基于身份的网络服务(IBNS)2.0故障排除
目录
简介
本文档介绍在使用基于身份的网络服务(IBNS)2.0的交换机上排除身份验证故障的过程
先决条件
要求
Cisco 建议您了解以下主题:
- 身份服务引擎(ISE)
- IEEE 802.1X概念(dot1X)
- MAC身份验证绕行(MAB)
使用的组件
本文档中的信息基于这些软件和硬件版本,但不限于:
- 思科交换机 — C3750X-48PF-S,带IOS 15.2.1E3(ED)
- 身份服务引擎2.1
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
背景信息
IBNS 2.0是取代传统身份验证管理器的新策略引擎。它配备了一组增强功能,通过思科通用分类策略语言(C3PL)提供灵活的配置。 IBNS 2.0现在称为访问会话管理器,它为管理员提供了根据特定条件和终端事件配置策略和操作的选项。C3PL用于定义身份验证条件、参数和操作,而不是常规条件。有关IBNS 2.0的详细信息,请点击“相关信息”部分中提供的链接。
有不同类型的策略映射用于各种用途。本段重点介绍用户类型。策略映射中有三个部分需要注意。
- “事件”部分
- 类部分
- 操作部分
它们遵循层次结构“事件”>“类”>“操作”。将策略映射应用到接口时,将评估策略映射中定义的所有事件。根据当前事件,在策略映射中定义的适当操作在接口级别应用。
一旦事件匹配,就有一个选项根据身份验证/授权的事件/方法/结果评估类。这些类的结果可以是ALWAYS EXECUTE或在其他类映射中调用。
在“操作”部分,可以包括的重要操作包括:
- 指定具有优先级的身份验证方法
event session-started match-all 10 classdo-until-failure 10 authenticate using priority - 指定特定身份验证方法的身份验证方法列表
event session-started match-all 10 classdo-until-failure 10 authenticate using aaa authc-list - 指定身份验证方法的授权方法列表
event session-started match-all 10 classdo-until-failure 10 authenticate using aaa authz-list - 指定重试次数
event session-started match-all 10 classdo-until-failure 10 authenticate using retries - 用新的身份验证/授权数据替换现有的身份验证/授权数据
event timer-expiry match-all 10 classdo-until-failure 10 authenticate using replace aaa - 强制授权
event session-started match-all 10 classdo-until-failure 10 authorize - 强制取消授权
event timer-expiry match-all 10 classdo-until-failure 10 unauthorize
- 激活服务模板
event timer-expiry match-all 10 classdo-until-failure 10 activate service-template
在传统IOS交换机中,没有选项可应用特定于已验证会话的方法列表。IBNS 2.0使用服务模板提供此功能。服务模板在交换机上本地配置,并在会话成功后应用。还有从AAA服务器推送所需服务模板的选项。
用于执行相同操作的RADIUS属性是subscriber:service-name = <服务模板的名称>。在身份服务引擎(ISE)中,您可以将授权配置文件命名为与交换机上配置的本地服务模板完全相同,并选中Service Template复选框。此授权配置文件以及任何其他授权配置文件可作为授权结果推送。
在授权结果报告中,有一个名为subscriber:service-name = <服务模板名称>的Cisco-AV-Pair。这表示交换机已收到通知,要为该会话应用该服务模板。
此图显示了示例策略映射的每个实体的确切含义。
配置
AAA配置
aaa new-model aaa authentication dot1x default group radius aaa authorization exec default local aaa authorization network default group radius aaa accounting identity default start-stop group radius aaa session-id common
dot1x system-auth-control
RADIUS 服务器配置
radius server ise address ipv4 X.X.X.X auth-port 1812 acct-port 1813 automate-tester username probe-user key XXXXXXXXXX
策略映射配置
policy-map type control subscriber Inter_Gi_3/0/48 event session-started match-all //On session-start event 10 class always do-until-failure //Both mab and dot1x start at the same time 10 authenticate using dot1x priority 10 20 authenticate using mab priority 20 event authentication-failure match-first //On authentication event failure 10 class DOT1X_NO_RESP do-until-failure //If dot1x fails 10 terminate dot1x 20 authenticate using mab priority 20 20 class MAB_FAILED do-until-failure //If mab fails 10 terminate mab 20 authentication-restart 60 30 class always do-until-failure //If both mab and dot1x fail 10 terminate dot1x 20 terminate mab 30 authentication-restart 60 event agent-found match-all //On dot1x agent found event 10 class always do-until-failure 10 terminate mab 20 authenticate using dot1x priority 10
类映射配置
class-map type control subscriber match-all DOT1X_NO_RESP //If dot1x and no response from client match method dot1x match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED //On mab failure match method mab match result-type method mab authoritative
接口配置
interface GigabitEthernet3/0/48 description ** Access Port ** switchport access vlan 100 switchport mode access switchport voice vlan 10 ip access-group IPV4-PRE-AUTH-ACL in access-session port-control auto mab dot1x pae authenticator spanning-tree portfast service-policy type control subscriber Inter_Gi_3/0/48
故障排除
排除故障的最佳方法是比较工作日志和非工作日志。这样,过程出错的确切步骤便已知。需要启用一些调试来排除mab/dot1x问题。以下是用于启用这些调试的命令。
- debug aaa authentication
- debug aaa authorization
- debug mab all
- debug dot1x all
- debug radius
以下是同时启用dot1x和mab的工作日志。
debug mab all
mab-ev: [28d2.4496.5376, Gi3/0/48] Received MAB context create from AuthMgr // New mac-address detected mab-ev: MAB authorizing 28d2.4496.5376 //mab authorization event should start mab-ev: Created MAB client context 0xB0000001 mab : initial state mab_initialize has enter //Initialize mab mab-ev: [28d2.4496.5376, Gi3/0/48] Sending create new context event to EAP from MAB for 0xB0000001 (28d2.4496.5376) mab-ev: [28d2.4496.5376, Gi3/0/48] MAB authentication started for 0x0782A870 (28d2.4496.5376) //mab authentication initialized %AUTHMGR-5-START: Starting 'mab' for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003300C586C2 mab-ev: [28d2.4496.5376, Gi3/0/48] Invalid EVT 9 from EAP mab-sm: [28d2.4496.5376, Gi3/0/48] Received event 'MAB_CONTINUE' on handle 0xB0000001 mab : during state mab_initialize, got event 1(mabContinue) @@@ mab : mab_initialize -> mab_authorizing //mab authorizing event started mab-ev: [28d2.4496.5376] formatted mac = 28d244965376 //mac-address formatted as required mab-ev: [28d2.4496.5376] created mab pseudo dot1x profile dot1x_mac_auth_28d2.4496.5376 //peuso dot1x profile formed (username=macaddress) mab-ev: [28d2.4496.5376, Gi3/0/48] Starting MAC-AUTH-BYPASS for 0xB0000001 (28d2.4496.5376) //starting mab authentication mab-ev: [28d2.4496.5376, Gi3/0/48] Invalid EVT 9 from EAP mab-ev: [28d2.4496.5376, Gi3/0/48] MAB received an Access-Accept for 0xB0000001 (28d2.4496.5376) //received mab success from the server %MAB-5-SUCCESS: Authentication successful for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003300C586C2 mab-sm: [28d2.4496.5376, Gi3/0/48] Received event 'MAB_RESULT' on handle 0xB0000001 // mab authorization result received mab : during state mab_authorizing, got event 5(mabResult) @@@ mab : mab_authorizing -> mab_terminate //mab authorization process terminate mab-ev: [28d2.4496.5376, Gi3/0/48] Deleted credentials profile for 0xB0000001 (dot1x_mac_auth_28d2.4496.5376) //deleted pseudo dot1x profile %AUTHMGR-5-SUCCESS: Authorization succeeded for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003300C586C2 // posting mab authorization succeeded
debug dot1x all
由于dot1x由于协议协商、证书交换等原因而进行了大量的消息交换,因此此处并未提及所有调试日志。此处记录了事件的发生顺序及其相应的调试日志。
dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1 // Initial EAPoL packet received by switch dot1x-packet: length: 0x0000 dot1x-ev:[28d2.4496.5376, Gi3/0/48] New client detected, sending session start event for 28d2.4496.5376 // dot1x client detected dot1x-ev:[28d2.4496.5376, Gi3/0/48] Dot1x authentication started for 0x26000007 (28d2.4496.5376) //dot1x started %AUTHMGR-5-START: Starting 'dot1x' for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003500C9CFC3 dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting !EAP_RESTART on Client 0x26000007 //requesting client to restart the EAP Proces dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting RX_REQ on Client 0x26000007 //waiting fot the EAPoL packet fromt he client dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting AUTH_START for 0x26000007 // Starting authentication process dot1x-ev:[28d2.4496.5376, Gi3/0/48] Sending out EAPOL packet // Identity Request dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0 dot1x-packet: length: 0x0005 dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005 dot1x-packet: type: 0x1 dot1x-packet:[28d2.4496.5376, Gi3/0/48] EAPOL packet sent to client 0x26000007 dot1x-ev:[Gi3/0/48] Received pkt saddr =28d2.4496.5376 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.000a dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0 // Identity Response dot1x-packet: length: 0x000A dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting EAPOL_EAP for 0x26000007 //EAPoL packet(EAP Response) received, preparing request to server dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting EAP_REQ for 0x26000007 //Server response received, EAP Request is being prepared dot1x-ev:[28d2.4496.5376, Gi3/0/48] Sending out EAPOL packet dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0 dot1x-packet: length: 0x0006 dot1x-packet:EAP code: 0x1 id: 0xE5 length: 0x0006 dot1x-packet: type: 0xD dot1x-packet:[28d2.4496.5376, Gi3/0/48] EAPOL packet sent to client 0x26000007 //EAP request sent out dot1x-ev:[Gi3/0/48] Received pkt saddr =28d2.4496.5376 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006 //EAP response received dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0 dot1x-packet: length: 0x0006 || || || || Here a lot of EAPOL-EAP and EAP_REQ events occur as a lot of information is exchanged between the switch and the client
|| If the events after this do not follow, then the timers and the information sent till now need to be checked || || || dot1x-packet:[28d2.4496.5376, Gi3/0/48] Received an EAP Success //EAP Success recieved from Server dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting EAP_SUCCESS for 0x26000007 //Posting EAP Success event dot1x-sm:[28d2.4496.5376, Gi3/0/48] Posting AUTH_SUCCESS on Client 0x26000007 //Posting Authentication success %DOT1X-5-SUCCESS: Authentication successful for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003500C9CFC3
dot1x-packet:[28d2.4496.5376, Gi3/0/48] EAP Key data detected adding to attribute list //Additional key data detected sent by server
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003500C9CFC3 dot1x-ev:[28d2.4496.5376, Gi3/0/48] Received Authz Success for the client 0x26000007 (28d2.4496.5376) //Authorization Success dot1x-ev:[28d2.4496.5376, Gi3/0/48] Sending out EAPOL packet //Sending EAP Success to the client dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0 dot1x-packet: length: 0x0004 dot1x-packet:EAP code: 0x3 id: 0xED length: 0x0004 dot1x-packet:[28d2.4496.5376, Gi3/0/48] EAPOL packet sent to client 0x26000007
debug radius
由于EAP消息很多,因此发送到服务器并收到的RADIUS数据包也会更多。并非每个dot1x身份验证都以Access-Request结束。因此,此处显示的日志是重要的日志,并且随着流的流动而变化。
//mab and dot1x start at the same time as per the configuration
%AUTHMGR-5-START: Starting 'dot1x' for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003600CCC037 %AUTHMGR-5-START: Starting 'mab' for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003600CCC037 RADIUS/ENCODE(00000000):Orig. component type = Invalid RADIUS(00000000): Config NAS IP: 0.0.0.0 //Since dot1x client didn't respond yet, mab authentication is done
RADIUS(00000000): sending RADIUS/ENCODE: Best Local IP-Address 10.106.37.142 for Radius-Server 10.106.73.143 RADIUS(00000000): Send Access-Request to 10.106.73.143:1812 id 1645/56, len 267 RADIUS: authenticator F0 E4 E3 28 7E EA E6 83 - 43 55 7F DC 96 19 EB 42 RADIUS: User-Name [1] 14 "28d244965376" RADIUS: User-Password [2] 18 * RADIUS: Service-Type [6] 6 Call Check [10] RADIUS: Vendor, Cisco [26] 31 RADIUS: Cisco AVpair [1] 25 "service-type=Call Check" RADIUS: Framed-MTU [12] 6 1500 RADIUS: Called-Station-Id [] 19 "CC-EF-48-AD-6B-" RADIUS: Calling-Station-Id [31] 19 "28-D2-44-96-53-76" RADIUS: Message-Authenticato[80] 18 RADIUS: AD DC 22 D7 83 8C 02 C5 1E 11 B2 94 80 85 2F 3D [ "/=] RADIUS: EAP-Key-Name [102] 2 * RADIUS: Vendor, Cisco [26] 49 RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A6A258E0000003600CCC037" RADIUS: Vendor, Cisco [26] 18 RADIUS: Cisco AVpair [1] 12 "method=mab" RADIUS: Framed-IP-Address [8] 6 1.1.1.2 RADIUS: NAS-IP-Address [4] 6 10.106.37.142 RADIUS: NAS-Port [5] 6 60000 RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet3/0/48" RADIUS: NAS-Port-Type [61] 6 Ethernet [15] RADIUS(00000000): Sending a IPv4 Radius Packet RADIUS(00000000): Started 5 sec timeout RADIUS: Received from id 1645/56 10.106.73.143:1812, Access-Accept, len 176 RADIUS: authenticator 7B D6 DA E1 70 49 6E 6D - 3D AC 5C 1D C0 AC CF D0 RADIUS: User-Name [1] 19 "28-D2-44-96-53-76" RADIUS: State [24] 40 RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 41 [ReauthSession:0A] RADIUS: 36 41 32 35 38 45 33 36 [6A258E0000003600] RADIUS: 43 43 43 33 37 [ CCC037] RADIUS: Class [25] 51 RADIUS: 43 41 43 53 3A 41 36 41 32 35 38 45 [CACS:0A6A258E000] RADIUS: 33 36 43 43 43 33 37 3A 69 73 [0003600CCC037:is] RADIUS: 65 31 34 2F 32 35 35 38 35 37 38 34 2F 36 34 [e14/255857804/64] RADIUS: 36 [ 6] RADIUS: Message-Authenticato[80] 18 RADIUS: D3 F3 6E 9A 25 09 01 8C D6 B1 20 D6 84 D3 18 3D [ n? =] RADIUS: Vendor, Cisco [26] 28 RADIUS: Cisco AVpair [1] 22 "profile-name=Unknown" //mab succeeds %MAB-5-SUCCESS: Authentication successful for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003600CCC037 %AUTHMGR-5-SUCCESS: Authorization succeeded for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003600CCC037 //A dot1x client is detected and mab is stopped as per the configuration and dot1x authentication starts
%AUTHMGR-7-STOPPING: Stopping 'mab' for client 28d2.4496.5376 on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003600CCC037 RADIUS/ENCODE(00000000):Orig. component type = Invalid RADIUS(00000000): Config NAS IP: 0.0.0.0 RADIUS(00000000): sending RADIUS/ENCODE: Best Local IP-Address 10.106.37.142 for Radius-Server 10.106.73.143 RADIUS(00000000): Send Access-Request to 10.106.73.143:1812 id 1645/57, len 252 RADIUS: authenticator 1B E9 37 F4 AC C7 73 BE - F4 95 CB 5F FC 2D 3D E1 RADIUS: User-Name [1] 7 "cisco" RADIUS: Service-Type [6] 6 Framed [2] RADIUS: Vendor, Cisco [26] 27 RADIUS: Cisco AVpair [1] 21 "service-type=Framed" RADIUS: Framed-MTU [12] 6 1500 RADIUS: Called-Station-Id [] 19 "CC-EF-48-AD-6B-" RADIUS: Calling-Station-Id [31] 19 "28-D2-44-96-53-76" RADIUS: EAP-Message [79] 12 RADIUS: 02 01 00 0A 01 63 69 73 63 6F [ cisco] RADIUS: Message-Authenticato[80] 18 RADIUS: 7B 42 C2 C2 69 CB 73 49 1A 40 81 28 71 CF CC 86 [ {BisI@(q] RADIUS: EAP-Key-Name [102] 2 * RADIUS: Vendor, Cisco [26] 49 RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A6A258E0000003600CCC037" RADIUS: Vendor, Cisco [26] 20 RADIUS: Cisco AVpair [1] 14 "method=dot1x" RADIUS: Framed-IP-Address [8] 6 1.1.1.2 RADIUS: NAS-IP-Address [4] 6 10.106.37.142 RADIUS: NAS-Port [5] 6 60000 RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet3/0/48" RADIUS: NAS-Port-Type [61] 6 Ethernet [15] RADIUS(00000000): Sending a IPv4 Radius Packet //More information is being requested by the AAA Server RADIUS: Received from id 1645/57 10.106.73.143:1812, Access-Challenge, len 120 RADIUS: authenticator A7 2A 6E 8C 75 9C 28 6F - 32 85 B9 87 5B D2 E4 FB RADIUS: State [24] 74 RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D [37CPMSessionID=0] RADIUS: 41 36 41 32 35 38 45 33 36 [A6A258E000000360] RADIUS: 43 43 43 33 37 3B 32 39 53 65 73 73 69 6F [0CCC037;29Sessio] RADIUS: 6E 49 44 3D 69 73 65 31 34 2F 32 35 35 38 35 37 [nID=ise14/255857] RADIUS: 38 34 2F 36 34 38 3B [ 804/648;] RADIUS: EAP-Message [79] 8 RADIUS: 01 0A 00 06 0D 20 [ ] RADIUS: Message-Authenticato[80] 18 RADIUS: E2 7C 2B 0E CA AB E3 21 B8 CD 04 8A 7F 23 7A D2 [ |+!#z] || || || || As mentioned before, the excess logs of Access-Requestes and Access-Challenges come here || || || //Authentication and Authorization succeeds for dot1x
RADIUS: Received from id 1645/66 10.106.73.143:1812, Access-Accept, len 325 RADIUS: authenticator F0 CF EE 59 3A 26 25 8F - F7 0E E4 03 E1 11 7E 86 RADIUS: User-Name [1] 7 "cisco" RADIUS: State [24] 40 RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 41 [ReauthSession:0A] RADIUS: 36 41 32 35 38 45 33 36 [6A258E0000003600] RADIUS: 43 43 43 33 37 [ CCC037] RADIUS: Class [25] 51 RADIUS: 43 41 43 53 3A 41 36 41 32 35 38 45 [CACS:0A6A258E000] RADIUS: 33 36 43 43 43 33 37 3A 69 73 [0003600CCC037:is] RADIUS: 65 31 34 2F 32 35 35 38 35 37 38 34 2F 36 34 [e14/255857804/64] RADIUS: 38 [ 8] RADIUS: EAP-Message [79] 6 RADIUS: 03 12 00 04 RADIUS: Message-Authenticato[80] 18 RADIUS: 3F 7A DA 59 F7 8A DE 1D 33 4B 07 88 62 F3 3B 71 [ ?zY3Kb;q] RADIUS: EAP-Key-Name [102] 67 * RADIUS: Vendor, Microsoft [26] 58 RADIUS: MS-MPPE-Send-Key [16] 52 * RADIUS: Vendor, Microsoft [26] 58 RADIUS: MS-MPPE-Recv-Key [17] 52 * RADIUS(00000000): Received from id 1645/66 RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes //Dot1x succeeds
%DOT1X-5-SUCCESS: Authentication successful for client (28d2.4496.5376) on Interface Gi3/0/48 AuditSessionID 0A6A258E0000003600CCC03
debug aaa authentication/authorization
debug aaa authentication和debug aaa authorization显示了各种身份验证/授权方法期间的有用信息。在这种情况下,它只是指定所使用方法列表的一行。
AAA/AUTHEN/8021X (00000000): Pick method list 'default'
这显示是否有任何身份验证方法不可用/未启用。
排除CWA/状态/DACL等故障的步骤与传统IOS交换机相同。配置验证是故障排除的第一步。确保配置符合要求。如果配置策略映射,则类映射达到标记,则调试问题(如果有)非常容易。有关使用IBNS 2.0进行配置的更多详细信息,请参阅“相关信息”部分。
反馈