dot1x notes

I came across an article about 802.1x online; its explanation of the timers in particular is quite entertaining, so I reposted it here. (Original: http://hi.baidu.com/zzlyzq/blog/item/112abc1b6c8cf9128718bf45.html/cmtid/fd5a8a35f4faad1f90ef3909)

dot1x timeout tx-period 30        I send, the client does not answer, I send again 30 s later
dot1x max-req 2 (range 1-10)      You do not answer, I will still send 2 times in total
====================================================
dot1x timeout quiet-period 60     I sent twice and you still did not authenticate; after a failed attempt I wait 60 s before starting again
====================================================
dot1x reauthentication
dot1x timeout reauth-period 4000  Even though you passed last time, I still have to re-check you periodically
dot1x re-authenticate interface fastethernet0/1

=====================================================
The switch runs the EI (enhanced image)
A guest VLAN is configured
The client is not dot1x-capable: when I get no reply to my EAPOL requests, I put it into the guest VLAN
=====================================================
The client is dot1x-capable but fails authentication: it is not put into the guest VLAN
(That failure case is what the separate restricted VLAN, dot1x auth-fail vlan, is for on IOS releases that have it. Keep in mind that the guest VLAN is reachable by any device that simply never answers EAPOL, so treat it as untrusted.)
=====================================================

aaa new-model
aaa authentication dot1x default group radius
// if attributes such as a VLAN are to be pushed down from RADIUS, the following command is also needed
aaa authorization network default group radius
======================================================
dot1x system-auth-control    enables dot1x authentication globally
======================================================
interface fastethernet0/1
switchport mode access
dot1x port-control auto
spanning-tree portfast
=======================================================
radius-server host x.X.X.X key X.x
radius-server vsa send authentication
=======================================================
[64] Tunnel-Type = VLAN (value 13)
[65] Tunnel-Medium-Type = 802 (IEEE-802, value 6)
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
========================================================
Start the Wired AutoConfig service on the Windows client (it is the wired 802.1X supplicant)


http://www.colasoft.com.cn/teaching/protocol_analysis_002.doc


==================================================================================

Update 20091229

No longer using the default radius group; a named group makes it easier to extend later.

rad_dot1x: define a RADIUS server group

aaa new-model
aaa group server radius rad_dot1x
 server 172.16.6.246
radius-server host 172.16.6.246 key P@ssw0rd
radius-server vsa send authentication

rad_dot1x: use the RADIUS servers in that named group

aaa authentication dot1x default group rad_dot1x
aaa authorization network default group rad_dot1x

=================================================================================

On the problem that, once aaa is enabled, telnet also wants to use RADIUS


aaa authentication login none_login line    /// create a named aaa login method list that authenticates with the line password
line vty 0 15
 login authentication none_login             ////// apply that new method list to the vty lines
 password XXXXXX                             ///// the line password
(The name none_login is misleading: the method is line, not none, so the vty still asks for the line password. Keeping admin access on a shared line password is the weak option; the usual alternative is aaa authentication login default group radius local with a local username <name> privilege 15 secret <password> as the fallback, so vty logins also go through RADIUS but a RADIUS outage does not lock you out.)

=================================================================================

When the Cisco switch sends Request/Identity it sends it twice by default, with the interval between the two set by dot1x timeout tx-period. Don't forget that when a port goes from shutdown to no shutdown there is also a 4-5 s delay in between.

In interface configuration mode, enable periodic re-authentication of the client
dot1x re-authentication
The re-authentication interval, default 3600 s
dot1x timeout re-authperiod


From privileged EXEC mode (not under the interface)
dot1x re-authenticate interface fa0/7
re-authenticate the port by hand

After a failed authentication I keep quiet for a while before trying again, default 60 s
dot1x timeout quiet-period


Cisco sends a request to the client and the client does not reply; I wait this long before sending it again, default 30 s
dot1x timeout tx-period xx

How many times I resend the request before giving up
dot1x max-req
default 2

http://docs.us.dell.com/support/edocs/network/pc6024/en/cli/html/802.htm

================================================================================

Update 20100106

Received an Access-Request message from RADIUS client 172.16.5.1 with an invalid Message-Authenticator attribute.
Cause: radius-server host XXXX key XXXX (forgot to write the key). The Message-Authenticator on every EAP Access-Request is an HMAC-MD5 keyed with the shared secret, so when the switch's key is missing or differs from the one the RADIUS server holds for that client, the server cannot verify it and drops the request with this event.
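What that check and the Tunnel-* attributes from the dynamic-VLAN section earlier look like on the wire, as an added example written for these notes rather than code from the switch, from IAS/NPS or from the original post. It builds and verifies a RADIUS Access-Request carrying Message-Authenticator (RFC 3579) and reads the VLAN back out of an Access-Accept with attributes 64/65/81 (RFC 3580). The user name, NAS address, Request Authenticator, shared secret P@ssw0rd and VLAN 30 are constructed for the demo, and the Access-Accept's Response Authenticator is left as zeros because only the attributes matter here.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value for IEEE-802 (RFC 3580)


def encode_attr(atype, value):
    """One RADIUS TLV: Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(payload):
    """Yield (type, value, offset of value) for each TLV; reject bad lengths."""
    pos = 0
    while pos < len(payload):
        atype, alen = struct.unpack_from("!BB", payload, pos)
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen], pos + 2
        pos += alen


def tagged(tag, value):
    """RFC 2868 tunnel attributes carry a one-byte tag in front of the value."""
    return bytes([tag]) + value


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def sign_access_request(secret, identifier, authenticator, attrs):
    """Append Message-Authenticator (RFC 3579): HMAC-MD5 keyed with the shared
    secret over the whole packet, with the attribute's 16 value bytes zeroed."""
    attrs = list(attrs) + [encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = build_packet(ACCESS_REQUEST, identifier, authenticator, attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(secret, pkt):
    """The server-side check: a switch whose `key` is missing or wrong signs with
    a different secret, so this returns False and the server logs the event."""
    _, _, length = struct.unpack_from("!BBH", pkt, 0)
    if length != len(pkt) or length < 20:
        return False
    for atype, value, off in parse_attrs(pkt[20:]):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            start = 20 + off
            zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an Access-Request carrying EAP-Message must include one


def vlan_assignment(pkt):
    """Read the dynamic VLAN out of an Access-Accept: attributes 64, 65 and 81
    must all be present, carry the same tag, and say VLAN over IEEE-802."""
    seen = {}
    for atype, value, _ in parse_attrs(pkt[20:]):
        if not value:
            continue
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # a first byte above 0x1F is data, not a tag (RFC 2868 section 3.6)
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            seen[atype] = (tag, group.decode("ascii"))
    if len(seen) != 3 or len({tag for tag, _ in seen.values()}) != 1:
        return None
    if (seen[TUNNEL_TYPE][1], seen[TUNNEL_MEDIUM_TYPE][1]) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802):
        return None
    return seen[TUNNEL_PRIVATE_GROUP_ID][1]


def demo():
    """Constructed exchange: switch 172.16.5.1 forwards bs1's EAP Identity."""
    secret = b"P@ssw0rd"                    # the key from the switch config in these notes
    req_authenticator = bytes(range(16))    # fixed here; random per request in reality
    attrs = [encode_attr(USER_NAME, b"bs1"),
             encode_attr(NAS_IP_ADDRESS, bytes([172, 16, 5, 1])),
             encode_attr(EAP_MESSAGE, b"\x02\x01\x00\x08\x01bs1")]  # EAP Response/Identity
    req = sign_access_request(secret, 7, req_authenticator, attrs)
    good = verify_message_authenticator(secret, req)
    no_key = verify_message_authenticator(b"", req)  # `key` forgotten on the switch
    tampered = verify_message_authenticator(secret, req[:22] + b"X" + req[23:])
    # Access-Accept for VLAN 30 (constructed); Response Authenticator left as zeros
    accept = build_packet(ACCESS_ACCEPT, 7, bytes(16), [
        encode_attr(TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))),
        encode_attr(TUNNEL_MEDIUM_TYPE, tagged(1, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))),
        encode_attr(TUNNEL_PRIVATE_GROUP_ID, tagged(1, b"30")),
    ])
    return good, no_key, tampered, vlan_assignment(accept)  # (True, False, False, '30')
```

The empty-secret case is exactly the switch-side mistake above: the switch still sends a Message-Authenticator, it just computes it with the wrong key, and the server can only report that the attribute is invalid, not why. The tag handling matters in practice because NPS and other servers differ on whether they tag the three tunnel attributes; the VLAN is only trusted when all three agree.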

User bs1 was denied access.
Fully-Qualified-User-Name = jinjing.cn/金晶集团/集团总部/管理人员/bs1
NAS-IP-Address = 172.16.5.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-1a-a0-36-c0-4f
Client-Friendly-Name = 172.16.5.1
Client-IP-Address = 172.16.5.1
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = vlan 管理人员
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.


User bs1 was denied access.
Fully-Qualified-User-Name = jinjing.cn/金晶集团/集团总部/管理人员/bs1
NAS-IP-Address = 172.16.5.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-1a-a0-36-c0-4f
Client-Friendly-Name = 172.16.5.1
Client-IP-Address = 172.16.5.1
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = vlan 管理人员
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

The "trap" policy can only be used once the computer has joined the domain; the so-called trap VLAN is simply the VLAN of a remote access policy that needs nothing more than the day-and-time condition to match.


==================================================================================

Procedure

1. Change the computer name

2. Join the domain

1) Make sure Wired AutoConfig has been started


2) Make sure 802.1X authentication is enabled on the adapter


3) Make sure the authentication method "Protected EAP (PEAP)" is selected (and leave "Validate server certificate" ticked with the CA that issued the RADIUS server's certificate chosen; otherwise the client completes PEAP with any RADIUS server that presents a certificate, and its MS-CHAPv2 exchange can be captured and cracked offline)


4) Make sure the Windows logon name and password are not used ("Automatically use my Windows logon name and password" unticked)


5) Disable and re-enable the network adapter; a yellow balloon pops up, click it and enter the account and password to get into the corresponding network



3. Follow-up work

1) Joining the domain, etc.

4. Make sure the domain user name and password are used



==================================================================================

dot1x protocol analysis

No. Time Source Destination Protocol Info
211 160.917339 Dell_36:c0:4f Nearest EAPOL Start
212 160.918564 Cisco_8f:dd:84 Nearest EAP Request, Identity [RFC3748]
213 160.925455 Dell_36:c0:4f Nearest EAP Response, Identity [RFC3748]
219 165.926587 Cisco_8f:dd:84 Nearest EAP Failure
The 165 - 160 gap above (about 5 s from the Identity response to the EAP Failure) is governed by dot1x timeout server-timeout


243 178.746478 Dell_36:c0:4f Nearest EAP Response, Identity [RFC3748]
244 178.751108 Cisco_8f:dd:84 Nearest EAP Request, Identity [RFC3748]
246 181.746795 Cisco_8f:dd:84 Nearest EAP Request, Identity [RFC3748]
247 184.394283 Dell_36:c0:4f Nearest EAP Response, Identity [RFC3748]
248 184.404136 Cisco_8f:dd:84 Nearest EAP Request, Unknown type (0x19)
249 184.405962 Dell_36:c0:4f Nearest TLSv1 Client Hello
250 184.416541 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
251 184.417166 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
252 184.424529 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
253 184.425084 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
254 184.433674 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
255 184.434206 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
256 184.438391 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
257 184.440159 Dell_36:c0:4f Nearest TLSv1 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
258 184.447217 Cisco_8f:dd:84 Nearest TLSv1 Change Cipher Spec, Encrypted Handshake Message
259 184.448919 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
260 184.453968 Cisco_8f:dd:84 Nearest TLSv1 Application Data
261 184.454681 Dell_36:c0:4f Nearest TLSv1 Application Data
262 184.458953 Cisco_8f:dd:84 Nearest TLSv1 Application Data
263 184.460798 Dell_36:c0:4f Nearest TLSv1 Application Data
264 184.465668 Cisco_8f:dd:84 Nearest TLSv1 Application Data
265 184.466338 Dell_36:c0:4f Nearest TLSv1 Application Data
266 184.470297 Cisco_8f:dd:84 Nearest TLSv1 Application Data
267 184.472513 Dell_36:c0:4f Nearest TLSv1 Application Data
268 184.478098 Cisco_8f:dd:84 Nearest EAP Success
A complete authentication exchange. "Nearest" is the 802.1X PAE group address 01:80:c2:00:00:03. The "Unknown type (0x19)" this Wireshark build could not name is EAP type 25, PEAP. Frames 250-256 are one TLS server flight (Server Hello, Certificate, Certificate Request, Server Hello Done) delivered as several EAP fragments, each acknowledged by an empty EAP Response from the client; the Application Data frames that follow are the inner EAP method (EAP-MSCHAPv2 by default on Windows) running inside the TLS tunnel.
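To pull the timer values discussed in the sections above (tx-period retransmissions, server-timeout) out of a listing like this one instead of reading them off by hand, here is an added example that is not part of the original post: a small parser for Wireshark's summary columns, run over the 29 frames above embedded inline. It also names the EAP type 0x19 that this Wireshark build did not recognise; the EAP_TYPES table, the field names and the rounding to 0.1 s are the example's own choices.

```python
import re

# EAP method types (IANA registry); the Wireshark used above did not know 0x19
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

# Summary lines copied from the capture above (No. Time Source Destination Protocol Info)
CAPTURE = """\
211 160.917339 Dell_36:c0:4f Nearest EAPOL Start
212 160.918564 Cisco_8f:dd:84 Nearest EAP Request, Identity [RFC3748]
213 160.925455 Dell_36:c0:4f Nearest EAP Response, Identity [RFC3748]
219 165.926587 Cisco_8f:dd:84 Nearest EAP Failure
243 178.746478 Dell_36:c0:4f Nearest EAP Response, Identity [RFC3748]
244 178.751108 Cisco_8f:dd:84 Nearest EAP Request, Identity [RFC3748]
246 181.746795 Cisco_8f:dd:84 Nearest EAP Request, Identity [RFC3748]
247 184.394283 Dell_36:c0:4f Nearest EAP Response, Identity [RFC3748]
248 184.404136 Cisco_8f:dd:84 Nearest EAP Request, Unknown type (0x19)
249 184.405962 Dell_36:c0:4f Nearest TLSv1 Client Hello
250 184.416541 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
251 184.417166 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
252 184.424529 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
253 184.425084 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
254 184.433674 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
255 184.434206 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
256 184.438391 Cisco_8f:dd:84 Nearest TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
257 184.440159 Dell_36:c0:4f Nearest TLSv1 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
258 184.447217 Cisco_8f:dd:84 Nearest TLSv1 Change Cipher Spec, Encrypted Handshake Message
259 184.448919 Dell_36:c0:4f Nearest EAP Response, Unknown type (0x19)
260 184.453968 Cisco_8f:dd:84 Nearest TLSv1 Application Data
261 184.454681 Dell_36:c0:4f Nearest TLSv1 Application Data
262 184.458953 Cisco_8f:dd:84 Nearest TLSv1 Application Data
263 184.460798 Dell_36:c0:4f Nearest TLSv1 Application Data
264 184.465668 Cisco_8f:dd:84 Nearest TLSv1 Application Data
265 184.466338 Dell_36:c0:4f Nearest TLSv1 Application Data
266 184.470297 Cisco_8f:dd:84 Nearest TLSv1 Application Data
267 184.472513 Dell_36:c0:4f Nearest TLSv1 Application Data
268 184.478098 Cisco_8f:dd:84 Nearest EAP Success
"""

FRAME = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(EAPOL|EAP|TLSv1)\s+(.*)$")
UNKNOWN = re.compile(r"Unknown type \(0x([0-9a-fA-F]+)\)")


def decode_eap_type(info):
    """Replace Wireshark's 'Unknown type (0x19)' with the IANA method name."""
    return UNKNOWN.sub(lambda m: EAP_TYPES.get(int(m.group(1), 16),
                                               "type %d" % int(m.group(1), 16)), info)


def parse(text):
    """Turn summary lines into dicts; lines that are not frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            no, t, src, dst, proto, info = m.groups()
            frames.append({"no": int(no), "t": float(t), "src": src, "dst": dst,
                           "proto": proto, "info": decode_eap_type(info)})
    return frames


def is_eap(frame, prefix):
    return frame["proto"] == "EAP" and frame["info"].startswith(prefix)


def analyze(text):
    """Measure the authenticator's timers from the frame timestamps."""
    frames = parse(text)
    # two Request/Identity frames from the switch with nothing in between:
    # that gap is the tx-period retransmission
    retransmit = [round(b["t"] - a["t"], 1) for a, b in zip(frames, frames[1:])
                  if is_eap(a, "Request, Identity") and is_eap(b, "Request, Identity")
                  and a["src"] == b["src"]]
    # time from the last Identity response to the verdict; when the RADIUS
    # server never answers this is bounded by server-timeout
    latency, last_response = [], None
    for f in frames:
        if is_eap(f, "Response, Identity"):
            last_response = f
        elif f["proto"] == "EAP" and f["info"] in ("Success", "Failure") and last_response:
            latency.append((f["info"], round(f["t"] - last_response["t"], 1)))
    methods = sorted({EAP_TYPES.get(int(h, 16), "type " + h) for h in UNKNOWN.findall(text)})
    fragments = sum(1 for f in frames if f["proto"] == "TLSv1"
                    and f["info"].startswith("Server Hello"))
    return {"frames": len(frames), "identity_retransmit_s": retransmit,
            "result_latency_s": latency, "eap_methods": methods,
            "server_handshake_fragments": fragments,
            "outcome": latency[-1][0] if latency else None}
```

Run over the listing it reports a 3.0 s gap between the two Identity requests (frames 244 and 246), 5.0 s from the first Identity response to the EAP Failure, 0.1 s from the second to the EAP Success, four server-side handshake fragments, and PEAP as the method. The 3 s figure is not the 30 s tx-period default quoted above, so the capturing switch was evidently not running default timers; the analyzer only measures, it does not know what is configured.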
