^oZexwise-]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Message [79] 35
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 70 6f 6c 2d 65 73 63 [ pol-esc]
RADIUS: a3 0d b0 02 c8 32 85 2c 94 bd 03 b3 22 e6 71 1e [ 2,"q]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Message-Authenticator[80] 18
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS:rad_code 11, suppress reject flag 0
[radius-authen]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Received from id 1645/83
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting EAP_REQ for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:exiting response state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering request state
EAPoL:EAP請求
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending out EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] EAPOL packet sent to client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:response request action
EAPoL:EAP響應
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0000.0000.0000:unknown] Received EAPOL pkt (size=92) on l2 socket
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Queuing an EAPOL pkt on Authenticator Q
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Dequeued pkt: CODE= 2,TYPE= 4,LEN= 31
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Received pkt saddr = 0040.E93E.0000 , daddr = 0180.C200.0003, pae-ether-type = 0x888E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting EAPOL_EAP for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering response state
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Response sent to the server from 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:request response action
[aaa-authen]: [16498]: UUID: 0, ra: 0 (debug): AAA/AUTHEN/8021X (00000000): Pick method list 'default'
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS/ENCODE: Best Local IP-Address 172.28.99.147 for Radius-Server 172.28.99.252
[radius-failover]: [16498]: UUID: 0, ra: 0 (debug): RADIUS/ENCODE: Nas-Identifier "C9300"
[aaa-author]: [16498]: UUID: 0, ra: 0 (debug): VALID SG handle
RADIUS:ACCESS-REQUEST
radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Send Access-Request to 172.28.99.252:1645 id 1812/84, len 340
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: authenticator 41 4d 76 8e 03 93 9f 05 - 5e fa f1 d6 ca 3c 84 08
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: User-Name [1] 11 "ixia_data"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Service-Type [6] 6 Framed [2]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 27
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Framed-MTU [12] 6 1500
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Calling-Station-Id [31] 19 "00-40-E9-3E-00-00"
RADIUS: 02 fa 00 1f 04 10 02 b6 bc aa f4 91 2b d6 cf 9e 3b d5 44 96 78 d5 69 78 69 61 5f 64 61 74 61 [ +;Dxixia_data]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Message [79] 33
RADIUS: 3b 70 b1 dd 97 ac 47 ae 81 ca f8 78 5b a3 7b fe [ ;pGx[{]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Message-Authenticator[80] 18
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Key-Name [102] 2 *
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 49
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1C639300000017E53C6E8E"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Vendor, Cisco [26] 20
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Cisco AVpair [1] 14 "method=dot1x"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-IP-Address [4] 6 172.28.99.147
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Nas-Identifier [32] 8 "C9300"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: NAS-Port [5] 6 50014
RADIUS: 33 37 43 50 4d 53 65 73 73 69 6f 6e 49 44 3d 41 [37CPMSessionID=A]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: State [24] 81
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 43 31 43 36 33 39 33 30 30 30 30 30 30 31 37 45 [C1C639300000017E]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 35 33 43 36 45 38 45 3b 33 36 53 65 73 73 69 6f [53C6E8E;36Sessio]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 6e 49 44 3d 69 73 65 2d 70 6f 6c 2d 65 73 63 2f [nID=ise-pol-esc/]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: 32 34 30 31 39 38 34 32 39 2f 38 39 32 34 3b [ 240198429/8924;]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Sending a IPv4 Radius Packet
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Started 5 sec timeout
RADIUS:訪問拒絕
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Received from id 1645/84 172.28.99.252:0, Access-Reject, len 44---------->User not authenticaded
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: authenticator d1 a3 eb 43 11 45 6b 8f - 07 a7 34 dd 3a 49 67 c6
RADIUS: 04 fa 00 04
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: EAP-Message [79] 6
RADIUS: 80 77 07 f7 4d f8 a5 60 a6 b0 30 e4 67 85 ae ba [ wM`0g]
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS: Message-Authenticator[80] 18
[radius]: [16498]: UUID: 0, ra: 0 (debug): RADIUS:rad_code 3, suppress reject flag 0
[radius-authen]: [16498]: UUID: 0, ra: 0 (debug): RADIUS(00000000): Received from id 1645/84
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Received an EAP Fail
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting EAP_FAIL for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:exiting response state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering fail state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:response fail action
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering idle state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting AUTH_FAIL on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:exiting authenticating state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering authc result state
[errmsg]: [16498]: UUID: 0, ra: 0 (note): %DOT1X-5-FAIL: Authentication failed for client (0040.E93E.0000) on Interface Gi1/0/2 AuditSessionID AC1C639300000017E53C6E8E
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Added username in dot1x
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Dot1x did not receive any key data
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Received Authz fail (result: 2) for the client 0x0A00000E (0040.E93E.0000)
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting_AUTHZ_FAIL on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: held
EAPoL:EAP拒絕
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0000.0000.0000:Gi1/0/2] Sending out EAPOL packet
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] EAPOL packet sent to client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting FAILOVER_RETRY on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: exiting held state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: entering restart
[dot1x]: [16498]: UUID: 0, ra: 0 (info): [0040.E93E.0000:Gi1/0/2] Sending create new context event to EAP for 0x0A00000E (0040.E93E.0000)
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:restart action called
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting RESTART on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting !EAP_RESTART on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:enter connecting state
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: restart connecting
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting RX_REQ on Client 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E: authenticating state entered
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:connecting authenticating action
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] Posting AUTH_START for 0x0A00000E
[dot1x]: [16498]: UUID: 0, ra: 0 (debug): [0040.E93E.0000:Gi1/0/2] 0x0A00000E:entering request state
其他資訊
預設設定
功能 |
預設設定 |
交換機802.1x啟用狀態 |
已禁用。 |
每埠802.1x啟用狀態 |
已禁用(強制授權)。 此連線埠會傳送和接收未進行使用者端基於802.1x的驗證的正常流量。 |
AAA |
已禁用。 |
RADIUS伺服器
|
-
未指定任何內容。
-
1645.
-
1646.
-
未指定任何內容。
|
主機模式 |
單主機模式。 |
控制方向 |
雙向控制。 |
定期重新驗證 |
已禁用。 |
重新身份驗證嘗試之間的秒數 |
3600秒。 |
重新驗證號碼 |
2次(交換器在連線埠變更為未授權狀態之前重新啟動驗證程式的次數)。 |
靜默期 |
60秒(在與客戶端進行身份驗證交換失敗後,交換機保持靜默狀態的秒數)。 |
重新傳輸時間 |
30秒(在重新傳送請求之前,交換機等待客戶端對EAP請求/身份幀的響應的秒數)。 |
最大重傳次數 |
2次(交換機在重新啟動身份驗證過程之前傳送EAP請求/身份幀的次數)。 |
客戶端超時時間 |
30秒(將來自身份驗證伺服器的請求中繼到客戶端時,交換機在將請求重新傳送到客戶端之前等待響應的時間。) |
身份驗證伺服器超時時間 |
30秒(將客戶端的響應中繼到身份驗證伺服器時,交換機在將響應重新傳送到伺服器之前等待回覆的時間量。) 可以使用dot1x timeout server-timeout介面配置命令更改此超時時間。 |
非活動超時 |
已禁用。 |
訪客VLAN |
未指定任何內容。 |
無法訪問的身份驗證繞行 |
已禁用。 |
受限制的VLAN |
未指定任何內容。 |
驗證器(交換機)模式 |
未指定任何內容。 |
MAC身份驗證繞行 |
已禁用。 |
語音感知安全 |
已禁用。 |
可選設定
定期重新驗證
您可以啟用定期的802.1x客戶端重新身份驗證並指定其發生頻率:
- authentication periodic — 啟用客戶端的定期重新身份驗證
-
inactivity — 以秒為單位的時間間隔,如果客戶端沒有活動,則此間隔為未經授權的
-
reauthenticate — 啟動自動重新身份驗證嘗試的時間(秒)
-
restartvalue — 嘗試對未經授權的埠進行身份驗證的時間間隔(以秒為單位)
-
unauthorizedvalue — 刪除未授權會話的時間間隔(以秒為單位)
authentication periodic
authentication timer {{[inactivity | reauthenticate | restart | unauthorized]} {value}}
違規模式
您可以配置802.1x埠,以便當裝置連線到啟用802.1x的埠或埠上已驗證有關裝置的最大允許數量時,該埠關閉、生成系統日誌錯誤或丟棄來自新裝置的包。
authentication violation {shutdown | restrict | protect | replace}
更改靜默期
authentication timer restart介面配置命令控制空閒時段,該時段指示交換機在無法驗證客戶端之後保持空閒的設定時段。值的範圍為1到65535秒。
authentication timer restart {seconds}
更改交換機到客戶端的重傳時間
客戶端使用EAP-response/identity幀響應來自交換機的EAP請求/身份幀。如果交換機沒有收到此響應,它將等待一個設定的時間段(稱為重新傳輸時間),然後重新傳送該幀。
authentication timer reauthenticate {seconds}
設定交換機到客戶端的幀重新傳輸號
您可以更改交換機在重新啟動身份驗證過程之前向客戶端傳送EAP請求/身份幀(假設沒有收到響應)的次數。 範圍為1到10。
dot1x max-reauth-req {count}
配置主機模式
您可以在802.1x授權埠上允許多個主機(客戶端)。
authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
啟用MAC移動
MAC move允許經過身份驗證的主機從裝置的一個埠移動到另一個埠。
authentication mac-move permit
啟用MAC替換
MAC replace允許主機替換埠上經過身份驗證的主機。
-
protect - 連線埠捨棄具有意外MAC位址的封包,而不會產生系統訊息。
-
restrict - CPU丟棄違規資料包並生成系統消息。
-
shutdown - 連線埠收到意外的MAC位址時,因為錯誤而停用。
authentication violation {protect | replace | restrict | shutdown}
設定重新驗證號碼
您還可以更改裝置在埠變為未授權狀態之前重新啟動身份驗證過程的次數。 範圍為0到10
dot1x max-req {count}
配置訪客VLAN
設定訪客VLAN時,如果伺服器沒有收到對其EAP要求/身分框架的回應,則不支援802.1x的使用者端會置於訪客VLAN中。
authentication event no-response action authorize vlan {vlan-id}
配置受限制的VLAN
在裝置上配置受限制的VLAN時,如果身份驗證伺服器未收到有效的使用者名稱和密碼,則符合IEEE 802.1x標準的客戶端將移動到受限制的VLAN中。
authentication event fail action authorize vlan {vlan-id}
在受限制的VLAN上配置身份驗證嘗試次數
您可以配置在將使用者分配到受限制的VLAN之前允許的最大身份驗證嘗試次數,方法是: 身份驗證事件失敗重試重試計數介面配置命令。允許身份驗證嘗試的範圍是1到3。
authentication event fail retry {retry count}
使用關鍵語音VLAN配置802.1x無法訪問的身份驗證繞行
您可以在連線埠上設定重要語音VLAN,並啟用無法連線的驗證旁路功能。
- authorize - 將嘗試進行身份驗證的所有新主機移動到使用者指定的關鍵VLAN
- reinitialize - 將埠上的所有授權主機移動到使用者指定的關鍵VLAN
authentication event server dead action {authorize | reinitialize} vlanvlan-id]
authentication event server dead action authorize voice
使用WoL配置802.1x身份驗證
您可以使用Wake on LAN(WoL)啟用802.1x身份驗證
authentication control-direction both
配置MAC身份驗證繞行
mab
配置靈活的身份驗證訂購
authentication order [ dot1x | mab ] | {webauth}
authentication priority [ dot1x | mab ] | {webauth}
配置語音感知802.1x安全
您可在裝置上使用語音感知802.1x安全功能來僅禁用發生安全違規的VLAN,無論是資料還是語音VLAN。 在資料VLAN上發現的安全違規僅導致資料VLAN關閉。這是一個全域組態。
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
流程圖
身份驗證流程圖
連線埠型驗證啟動和訊息交換
下圖顯示使用者端向RADIUS伺服器發起訊息交換。
MAB身份驗證啟動和消息交換
下圖顯示MAC驗證略過(MAB)期間的訊息交換
相關資訊