
802.1x Authentication


This topic contains replies, has 2 voices, and was last updated by rpedrosa1979 2 years, 1 month ago.

    #188982

    rpedrosa1979
    Participant

    Hey folks, how is everyone doing?
    A POC came up at my work to configure 802.1x in our environment.
    The initial idea is to block the machines that are not in the bank's DC.
    Today, a person arrives, connects to the network and gets an IP; if they have a username and password, they access the systems.

    I'd like some guidance on configuring 802.1x.

    The idea is to set up a new switch in the POC environment and configure 802.1x to block all machines that log into our environment from outside the domain.

    I've attached the topology, and the idea is to use NPS for this control.

    I'm thinking of configuring the new switch like this:

    Test interface configuration:

    interface FastEthernet0/1
    switchport access vlan 216
    switchport mode access
    switchport voice vlan 228
    authentication event no-response action authorize vlan 171
    authentication port-control auto
    dot1x pae authenticator
    no keepalive
    no cdp enable
    spanning-tree portfast

    AAA configuration:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa session-id common

    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key secret
    radius-server host y.y.y.y auth-port 1812 acct-port 1813 key secret
    radius-server key 7 035D1E4E15202C43440B2E5044063A280C22280402392F0C25342750036418486143

    #188986

    zekkerj
    Participant

    Very interesting. Report back on the POC…


    #188992

    rpedrosa1979
    Participant

    Zekkerj, what is your gtalk?

    #188993

    rpedrosa1979
    Participant

    SWBHEJPA55#sh authentication sessions interface fastEthernet 0/1
    Interface: FastEthernet0/1
    MAC Address: 5cff.3508.f16d
    IP Address: Unknown
    User-Name: UNRESPONSIVE
    Status: Authz Failed
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: both
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: AC1D00370000008606628B5C
    Acct Session ID: 0x000000A2
    Handle: 0xA5000087

    Runnable methods list:
    Method State
    dot1x Failed over

    SWBHEJPA55#
    Aug 17 17:59:07 BRA: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
    Aug 17 17:59:08 BRA: %SYS-5-CONFIG_I: Configured from console by TESTE on vty0 (172.29.2.4)
    1d05h: dot1x-ev(Fa0/1): Interface state changed to UP
    1d05h: dot1x_auth Fa0/1: initial state auth_initialize has enter
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_initialize_enter called
    1d05h: dot1x_auth Fa0/1: during state auth_initialize, got event 0(cfg_auto)
    1d05h: @@@ dot1x_auth Fa0/1: auth_initialize -> auth_disconnected
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_disconnected_enter called
    1d05h: dot1x_auth Fa0/1: idle during state auth_disconnected
    1d05h: @@@ dot1x_auth Fa0/1: auth_disconnected -> auth_restart
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_enter called
    1d05h: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x65000152 (0000.0000.0000)
    1d05h: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has enter
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_initialize_enter called
    1d05h: dot1x_auth_bend Fa0/1: initial state auth_bend_initialize has idle
    1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_initialize, got event 16383(idle)
    1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_enter called
    1d05h: dot1x-ev(Fa0/1): Created a client entry (0x65000152)
    1d05h: dot1x-ev(Fa0/1): Dot1x authentication started for 0x65000152 (0000.0000.0000)
    1d05h: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
    1d05h: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x65000152
    1d05h: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
    1d05h: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_enter called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_connecting_action called
    1d05h: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x65000152
    1d05h: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    1d05h: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_enter called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_authenticating_action called
    1d05h: dot1x-sm(Fa0/1): Posting AUTH_START for 0x65000152
    1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
    1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_enter called
    1d05h: dot1x-ev(Fa0/1): Sending EAPOL packet to group PAE address
    1d05h: dot1x-ev(Fa0/1): Role determination not required
    1d05h: dot1x-registry:registry:dot1x_ether_macaddr called
    1d05h: dot1x-ev(Fa0/1): Sending out EAPOL packet
    1d05h: EAPOL pak dump Tx
    1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
    1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
    1d05h: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x65000152 (0000.0000.0000)
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_request_action called
    1d05h: dot1x-ev(Fa0/1): New client notification from AuthMgr for 0x65000152 - 5cff.3508.f16d
    Aug 17 17:59:09 BRA: %AUTHMGR-5-START: Starting 'dot1x' for client (5cff.3508.f16d) on Interface Fa0/1 AuditSessionID AC1D003700000089066797ED
    1d05h: dot1x-sm(Fa0/1): Posting RESTART on Client 0x65000152
    1d05h: dot1x_auth Fa0/1: during state auth_authenticating, got event 13(restart)
    1d05h: @@@ dot1x_auth Fa0/1: auth_authenticating -> auth_aborting
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_exit called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_aborting_enter called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_aborting_action called
    1d05h: dot1x-sm(Fa0/1): Posting AUTH_ABORT for 0x65000152
    1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 1(authAbort)
    1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_initialize
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_initialize_enter called
    1d05h: dot1x_auth_bend Fa0/1: idle during state auth_bend_initialize
    1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_initialize -> auth_bend_idle
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_enter called
    1d05h: dot1x-sm(Fa0/1): Posting !AUTH_ABORT on Client 0x65000152
    1d05h: dot1x_auth Fa0/1: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
    1d05h: @@@ dot1x_auth Fa0/1: auth_aborting -> auth_restart
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_aborting_exit called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_enter called
    1d05h: dot1x-ev(Fa0/1): Resetting the client 0x65000152 (5cff.3508.f16d)
    1d05h: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x65000152 (5cff.3508.f16d)
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_aborting_restart_action called
    1d05h: dot1x-sm(Fa0/1): Posting !EAP_RESTART on Client 0x65000152
    1d05h: dot1x_auth Fa0/1: during state auth_restart, got event 6(no_eapRestart)
    1d05h: @@@ dot1x_auth Fa0/1: auth_restart -> auth_connecting
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_enter called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_restart_connecting_action called
    1d05h: dot1x-sm(Fa0/1): Posting RX_REQ on Client 0x65000152
    1d05h: dot1x_auth Fa0/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    1d05h: @@@ dot1x_auth Fa0/1: auth_connecting -> auth_authenticating
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_authenticating_enter called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_connecting_authenticating_action called
    1d05h: dot1x-sm(Fa0/1): Posting AUTH_START for 0x65000152
    1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_idle, got event 4(eapReq_authStart)
    1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_idle -> auth_bend_request
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_enter called
    1d05h: dot1x-ev(Fa0/1): Sending EAPOL packet to 5cff.3508.f16d
    1d05h: dot1x-ev(Fa0/1): Role determination not required
    1d05h: dot1x-registry:registry:dot1x_ether_macaddr called
    1d05h: dot1x-ev(Fa0/1): Sending out EAPOL packet
    1d05h: EAPOL pak dump Tx
    1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
    1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
    1d05h: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x65000152 (5cff.3508.f16d)
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_idle_request_action called
    Aug 17 17:59:10 BRA: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    1d05h: dot1x-sm(Fa0/1): Posting EAP_REQ for 0x65000152
    1d05h: dot1x_auth_bend Fa0/1: during state auth_bend_request, got event 7(eapReq)
    1d05h: @@@ dot1x_auth_bend Fa0/1: auth_bend_request -> auth_bend_request
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_request_action called
    1d05h: dot1x-sm(Fa0/1): 0x65000152:auth_bend_request_enter called
    1d05h: dot1x-ev(Fa0/1): Sending EAPOL packet to 5cff.3508.f16d
    1d05h: dot1x-ev(Fa0/1): Role determination not required
    1d05h: dot1x-registry:registry:dot1x_ether_macaddr called
    1d05h: dot1x-ev(Fa0/1): Sending out EAPOL packet
    1d05h: EAPOL pak dump Tx
    1d05h: EAPOL Version: 0x3 type: 0x0 length: 0x0005
    1d05h: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
    1d05h: dot1x-packet(Fa0/1): EAPOL packet sent to client 0x65000152 (5cff.3508.f16d)

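The session above (User-Name UNRESPONSIVE, Status Authz Failed, dot1x "Failed over") is what a port looks like when the host never answers the EAP Request/Identity frames the debug trace shows the switch sending; with the poster's `authentication event no-response action authorize vlan 171` such a port ends up in VLAN 171, so these are the ports a defender wants to list. As an added example, not from the original post or from Cisco, this Python parser reads `show authentication sessions interface` output and gives each session a verdict; the sample text is the poster's session, abridged, and the verdict names and the rule that UNRESPONSIVE means "no supplicant" are my own assumptions.

```python
# Constructed sample input: the session the poster pasted, abridged.
SAMPLE = """\
Interface: FastEthernet0/1
MAC Address: 5cff.3508.f16d
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Failed
Domain: DATA
Common Session ID: AC1D00370000008606628B5C

Runnable methods list:
Method State
dot1x Failed over
"""

def parse_sessions(text):
    """One dict per session in 'show authentication sessions interface'
    output; the 'Runnable methods list' table becomes session['methods']."""
    sessions, cur, in_methods = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):  # every session starts here
            cur, in_methods = {"methods": {}}, False
            sessions.append(cur)
        if cur is None or not line:
            continue
        if line == "Runnable methods list:":
            in_methods = True
        elif in_methods:
            if line != "Method State":  # skip the table header row
                name, _, state = line.partition(" ")
                cur["methods"][name] = state
        else:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return sessions

def classify(session):
    """Defender's verdict (assumed labels): why this host is, or is not, on the LAN."""
    if session.get("User-Name") == "UNRESPONSIVE":
        # The host never answered the EAP Request/Identity frames the switch
        # sent, so it has no supplicant. With 'authentication event
        # no-response action authorize vlan 171' that port lands in VLAN 171.
        return "no-supplicant"
    status = session.get("Status", "")
    if status == "Authz Success":
        return "authorized"
    return "auth-failed" if status == "Authz Failed" else "in-progress"
```

Feed it the output of the command run over several interfaces and filter on the "no-supplicant" verdict to see which ports fell into the no-response VLAN.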