WLC 2504 (8.0.121)+NPS Radius MS2012

Author Message

Сергей

02.03.2016, 13:40

Here is the problem: authentication through the RADIUS server does not go through.
I configured everything according to the Cisco manual.

In RADIUS Clients I specified both the management interface and the interface that faces the LAN.
In the second case authentication succeeded, but I could not connect a second time.

Statistics from the WLC
First Requests 5
Retry Requests 30
Accept Responses 2
Reject Responses 0
Challenge Responses 127
Malformed Messages 0
Bad Authenticator Msgs 0

In the logs on the RADIUS server, no Access-Request arrives.
Only Accounting-Request (message type 4).

When a client connects, the debug output is as follows:

reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.345: 74:29:af:2a:70:95 EAP-PARAM Debug - eap-params for Wlan-Id :10 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.345: 74:29:af:2a:70:95 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.345: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Connecting state
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.345: 74:29:af:2a:70:95 Sending EAP-Request/Identity to mobile 74:29:af:2a:70:95 (EAP Id 1)
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.346: 74:29:af:2a:70:95 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.346: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.346: 74:29:af:2a:70:95 Received EAPOL START from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.346: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Connecting state
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.346: 74:29:af:2a:70:95 Sending EAP-Request/Identity to mobile 74:29:af:2a:70:95 (EAP Id 2)
*Dot1x_NW_MsgTask_5: Mar 02 11:12:55.346: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 Received EAPOL EAPPKT from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 Received Identity Response (count=1) from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 Resetting reauth count 1 to 0 for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 EAP State update from Connecting to Authenticating for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Authenticating state
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 Entering Backend Auth Response state for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.779: 74:29:af:2a:70:95 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 Received EAPOL START from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Aborting state
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Connecting state
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 Sending EAP-Request/Identity to mobile 74:29:af:2a:70:95 (EAP Id 4)
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*IPv6_Msg_Task: Mar 02 11:13:14.103: 74:29:af:2a:70:95 IP Addr Clear. AP MAC[50:67:ae:40:5a:40] Role[Unassociated] Pem State [8021X_REQD] Connected Time[19]
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 Received EAPOL EAPPKT from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 Received Identity Response (count=1) from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 Resetting reauth count 1 to 0 for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 EAP State update from Connecting to Authenticating for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Authenticating state
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 Entering Backend Auth Response state for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.347: 74:29:af:2a:70:95 reauth_sm state transition 0 —> 0 for mobile 74:29:af:2a:70:95 at 1x_reauth_sm.c:71

What bothers me is the line Reset the reauth counter since EAPOL START has been received!!!

And the absence of 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

Has anyone run into this problem? Can anyone help with advice?
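
A triage helper for the debug output quoted above, added here as an example and not part of the original posts: it measures how long each client waited in the Backend Auth Response state and whether that wait ended with a RADIUS reply or with the supplicant restarting via EAPOL START. The year and the "Processing Access-" marker for a backend reply are assumptions, since neither appears in the quoted debug.

```python
import re
from datetime import datetime

ASSUMED_YEAR = "2016"  # assumption: debug lines carry no year; taken from the post date

# Constructed sample: a shortened subset of the debug lines quoted in the post.
SAMPLE = """\
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 Received Identity Response (count=1) from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:02.769: 74:29:af:2a:70:95 Entering Backend Auth Response state for mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 Received EAPOL START from mobile 74:29:af:2a:70:95
*Dot1x_NW_MsgTask_5: Mar 02 11:13:07.780: 74:29:af:2a:70:95 dot1x - moving mobile 74:29:af:2a:70:95 into Aborting state
*Dot1x_NW_MsgTask_5: Mar 02 11:13:16.346: 74:29:af:2a:70:95 Entering Backend Auth Response state for mobile 74:29:af:2a:70:95
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE = re.compile(
    r"^\*\S+: (\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")

def backend_waits(text):
    """Return (mac, outcome, seconds) for every wait on the RADIUS backend."""
    waiting, results, last = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not timestamped per-client debug
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m[1]}", "%Y %b %d %H:%M:%S.%f")
        mac, msg, last = m[2], m[3], ts
        if "Entering Backend Auth Response state" in msg:
            waiting.setdefault(mac, ts)  # WLC is now waiting on the RADIUS server
        elif mac in waiting and "Processing Access-" in msg:  # assumed reply marker
            results.append((mac, "answered", (ts - waiting.pop(mac)).total_seconds()))
        elif mac in waiting and "Received EAPOL START" in msg:
            # supplicant gave up and restarted before any backend reply was logged
            results.append((mac, "restarted", (ts - waiting.pop(mac)).total_seconds()))
    for mac, since in waiting.items():  # still waiting when the capture ends
        results.append((mac, "open", (last - since).total_seconds()))
    return results

if __name__ == "__main__":
    for mac, outcome, secs in backend_waits(SAMPLE):
        print(f"{mac} {outcome:9s} after {secs:.3f}s in Backend Auth Response")
```

Many "restarted" entries with similar wait times, alongside a high Retry Requests counter on the WLC, are worth comparing against the RADIUS server's own log for the same timestamps.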

Kom-Way.Team

02.03.2016, 19:20

Good afternoon,
try doing it not by the manual but by real-world practice. For example, here is a good article whose second half describes configuring RADIUS. The only thing is that you are now on release 8 and the Web UI may differ, but that should not become a problem.
https://habrahabr.ru/post/148903/