配置PEAP、ISE 2.1和WLC 8.3的802.1X身份驗證

下載選項

  • PDF     (1.5 MB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (1.1 MB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (2.1 MB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2024 年 8 月 26 日
文件 ID:201044

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本文說明如何設定具有802.1x安全性的「無線區域網路(WLAN)」和虛擬區域網路(VLAN)覆寫。

    必要條件

    需求

    思科建議您瞭解以下主題:

    • 802.1x
    • 受保護的可延伸驗證通訊協定(PEAP)
    • 憑證授權單位(CA)
    • 憑證

    採用元件

    本文中的資訊係根據以下軟體和硬體版本:

    • WLC v8.3.102.0
    • 身分辨識服務引擎(ISE) v2.1
    • Windows 10筆記型電腦 

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    背景資訊

    設定具有802.1x安全和VLAN的WLAN時,您可以使用受保護的可延伸驗證通訊協定覆寫為可延伸驗證通訊協定(EAP)。

    設定

    網路圖表

    Topology diagram

    組態

    一般步驟如下:

    1. 在WLC上宣告RADIUS伺服器,反之亦然,以允許彼此通訊。
    2. 在WLC中建立服務組辨識碼(SSID)。
    3. 在ISE上建立身份驗證規則。
    4. 在ISE上建立授權配置檔案。
    5. 在ISE上建立授權規則。
    6. 配置終端。

    在WLC上宣告RADIUS伺服器

    若要允許RADIUS伺服器和WLC之間的通訊,您需要在WLC上註冊RADIUS伺服器,反之亦然。

    GUI:

    步驟 1.開啟WLC的GUI,然後導覽至SECURITY > RADIUS > Authentication > New,如下圖所示。

    Radius Authentication page on the WLC

    步驟 2.輸入RADIUS伺服器資訊,如下圖所示。

    Create a new RADIUS server on the WLC

    CLI:

    > config radius auth add <index> <a.b.c.d> 1812 ascii <shared-key>
> config radius auth disable <index>
> config radius auth retransmit-timeout <index> <timeout-seconds>
> config radius auth enable <index>

    <a.b.c.d>對應於RADIUS伺服器。

    建立SSID

    GUI:

    步驟 1.開啟WLC的GUI,然後導覽至WLANs > Create New > Go,如下圖所示。

    Create a new WLAN

    步驟 2.選擇SSID和配置檔案的名稱,然後按一下Apply,如下圖所示。

    Enter new SSID profile details

    CLI:

    > config wlan create <id> <profile-name> <ssid-name>

    步驟 3.將RADIUS伺服器分配給WLAN。

    CLI:

    > config wlan radius_server auth add <wlan-id> <radius-index>

    GUI:

    導覽至Security > AAA Servers,選擇所需的RADIUS伺服器,然後按一下Apply,如下圖所示。

    Set a AAA server for the WLAN

      

    步驟 4.啟用Allow AAA Override並選擇性地增加會話超時

    CLI:

    > config wlan aaa-override enable <wlan-id> 
    > config wlan session-timeout <wlan-id> <session-timeout-seconds>

    GUI:

    導航到WLANs > WLAN ID > Advanced,然後啟用Allow AAA Override 或者指定會話超時,如圖所示。

    Set the session timeout

    步驟 5.啟用WLAN。

    CLI:

    > config wlan enable <wlan-id>

    GUI:

    導覽至WLANs > WLAN ID > General,然後啟用SSID,如下圖所示。

    Enable the WLAN

    在ISE上宣告WLC

    步驟 1.打開ISE控制檯並導航到管理>網路資源>網路裝置>增加,如圖所示。

    Add a network ressource device

    步驟 2.輸入值。

    或者,它可以是指定的型號名稱、軟體版本、說明,並根據裝置型別、位置或WLC分配網路裝置組。

    a.b.c.d對應於傳送請求的身份驗證的WLC介面。預設情況下,其為管理介面,如下圖所示。

    Set the RADIUS shared secret

    有關網路裝置組的詳細資訊:

    ISE – 網路裝置群組

    在 ISE 上建立新使用者

    步驟 1.導航到管理>身份管理>身份>使用者>增加(如圖所示)。

    Add a User on ISE

    步驟 2.輸入資訊。

    在此範例中,此使用者屬於名為ALL_ACCOUNTS的群組,但可視需要加以調整,如下圖所示。

    Define user credentials

    建立驗證規則

    身份驗證規則用於驗證使用者的憑證是否正確(驗證使用者是否真正是他們所說的使用者),並限制允許其使用的身份驗證方法。

    步驟 1.導覽至Policy > Authentication,如下圖所示。

    ISE policy authentication menu

    步驟 2.插入新的驗證規則,如圖所示。

    Insert a new authentication policy

    步驟 3.輸入值。

    此驗證規則允許Default Network Access清單下列出的所有協定。這適用於無線802.1x客戶端的身份驗證請求,且帶有被叫站ID,以ise-ssid結束,如圖所示。

    Define the policy details

    同時,為與此身份驗證規則匹配的客戶端選擇身份源。此示例使用內部使用者身份源清單,如圖所示。

    Chose internal users

    完成後,按一下DoneSave,如下圖所示。

    Save policy

    有關身份源的詳細資訊,請參閱以下連結:

    建立使用者身份組

    建立授權設定檔

    授權配置檔案確定您是否有權訪問網路。植入存取控制清單(ACL)、VLAN覆寫或任何其他引數。本示例中顯示的授權配置檔案向您傳送訪問接受並分配VLAN 2404。

    步驟 1.導覽至Policy > Policy Elements > Results,如下圖所示。

    Authorization results

    步驟 2.增加新的授權配置檔案。導覽至Authorization > Authorization Profiles > Add,如下圖所示。

    Add authorization profile

    步驟 3.輸入如圖所示的值。

    Define the VLAN

    建立授權規則

    授權規則是負責確定將哪些許可權(哪個授權配置檔案)結果應用於您的規則。

    步驟 1.導覽至Policy > Authorization,如下圖所示。

    ISE authorization policy page

    步驟 2.插入新規則,如下圖所示。

    Insert a new authorization policy

    步驟 3.輸入值。

    首先,選取規則的名稱,以及儲存使用者的辨識群組(ALL_ACCOUNTS),如下圖所示。

    Chose identity group

    然後,選擇導致授權過程落入此規則的其他條件。在本示例中,如果授權進程使用802.1x無線且其被叫站ID以ise-ssid結尾,則授權進程符合此規則,如圖所示。

    Set the condition

    最後,選擇分配給您的符合該規則的授權配置檔案。點選完成儲存,如圖所示。

    Chose an authorization result

    終端裝置配置

    將膝上型電腦Windows 10電腦設定為使用802.1x驗證和PEAP/MS-CHAPv2 (Microsoft版的Challenge-Handshake驗證通訊協定)第2版連線到SSID。

    在此配置示例中,ISE使用其自簽名證書執行身份驗證。

    要在Windows電腦上建立WLAN配置檔案,請選擇兩個選項:

    1. 在電腦上安裝自簽名證書以進行驗證,並信任ISE伺服器以完成身份驗證。
    2. 略過RADIUS伺服器的驗證,並信任任何用於執行驗證的RADIUS伺服器(不建議使用,因為這可能成為安全性問題)。

    這些選項的設定詳見終端裝置組態-建立WLAN設定檔-步驟7。

    終端裝置配置-安裝ISE自簽名證書

    步驟 1.導出自簽名證書。

    登入ISE並導航到管理>系統>證書>系統證書

    然後選擇EAP身份驗證使用的證書,然後按一下導出,如圖所示。

    Export ISE certificate

    將憑證儲存在所需的位置。該證書必須安裝在windows電腦上,如圖所示。

    Export certificate

    步驟 2.在Windows電腦上安裝證書。

    將從ISE導出的證書複製到windows電腦,將檔案的副檔名從.pem更改為.crt,然後按兩下以安裝它,如圖所示。

    Install certificate

    步驟 3.選擇將其安裝在本地電腦中,然後按一下下一步,如圖所示。

    Certificate import wizard

    步驟 4.選擇將所有的證書放入此儲存,然後瀏覽並選擇受信任的根證書頒發機構。然後,按一下Next(如圖所示)。

    Chose certificate store

    步驟 5.然後按一下Finish,如圖所示。

    Complete the import wizard

    步驟 6.確認安裝憑證。按一下Yes(如圖所示)。

    PEAP Security warning

    步驟 7.最後,按一下確定(如圖所示)。

    Import successful

    終端裝置配置-建立WLAN配置檔案

    步驟 1.按一下右鍵開始圖示並選擇控制台,如下圖所示。

    Windows control panel

    步驟 2.導覽至Network and Internet,然後導覽至Network and Sharing Center,並按一下Set up a new connection or network,如下圖所示。

    Setup network connection

    步驟 3.選擇手動連線到無線網路,然後按一下下一步(如圖所示)。

    Chose manual connection

    步驟 4.輸入SSID名稱和安全型別WPA2-Enterprise的資訊,然後按一下Next,如圖所示。

    Enter SSID information

    步驟 5.選擇Change connection settings 以自定義WLAN配置檔案的配置,如下圖所示。

    Successfully added SSID

    步驟 6.導覽至Security索引標籤,然後按一下Settings,如下圖所示。

    PEAP settings

    步驟 7. 選取是否驗證RADIUS伺服器。

    如果是,請啟用Verify the server identity by validating the certificate,並從Trusted Root Certification Authorities:清單選擇ISE的自簽名證書。

    之後,選擇Configure並停用Automatically use my Windows logon name and password...,然後按一下OK,如圖所示。

    Verify the service certificate

    EAP MSCHAPv2 properties pop up

    步驟 8.設定使用者身份證明。

    返回安全頁籤後,選擇高級設定,將身份驗證模式指定為使用者身份驗證,並儲存在ISE上配置的憑證以對使用者進行身份驗證,如圖所示。 

    PEAP advanced settings

    Chose user or machine authentication

    Enter credentials

    驗證

    使用本節內容,確認您的組態是否正常運作。

    身份驗證流可以從WLC或ISE角度進行驗證。

    WLC上的身份驗證過程

    執行下列命令,以監控特定使用者的驗證程式:

    > debug client <mac-add-client>
> debug dot1x event enable
> debug dot1x aaa enable

    身份驗證成功的示例(某些輸出被省略):

    *apfMsConnTask_1: Nov 24 04:30:44.317: e4:b3:18:7c:30:58 Processing assoc-req station:e4:b3:18:7c:30:58 AP:00:c8:8b:26:2c:d0-00 thread:1a5cc288
*apfMsConnTask_1: Nov 24 04:30:44.317: e4:b3:18:7c:30:58 Reassociation received from mobile on BSSID 00:c8:8b:26:2c:d1 AP AP-1700-sniffer
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying site-specific Local Bridging override for station e4:b3:18:7c:30:58 - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Applying Local Bridging Interface Policy for station e4:b3:18:7c:30:58 - vlan 2400, interface id 0, interface 'management'
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 RSN Capabilities:  60
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Marking Mobile as non-e4:b3:18:7c:30:58 Received 802.11i 802.1X key management suite, enabling dot1x Authentication11w Capable
*apfMsConnTask_1: Nov 24 04:30:44.318: e4:b3:18:7c:30:58 Received RSN IE with 1 PMKIDs from mobile e4:b3:18:7c:30:58
*apfMsConnTask_1: Nov 24 04:30:44.319: Received PMKID:  (16)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Searching for PMKID in MSCB PMKID cache for mobile e4:b3:18:7c:30:58
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 No valid PMKID found in the MSCB PMKID cache for mobile e4:b3:18:7c:30:58
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:c8:8b:26:2c:d0 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfMsAssoStateInc
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfPemAddUser2 (apf_policy.c:437) Changing state for mobile e4:b3:18:7c:30:58 on AP 00:c8:8b:26:2c:d0 from Idle to Associated
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 apfPemAddUser2:session timeout forstation e4:b3:18:7c:30:58 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_1: Nov 24 04:30:44.319: e4:b3:18:7c:30:58 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_1: Nov 24 04:30:44.320: e4:b3:18:7c:30:58 Sending Assoc Response to station on BSSID 00:c8:8b:26:2c:d1 (status 0) ApVapId 2 Slot 0
*spamApTask2: Nov 24 04:30:44.323: e4:b3:18:7c:30:58 Successful transmission of LWAPP Add-Mobile to AP 00:c8:8b:26:2c:d0
*spamApTask2: Nov 24 04:30:44.325: e4:b3:18:7c:30:58 Received ADD_MOBILE ack - Initiating 1x to STA e4:b3:18:7c:30:58 (idx 55)
*spamApTask2: Nov 24 04:30:44.325: e4:b3:18:7c:30:58 Sent dot1x auth initiate message for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 reauth_sm state transition 0 ---> 1 for mobile e4:b3:18:7c:30:58 at 1x_reauth_sm.c:47
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Station e4:b3:18:7c:30:58 setting dot1x reauth timeout = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Stopping reauth timeout for e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Connecting state
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.326: e4:b3:18:7c:30:58 Sending EAP-Request/Identity to mobile e4:b3:18:7c:30:58 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Received EAPOL EAPPKT from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Received Identity Response (count=1) from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Resetting reauth count 1 to 0 for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 EAP State update from Connecting to Authenticating for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Authenticating state
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Entering Backend Auth Response state for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.380: e4:b3:18:7c:30:58 Created Acct-Session-ID (58366cf4/e4:b3:18:7c:30:58/367) for the mobile
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.386: e4:b3:18:7c:30:58 Processing Access-Challenge for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Entering Backend Auth Req state (id=215) for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 WARNING: updated EAP-Identifier 1 ===> 215 for STA e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Sending EAP Request from AAA to mobile e4:b3:18:7c:30:58 (EAP Id 215)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.387: e4:b3:18:7c:30:58 Allocating EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Received EAPOL EAPPKT from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Received EAP Response from mobile e4:b3:18:7c:30:58 (EAP Id 215, EAP Type 3)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Resetting reauth count 0 to 0 for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.390: e4:b3:18:7c:30:58 Entering Backend Auth Response state for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Processing Access-Challenge for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Entering Backend Auth Req state (id=216) for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Sending EAP Request from AAA to mobile e4:b3:18:7c:30:58 (EAP Id 216)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.393: e4:b3:18:7c:30:58 Reusing allocated memory for  EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
.
.
.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Processing Access-Accept for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Resetting web IPv4 Flex acl from 65535 to 65535
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Username entry (user1) created for mobile, length = 253
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Found an interface name:'vlan2404' corresponds to interface name received: vlan2404
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 override for default ap group, marking intgrp NULL
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 2400
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.530: e4:b3:18:7c:30:58 Re-applying interface policy for client
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Inserting AAA Override struct for mobile
        MAC: e4:b3:18:7c:30:58, source 4
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Applying override policy from source Override Summation: with value 200
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Found an interface name:'vlan2404' corresponds to interface name received: vlan2404
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Applying Interface(vlan2404) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 2400
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Re-applying interface policy for client
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Setting re-auth timeout to 0 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Station e4:b3:18:7c:30:58 setting dot1x reauth timeout = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Stopping reauth timeout for e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Creating a PKC PMKID Cache entry for station e4:b3:18:7c:30:58 (RSN 2)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Resetting MSCB PMK Cache Entry 0 for station e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Adding BSSID 00:c8:8b:26:2c:d1 to PMKID cache at index 0 for station e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531:      [0000] cc 3a 3d 26 80 17 8b f1 2d c5 cd fd a0 8a c4 39
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Updating AAA Overrides from local for station
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Adding Audit session ID payload in Mobility handoff
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.531: e4:b3:18:7c:30:58 Sending EAP-Success to mobile e4:b3:18:7c:30:58 (EAP Id 223)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Freeing AAACB from Dot1xCB as AAA auth is done for  mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Found an cache entry for BSSID 00:c8:8b:26:2c:d1 in PMKID cache at index 0 of station e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: Including PMKID in M1  (16)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532:      [0000] cc 3a 3d 26 80 17 8b f1 2d c5 cd fd a0 8a c4 39
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: M1 - Key Data: (22)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532:      [0000] dd 14 00 0f ac 04 cc 3a 3d 26 80 17 8b f1 2d c5
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532:      [0016] cd fd a0 8a c4 39
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Starting key exchange to mobile e4:b3:18:7c:30:58, data packets will be dropped
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Sending EAPOL-Key Message to mobile e4:b3:18:7c:30:58
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Reusing allocated memory for  EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Entering Backend Auth Success state (id=223) for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 Received Auth Success while in Authenticating state for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.532: e4:b3:18:7c:30:58 dot1x - moving mobile e4:b3:18:7c:30:58 into Authenticated state
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Received EAPOL-Key from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.547: e4:b3:18:7c:30:58 Received EAPOL-key in PTK_START state (message 2) from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Successfully computed PTK from PMK!!!
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Received valid MIC in EAPOL Key Message M2!!!!!
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Not Flex client. Do not distribute PMK Key cache.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Stopping retransmission timer for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Sending EAPOL-Key Message to mobile e4:b3:18:7c:30:58
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.548: e4:b3:18:7c:30:58 Reusing allocated memory for  EAP Pkt for retransmission to mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Received EAPOL-Key from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 key Desc Version FT - 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Stopping retransmission timer for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Freeing EAP Retransmit Bufer for mobile e4:b3:18:7c:30:58
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMsPeapSimReqCntInc
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 apfMsPeapSimReqSuccessCntInc
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Mobility query, PEM State: L2AUTHCOMPLETE
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.555: e4:b3:18:7c:30:58 Building Mobile Announce :
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58   Building Client Payload:
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Client Ip: 0.0.0.0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Client Vlan Ip: 172.16.0.134, Vlan mask : 255.255.255.224
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Client Vap Security: 16384
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     Virtual Ip: 10.10.10.10
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58     ssid: ise-ssid
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58   Building VlanIpPayload.
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:c8:8b:26:2c:d0 vapId 2 apVapId 2 flex-acl-name:
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6677, Adding TMP rule
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:c8:8b:26:2c:d0, slot 0, interface = 1, QOS = 0
  IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 12  Local Bridging Vlan = 2400, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*Dot1x_NW_MsgTask_0: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Successfully Plumbed PTK session Keysfor mobile e4:b3:18:7c:30:58
*spamApTask2: Nov 24 04:30:44.556: e4:b3:18:7c:30:58 Successful transmission of LWAPP Add-Mobile to AP 00:c8:8b:26:2c:d0
*pemReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Local
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 172.16.0.3
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6315, Adding TMP rule
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  IPv4 ACL ID = 255,
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 12  Local Bridging Vlan = 2400, Local Bridging intf id = 0
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*pemReceiveTask: Nov 24 04:30:44.557: e4:b3:18:7c:30:58 Sent an XID frame
*dtlArpTask: Nov 24 04:30:47.932: e4:b3:18:7c:30:58 Static IP client associated to interface vlan2404 which can support client subnet.
*dtlArpTask: Nov 24 04:30:47.933: e4:b3:18:7c:30:58 apfMsRunStateInc
*dtlArpTask: Nov 24 04:30:47.933: e4:b3:18:7c:30:58 172.16.0.151 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

    要輕鬆讀取調試客戶端輸出,請使用無線調試分析器工具:

    無線偵錯分析器

    ISE上的身份驗證過程

    導航到操作> RADIUS > Live Logs以檢視為使用者分配的身份驗證策略、授權策略和授權配置檔案。 

    有關詳細資訊,請按一下Details以檢視更詳細的身份驗證過程(如圖所示)。

    ISE live logs details

    疑難排解

    目前沒有特定資訊可用於對此組態進行疑難排解。

    修訂記錄

    修訂 發佈日期 意見
    4.0
    26-Aug-2024
    已更新兩個中斷的URL。
    3.0
    17-Apr-2023
    增加了Alt文本。 更新的PII、Gerunds、機器翻譯、樣式要求和格式。
    1.0
    10-Mar-2017
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Karla Cisneros Galvan
      Cisco TAC Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品