• S5700 802.1x authentication with Cisco ACS



    Source: https://forum.huawei.com/enterprise/zh/thread-273549-1-1.html

    S5700-52C-PWR-EI

    Cisco ACS is used as the RADIUS server

    !Software Version V200R003C00SPC300
    #
    #
    vlan batch 2 to 3 10 100 300
    #
    dot1x enable
    dot1x authentication-method eap
    #
    lldp enable
    #
    undo http server enable
    undo http secure-server enable
    #
    undo nap slave enable
    #
    dhcp enable
    #
    dhcp snooping max-user-number 1024
    #
    radius-server template dot1x
    radius-server shared-key cipher %@%@g^m]+bAZwN1+bfY-=4',-:,{%@%@
    radius-server authentication 10.24.128.126 1645 source LoopBack 0 weight 80
    radius-server authentication 10.25.145.126 1645 source LoopBack 0 weight 40
    radius-server accounting 10.24.128.126 1646 source LoopBack 0 weight 80
    radius-server accounting 10.25.145.126 1646 source LoopBack 0 weight 40
    radius-server retransmit 2
    undo radius-server user-name domain-included
    #
    dhcp server group dhcpgroup1
    dhcp-server 10.24.188.18 0
    dhcp-server 10.24.128.62 1
    #
    aaa
    authentication-scheme default
    authentication-scheme system
      authentication-mode hwtacacs local
    authentication-scheme dot1x-auth
      authentication-mode radius
    authorization-scheme default
    accounting-scheme default
    accounting-scheme dot1x-acc
      accounting-mode radius
    domain default
      authentication-scheme dot1x-auth
      accounting-scheme dot1x-acc
      radius-server dot1x
    domain default_admin
    domain sc.net
      authentication-scheme system
      hwtacacs-server system

    #
    interface Vlanif1
    #
    interface Vlanif100
    description DATA
    ip address 10.25.164.1 255.255.255.128
    dhcp select relay
    dhcp relay server-select dhcpgroup1
    #
    interface Vlanif300
    description VOIP
    ip address 10.25.74.193 255.255.255.192
    dhcp select relay
    dhcp relay server-select dhcpgroup1
    #
    interface MEth0/0/1
    #
    interface GigabitEthernet0/0/1
    port link-type access
    port default vlan 3
    #
    interface GigabitEthernet0/0/2
    undo negotiation auto
    speed 100
    port link-type access
    port default vlan 300
    storm-control broadcast min-rate percent 20 max-rate percent 50
    storm-control action block
    storm-control enable log
    #
    interface GigabitEthernet0/0/3
    undo negotiation auto
    speed 100
    port link-type access
    port default vlan 300
    storm-control broadcast min-rate percent 20 max-rate percent 50
    storm-control action block
    storm-control enable log
    #
    interface GigabitEthernet0/0/4
    undo negotiation auto
    speed 100
    port link-type access
    port default vlan 300
    stp bpdu-filter enable
    stp edged-port enable
    storm-control broadcast min-rate percent 20 max-rate percent 50
    storm-control action block
    storm-control enable log
    #
    interface GigabitEthernet0/0/5
    undo negotiation auto
    speed 100
    voice-vlan 300 enable
    port hybrid pvid vlan 100
    port hybrid tagged vlan 300
    port hybrid untagged vlan 100
    stp bpdu-filter enable
    stp edged-port enable
    authentication event authen-server-down vlan 100
    dot1x mac-bypass
    storm-control broadcast min-rate percent 20 max-rate percent 50
    storm-control action block
    storm-control enable log
    #
    interface GigabitEthernet0/0/6
    undo negotiation auto
    speed 100
    voice-vlan 300 enable
    port hybrid pvid vlan 100
    port hybrid tagged vlan 300
    port hybrid untagged vlan 100
    stp bpdu-filter enable
    stp edged-port enable
    authentication event authen-server-down vlan 100
    dot1x mac-bypass
    storm-control broadcast min-rate percent 20 max-rate percent 50
    storm-control action block
    storm-control enable log
    #

    dot1x enable was configured on ports 5 and 6, but the command does not show in the configuration; ports 1-4 do not have dot1x enabled.

    authentication event authen-server-down vlan 100 is there so that, if the link between the switch and the RADIUS server has a problem, terminal devices can still be placed in VLAN 100 and keep working.

    On the RADIUS server only EAP-MD5 and EAP-TLS are allowed; PAP and CHAP are not allowed.

    The PCs have dedicated certificates for authentication, and PC authentication currently works normally.

    However, the Avaya IP phones (model 9608) connected under those ports cannot be used normally. After the phone boots and the authentication username and password are entered, it stays at "connecting to call server". In the logs on the RADIUS server we see that the phone first initiates authentication with PAP, carrying VLAN ID 300; since PAP is not enabled on the RADIUS server, that authentication fails. After that, the phone is seen to authenticate successfully, but that request carries VLAN ID 100, which is the data VLAN rather than the voice VLAN. Although the RADIUS server shows this authentication-success message, the phone still cannot be used and keeps displaying "connecting to call server", which means the phone has not obtained an IP address in the correct voice VLAN.

    Authentication information on the port:

    >display dot1x interface GigabitEthernet 0/0/5

    GigabitEthernet0/0/5 status: UP  802.1x protocol is Enabled[mac-bypass]
      Port control type is Auto
      Authentication mode is MAC-based
      Authentication method is EAP
      Reauthentication is disabled
      Maximum users: 256
      Current users: 1
      Guest VLAN is disabled
      Critical VLAN is disabled
      Restrict VLAN is disabled

      Authentication Success: 421        Failure: 11
      EAPOL Packets: TX     : 1300       RX     : 1281
      Sent      EAPOL Request/Identity Packets  : 447
                EAPOL Request/Challenge Packets : 424
                Multicast Trigger Packets       : 0
                EAPOL Success Packets           : 421
                EAPOL Failure Packets           : 8
      Received  EAPOL Start Packets             : 430
                EAPOL Logoff Packets            : 3
                EAPOL Response/Identity Packets : 424
                EAPOL Response/Challenge Packets: 424

    Online user(s) info:
    UserId   MAC/VLAN            AccessTime              UserName
    ------------------------------------------------------------------------------
    241      a425-1b4f-97dc/100  2015/09/14 10:09:59     12345
    ------------------------------------------------------------------------------
    Total 1,1 printed

    >display mac-address authen
    -------------------------------------------------------------------------------
    MAC Address    VLAN/VSI                          Learned-From        Type
    -------------------------------------------------------------------------------
    a425-1b4f-96f9 100/-                             GE0/0/6             authen
    a425-1b4f-97dc 100/-                             GE0/0/5             authen

    -------------------------------------------------------------------------------
    Total items displayed = 2

    In addition, the MAC bypass function also does not work: as a test, a printer was connected and its MAC address was added on the RADIUS server, but after connecting it there was no response, and restarting the printer had no effect either.

    ============= End
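    The symptom in the post, an authenticated phone sitting in the data VLAN instead of the port's voice VLAN, is easy to spot mechanically from two things the switch already prints: the interface config (which ports have `voice-vlan N enable`) and the `display mac-address authen` table. The following script is an added example and is not part of the original post, nor Huawei or Avaya tooling. The config fragment and the MAC table below are constructed from the lines in the post, with one extra non-phone MAC (0011-2233-4455) added to show that ordinary data devices are not flagged; treating a425-1b as the phone vendor's OUI is an assumption based only on the phone MACs shown in the post, so replace PHONE_OUIS with your own inventory.

```python
"""Flag 802.1X-authenticated phones that landed in the wrong VLAN.

Added example (not from the forum post). Cross-checks a Huawei VRP config
against the output of `display mac-address authen`: any MAC whose OUI is in
PHONE_OUIS should be in the voice VLAN of the port it was learned on.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the interface config in the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 300
#
interface GigabitEthernet0/0/5
 voice-vlan 300 enable
 port hybrid pvid vlan 100
 port hybrid tagged vlan 300
 port hybrid untagged vlan 100
 dot1x mac-bypass
#
interface GigabitEthernet0/0/6
 voice-vlan 300 enable
 port hybrid pvid vlan 100
 dot1x mac-bypass
#
"""

# Constructed sample, modelled on `display mac-address authen` in the post,
# plus one extra non-phone MAC that must not be flagged.
SAMPLE_MAC_AUTHEN = """\
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
a425-1b4f-96f9 100/-                             GE0/0/6             authen
a425-1b4f-97dc 100/-                             GE0/0/5             authen
0011-2233-4455 100/-                             GE0/0/5             authen
"""

# Assumption: a425-1b is treated as the phone vendor's OUI only because the
# phone MACs in the post start with it. Use your own asset inventory here.
PHONE_OUIS = {"a4251b"}

# The MAC table abbreviates interface names; map them back to config names.
_SHORT_PREFIXES = {"XGE": "XGigabitEthernet", "GE": "GigabitEthernet", "Eth": "Ethernet"}

# One row of the MAC table: mac, vlan/vsi, learned-from port, type.
_ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)/\S+\s+(\S+)\s+(\S+)$"
)


def expand_port(short: str) -> str:
    """'GE0/0/5' -> 'GigabitEthernet0/0/5' (unknown prefixes pass through)."""
    for abbr, full in _SHORT_PREFIXES.items():
        if short.startswith(abbr):
            return full + short[len(abbr):]
    return short


def parse_voice_vlans(config: str) -> Dict[str, int]:
    """Map each interface that has `voice-vlan N enable` to N."""
    voice: Dict[str, int] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"\s*interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*voice-vlan\s+(\d+)\s+enable", line)
        if m and current:
            voice[current] = int(m.group(1))
    return voice


def parse_mac_authen(output: str) -> List[Tuple[str, int, str]]:
    """Return (mac, vlan, full_port) for every 'authen' row in the table."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group(4) == "authen":
            rows.append((m.group(1), int(m.group(2)), expand_port(m.group(3))))
    return rows


def mac_oui(mac: str) -> str:
    """Huawei dashed MAC -> 6 hex chars of OUI, lower case."""
    return mac.replace("-", "").lower()[:6]


def find_misplaced_phones(config: str, output: str, phone_ouis) -> List[dict]:
    """Phones not in their port's voice VLAN, or on ports with no voice VLAN."""
    voice = parse_voice_vlans(config)
    findings = []
    for mac, vlan, port in parse_mac_authen(output):
        if mac_oui(mac) not in phone_ouis:
            continue  # data device (PC, printer): data VLAN is expected
        expected = voice.get(port)
        if expected is None:
            findings.append({"mac": mac, "port": port, "vlan": vlan,
                             "expected": None, "reason": "no voice VLAN on port"})
        elif vlan != expected:
            findings.append({"mac": mac, "port": port, "vlan": vlan,
                             "expected": expected, "reason": "phone in data VLAN"})
    return findings


if __name__ == "__main__":
    for f in find_misplaced_phones(SAMPLE_CONFIG, SAMPLE_MAC_AUTHEN, PHONE_OUIS):
        print(f"{f['mac']} on {f['port']}: in VLAN {f['vlan']}, "
              f"expected {f['expected']} ({f['reason']})")
```

    Run against real output, both phones from the post are reported as being in VLAN 100 with VLAN 300 expected, which matches what the RADIUS log showed; the PC-class MAC on the same port is left alone. This only tells you where the phone ended up, not why: whether the voice VLAN is being lost because the phone's PAP attempt (with VLAN 300) is rejected and its fallback attempt is the one that succeeds, or because the RADIUS server's success message does not carry a VLAN authorization, still has to be read from the ACS logs.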

  • Original URL: https://www.cnblogs.com/lsgxeva/p/14287853.html