此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。
思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。
本文档介绍如何设置具有802.1x安全性和虚拟局域网(VLAN)覆盖的无线局域网(WLAN)。
Cisco 建议您了解以下主题:
本文档中的信息基于以下软件和硬件版本:
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
设置具有802.1x安全和VLAN的WLAN时,可以使用受保护的可扩展身份验证协议作为可扩展身份验证协议(EAP)进行覆盖。
一般步骤如下:
为了允许RADIUS服务器和WLC之间的通信,您需要在WLC上注册RADIUS服务器,反之亦然。
GUI:
步骤1:打开WLC的GUI,导航到SECURITY > RADIUS > Authentication > New,如图所示。
第二步:输入RADIUS服务器信息,如图所示。
CLI:
> config radius auth add <index> <a.b.c.d> 1812 ascii <shared-key> > config radius auth disable <index> > config radius auth retransmit-timeout <index> <timeout-seconds> > config radius auth enable <index>
<a.b.c.d>对应于RADIUS服务器。
GUI:
步骤1:打开WLC的GUI并导航至WLANs > Create New > Go,如图所示。
第二步:选择SSID和配置文件的名称,然后单击Apply,如图所示。
CLI:
> config wlan create <id> <profile-name> <ssid-name>
第三步:将RADIUS服务器分配给WLAN。
CLI:
> config wlan radius_server auth add <wlan-id> <radius-index>
GUI:
导航到Security > AAA Servers并选择所需的RADIUS服务器,然后按图中所示的Apply。
第四步:启用Allow AAA Override,并可选择增加会话超时
CLI:
> config wlan aaa-override enable <wlan-id>
> config wlan session-timeout <wlan-id> <session-timeout-seconds>
GUI:
导航到WLANs > WLAN ID > Advanced并启用允许AAA覆盖。 或者指定会话超时(如图所示)。
第五步:启用WLAN。
CLI:
> config wlan enable <wlan-id>
GUI:
导航到WLANs > WLAN ID > General,然后启用如图所示的SSID。
步骤1:打开ISE控制台并导航到管理>网络资源>网络设备>添加,如图所示。
第二步:输入值。
或者,它可以是指定的型号名称、软件版本、说明,并根据设备类型、位置或WLC分配网络设备组。
a.b.c.d对应发送请求的身份验证的WLC接口。默认情况下,它是管理接口,如图所示。
有关网络设备组的详细信息:
步骤1:导航到管理>身份管理>身份>用户>添加,如图所示。
第二步:输入相关信息.
在本示例中,此用户属于名为ALL_ACCOUNTS的组,但可以根据需要进行调整,如图所示。
身份验证规则用于验证用户的凭证是否正确(验证用户是否真正是他们所说的用户),并限制允许其使用的身份验证方法。
步骤1:导航到Policy > Authentication,如图所示。
第二步:插入新的身份验证规则,如图所示。
第三步:输入值。
此身份验证规则允许Default Network Access列表下列出的所有协议。这适用于无线802.1x客户端的身份验证请求,使用被叫站ID,最后以ise-ssid结束,如图所示。
此外,选择与此身份验证规则匹配的客户端的身份源。此示例使用内部用户身份源列表,如图所示。
完成后,单击Done和Save,如图所示。
有关身份源的详细信息,请查阅以下链接:
授权配置文件确定您是否有权访问网络。推送访问控制列表(ACL)、VLAN覆盖或任何其他参数。本示例中显示的授权配置文件向您发送访问接受并分配VLAN 2404。
步骤1:导航到Policy > Policy Elements > Results,如图所示。
第二步:添加新的授权配置文件。导航到授权>授权配置文件>添加,如图所示。
第三步:输入如图所示的值。
授权规则负责确定哪些权限(哪个授权配置文件)结果适用于您。
步骤1:导航到Policy > Authorization,如图所示。
第二步:插入新规则,如图所示。
第三步:输入值。
首先,选择规则的名称以及存储用户的身份组(ALL_ACCOUNTS),如图所示。
之后,选择导致授权进程落入此规则之内的其他条件。在本示例中,如果授权进程使用802.1x无线且其被叫站ID以ise-ssid结尾(如图所示),则授权进程符合此规则。
最后,选择分配给您的符合该规则的授权配置文件。单击Done和Save,如图所示。
将笔记本电脑Windows 10配置为使用802.1x身份验证和PEAP/MS-CHAPv2(Microsoft版本的质询 — 握手身份验证协议)版本2连接到SSID。
在此配置示例中,ISE使用其自签名证书执行身份验证。
要在Windows计算机上创建WLAN配置文件,有两个选项:
这些选项的配置在终端设备配置 — 创建WLAN配置文件 — 步骤7中说明。
步骤1:导出自签名证书。
登录到ISE并导航到管理>系统>证书>系统证书。
然后,选择用于EAP身份验证的证书,然后单击导出,如图所示。
将证书保存在所需的位置。该证书必须安装在windows计算机上,如图所示。
第二步:在Windows计算机上安装证书。
将从ISE导出的证书复制到windows计算机,将文件扩展名从.pem更改为.crt,然后双击以按照映像所示进行安装。
第三步:选择将其安装在本地计算机中,然后单击下一步,如图所示。
第四步:选择Place all certificates in this store,然后浏览并选择Trusted Root Certification Authorities。然后,单击下一步,如图所示。
第五步:然后,单击完成,如图所示。
第六步:确认证书的安装。单击Yes,如图所示。
步骤 7.最后,单击OK,如图所示。
步骤1:右键单击开始图标,然后选择控制面板,如图所示。
第二步:导航到网络和Internet,然后导航到网络和共享中心,然后单击设置新连接或网络(如图所示)。
第三步:选择Manually connect to a wireless network,然后单击Next,如图所示。
第四步:输入SSID名称和安全类型WPA2-Enterprise的信息,然后单击Next,如图所示。
第五步:选择Change connection settings以自定义WLAN配置文件的配置,如图所示。
第六步:导航到Security选项卡,然后单击Settings,如图所示。
步骤 7. 选择是否验证了RADIUS服务器。
如果是,请启用Verify the server identity by validating the certificate,并从Trusted Root Certification Authorities:列表中选择ISE的自签名证书。
之后,选择Configure并禁用Automatically use my Windows logon name and password...,然后单击OK,如图所示。
步骤 8配置用户凭证。
返回Security选项卡后,选择Advanced settings,将身份验证模式指定为User authentication,并保存ISE上配置的凭证,以便对用户进行身份验证,如映像所示。
使用本部分可确认配置能否正常运行。
身份验证流程可以从WLC或ISE角度进行验证。
运行以下命令以监控特定用户的身份验证过程:
> debug client <mac-add-client> > debug dot1x event enable > debug dot1x aaa enable
身份验证成功的示例(省略了某些输出):
*apfMsConnTask_1: Nov 24 04:30:44.317: e4:b3:18:7c:30:58 Processing assoc-req station:e4:b3:18:7c:30:58 AP:00:c8:8b:26:2c:d0-00 thread:1a5cc288 *apfMsConnTask_1: Nov 24 04:30:44.317: e4:b3:18:7c:30:58 Reassociation received from mobile on BSSID 00:c8:8b:26:2c:d1 AP AP-1700-sniffer *apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0 *apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying site-specific Local Bridging override for station e4:b3:18:7c:30:58 - vapId 2, site 'default-group', interface 'management' *apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying Local Bridging Interface Policy for station e4:b3:18:7c:30:58 - vlan 2400, interface id 0, interface 'management' *apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 RSN Capabilities: 60 *apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Marking Mobile as non-e4:b3:18:7c:30:58 Received 802.11i 802.1X key management suite, enabling dot1x Authentication11w Capable *apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Received RSN IE with 1 PMKIDs from mobile e4:b3:18:7c:30:58 *apfMsConnTask_1: Nov 24 04:30:44.319: Received PMKID: (16) *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Searching for PMKID in MSCB PMKID cache for mobile e4:b3:18:7c:30:58 *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 No valid PMKID found in the MSCB PMKID cache for mobile e4:b3:18:7c:30:58 *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 START (0) Initializing policy *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0) *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2) *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:c8:8b:26:2c:d0 vapId 2 apVapId 2 flex-acl-name: *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfMsAssoStateInc *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfPemAddUser2 (apf_policy.c:437) Changing state for mobile e4:b3:18:7c:30:58 on AP 00:c8:8b:26:2c:d0 from Idle to Associated *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfPemAddUser2:session timeout forstation e4:b3:18:7c:30:58 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0 *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Stopping deletion of Mobile Station: (callerId: 48) *apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0 *apfMsConnTask_1: Nov 24 04:30:44.320: e4:b3:18:7c:30:58 Sending Assoc Response to station on BSSID 00:c8:8b:26:2c:d1 (status 0) ApVapId 2 Slot 0 *spamApTask2: Nov 24 04:30:44.323: e4:b3:18:7c:30:58 Successful transmission of LWAPP Add-Mobile to AP 00:c8:8b:26:2c:d0 *spamApTask2: Nov 24 04:30:44.325: e4:b3:18:7c:30:58 Received ADD_MOBILE ack - Initiating 1x to STA e4:b3:18:7c:30:58 (idx 55) *spamApTask2: Nov 24 04:30:44.325: e4:b3:18:7c:30:58 Sent dot1x auth initiate message for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 reauth_sm state transition 0 ---> 1 for mobile e4:b3:18:7c:30:58 at 1x_reauth_sm.c:47 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Disable re-auth, use PMK lifetime. *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Station e4:b3:18:7c:30:58 setting dot1x reauth timeout = 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Stopping reauth timeout for e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Connecting state *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Sending EAP-Request/Identity to mobile e4:b3:18:7c:30:58 (EAP Id 1) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Received EAPOL EAPPKT from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Received Identity Response (count=1) from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Resetting reauth count 1 to 0 for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 EAP State update from Connecting to Authenticating for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Authenticating state *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Entering Backend Auth Response state for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Created Acct-Session-ID (58366cf4/e4:b3:18:7c:30:58/367) for the mobile *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.386: e4:b3:18:7c:30:58 Processing Access-Challenge for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Entering Backend Auth Req state (id=215) for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 WARNING: updated EAP-Identifier 1 ===> 215 for STA e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Sending EAP Request from AAA to mobile e4:b3:18:7c:30:58 (EAP Id 215) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Allocating EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Received EAPOL EAPPKT from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Received EAP Response from mobile e4:b3:18:7c:30:58 (EAP Id 215, EAP Type 3) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Resetting reauth count 0 to 0 for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Entering Backend Auth Response state for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Processing Access-Challenge for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Entering Backend Auth Req state (id=216) for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Sending EAP Request from AAA to mobile e4:b3:18:7c:30:58 (EAP Id 216) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Reusing allocated memory for EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58 . . . *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Processing Access-Accept for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Resetting web IPv4 acl from 255 to 255 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Resetting web IPv4 Flex acl from 65535 to 65535 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Username entry (user1) created for mobile, length = 253 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Found an interface name:'vlan2404' corresponds to interface name received: vlan2404 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 override for default ap group, marking intgrp NULL *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 2400 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Re-applying interface policy for client *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Inserting AAA Override struct for mobile MAC: e4:b3:18:7c:30:58, source 4 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Applying override policy from source Override Summation: with value 200 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Found an interface name:'vlan2404' corresponds to interface name received: vlan2404 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Applying Interface(vlan2404) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 2400 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Re-applying interface policy for client *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Setting re-auth timeout to 0 seconds, got from WLAN config. *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Station e4:b3:18:7c:30:58 setting dot1x reauth timeout = 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Stopping reauth timeout for e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Creating a PKC PMKID Cache entry for station e4:b3:18:7c:30:58 (RSN 2) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Resetting MSCB PMK Cache Entry 0 for station e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Adding BSSID 00:c8:8b:26:2c:d1 to PMKID cache at index 0 for station e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: New PMKID: (16) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: [0000] cc 3a 3d 26 80 17 8b f1 2d c5 cd fd a0 8a c4 39 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 unsetting PmkIdValidatedByAp *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Updating AAA Overrides from local for station *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Adding Audit session ID payload in Mobility handoff *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 0 PMK-update groupcast messages sent *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 PMK sent to mobility group *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Disabling re-auth since PMK lifetime can take care of same. *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Sending EAP-Success to mobile e4:b3:18:7c:30:58 (EAP Id 223) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Freeing AAACB from Dot1xCB as AAA auth is done for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 key Desc Version FT - 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Found an cache entry for BSSID 00:c8:8b:26:2c:d1 in PMKID cache at index 0 of station e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: Including PMKID in M1 (16) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: [0000] cc 3a 3d 26 80 17 8b f1 2d c5 cd fd a0 8a c4 39 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: M1 - Key Data: (22) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: [0000] dd 14 00 0f ac 04 cc 3a 3d 26 80 17 8b f1 2d c5 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: [0016] cd fd a0 8a c4 39 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Starting key exchange to mobile e4:b3:18:7c:30:58, data packets will be dropped *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Sending EAPOL-Key Message to mobile e4:b3:18:7c:30:58 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Reusing allocated memory for EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Entering Backend Auth Success state (id=223) for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Received Auth Success while in Authenticating state for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Authenticated state *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Received EAPOL-Key from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 key Desc Version FT - 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Received EAPOL-key in PTK_START state (message 2) from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Successfully computed PTK from PMK!!! *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Received valid MIC in EAPOL Key Message M2!!!!! *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Not Flex client. Do not distribute PMK Key cache. *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Stopping retransmission timer for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 key Desc Version FT - 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Sending EAPOL-Key Message to mobile e4:b3:18:7c:30:58 state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Reusing allocated memory for EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Received EAPOL-Key from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 key Desc Version FT - 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Stopping retransmission timer for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Freeing EAP Retransmit Bufer for mobile e4:b3:18:7c:30:58 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMs1xStateInc *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMsPeapSimReqCntInc *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMsPeapSimReqSuccessCntInc *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Mobility query, PEM State: L2AUTHCOMPLETE *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Building Mobile Announce : *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Building Client Payload: *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Client Ip: 0.0.0.0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Client Vlan Ip: 172.16.0.134, Vlan mask : 255.255.255.224 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Client Vap Security: 16384 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Virtual Ip: 10.10.10.10 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 ssid: ise-ssid *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Building VlanIpPayload. *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Not Using WMM Compliance code qosCap 00 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:c8:8b:26:2c:d0 vapId 2 apVapId 2 flex-acl-name: *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6677, Adding TMP rule *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule type = Airespace AP - Learn IP address on AP 00:c8:8b:26:2c:d0, slot 0, interface = 1, QOS = 0 IPv4 ACL ID = 255, IPv *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 12 Local Bridging Vlan = 2400, Local Bridging intf id = 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0 *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255) *Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Successfully Plumbed PTK session Keysfor mobile e4:b3:18:7c:30:58 *spamApTask2: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Successful transmission of LWAPP Add-Mobile to AP 00:c8:8b:26:2c:d0 *pemReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0 *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 172.16.0.3 *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6315, Adding TMP rule *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule IPv4 ACL ID = 255, *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 12 Local Bridging Vlan = 2400, Local Bridging intf id = 0 *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0 *apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255) *pemReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 Sent an XID frame *dtlArpTask: Nov 24 04:30:47.932: e4:b3:18:7c:30:58 Static IP client associated to interface vlan2404 which can support client subnet. *dtlArpTask: Nov 24 04:30:47.933: e4:b3:18:7c:30:58 apfMsRunStateInc *dtlArpTask: Nov 24 04:30:47.933: e4:b3:18:7c:30:58 172.16.0.151 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
要轻松读取调试客户端输出,请使用无线调试分析器工具:
导航到操作(Operations)> RADIUS >实时日志(Live Logs),以查看分配给用户的身份验证策略、授权策略和授权配置文件。
有关详细信息,请单击Details以查看更详细的身份验证过程,如图所示。
当前没有故障排除此配置的特定可用资料。
版本 | 发布日期 | 备注 |
---|---|---|
3.0 |
17-Apr-2023 |
添加了Alt文本。
更新的PII、Gerunds、机器翻译、样式要求和格式。 |
1.0 |
10-Mar-2017 |
初始版本 |