AC6605 local 802.1X authentication failure

Published: 2014-12-27
Problem description
The customer wanted 802.1X authentication for wireless client access. With no RADIUS server available, the decision was to do local 802.1X authentication on the AC. Basic wireless service tested fine, but once 802.1X authentication was configured, clients could no longer associate with the wireless network.

A simplified diagram of the network topology followed here in the original post (image not reproduced on this page).
Troubleshooting process
Check the wireless configuration

[AC6605]
#
vlan batch 4 100 to 101 125 to 126
#
domain hnxz
#
dot1x enable
dot1x authentication-method eap
#
dhcp enable
#
diffserv domain default
#
ip pool user
gateway-list 10.197.26.254
network 10.197.26.0 mask 255.255.255.0
dns-list 61.139.2.69
#
aaa
 authentication-scheme hnxz
 domain hnxz
  authentication-scheme hnxz
 local-user hnxz password cipher %@%@#AXW@i^kOWZ#3c9g`nUJb"V:%@%@
 local-user hnxz privilege level 15
 local-user hnxz service-type 8021x
 // defines the username and password used for authentication (authentication-mode local is the default and is not displayed)
#
interface Vlanif100
ip address 172.16.102.254 255.255.255.0
dhcp select interface
#
interface Vlanif126
ip address 10.197.26.254 255.255.255.0
dhcp select global                      
#
interface Wlan-Ess10
 port hybrid pvid vlan 126
 port hybrid untagged vlan 126
 dot1x enable
 dot1x authentication-method eap
 permit-domain name hnxz
 force-domain name hnxz
#
wlan
wlan ac source interface vlanif100
ap-region id 10
  country-code CN
ap-auth-mode no-auth
ap id 0 type-id 31 mac d46a-a89b-7a40 sn 2102355829W0DA000605

wmm-profile name wmm1 id 0

traffic-profile name traffic id 1

security-profile name security id 1     
  security-policy wpa
  wpa authentication-method dot1x encryption-method ccmp

service-set name hnxz id 0
  wlan-ess 10
  ssid hnxztest
  traffic-profile id 1
  security-profile id 1
  service-vlan 126

radio-profile name radio id 1
  wmm-profile id 0

ap 0 radio 0
  radio-profile id 1
  service-set id 0 wlan 1

Comparing the configuration against a reference turned up no problem.

The dot1x and AAA debugging output is as follows (terminal monitor and terminal debugging must be enabled for the output to reach the console):

<AC6605>debugging dot1x all 
<AC6605>debugging aaa all

Nov 30 2014 00:26:57.840.33+08:00 AC6605 CM/7/DEBUG:
[CM DBG]CMADP Get UAInfo. UA Info ()
<AC6605>
Nov 30 2014 00:26:57.840.34+08:00 AC6605 CM/7/DEBUG:
[CM DBG]Get dhcp option info for sta(0026-c75f-7248)
<AC6605>
Nov 30 2014 00:26:57.840.35+08:00 AC6605 CM/7/DEBUG:
[CM DBG]CMADP DebugOut Sta TypeInfo start
<AC6605>
Nov 30 2014 00:26:57.840.36+08:00 AC6605 CM/7/DEBUG:
[CM DBG]CMADP DebugOut Sta TypeInfo. UA Info            :
<AC6605>
Nov 30 2014 00:26:57.840.37+08:00 AC6605 CM/7/DEBUG:
[CM DBG]CMADP DebugOut Sta TypeInfo. STA Type           :
<AC6605>
Nov 30 2014 00:26:57.840.38+08:00 AC6605 CM/7/DEBUG:
[CM DBG]CMADP DebugOut Sta TypeInfo end
<AC6605>
Nov 30 2014 00:26:57.840.39+08:00 AC6605 CM/7/DEBUG:
[CM DBG]Get dhcp option info successful, option list=1009570888
<AC6605>
Nov 30 2014 00:26:57.840.40+08:00 AC6605 AAA/7/DEBUG:
AAA receive AAA_SRV_MSG_AUTHEN_REQ message from UCM module.
<AC6605>
Nov 30 2014 00:26:57.840.41+08:00 AC6605 AAA/7/DEBUG:
    DestIndex:100 SrcIndex:100 Slot:0
    User:gavin MAC:0026-c75f-7248
    Slot:0 SubSlot:0 Port:0 VLAN:126
    IP:255.255.255.255 AccessType:eap AuthenType:EAPRELAY
    AdminLevel:0 EapSize:10 AuthenCode:1X
    ulInterface:333 ChallengeLen:0 ChapID:0
    LineType:0 LineIndex:0 PortType:19
    AcctSessionId:AC660500000000000126eeb3fd000100
<AC6605>
Nov 30 2014 00:26:57.840.42+08:00 AC6605 AAA/7/DEBUG:
AAA_MAIN initiate EapRelayAuthenReq event to AAA_AUTHEN module.
    CID:83 Result:0 Info:1009763572
<AC6605>
Nov 30 2014 00:26:57.840.43+08:00 AC6605 AAA/7/DEBUG:
[AAA INFO]AAA_EAPRelayAuthenReq1
<AC6605>
Nov 30 2014 00:26:57.840.44+08:00 AC6605 AAA/7/DEBUG:
[AAA INFO]User authentication domain name is hnxz
<AC6605>
Nov 30 2014 00:26:57.840.45+08:00 AC6605 AAA/7/DEBUG:
[AAA INFO]Author of DaaTariffLevel.(ucDaaEnableFlag=0, UpStat=0, DownStat=0, Acct=0)
<AC6605>
Nov 30 2014 00:26:57.840.46+08:00 AC6605 AAA/7/DEBUG:
AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.
<AC6605>
Nov 30 2014 00:26:57.840.47+08:00 AC6605 AAA/7/DEBUG:
    DestIndex:100 SrcIndex:100 Slot:4294967295
    Result:1 DomainIndex:2 ServiceScheme:65535
    AuthedPalace:0 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
    RTAcctInterval:4294967295 Priority:[255,255]
    AdminLevel:255 NextHop:4294967295
    EapSize:4 ReplyMessage:Authentication fail
    TunnelType:0 MediumType:0 PrivateGroupID
:
<AC6605>
Nov 30 2014 00:26:57.840.48+08:00 AC6605 CM/7/DEBUG:
[CM DBG]CM_MsgToEvent. (ucEvent=2, eventName=CM_EVENT_AUTH_FAIL)
<AC6605>
Nov 30 2014 00:26:57.840.49+08:00 AC6605 CM/7/DEBUG:
[CM_NAC_FillAuthAckInfo] result:1,  pmk:1009711824, ulReauthTimeLen=0
<AC6605>
Nov 30 2014 00:26:57.840.50+08:00 AC6605 CM/7/DEBUG:


Root cause
EAP relay service flow (figure not reproduced on this page):

EAP termination service flow (figure not reproduced on this page):


In EAP relay mode the authenticator encapsulates the EAP packets unchanged in RADIUS packets (the EAP-Message attribute) and forwards them to the RADIUS server; it does not process the EAP conversation itself, so the local AAA module on the device has nothing it can check.

In EAP termination mode the EAP packets are terminated on the device, which repackages the client's credentials into standard RADIUS packets. The MD5 challenge used in step 4 of the flow to hash the user's password is generated by the device itself; the device then sends the username, the MD5 challenge and the client's hashed password response to the RADIUS server for authentication, or, with local authentication, checks them against its own local user database. In effect the authenticator proxies the whole authentication exchange.

Therefore, on the AC6605, dot1x authentication in EAP (relay) mode cannot be backed by local AAA authentication; CHAP (termination) mode can. The built-in supplicants on most PCs do not support the CHAP method, so third-party client software has to be installed.

One thing to rule out first: the debug output above shows User:gavin, while the only local account in the configuration is hnxz. A username that does not exist locally would also be rejected with "Authentication fail", so confirm the supplicant is sending the configured credentials before attributing the failure to the EAP mode alone.
Solution
Either deploy a RADIUS server, or switch to CHAP mode and install third-party client software on the terminals.
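As an added example (written for this page; it is not part of the original case and not Huawei's reference configuration), the AAA and Wlan-Ess sections below are rewritten for the two options just given. Option A keeps dot1x authentication-method eap and relays EAP to a RADIUS server; option B switches the Wlan-Ess interface to chap so the AC terminates EAP and checks the local account. The RADIUS server address 10.197.26.10 and the shared key Huawei@123 are assumed values chosen for illustration; the // lines are annotations in the page's own style, not CLI input.

```text
// Option A: keep EAP relay on the WLAN and forward it to a RADIUS server
// (10.197.26.10 and the shared key are assumed values for this example)
radius-server template hnxz
 radius-server shared-key cipher Huawei@123
 radius-server authentication 10.197.26.10 1812
 radius-server accounting 10.197.26.10 1813
#
aaa
 authentication-scheme hnxz
  authentication-mode radius
 domain hnxz
  authentication-scheme hnxz
  radius-server hnxz
#
interface Wlan-Ess10
 dot1x enable
 dot1x authentication-method eap
 permit-domain name hnxz
 force-domain name hnxz
#

// Option B: no RADIUS server; terminate EAP on the AC (CHAP, i.e. EAP-MD5)
// and check the credentials against the local account defined under aaa
aaa
 authentication-scheme hnxz
  authentication-mode local
 domain hnxz
  authentication-scheme hnxz
 local-user hnxz password cipher Huawei@123
 local-user hnxz service-type 8021x
#
interface Wlan-Ess10
 dot1x enable
 dot1x authentication-method chap
 permit-domain name hnxz
 force-domain name hnxz
#
```

After either change, display dot1x shows the authentication method in effect on the interface and display access-user lists the users that have authenticated. For option A, test-aaa hnxz Huawei@123 radius-template hnxz (a command that exists on VRP; the password here is the assumed one) verifies server reachability and the shared key before a wireless client is involved. Option B needs care on this particular WLAN: the security profile uses WPA with dot1x and CCMP, whose four-way handshake needs a PMK derived by the EAP method, and EAP-MD5, the method behind CHAP termination, derives no keying material (RFC 3748, section 5.4). Verify that combination on the target software version before relying on it; in practice the RADIUS server is the option to plan for.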
Recommendations and summary

When deploying access control (802.1X, Portal or MAC authentication), use a dedicated authentication server; this keeps unnecessary processing load off the access device.

END