排除Umbrella無線控制器(9800)整合故障

下載選項

  • PDF     (529.3 KB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (181.6 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (102.6 KB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2025 年 9 月 30 日
文件 ID:225099

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本文說明如何對9800系列無線控制器與Umbrella的整合進行疑難排解。

    概觀

    本文是Cisco Catalyst 9200和Catalyst 9300交換器的延伸,並指導您排除註冊問題以及9800和Cisco Umbrella之間的工作流程。

    Cisco Umbrella常規工作流程


    44153779835084415377983508

    1. 向Cisco Umbrella伺服器註冊無線控制器是一個一次性過程,通過安全HTTPS隧道進行。

    2. 從Cisco Umbrella控制面板獲取裝置(9800)註冊的API令牌。

    3. 在9800上套用權杖。這會將裝置註冊到Cisco Umbrella帳戶。接下來,在9800上建立Cisco Umbrella Profile。配置檔案自動推送到Cisco Umbrella,因為身份和策略是基於每個身份實施的。

    4. 無線客戶端流量流向Cisco Umbrella伺服器。

    5. 無線使用者端會向9800傳送DNS要求。

    6. 9800會監聽DNS封包,並使用Cisco Umbrella Profile對其進行標籤。設定檔是也駐留在Cisco Umbrella上的封包的身分。

    7. 此EDNS資料包重定向到Cisco Umbrella雲伺服器以進行名稱解析。

    8. 然後,Cisco Umbrella根據身份對其實施策略,並應用基於類別的過濾規則以確保組織合規性。

    9. 根據規則,它會將阻止的頁面或已解析的IP地址返回給客戶端用於查詢的DNS請求。

    安全配置指南中提供了配置9800的詳細步驟。

    註冊和證書匯入

    1. 從Umbrella儀表板獲取API令牌:Admin > API Keys >(create)Legacy Network Devices
    2. 使用以下任一方法,透過CLI將CA憑證匯入9800:
      從URL匯入
      發出命令並允許9800取得憑證:  
      crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

      直接匯入終端
      使用以下命令複製並貼上CA憑證(請參閱附件): 

      crypto pki trustpool import terminal
    3. 使用以下命令將API令牌輸入到9800 CLI:  
      parameter-map type umbrella global 
      token XXXXXXXXXXXXXXXXXXXXXXXXXXXX

    驗證Cisco Umbrella配置

    要檢視思科Umbrella配置詳細資訊,請使用以下命令:

    Device# show umbrella config
    Umbrella Configuration
    ========================
    Token: 5XXXXXXABXXXXXFXXXXXXXXXDXXXXXXXXXXXABXX
    API-KEY: NONE
    OrganizationID: xxxxxxx
    Local Domain Regex parameter-map name: dns_bypass
    DNSCrypt:Enabled 
    Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
    UDP Timeout: 5 seconds
    Resolver address:
    1. 208.67.220.220 
    2. 208.67.222.222 
    3. 2620:119:53::53 
    4. 2620:119:35::35
    ewc1#show umbrella deviceid detailed 

    Device registration details 
    1.global
         Tag : global 
         Device-id : 010a2ed75e520fda 
         Description : Device Id recieved successfully 
         WAN interface : None 
    ewc1#show umbrella dnscrypt
       DNSCrypt: Enabled
       Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
       Certificate Update Status:
            Last Successfull Attempt: 10:40:58 UTC Apr 8 2020
       Certificate Details:
           Certificate Magic     : DNSC
           Major Version         : 0x0001
           Minor Version         : 0x0000
           Query Magic           : 0x7163373861576F6F
           Serial Number         : 1574811744
           Start  Time           : 1574811744 (23:42:24 UTC Nov 26 2019)
           End Time              : 1606347744 (23:42:24 UTC Nov 25 2020)
           Server Public Key     : 88B4:E44B:35E9:64B4:90BD:DABA:E825:A24B:0415:A08B:E19D:7DDB:87A3:3CD7:7EDF:8E2F

           Client Secret Key Hash: E323:7E82:C0C2:1F0C:55AE:1473:862D:6D26:9607:B41D:3F51:F587:9482:8709:401E:2EC4
           Client Public key     : 8D52:4D73:CF69:4890:F130:2845:4CBE:A9CA:87AF:4CDA:FE17:C626:2F8A:1780:CD18:C855

           NM key Hash           : FAAD:4C16:6DA3:D6F3:655D:FF98:36B7:73E7:9D1C:21F5:A0E3:A083:17D7:C308:522E:722D

    調試和記錄

    要禁用DNSCrypt,請使用以下命令: 

    parameter-map type umbrella global > no dnscrypt

    您可能會看到以下錯誤:"無法使用URL匯入證書":

    crypto pki trustpool import urlhttp://www.cisco.com/security/pki/trs/ios.p7b

    % Error: failed to open file.

    % No certificates imported fromhttp://www.cisco.com/security/pki/trs/ios.p7b.

    因應措施: 

    從此位置手動複製和貼上PEM格式的CA證書。

    接下來,啟用裝置註冊調試日誌:

    debug umbrella dnscrypt
    debug umbrella device-registration
    debug umbrella config
    term monitor
    note-icon

    附註:某些情況下,多個9800可以分配相同的裝置ID。在虛擬9800(嵌入式無線控制器(WC))的情況下會發生這種情況。

    所有虛擬WC都具有相同的硬編碼MAC地址:「CC46D6CCCCCC」。

    從eWC A調試示例:

    Nov 2 19:21:18.903 Central: UMBRELLA-DEV-REG:Device registration process start: umbrella parameter-map global (tag: global): TCP socket created, connect state will be verified before sending out request
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Socket 0 event handler: event type = WRITE EVENT
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Send POST request invoked
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Get registration request info invoked
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Get registration request info: Found new queued request for umbrella parameter-map global (tag: global), status :REQ QUEUED 
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): status = 1
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): request license mode = TOKEN
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): POST size = 238, JSON size = 174,actual size = 412 , uri_size = 18
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:
    Nov 2 19:21:18.915 Central: Dev reg json buffer :{"model":"B77A8731C7F4D6E92C07D7DCB68961470000A553","macAddress":"CC46D6CCCCCC","label":"global","tag":"global","serialNumber":"9KZNYR9FRRQ"} and bytes: 141
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:
    Nov 2 19:21:18.915 Central: umbrella parameter-map name :global macAddr :cc46.d6cc.cccc 
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Build POST request invoked: post size = 238, size = 141
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Build POST request: hostname = api.opendns.com
    Nov 2 19:21:18.915 Central: UMBRELLA-DEV-REG:Build POST request: URI = /v3/networkdevices
    Nov 2 19:21:18.916 Central: UMBRELLA-DEV-REG:Build POST request done
    Nov 2 19:21:18.916 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): request buffer length = 368
    Nov 2 19:21:18.916 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): Built request = POST /v3/networkdevices HTTP/1.1
    Host: api.opendns.com
    Authorization:OpenDNS,api_key="B0E16D19C32D42EC996B635X4X9005B9",token="B77A8731C7F4D6E92C07D7DCB68961470000A553"
    Content-Type: application/json
    Content-Length: 141

    {"model":"B77A7561C7F4ABC92C07D7DCB68961470000A553","macAddress":"CC46D6CCCCCC","label":"global","tag":"global","serialNumber":"9KZNYR9FRRQ"}
    ----------------------------------------<OUTPUT OMITTED>----------------------------------------
    Nov 2 19:21:23.553 Central: UMBRELLA-DEV-REG:Registration response: msg_part = 3, bytes = 256, resp: content-type: application/json
    x-envoy-upstream-service-time: 1462
    x-xss-protection: 1; mode=block
    x-ingress-point: mil1

    {"deviceId":"010a7859d0d39393","deviceKey":"B77A8731C7F4D6E92C07D7DCB68961470000A553-CC46D6CCCCCC-global","label":"global","seria
    Nov 2 19:21:23.553 Central: UMBRELLA-DEV-REG:Registration response: msg_part = 4, bytes = 1
    78, resp: lNumber":"9KZNYR9FPPQ","phishing":1,"createdAt":1635877282,"originId":xxxxxxxx,"
    apiKey":"b0e16d19c32d42ec996b635x4x9005b9","deviceTypeId":1,"vendorId":51,"organizationId":xxxxx}

    從eWC B調試示例:

    Nov 2 19:21:41.909 Central: UMBRELLA-DEV-REG:Device registration process start: umbrella parameter-map global (tag: global): TCP socket created, connect state will be verified before sending out request
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Socket 0 event handler: event type = WRITE EVENT
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Send POST request invoked
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Get registration request info invoked
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Get registration request info: Found new queued request for umbrella parameter-map global (tag: global), status :REQ QUEUED 
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): status = 1
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): request license mode = TOKEN
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): POST size = 238, JSON size = 174,actual size = 412 , uri_size = 18
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:
    Nov 2 19:21:41.919 Central: Dev reg json buffer :{"model":"B77A7561C7F4ABC92C07D7DCB68961470000A553","macAddress":"CC46D6CCCCCC","label":"global","tag":"global","serialNumber":"9BRCYQ9KDRU"} and bytes: 141
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:
    Nov 2 19:21:41.919 Central: umbrella parameter-map name :global macAddr :cc46.d6cc.cccc 
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Build POST request invoked: post size = 238, size = 141
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Build POST request: hostname = api.opendns.com
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Build POST request: URI = /v3/networkdevices
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Build POST request done
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): request buffer length = 368
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Send POST request for umbrella parameter-map global (tag: global): Built request = POST /v3/networkdevices HTTP/1.1
    Host: api.opendns.com
    Authorization:OpenDNS,api_key="B0E16D19C32D42EC996B635X4X9005B9",token="B77A8731C7F4D6E92C07D7DCB68961470000A553"
    Content-Type: application/json
    Content-Length: 141

    {"model":"B77A8731C7F4D6E92C07D7DCB68961470000A553","macAddress":"CC46D6CCCCCC","label":"global","tag":"global","serialNumber":"9BRCYQ8RDRU"}
    ----------------------------------------<OUTPUT OMITTED>----------------------------------------
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Registration response: msg_part = 3, bytes = 256, resp: content-type: application/json
    x-envoy-upstream-service-time: 1462
    x-xss-protection: 1; mode=block
    x-ingress-point: mil1

    {"deviceId":"010a7859d0d39393","deviceKey":"B77A8731C7F4D6E92C07D7DCB68961470000A553-CC46D6CCCCCC-global","label":"global","serialNumber":"9BRCYQ8RDRU"}
    Nov 2 19:21:41.919 Central: UMBRELLA-DEV-REG:Registration response: msg_part = 4, bytes = 1
    78, resp: lNumber":"9KZNYR9FPPQ","phishing":1,"createdAt":1635877282,"originId":573529511,"
    apiKey":"b0e16d19c32d42ec996b635x4x9005b9","deviceTypeId":1,"vendorId":51,"organizationId":xxxxx}

    此處,POST請求包含API令牌(來自Cisco Umbrella控制面板的舊裝置API令牌)、API金鑰、型號(與API令牌相同)、無線LAN控制器(WLC)的MAC地址、引數對映名稱(標籤)以及裝置序列號。

    裝置ID是使用API令牌、API金鑰、標籤和MAC地址生成的。因為這兩個9800具有相同的上述值,所以為它們分配相同的裝置ID。

    這是預期行為。要解決此問題,必須在9800的一個或兩個上建立自定義引數對映;

    parameter-map type umbrella <custom name>

    通過建立自定義引數對映「cpm」,我們正在建立一個新標籤,該標籤將產生不同的裝置ID(deviceId)。

    {"deviceId":"010a30f6275c92ce","deviceKey":"0DCDA24CDD6A92D714FE357539FDCAE80051BA0A-DD46D6BBCCCC-global","label":"global","serialNumber":"F222424Q4M8","phishing":1,"createdAt":1641192490,"originId":563829932,"apiKey":"b0e16d15c32d4e8c996b635afa9005b9","deviceTypeId":1,"vendorId":51,"organizationId":******}

    {"deviceId":"010a341b037ea6b9","deviceKey":"0DCDA24CDD6A92D714FE357539FDCAE80051BA0A-DD46D6BBCCCC-cpm","label":"global","serialNumber":"F222424Q4M8","phishing":1,"createdAt":1641825561,"originId":563829932,"apiKey":"b0e16d15c32d4e8c996b635afa9005b9","deviceTypeId":1,"vendorId":51,"organizationId":******}

    修訂記錄

    修訂 發佈日期 意見
    1.0
    30-Sep-2025
    初始版本
    TAC Authored

    由思科工程師貢獻

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品