Dongge assistant, asking about dynamic account bans and PlayEffectEx 001197 001226 0 1 -1 -1

Views: 5549 | Replies: 18
Let me first describe how the H3C switch handles this:
On an H3C switch, once the cable is plugged in the port automatically falls into the guest-vlan, and the guest-vlan cannot reach other resources. From inside the guest-vlan the client can initiate authentication again; if it passes, the port moves to the corresponding work VLAN.
H3C switches also have a freeip, which hosts inside the guest-vlan are allowed to reach.
The guest-vlan has a redirect URL; any web access from a machine in the guest-vlan is redirected to that URL.
My question is: does Cisco have this kind of function? If so, how is it configured? I am using a Cisco c3750.
What I concluded from packet captures: on Cisco, after the cable is plugged in the port LED stays amber, the switch sends a few authentication request packets, and if the client does not respond after a certain number of attempts, the switch assumes the client does not support 802.1x and moves the port to the guest-vlan.
Inside the guest-vlan I cannot authenticate again. When the client sends authentication packets again, the Cisco switch does not respond.
I could not find any setting related to a redirect URL.
Experts, does the Cisco switch have a similar setting? If not, is there any way to achieve the redirect that the H3C switch does?
Nobody has come to help yet. Is everyone only online in the evening? Please help. Thanks.
Junior engineer
On Cisco you may need to unplug and replug the cable, or disable and re-enable the local area connection.
Cisco's redirect is driven by commands pushed from RADIUS; something like radius-server host xxxx, I've forgotten the exact details, but if you search in that direction you should be able to find the corresponding commands.
Intermediate engineer
Passing by, just having a look :(
Thanks, I'll look into it and share what I find with everyone.
Most Valuable Lunch
There is a per-port command for setting the reauthentication time,
set the reauthentication period?
Quote: originally posted by jung_blue at 09:56
There is a per-port command for setting the reauthentication time,
set the reauthentication period?
It doesn't seem to help. After the port is switched to the work VLAN or the auth-fail VLAN the switch keeps sending reauthentication packets, but in the guest-vlan there are none.
Quote: originally posted by jung_blue at 09:56
There is a per-port command for setting the reauthentication time,
set the reauthentication period?
The default for this timer is 3600s. I tested it: after plugging the cable into an authenticating port and waiting 1-2 minutes, it switched to the guest-vlan.
Then I went to a meeting for the whole morning; when I came back and authenticated again, capturing with wireshark, it was still the same: after the client sent the start packet, the switch did not respond.
How did you get it to work? Could you explain in detail?
Switch model: c3750
Most Valuable Lunch
Quote: originally posted by lizao2 at 12:01
The default for this timer is 3600s. I tested it: after plugging the cable into an authenticating port and waiting 1-2 minutes, it switched to the guest-vlan.
Then I went to a meeting for the whole morning; when I came back and authenticated again, capturing with wireshark, it was still the same: after the client sent the start packet, the switch did not respond.
How did you get it to work? Could you explain in detail?
Sw ... My own tests did not solve the problem you describe either. My results were roughly:
1. If the PC connects directly to the switch, unplugging and replugging the cable is enough to re-authenticate.
2. If the PC connects to the switch through an IP phone (and has already obtained the guest vlan), then no matter how many times you unplug the cable it will not re-authenticate, because authentication is per port and the switch is not aware of devices being unplugged behind the IP phone.
Cisco's answer is: as long as the IP phone is also Cisco, the problem solves itself, with zero configuration.
I'm very interested in what the OP said about "the client sent a start packet": without re-plugging the cable, the client has already obtained the guest vlan, so how would it, and how could it,
send an authentication start packet?
Quote: originally posted by jung_blue at 14:22
My own tests did not solve the problem you describe either. My results were roughly:
1. If the PC connects directly to the switch, unplugging and replugging the cable is enough to re-authenticate.
2. If the PC connects to the switch through an IP phone (and has already obtained the guest vlan), then no matter how many times you unplug the cable it will not re-authenticate, because authentication is based ... Here is what I did:
First disable 802.1x authentication on the client. Connect the client directly to the switch; after the cable is plugged in, the switch sends a few request packets, and if the client does not respond the switch assumes the client does not support 802.1x and moves it to the guest-vlan. At that point re-enable 802.1x on the client; the capture shows that after the client sends a start packet the switch does not respond. No cascading involved, it is a direct connection. Can authentication be done inside the guest-vlan?
Most Valuable Lunch
Quote: originally posted by lizao2 at 08:37
Here is what I did:
First disable 802.1x authentication on the client. Connect the client directly to the switch; after the cable is plugged in, the switch sends a few request packets, and if the client does not respond the switch assumes the client does not support 802.1x and moves it to the guest-vlan. At that point re-enable the client's 802.1 ... Based on the tests I did before, it seems you must unplug and replug the cable, or disable and re-enable the connection, for it to work.
Intermediate engineer
Cisco's 802.1x is based on the physical port and cannot be based on session, so the port's state change has to be the switching point.
If you connect a hub below it, one PC succeeds and all the others can access the network too. Cisco has never fixed this problem.
There is this strange group of people: themselves at the very bottom, their interests harmed every day, yet they hold the consciousness of the ruling class; something this dumb is almost impossible to find even in the animal kingdom.
The procedure was roughly: disable 802.1x authentication on the client, plug in the cable, wait n seconds, the switch moves the port to the guest-vlan,
then enable authentication on the client. The debug output is below. See whether it is of any use; I would still like to be able to re-authenticate, but if it can't be done, no big deal.
Code:
*Mar 1 02:44:15.347: dot1x-ev(Fa1/0/3): Interface state changed to UP
*Mar 1 02:44:15.347: dot1x_auth Fa1/0/3: initial state auth_initialize has
*Mar 1 02:44:15.347: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_initialize_enter called
*Mar 1 02:44:15.355: dot1x_auth Fa1/0/3: during state auth_initialize, got
event 0(cfg_auto)
*Mar 1 02:44:15.355: @@@ dot1x_auth Fa1/0/3: auth_initialize -> auth_disconnect
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_disconnected_enter call
*Mar 1 02:44:15.355: dot1x_auth Fa1/0/3: idle during state auth_disconnecte
*Mar 1 02:44:15.355: @@@ dot1x_auth Fa1/0/3: auth_disconnected -> auth_restart
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_restart_enter called
*Mar 1 02:44:15.355: dot1x-ev(Fa1/0/3): Sending create new context event to EAP
for 0x8F00001C (00)
*Mar 1 02:44:15.355: dot1x_auth_bend Fa1/0/3: initial state auth_bend_initi
alize has enter
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_initialize_enter c
*Mar 1 02:44:15.355: dot1x_auth_bend Fa1/0/3: initial state auth_bend_initi
alize has idle
*Mar 1 02:44:15.355: dot1x_auth_bend Fa1/0/3: during state auth_bend_initia
lize, got event 16383(idle)
*Mar 1 02:44:15.355: @@@ dot1x_auth_bend Fa1/0/3: auth_bend_initialize -> auth_
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_idle_enter called
*Mar 1 02:44:15.355: dot1x-ev(Fa1/0/3): Created a client entry (0x8F00001C)
*Mar 1 02:44:15.355: dot1x-ev(Fa1/0/3): Dot1x authentication started for 0x8F00
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): Posting !EAP_RESTART on Client 0x8F0000
*Mar 1 02:44:15.355: dot1x_auth Fa1/0/3: during state auth_restart, got eve
nt 6(no_eapRestart)
*Mar 1 02:44:15.355: @@@ dot1x_auth Fa1/0/3: auth_restart -> auth_connecting
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_connecting_enter called
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_restart_connecting_acti
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): Posting RX_REQ on Client 0x8F00001C
*Mar 1 02:44:15.355: dot1x_auth Fa1/0/3: during state auth_connecting, got
event 10(eapReq_no_reAuthMax)
*Mar 1 02:44:15.355: @@@ dot1x_auth Fa1/0/3: auth_connecting -> auth_authentica
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_authenticating_enter ca
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_connecting_authenticati
ng_action called
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): Posting AUTH_START for 0x8F00001C
*Mar 1 02:44:15.355: dot1x_auth_bend Fa1/0/3: during state auth_bend_idle,
got event 4(eapReq_authStart)
*Mar 1 02:44:15.355: @@@ dot1x_auth_bend Fa1/0/3: auth_bend_idle -> auth_bend_r
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_request_enter call
*Mar 1 02:44:15.355: dot1x-packet(Fa1/0/3): EAP code: 0x1 id: 0x1 length: 0x0
005 type: 0x1 data:
*Mar 1 02:44:15.355: dot1x-ev(Fa1/0/3): Sending EAPOL packet to group PAE addre
*Mar 1 02:44:15.355: dot1x-ev(Fa1/0/3): Role determination not required
*Mar 1 02:44:15.355: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 02:44:15.355: dot1x-ev(Fa1/0/3): Sending out EAPOL packet
*Mar 1 02:44:15.355: EAPOL pak dump Tx
*Mar 1 02:44:15.355: EAPOL Version: 0x2 type: 0x0 length: 0x0005
*Mar 1 02:44:15.355: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 02:44:15.355: dot1x-packet(Fa1/0/3): EAPOL packet sent to client 0x8F000
*Mar 1 02:44:15.355: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_idle_request_actio
*Mar 1 02:44:17.352: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state
*Mar 1 02:44:46.225: dot1x-sm(Fa1/0/3): Posting EAP_REQ for 0x8F00001C
*Mar 1 02:44:46.225: dot1x_auth_bend Fa1/0/3: during state auth_bend_reques
t, got event 7(eapReq)
*Mar 1 02:44:46.225: @@@ dot1x_auth_bend Fa1/0/3: auth_bend_request -> auth_ben
*Mar 1 02:44:46.225: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_request_request_ac
tion called
*Mar 1 02:44:46.225: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_request_enter call
*Mar 1 02:44:46.225: dot1x-packet(Fa1/0/3): EAP code: 0x1 id: 0x1 length: 0x0
005 type: 0x1 data:
*Mar 1 02:44:46.225: dot1x-ev(Fa1/0/3): Sending EAPOL packet to group PAE addre
*Mar 1 02:44:46.225: dot1x-ev(Fa1/0/3): Role determination not required
*Mar 1 02:44:46.225: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 02:44:46.225: dot1x-ev(Fa1/0/3): Sending out EAPOL packet
*Mar 1 02:44:46.225: EAPOL pak dump Tx
*Mar 1 02:44:46.225: EAPOL Version: 0x2 type: 0x0 length: 0x0005
*Mar 1 02:44:46.225: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 02:44:46.225: dot1x-packet(Fa1/0/3): EAPOL packet sent to client 0x8F000
*Mar 1 02:45:17.112: dot1x-sm(Fa1/0/3): Posting EAP_REQ for 0x8F00001C
*Mar 1 02:45:17.112: dot1x_auth_bend Fa1/0/3: during state auth_bend_reques
t, got event 7(eapReq)
*Mar 1 02:45:17.112: @@@ dot1x_auth_bend Fa1/0/3: auth_bend_request -> auth_ben
*Mar 1 02:45:17.112: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_request_request_ac
tion called
*Mar 1 02:45:17.112: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_request_enter call
*Mar 1 02:45:17.112: dot1x-packet(Fa1/0/3): EAP code: 0x1 id: 0x1 length: 0x0
005 type: 0x1 data:
*Mar 1 02:45:17.112: dot1x-ev(Fa1/0/3): Sending EAPOL packet to group PAE addre
*Mar 1 02:45:17.112: dot1x-ev(Fa1/0/3): Role determination not required
*Mar 1 02:45:17.112: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 02:45:17.112: dot1x-ev(Fa1/0/3): Sending out EAPOL packet
*Mar 1 02:45:17.112: EAPOL pak dump Tx
*Mar 1 02:45:17.112: EAPOL Version: 0x2 type: 0x0 length: 0x0005
*Mar 1 02:45:17.112: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Mar 1 02:45:17.112: dot1x-packet(Fa1/0/3): EAPOL packet sent to client 0x8F000
*Mar 1 02:45:48.008: dot1x-ev(Fa1/0/3): Received an EAP Timeout
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): Posting EAP_TIMEOUT for 0x8F00001C
*Mar 1 02:45:48.008: dot1x_auth_bend Fa1/0/3: during state auth_bend_reques
t, got event 12(eapTimeout)
*Mar 1 02:45:48.008: @@@ dot1x_auth_bend Fa1/0/3: auth_bend_request -> auth_ben
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_timeout_enter call
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_request_timeout_ac
tion called
*Mar 1 02:45:48.008: dot1x_auth_bend Fa1/0/3: idle during state auth_bend_t
*Mar 1 02:45:48.008: @@@ dot1x_auth_bend Fa1/0/3: auth_bend_timeout -> auth_ben
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_bend_idle_enter called
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): Posting AUTH_TIMEOUT on Client 0x8F0000
*Mar 1 02:45:48.008: dot1x_auth Fa1/0/3: during state auth_authenticating,
got event 14(authTimeout)
*Mar 1 02:45:48.008: @@@ dot1x_auth Fa1/0/3: auth_authenticating -> auth_authc_
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_authenticating_exit cal
*Mar 1 02:45:48.008: dot1x-sm(Fa1/0/3): 0x8F00001C:auth_authc_result_enter call
*Mar 1 02:45:48.008: %DOT1X-5-FAIL: Authentication failed for client (Unknown M
AC) on Interface Fa1/0/3
*Mar 1 02:45:48.008: dot1x-ev(Fa1/0/3): Sending event (2) to Auth Mgr for 0000.
*Mar 1 02:45:48.008: %AUTHMGR-7-RESULT: Authentication result 'no-response' fro
m 'dot1x' for client (Unknown MAC) on Interface Fa1/0/3
*Mar 1 02:45:48.008: dot1x-ev(Fa1/0/3): Deleting client 0x8F00001C (
*Mar 1 02:45:48.008: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client
(Unknown MAC) on Interface Fa1/0/3
*Mar 1 02:45:48.008: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication met
hods for client (Unknown MAC) on Interface Fa1/0/3
*Mar 1 02:45:48.024: dot1x-ev:Delete auth client (0x8F00001C) message
*Mar 1 02:45:48.024: dot1x-ev:Auth client ctx destroyed
*Mar 1 02:45:48.033: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthern
et1/0/3, changed state to up
*Mar 1 02:45:48.033: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, cha
nged state to up
*Mar 1 02:45:49.056: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Un
known MAC) on Interface Fa1/0/3
////// From here on, 802.1x authentication has been enabled on the client
*Mar 1 02:46:10.363: dot1x-ev(Fa1/0/3): Role determination not required
*Mar 1 02:46:10.363: dot1x-packet(Fa1/0/3): queuing an EAPOL pkt on Auth Q
*Mar 1 02:46:10.363: dot1x-ev:Enqueued the eapol packet to the global authentic
ator queue
*Mar 1 02:46:10.363: EAPOL pak dump rx
*Mar 1 02:46:10.363: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 1 02:46:10.363: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/3 CODE= 0,TYPE= 0,LEN= 0
*Mar 1 02:46:10.363: dot1x-packet(Fa1/0/3): Received an EAPOL frame
*Mar 1 02:46:10.363: dot1x-ev(Fa1/0/3): Received pkt saddr =00f1.f307.3642 , da
pae-ether-type = 888e.
*Mar 1 02:46:10.363: dot1x-ev(Fa1/0/3): Couldn't find the supplicant in the lis
*Mar 1 02:46:10.363: dot1x-ev(Fa1/0/3): New client detected, issuing Start Requ
est to AuthMgr
*Mar 1 02:46:15.346: dot1x-ev(Fa1/0/3): Role determination not required
*Mar 1 02:46:15.346: dot1x-packet(Fa1/0/3): queuing an EAPOL pkt on Auth Q
*Mar 1 02:46:15.354: dot1x-ev:Enqueued the eapol packet to the global authentic
ator queue
*Mar 1 02:46:15.354: EAPOL pak dump rx
*Mar 1 02:46:15.354: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 1 02:46:15.354: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/3 CODE= 0,TYPE= 0,LEN= 0
*Mar 1 02:46:15.354: dot1x-packet(Fa1/0/3): Received an EAPOL frame
*Mar 1 02:46:15.354: dot1x-ev(Fa1/0/3): Received pkt saddr =00f1.f307.3642 , da
pae-ether-type = 888e.
*Mar 1 02:46:15.354: dot1x-ev(Fa1/0/3): Couldn't find the supplicant in the lis
*Mar 1 02:46:15.354: dot1x-ev(Fa1/0/3): New client detected, issuing Start Requ
est to AuthMgr
*Mar 1 02:46:20.362: dot1x-ev(Fa1/0/3): Role determination not required
*Mar 1 02:46:20.362: dot1x-packet(Fa1/0/3): queuing an EAPOL pkt on Auth Q
*Mar 1 02:46:20.362: dot1x-ev:Enqueued the eapol packet to the global authentic
ator queue
*Mar 1 02:46:20.362: EAPOL pak dump rx
*Mar 1 02:46:20.362: EAPOL Version: 0x1 type: 0x1 length: 0x0000
*Mar 1 02:46:20.362: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/3 CODE= 0,TYPE= 0,LEN= 0
*Mar 1 02:46:20.362: dot1x-packet(Fa1/0/3): Received an EAPOL frame
*Mar 1 02:46:20.362: dot1x-ev(Fa1/0/3): Received pkt saddr =00f1.f307.3642 , da
pae-ether-type = 888e.
*Mar 1 02:46:20.362: dot1x-ev(Fa1/0/3): Couldn't find the supplicant in the lis
*Mar 1 02:46:20.362: dot1x-ev(Fa1/0/3): New client detected, issuing Start Requ
est to AuthMgr
Most Valuable Lunch
Quote: originally posted by shen_xu at 10:54
Cisco's 802.1x is based on the physical port and cannot be based on session, so the port's state change has to be the switching point.
If you connect a hub below it, one PC succeeds and all the others can access the network too. Cisco has never fixed this problem. ... I don't entirely agree.
After upgrading IOS to 12.2(50) or later, a Cisco switch can set authentication-mode to multi-auth, which supports a hub on one port with multiple sessions authenticated separately;
Cisco's problem is that once multi-auth is used, guest-vlan is no longer supported, because a non-trunking port can belong to only one vlan.
Actively follows up with answers
This post was last edited by jung_blue at 15:35
Intermediate engineer
Quote: originally posted by jung_blue at 15:33
I don't entirely agree.
After upgrading IOS to 12.2(50) or later, a Cisco switch can set authentication-mode to multi-auth, which supports a hub on one port with multiple sessions authenticated separately;
Cisco's problem is that once multi-auth is used, guest-vlan is no longer supported, because for n ... Have you verified this yourself? I couldn't get multi-auth working even on 12.2(53).
Most Valuable Lunch
Quote: originally posted by shen_xu at 15:56
Have you verified this yourself? I couldn't get multi-auth working even on 12.2(53). Yes, verified, on a 2960 with IOS upgraded straight to 15.0.
Intermediate engineer
I haven't used 15.
OP, has your problem been solved? I ran into a similar situation: authentication is enabled on a Ruijie switch, but some users can get online without authenticating, and the switch's message is Failing over from 'dot1x' for client. How do I fix this?
Outstanding technical manager
Quote: originally posted by jung_blue at 15:33
I don't entirely agree.
After upgrading IOS to 12.2(50) or later, a Cisco switch can set authentication-mode to multi-auth, which supports a hub on one port with multiple sessions authenticated separately;
Cisco's problem is that once multi-auth is used, guest-vlan is no longer supported, because for n ... Hello, I fully agree!
