网络工程 - 802.1x 仅在接入 VLAN 上，不在语音 VLAN 上 - 吾爱随笔录

802.1x 仅在接入 VLAN 上，不在语音 VLAN 上

网络工程思科 cisco催化剂验证 IEEE-802.1x mac-auth-绕过

2021-07-19 22:14:28

我已成功配置 Cisco 3750G 以执行 802.1x 进程的身份验证器功能。我有一台测试 Win7 机器作为请求者和一台运行 NPS 的 Windows 2008 服务器作为身份验证服务器。Win7 机器能够成功验证。

我现在已经在 Win7 机器前面连接了 Cisco 7941 IP 电话，使用swtichport voice vlan命令配置了交换机，我将其插入并授予电源，但端口迅速变为关闭状态。查看调试日志后，我认为问题出在 802.1x 尝试在接入 VLAN 和语音 VLAN 上进行身份验证时出现的问题。有没有办法只在接入 VLAN 上执行 802.1x？而不是声音？

设想：

{RADIUS}  <---->   {3750G} <-----> {Cisco 7941 Phone} <----->  {Win7 802.1x client}

我目前正在接口 gi1/0/3 上进行测试，这是接口配置行：

interface GigabitEthernet1/0/3
  description TestPort
  switchport access vlan 100
  switchport voice vlan 110
  switchport mode access
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  dot1x pae authenticator
  spanning-tree portfast
  auto qos voip cisco-phone

3750G 的一些调试

*Apr 21 13:44:04.045: %ILPOWER-7-DETECT: Interface Gi1/0/3: Power Device detected: IEEE PD
*Apr 21 13:44:04.322: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/3: Power granted
*Apr 21 13:44:07.811: dot1x-ev(Gi1/0/3): Interface state changed to UP
*Apr 21 13:44:07.811:     dot1x_auth Gi1/0/3: initial state auth_initialize has enter
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_initialize_enter called
*Apr 21 13:44:07.811:     dot1x_auth Gi1/0/3: during state auth_initialize, got event 0(cfg_auto)
*Apr 21 13:44:07.811: @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_disconnected
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_disconnected_enter called
*Apr 21 13:44:07.811:     dot1x_auth Gi1/0/3: idle during state auth_disconnected
*Apr 21 13:44:07.811: @@@ dot1x_auth Gi1/0/3: auth_disconnected -> auth_restart
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_restart_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_initialize_enter called
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
*Apr 21 13:44:07.820: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_idle_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Created a client entry (0x0000003B)
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Dot1x authentication started for 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x0000003B
*Apr 21 13:44:07.820:     dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
*Apr 21 13:44:07.820: @@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_connecting_enter called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_restart_connecting_action called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x0000003B
*Apr 21 13:44:07.820:     dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Apr 21 13:44:07.820: @@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_authenticating_enter called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_connecting_authenticating_action called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x0000003B
*Apr 21 13:44:07.820:     dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
*Apr 21 13:44:07.820: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_request_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Role determination not required
*Apr 21 13:44:07.820: dot1x-registry:registry:dot1x_ether_macaddr called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending out EAPOL packet
*Apr 21 13:44:07.820: EAPOL pak dump Tx
*Apr 21 13:44:07.820: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Apr 21 13:44:07.820: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Apr 21 13:44:07.820: dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_idle_request_action called
*Apr 21 13:44:09.791: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
*Apr 21 13:44:10.798: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
*Apr 21 13:44:36.844: dot1x-ev(Gi1/0/3): Interface state changed to DOWN
*Apr 21 13:44:36.844: dot1x-ev(Gi1/0/3): Deleting client 0x0000003B (0000.0000.0000)
*Apr 21 13:44:36.844: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet1/0/3
*Apr 21 13:44:36.844: dot1x-ev:Delete auth client (0x0000003B) message
*Apr 21 13:44:36.844: dot1x-ev:Auth client ctx destroyed
*Apr 21 13:44:37.842: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
*Apr 21 13:44:38.841: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down

最新接口配置： interface GigabitEthernet1/0/3 switchport access vlan 105 switchport mode access switchport voice vlan 110 srr-queue bandwidth share 1 30 35 5 priority-queue out authentication control-direction in authentication event fail action next-method authentication host-mode multi-auth 认证开放认证顺序 dot1x mab 认证优先级 mab dot1x mab mls qos 信任设备 cisco-phone mls qos 信任 cos auto qos voip cisco-phone dot1x pae 认证器生成树 portfast 服务策略输入 AUTOQOS-SRND4-CISCOPHONE-POLICY

全局配置 爸爸

调试：

show version
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24PS     15.0(2)SE6            C3750-IPSERVICESK9-M

#show authentication sessions interface gi1/0/3
            Interface:  GigabitEthernet1/0/3
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A6363FE0000001900347F3C
      Acct Session ID:  0x00000020
               Handle:  0x7A00001A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

#show dot1x all details
Sysauthcontrol              Enabled
Dot1x Protocol Version            3

Dot1x Info for GigabitEthernet1/0/3
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty

show run | in dot1x
aaa authentication dot1x default group RADIUS
dot1x system-auth-control

安慰

Oct 15 20:16:41.392: dot1x-ev(Gi1/0/3): Interface state changed to DOWN
Oct 15 20:16:41.400: dot1x-ev(Gi1/0/3): Deleting client 0x74000003 (0000.0000.0000)
Oct 15 20:16:41.400: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet1/0/3
Oct 15 20:16:41.400: dot1x-ev:Delete auth client (0x74000003) message
Oct 15 20:16:41.400: dot1x-ev:Auth client ctx destroyedshut
Oct 15 20:16:42.180: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi1/0/3, operational port trust state is now untrusted
Oct 15 20:16:43.363: %LINK-5-CHANGED: Interface GigabitEthernet1/0/3, changed state to administratively down
Oct 15 20:16:44.370: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state tno shut
SW1(config-if)#
Oct 15 20:16:47.801: %ILPOWER-7-DETECT: Interface Gi1/0/3: Power Device detected: IEEE PD
Oct 15 20:16:48.807: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/3: Power granted
Oct 15 20:16:48.916: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Oct 15 20:16:50.124: dot1x-ev(Gi1/0/3): Interface state changed to UP
Oct 15 20:16:50.133:     dot1x_auth Gi1/0/3: initial state auth_initialize has enter
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_initialize_enter called
Oct 15 20:16:50.133:     dot1x_auth Gi1/0/3: during state auth_initialize, got event 1(cfg_force_auth)
Oct 15 20:16:50.133: @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_force_auth
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_force_auth_enter called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Role determination not required
Oct 15 20:16:50.133: dot1x-registry:registry:dot1x_ether_macaddr called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Sending out EAPOL packet
Oct 15 20:16:50.133: EAPOL pak dump Tx
Oct 15 20:16:50.133: EAPOL Version: 0x3  type: 0x0  length: 0x0004
Oct 15 20:16:50.133: EAP code: 0x3  id: 0x1  length: 0x0004
Oct 15 20:16:50.133: dot1x-packet(Gi1/0/3): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xD8000004 (0000.0000.0000)
Oct 15 20:16:50.133:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_bend_initialize_enter called
Oct 15 20:16:50.133:     dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
Oct 15 20:16:50.133:     dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
Oct 15 20:16:50.133: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_bend_idle_enter called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Created a client entry (0xD8000004)
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Dot1x authentication started for 0xD8000004 (0000.0000.0000)
Oct 15 20:16:50.133: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
Oct 15 20:16:50.141: dot1x-ev(Gi1/0/3): Sending event (2) to Auth Mgr for 0000.0000.0000
Oct 15 20:16:50.141: dot1x-redundancy: State for client  0000.0000.0000 successfully retrieved
Oct 15 20:16:52.113: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Oct 15 20:16:53.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Oct 15 20:17:34.542: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/3, port's configured trust state is now operational.

端口仍处于关闭状态，但为电话供电...

4个回答

802.1x 是基于端口的。因此，以最简单的形式，端口要么被授权，要么不被授权；一旦获得授权——MAC 限制除外——任何流量都将被允许。现代 802.1x 系统更智能（“更复杂”），并且可以在单个端口上独立监管多个主机。这是multi-auth和multi-domain进来（请参阅思科这里）

正如 Jaxxs 指出的那样，唯一的妥协是允许电话无需身份验证（即通过 MAC）访问。因为 7941 本身不会执行 802.1x，但会通过 EAPOL，并在 PC 端口“假”注销时断开连接。

（忽略 NX-OS，这就是 MAB 的工作方式。）

您需要在多 VLAN 接口中为 IP 电话配置 MAB（Mac Auth Bypass）身份验证。您还需要多重身份验证，以便交换机知道要查找多个 MAC 地址。

-身份验证主机模式多重身份验证

- 认证命令mab dot1x

CDP 实际上应该负责 Cisco IP 电话的端口身份验证。有一个鲜为人知的功能称为“CDP 旁路”，它允许 Cisco 交换机检测 CDP 消息中的特定 TLV，从而允许立即进行身份验证。但是请注意，较新版本的 Cisco IOS 不再包含此 CDP 绕过功能。

手机必须能够进行 CDP。如果交换机将电话视为 CDP 邻居，它将绕过 CDP 并且不会尝试进行身份验证。

手机不需要多重身份验证。这将允许数据 vlan 中的多台机器，默认情况下禁用，并将在日志中显示“安全违规”。

多域将允许手机进行身份验证。

您应该配置身份验证命令 dot1x mab 以先尝试 dot1x。

还要添加身份验证端口控制自动。

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html

其它你可能感兴趣的问题

上一篇一个设备或一个接口可以拥有多少个IP地址？下一篇RSTP 与 STP 听起来真的只是一个大语义球吗？它们之间的主要区别是什么？