RADIUS VLAN assignment from Cisco ISE

network-engineering cisco vlan radius
2021-07-06 04:22:31

I am trying to set up Cisco ISE 2.1 as the RADIUS server for 802.1x on my switch. I want to assign VLANs dynamically based on the user connected to the switch port.

The problem is that although my end client is authenticated and authorized by ISE, the switch never receives a VLAN id from ISE.

On ISE I can see my end user being authenticated with the correct policy and authorized with the policy I created.

[Image: DOT1X authorization configuration in ISE]

As shown in this image, I want to assign VLAN 56. However, my port never gets this information and stays in the hard-coded VLAN.

What could be wrong here?

Could it be that RADIUS options 064, 065, 081 are not being forwarded from ISE to the switch? I have a firewall between them.

Here is the dot1x configuration on my switch:

aaa new-model
aaa group server tacacs+ ServISE
 server-private X.X.X.X key XXXXX
aaa authentication login default local
aaa authentication login CON none
aaa authentication login VTY group ServISE local
aaa authentication dot1x default group radius local
aaa authorization console
aaa authorization exec CON none
aaa authorization exec VTY group ServISE local if-authenticated
aaa authorization network default group radius

radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 XXXX


interface FastEthernet0/10
 switchport access vlan 88
 switchport mode access
 switchport voice vlan 372
 authentication event fail action next-method
 authentication event server dead action authorize vlan 56
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 spanning-tree portfast

Here is the output when the end user authenticates via dot1x:

 Dot1x Info for FastEthernet0/10
 -----------------------------------
 PAE                       = AUTHENTICATOR
 PortControl               = AUTO
 ControlDirection          = Both
 HostMode                  = MULTI_AUTH
 QuietPeriod               = 60
 ServerTimeout             = 0
 SuppTimeout               = 30
 ReAuthMax                 = 2
 MaxReq                    = 2
 TxPeriod                  = 30

 Dot1x Authenticator Client List
 -------------------------------
 Supplicant                = 34e6.d735.483c
 Session ID                = 84A8A830000000254EE2CCAB
     Auth SM State         = AUTHENTICATED
     Auth BEND SM State    = IDLE
 Port Status               = AUTHORIZED

Here is the output of "debug dot1x all":

275: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): dot1x_exec_reauth_interface: Reauthenticating Authenticator instances
276: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting REAUTHENTICATE on Client 0xF5000034
277: Jun 16 18:30:40.370:     dot1x_auth Fa0/10: during state auth_authenticated, got event 17(reAuthenticate)
278: Jun 16 18:30:40.370: @@@ dot1x_auth Fa0/10: auth_authenticated -> auth_restart
279: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_authenticated_exit called
280  Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_restart_enter called
281: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Sending create new context event to EAP for 0xF5000034 (34e6.d735.483c)
282: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_authenticated_restart_action called
283: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting !EAP_RESTART on Client 0xF5000034
284: Jun 16 18:30:40.370:     dot1x_auth Fa0/10: during state auth_restart, got event 6(no_eapRestart)
285: Jun 16 18:30:40.370: @@@ dot1x_auth Fa0/10: auth_restart -> auth_connecting
286: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_connecting_enter called
287: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_restart_connecting_action called
288: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting RX_REQ on Client 0xF5000034
289: Jun 16 18:30:40.370:     dot1x_auth Fa0/10: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
290: Jun 16 18:30:40.370: @@@ dot1x_auth Fa0/10: auth_connecting -> auth_authenticating
291: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_authenticating_enter called
292: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_connecting_authenticating_action called
293: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting AUTH_START for 0xF5000034
294: Jun 16 18:30:40.370:     dot1x_auth_bend Fa0/10: during state auth_bend_idle, got event 4(eapReq_authStart)
295: Jun 16 18:30:40.370: @@@ dot1x_auth_bend Fa0/10: auth_bend_idle -> auth_bend_request
296: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_request_enter called
297: Jun 16 18:30:40.370: dot1x-packet(Fa0/10): EAP code: 0x1  id: 0x4E length: 0x0005 type: 0x1  data:
298: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Sending EAPOL packet to 34e6.d735.483c
299: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Role determination not required
300: Jun 16 18:30:40.370: dot1x-registry:registry:dot1x_ether_macaddr called
301: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Sending out EAPOL packet
302: Jun 16 18:30:40.370: EAPOL pak dump Tx
303: Jun 16 18:30:40.370: EAPOL Version: 0x2  type: 0x0  length: 0x0005
304: Jun 16 18:30:40.370: EAP code: 0x1  id: 0x4E length: 0x0005 type: 0x1
305: Jun 16 18:30:40.370: dot1x-packet(Fa0/10): EAPOL packet sent to client 0xF5000034 (34e6.d735.483c)
306: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_idle_request_action called
307: Jun 16 18:30:40.378: dot1x-ev(Fa0/10): Role determination not required
308: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Queuing an EAPOL pkt on Authenticator Q
309: Jun 16 18:30:40.378: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
310: Jun 16 18:30:40.378: EAPOL pak dump rx
311: Jun 16 18:30:40.378: EAPOL Version: 0x1  type: 0x0  length: 0x0020
312: Jun 16 18:30:40.378: dot1x-ev:dot1x_auth_queue_event: Int Fa0/10 CODE= 2,TYPE= 1,LEN= 32
313: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Received an EAPOL frame
314: Jun 16 18:30:40.378: dot1x-ev(Fa0/10): Received pkt saddr =34e6.d735.483c , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0020
315: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Received an EAP packet
316: Jun 16 18:30:40.378: EAPOL pak dump rx
317: Jun 16 18:30:40.378: EAPOL Version: 0x1  type: 0x0  length: 0x0020
318: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Received an EAP packet from 34e6.d735.483c
319: Jun 16 18:30:40.378: dot1x-sm(Fa0/10): Posting EAPOL_EAP for 0xF5000034
320: Jun 16 18:30:40.378:     dot1x_auth_bend Fa0/10: during state auth_bend_request, got event 6(eapolEap)
321: Jun 16 18:30:40.378: @@@ dot1x_auth_bend Fa0/10: auth_bend_request -> auth_bend_response
322: Jun 16 18:30:40.378: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_response_enter called
323: Jun 16 18:30:40.378: dot1x-ev(Fa0/10): dot1x_sendRespToServer: Response sent to the server from 0xF5000034 (34e6.d735.483c)
324: Jun 16 18:30:40.378: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_request_response_action called
325: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): Posting EAP_REQ for 0xF5000034
326: Jun 16 18:30:40.395:     dot1x_auth_bend Fa0/10: during state auth_bend_response, got event 7(eapReq)
327: Jun 16 18:30:40.395: @@@ dot1x_auth_bend Fa0/10: auth_bend_response -> auth_bend_request
328: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_response_exit called
329: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_request_enter called
330: Jun 16 18:30:40.395: dot1x-packet(Fa0/10): EAP code: 0x1  id: 0x2B length: 0x0006 type: 0xD  data:
331: Jun 16 18:30:40.395: dot1x-ev(Fa0/10): Sending EAPOL packet to 34e6.d735.483c
332: Jun 16 18:30:40.395: dot1x-ev(Fa0/10): Role determination not required
333: Jun 16 18:30:40.395: dot1x-registry:registry:dot1x_ether_macaddr called
334: Jun 16 18:30:40.395: dot1x-ev(Fa0/10): Sending out EAPOL packet
335: Jun 16 18:30:40.395: EAPOL pak dump Tx
336: Jun 16 18:30:40.395: EAPOL Version: 0x2  type:0x0  length: 0x0006
337: Jun 16 18:30:40.395: EAP code: 0x1  id: 0x2B length: 0x0006 type: 0xD
338: Jun 16 18:30:40.395: dot1x-packet(Fa0/10): EAPOL packet sent to client 0xF5000034 (34e6.d735.483c)
339: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_response_request_action called
340: Jun 16 18:30:40.404: dot1x-ev(Fa0/10): Role determination not required
341: Jun 16 18:30:40.404: dot1x-packet(Fa0/10): Queuing an EAPOL pkt on Authenticator Q
342: Jun 16 18:30:40.404: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
343: Jun 16 18:30:40.404: EAPOL pak dump rx
344: Jun 16 18:30:40.404: EAPOL Version: 0x1  type: 0x0  length: 0x0006
345: Jun 16 18:30:40.404: dot1x-ev:dot1x_auth_queue_event: Int Fa0/10 CODE= 2,TYPE= 3,LEN= 6

Here is the output of "debug radius authentication":

685: Jun 17 09:06:23.838: RADIUS/ENCODE(000004D5):Orig. component type = DOT1X
686: Jun 17 09:06:23.838: RADIUS(000004D5): Config NAS IP: 0.0.0.0
687: Jun 17 09:06:23.838: RADIUS/ENCODE(000004D5): acct_session_id: 1237
688: Jun 17 09:06:23.838: RADIUS(000004D5): sending
689: Jun 17 09:06:23.838: RADIUS/ENCODE: Best Local IP-Address 1.1.1.1 for Radius-Server X.X.X.X
690: Jun 17 09:06:23.838: RADIUS(000004D5): Send Access-Request to X.X.X.X:1645 id 1645/16, len 236
691: Jun 17 09:06:23.838: RADIUS:  authenticator C8 97 74 7C 01 99 CE 9E - 11 D2 87 96 10 15 A4 43
692: Jun 17 09:06:23.838: RADIUS:  User-Name           [1]   29  "host/MyComputer.testdomain.com"
693: Jun 17 09:06:23.838: RADIUS:  Service-Type        [6]   6   Framed                    [2]
694: Jun 17 09:06:23.838: RADIUS:  Framed-MTU          [12]  6   1500
695: Jun 17 09:06:23.838: RADIUS:  Called-Station-Id   [30]  19  "C8-F9-F9-C9-45-0C"
696: Jun 17 09:06:23.838: RADIUS:  Calling-Station-Id  [31]  19  "34-E6-D7-35-48-3C"
697: Jun 17 09:06:23.838: RADIUS:  EAP-Message         [79]  34
698: Jun 17 09:06:23.838: RADIUS:   02 85 00 20 01 68 6F 73 74 2F 47 52 45 30 34 37 39 34 37 2E  [ host/MyComputer.]
699: Jun 17 09:06:23.838: RADIUS:   69 6E 74 72 61 2E 63 65 61 2E 66 72      [ testdomain.com]
700: Jun 17 09:06:23.838: RADIUS:  Message-Authenticato[80]  18
701: Jun 17 09:06:23.838: RADIUS:   02 09 C8 4B FC 82 96 B9 61 8A 24 F6 81 4A 0B C2[ Ka$J]
702: Jun 17 09:06:23.846: RADIUS:  Vendor, Cisco       [26]  49
703: Jun 17 09:06:23.846: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=84A8A830000000254EE2CCAB"
704: Jun 17 09:06:23.846: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
705: Jun 17 09:06:23.846: RADIUS:  NAS-Port            [5]   6   5    0
706: Jun 17 09:06:23.846: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/10"
707: Jun 17 09:06:23.846: RADIUS:  NAS-IP-Address      [4]   6   1.1.1.1
708: Jun 17 09:06:23.846: RADIUS: Received from id 1645/16 X.X.X.X:1645, Access-Challenge, len 127
709: Jun 17 09:06:23.846: RADIUS:  authenticator 71 6A C0 FC 82 FE 8A 64 - 22 FA 09 EE 44 33 5A ED
710: Jun 17 09:06:23.846: RADIUS:  State               [24]  81
711: Jun 17 09:06:23.846: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 38  [37CPMSessionID=8]
712: Jun 17 09:06:23.855: RADIUS:   34 41 38 41 38 33 30 30 30 30 30 30 30 32 35 34  [4A8A830000000254]
713: Jun 17 09:06:23.855: RADIUS:   45 45 32 43 43 41 42 3B 33 36 53 65 73 73 69 6F  [EE2CCAB;36Sessio]
714: Jun 17 09:06:23.855: RADIUS:   6E 49 44 3D 67 72 65 78 70 33 31 32 61 64 6D 2F  [nID=MyComputer/]
715: Jun 17 09:06:23.855: RADIUS:   32 35 34 38 33 38 36 35 35 2F 31 38 37 35 3B   [ 254838655/1875;]
716: Jun 17 09:06:23.855: RADIUS:  EAP-Message         [79]  8
717: Jun 17 09:06:23.855: RADIUS:   01 44 00 06 0D 20[ D ]
718: Jun 17 09:06:23.855: RADIUS:  Message-Authenticato[80]  18
719: Jun 17 09:06:23.855: RADIUS:   AF 6F 4C 96 0A 75 CE 3D 4B 4C 7D ED E9 A9 94 48          [ oLu=KL}H]
720: Jun 17 09:06:23.855: RADIUS(000004D5): Received from id 1645/16
721: Jun 17 09:06:23.855: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
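As an added example (not part of the question or the answers), here is a small Python checker for the "debug radius authentication" format shown above. It groups attribute lines per RADIUS packet and reports whether the Access-Accept carries the three tunnel attributes a Cisco switch needs for dynamic VLAN assignment: Tunnel-Type [64] = VLAN [13], Tunnel-Medium-Type [65] = 802 [6] and Tunnel-Private-Group-ID [81] = the VLAN id. The sample Access-Accept below is constructed; the attribute names and value layout follow the IOS debug format on this page.

```python
import re
from typing import Optional

# Constructed sample of "debug radius authentication" output (not from the page):
# an Access-Request followed by an Access-Accept that carries the RFC 2868
# tunnel attributes used for VLAN assignment. The "01:" prefix is the tag byte.
SAMPLE_DEBUG = """\
RADIUS(000004D5): Send Access-Request to X.X.X.X:1645 id 1645/17, len 236
RADIUS:  User-Name           [1]   29  "host/MyComputer.testdomain.com"
RADIUS: Received from id 1645/17 X.X.X.X:1645, Access-Accept, len 182
RADIUS:  User-Name           [1]   29  "host/MyComputer.testdomain.com"
RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
RADIUS:  Tunnel-Private-Group[81]  5   "56"
"""

# Attribute lines: "RADIUS:  <name>[<id>]  <len>  <value>". IOS truncates the
# name to 20 characters, so "[81]" may follow the name with no space.
ATTR_RE = re.compile(r"RADIUS:\s+[A-Za-z-]+\s*\[(\d+)\]\s+\d+\s+(.*)$")
CODE_RE = re.compile(r"Access-(?:Request|Accept|Reject|Challenge)")


def parse_packets(debug_text: str) -> list[dict]:
    """Return one {'code': ..., 'attrs': {attr_id: [values]}} per RADIUS packet."""
    packets = []
    for line in debug_text.splitlines():
        # A "Send ..." or "Received from ..." line opens a new packet.
        if "Send Access-" in line or "Received from" in line:
            m = CODE_RE.search(line)
            if m:
                packets.append({"code": m.group(0), "attrs": {}})
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            attr_id, value = int(m.group(1)), m.group(2).strip()
            packets[-1]["attrs"].setdefault(attr_id, []).append(value)
    return packets


def vlan_from_accept(packets: list[dict]) -> tuple[Optional[str], list[str]]:
    """Return (vlan, problems) for the last Access-Accept in the capture."""
    accepts = [p for p in packets if p["code"] == "Access-Accept"]
    if not accepts:
        return None, ["no Access-Accept seen (only Challenge/Reject, or lost in transit)"]
    attrs, problems = accepts[-1]["attrs"], []
    if not any("[13]" in v for v in attrs.get(64, [])):
        problems.append("Tunnel-Type [64] missing or not VLAN [13]")
    if not any("[6]" in v for v in attrs.get(65, [])):
        problems.append("Tunnel-Medium-Type [65] missing or not 802 [6]")
    group = attrs.get(81)
    if not group:
        problems.append("Tunnel-Private-Group-ID [81] missing")
        return None, problems
    return group[0].strip('"'), problems
```

If the Access-Accept line itself never shows up in the debug while ISE reports a successful authorization, the reply is being lost between ISE and the switch rather than being sent without the attributes.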
2 Answers

I don't know whether you have already done this, but you have to go one step further than just creating the Auth profile. You have to apply that Auth profile with an Auth policy. To create the policy, do the following.

Go to Policy / Authorization, Edit - Profiles - Standard, select your Auth profile, click Done, click Save.

For anyone still interested in this question: I had to upgrade the IOS to 12.2(55)SE10. It now works with the initial configuration.