I am trying to configure a Cisco Nexus 5548 for 802.1x with MAC authentication bypass. I found that there is no option to configure a guest VLAN for the case where authentication fails. According to this document it should be an available feature, but as you can see below, it is not an available option.
Switch(config-if)# dot1x ?
default Configure Dot1x with default values for this port
host-mode Role of 802.1x authenticating entity
mac-auth-bypass Configure Mac-Auth-Bypass
max-reauth-req Maximum Re-authentication Attempts Before Failing
max-req Maximum Retries to Initiate Authentication
pae Role of 802.1x authenticating entity
port-control Port control
re-authentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
I have enabled feature dot1x, configured my RADIUS server and pre-shared key, and also added the required aaa statements.
I can even run "test aaa server radius xxxx testuser password" and the user account authenticates successfully. It is just the guest VLAN feature that I cannot use.
I noticed that the linked document says:
If MAB is configured and authentication fails due to MAB, the guest VLAN (if available) is assigned as the access VLAN.
What does "(if available)" mean? Do I need to define a VLAN and then use some parameter to establish it as the guest VLAN?
I want to stress that this is on a Nexus 5548, not a Nexus 9000 series switch. I have read that Nexus 9Ks do not support the guest VLAN feature.
Sanitized config here:
!Command: show running-config
!Time: Tue Jan 8 18:40:24 2019

version 7.1(0)N1(1a)
hostname NexusFiveKLab
no feature telnet
feature tacacs+
feature interface-vlan
feature dot1x
feature lacp
feature lldp
feature vtp

username admin password 5 XXXXXX role network-admin
fips mode enable
no ip domain-lookup
tacacs-server host 172.16.0.11 key 7 "XXXX"
aaa group server tacacs+ SSVR
  server 172.16.0.11
  source-interface Vlan19
radius-server host 192.168.101.11 key 7 "XXXX" authentication accounting
logging event link-status default
policy-map type network-qos jumbo
  class type network-qos class-default
    mtu 9216
    multicast-optimize
system qos
  service-policy type queuing input fcoe-default-in-policy
  service-policy type queuing output fcoe-default-out-policy
  service-policy type qos input fcoe-default-in-policy
  service-policy type network-qos jumbo
snmp-server user admin network-admin auth md5 XXXX priv XXXX localizedkey
snmp-server host 172.16.0.3 traps version 3 auth NET_MONITOR udp-port 30055
snmp-server community 5K_Lab group network-operator
ntp server 192.168.1.1 prefer
ntp source-interface Vlan10
aaa authentication login default group SSVR local
aaa authentication login console group SSVR local
aaa authorization config-commands default group SSVR local
aaa authorization commands default group SSVR local
aaa authentication dot1x default group radius
aaa accounting default group SSVR
aaa authentication login error-enable

spanning-tree vlan 10, 900, 1000 priority 24576
vrf context management
  ip route 0.0.0.0/0 192.168.1.254

interface Vlan1

interface Vlan10
  no shutdown
  ip address 192.168.1.4/25

interface Vlan101
  no shutdown
  ip address 192.168.101.2/24

interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 4-5,10,19,119,900,1000
  speed 1000

interface Ethernet1/1

***The only port I've configured for dot1x is eth2/16. All other ports are either access ports or trunk ports.***

interface Ethernet2/16
  description 802.1x Test
  dot1x port-control auto
  dot1x re-authentication
  dot1x max-req 3
  dot1x timeout quiet-period 25
  dot1x timeout re-authperiod 3300
  dot1x timeout tx-period 40
  dot1x timeout server-timeout 60
  dot1x timeout ratelimit-period 10
  dot1x timeout supp-timeout 20
  dot1x pae authenticator
  dot1x mac-auth-bypass
  no cdp enable
  switchport access vlan 40
  speed 1000

interface mgmt0
  vrf member management
  ip address 192.168.1.2/25

cli alias name w copy system:running-config nvram:startup-config
cli alias name c config t
cli alias name sib show init brief
cli alias name sii show ip int brief
line console
line vty
boot kickstart bootflash:/n5000-uk9-kickstart.7.1.0.N1.1a.bin
boot system bootflash:/n5000-uk9.7.1.0.N1.1a.bin
ip radius source-interface Vlan101
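As an added example (not part of the original post or of Cisco's tooling), the small audit below parses NX-OS "interface" blocks like the one above and summarises each port's 802.1X/MAB posture (port-control mode, MAB, re-auth period, access VLAN), which is a quick way to confirm what is actually applied on a dot1x port before chasing a missing guest VLAN. The sample config is constructed to mirror the Ethernet2/16 block; the function names are my own.

```python
import re

# Constructed sample, mirroring the Ethernet2/16 block from the post.
SAMPLE_CONFIG = """\
interface Ethernet2/16
  dot1x port-control auto
  dot1x timeout re-authperiod 3300
  dot1x pae authenticator
  dot1x mac-auth-bypass
  switchport access vlan 40
interface mgmt0
  vrf member management
"""

def parse_interfaces(config):
    """Return {interface: [sub-commands]} from NX-OS 'interface' blocks."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # a global command ends the interface section
    return blocks

def dot1x_summary(config):
    """Per-interface dot1x posture for interfaces with any dot1x command."""
    summary = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("dot1x ") for l in lines):
            continue
        entry = {"port_control": None, "mab": False,
                 "reauth_period": None, "access_vlan": None}
        for l in lines:
            if m := re.fullmatch(r"dot1x port-control (\S+)", l):
                entry["port_control"] = m.group(1)
            elif l == "dot1x mac-auth-bypass":
                entry["mab"] = True
            elif m := re.fullmatch(r"dot1x timeout re-authperiod (\d+)", l):
                entry["reauth_period"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport access vlan (\d+)", l):
                entry["access_vlan"] = int(m.group(1))
        summary[name] = entry
    return summary
```

Feed it the output of "show running-config" to list every port with dot1x commands; ports such as mgmt0 with no dot1x lines are left out of the summary.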