We have a RADIUS server running on our LAN, and I can authenticate by connecting directly to the server.
But when we want our clients to connect through our switch (Cisco 3750, 12.2(55)SE7), our server never receives any requests.
When we try to authenticate our user "bob", all we get is the following debug output (on the switch):
*Mar 1 04:02:53.847: %AUTHMGR-5-START: Starting 'dot1x' for client (5404.a631.e7dc) on Interface Gi1/0/11 AuditSessionID C0A802020000001C00DE6117
*Mar 1 04:02:53.855: RADIUS/ENCODE(00000028):Orig. component type = DOT1X
*Mar 1 04:02:53.855: RADIUS(00000028): Config NAS IP: 192.168.1.2
*Mar 1 04:02:53.855: RADIUS/ENCODE(00000028): acct_session_id: 39
*Mar 1 04:02:53.855: RADIUS(00000028): sending
*Mar 1 04:02:53.855: RADIUS(00000028): Send Access-Request to 192.168.69.201:1812 id 1645/57, len 195
*Mar 1 04:02:53.855: RADIUS: authenticator D7 81 62 F3 A3 9D 05 9E - 98 F5 F4 48 4A 05 3F 99
*Mar 1 04:02:53.855: RADIUS: User-Name [1] 5 "bob"
*Mar 1 04:02:53.855: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 04:02:53.855: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 04:02:53.855: RADIUS: Called-Station-Id [30] 19 "00-0F-23-01-DA-8B"
*Mar 1 04:02:53.855: RADIUS: Calling-Station-Id [31] 19 "54-04-A6-31-E7-DC"
*Mar 1 04:02:53.855: RADIUS: EAP-Message [79] 10
*Mar 1 04:02:53.855: RADIUS: 02 01 00 08 01 62 6F 62 [ bob]
*Mar 1 04:02:53.855: RADIUS: Message-Authenticato[80] 18
*Mar 1 04:02:53.855: RADIUS: 92 DE CA B6 10 03 8C 0F 00 70 4D 3C 8C FA FC 68 [ pM<h]
*Mar 1 04:02:53.855: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 04:02:53.855: RADIUS: Vendor, Cisco [26] 49
*Mar 1 04:02:53.855: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802020000001C00DE6117"
*Mar 1 04:02:53.855: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 04:02:53.855: RADIUS: NAS-Port [5] 6 50111
*Mar 1 04:02:53.855: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/11"
*Mar 1 04:02:53.855: RADIUS: NAS-IP-Address [4] 6 192.168.1.2
*Mar 1 04:02:53.855: RADIUS(00000028): Started 30 sec timeout
*Mar 1 04:03:15.724: RADIUS(00000027): Request timed out
*Mar 1 04:03:15.724: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/56
*Mar 1 04:03:15.724: RADIUS(00000027): Started 30 sec timeout
*Mar 1 04:03:23.374: RADIUS(00000028): Request timed out
*Mar 1 04:03:23.374: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/57
*Mar 1 04:03:23.374: RADIUS(00000028): Started 30 sec timeout
*Mar 1 04:03:44.069: RADIUS(00000027): Request timed out
*Mar 1 04:03:44.069: RADIUS: No response from (192.168.69.201:1812,1813) for id 1645/56
*Mar 1 04:03:44.069: RADIUS/DECODE: parse response no app start; FAIL
*Mar 1 04:03:44.069: RADIUS/DECODE: parse response; FAIL

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:38:19.392110 IP 192.168.69.75.60075 > 192.168.69.201.radius: RADIUS, Access Request (1), id: 0x5e length: 55
13:38:19.407249 IP 192.168.69.201.radius > 192.168.69.75.60075: RADIUS, Access Accept (2), id: 0x5e length: 20
No packets arrive on the server side, and no iptables rules are set. Our switch configuration is as follows:
Current configuration : 9050 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
username cisco password 0 cisco
!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 30
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
switch 1 provision ws-c3750g-24t
system mtu routing 1500
no ip domain-lookup
!
ip dhcp pool 1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.5
 domain-name example.com
 dns-server 192.168.1.5
!
crypto pki trustpoint TP-self-signed-587324032
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-587324032
 revocation-check none
!
crypto pki certificate chain TP-self-signed-587324032
 certificate self-signed 01
  [self-signed certificate hex body omitted]
  quit
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
[...]
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.2 255.255.255.0
!
interface Vlan5
 ip address 192.168.5.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
ip radius source-interface Vlan1
!
radius-server attribute 8 include-in-access-req
radius-server host 192.168.69.201 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key pf
radius-server vsa send authentication
!
line con 0
!
end
You need to set the "secret" on the switch's RADIUS host configuration. You should also include more details of your RADIUS configuration.
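The "secret" the answer refers to is the RADIUS shared secret (`radius-server key pf` in the posted config). The following Python example is added here and is not code from the question or the answer: it builds an Access-Request carrying the same User-Name, NAS-IP-Address and EAP-Message as the debug above and verifies its Message-Authenticator the way a server does, showing that a request whose secret does not match is silently discarded (RFC 2865, RFC 3579) rather than answered with an Access-Reject, which on the switch looks exactly like a request that never arrived. The server secret "wrong-secret" is a constructed value.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, ident, attrs, req_auth=None):
    """NAS side: Access-Request carrying a Message-Authenticator (RFC 3579 3.2)."""
    req_auth = req_auth or os.urandom(16)          # 16-byte Request Authenticator
    body = b"".join(attr(t, v) for t, v in attrs)
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # HMAC is computed with this zeroed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                          # fill in the real HMAC-MD5

def find_attr(pkt, wanted):
    """Return (offset, value) of the first attribute of type `wanted`, else None."""
    i = 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute")
        if t == wanted:
            return i, pkt[i + 2:i + l]
        i += l
    return None

def server_accepts(secret, pkt):
    """Server side: False means the request is silently discarded, not rejected."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    found = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False                                # EAP requests must carry one
    off, mac = found
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)

def demo():
    """Constructed request mirroring the debug: User-Name bob, NAS-IP 192.168.1.2, EAP Identity."""
    attrs = [(USER_NAME, b"bob"), (NAS_IP_ADDRESS, bytes([192, 168, 1, 2])),
             (EAP_MESSAGE, bytes.fromhex("0201000801626f62"))]
    pkt = build_access_request(b"pf", 57, attrs)   # "pf" is the key in the switch config
    # Matching secret verifies; a mismatched server secret ("wrong-secret", constructed) is dropped.
    return server_accepts(b"pf", pkt), server_accepts(b"wrong-secret", pkt)
```

This check only matters once packets reach the server; the tcpdump above shows the switch's requests never arriving on eth0 at all, so that path (NAS source 192.168.1.2 on Vlan1 talking to 192.168.69.201 on another subnet) has to be traced first.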