This topic contains 19 replies, has 2 voices, and was last updated 9 years, 11 months ago by Aldrin.
June 9, 2014 at 5:00 pm #48661 pedrophsp (Participant)
Hi everyone, how's it going?
I'm racking my brain trying to configure an Aironet 1600 to authenticate users via a RADIUS server. I've researched several topics online and couldn't get the configuration "right". I have RADIUS working for 15 APs from another vendor; the Cisco one has run into this hiccup.
On the NPS RADIUS (2008) it generated the log below. I know it's something in the AP configuration, related to the authentication method.
Authentication Details:
Connection Request Policy Name: Empresa – Wireless
Network Policy Name: Empresa – Redes Wireless
Authentication Provider: Windows
Authentication Server: empresa.local
Authentication Type: EAP
EAP Type: –
Account Session Identifier: –
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
aironet# sh run
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP_1A
!
!
logging rate-limit console 9
enable secret 5 $1$XZ35$EDQxUz7oBRwWM7FO.6RZz/
!
aaa new-model
!
!
aaa group server radius rad_eap
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_acct1
!
aaa group server radius rad_acct2
server 172.16.0.32 auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap1
server 172.16.0.32 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods1 start-stop group rad_acct1
aaa accounting network acct_methods2 start-stop group rad_acct2
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name empresa.local
ip name-server 172.16.0.31
ip name-server 172.16.0.32
!
!
!
dot11 syslog
!
dot11 ssid 1A
vlan 8
band-select
authentication open eap eap_methods1
authentication key-management wpa version 2
accounting acct_methods2
dot1x eap profile NPS-RADIUS
guest-mode
mbssid guest-mode
!
dot11 ssid INT
vlan 14
band-select
authentication open
mbssid guest-mode
information-element ssidl advertisement
!
!
eap profile NPS-RADIUS
Note: I CREATED THIS OPTION AND ADDED THE PEAP MSCHAP v2 PROTOCOL. I tested with the default option, but that didn't work either.
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-672805014
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-672805014
revocation-check none
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 8 mode ciphers aes-ccm
!
ssid 1A
!
ssid INT
!
antenna gain 0
stbc
beamform ofdm
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.8
encapsulation dot1Q 8
no ip route-cache
no cdp enable
bridge-group 8
bridge-group 8 subscriber-loop-control
bridge-group 8 spanning-disabled
bridge-group 8 block-unknown-source
no bridge-group 8 source-learning
no bridge-group 8 unicast-flooding
!
interface Dot11Radio0.14
encapsulation dot1Q 14
no ip route-cache
no cdp enable
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 spanning-disabled
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 8 mode ciphers aes-ccm
!
ssid 1A
!
ssid INT
!
antenna gain 0
dfs band 3 block
stbc
beamform ofdm
mbssid
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.8
encapsulation dot1Q 8
no cdp enable
bridge-group 8
bridge-group 8 subscriber-loop-control
bridge-group 8 spanning-disabled
bridge-group 8 block-unknown-source
no bridge-group 8 source-learning
no bridge-group 8 unicast-flooding
!
interface Dot11Radio1.14
encapsulation dot1Q 14
no cdp enable
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 spanning-disabled
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
!
interface GigabitEthernet0
ip address 172.16.254.116 255.255.0.0
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.8
encapsulation dot1Q 8
no cdp enable
bridge-group 8
bridge-group 8 spanning-disabled
no bridge-group 8 source-learning
interface GigabitEthernet0.14
encapsulation dot1Q 14
no cdp enable
bridge-group 14
bridge-group 14 spanning-disabled
no bridge-group 14 source-learning
!
interface BVI1
ip address 172.16.254.116 255.255.0.0
no ip route-cache
!
ip default-gateway 172.16.0.2
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
no cdp run
snmp-server community public RO read
snmp-server community private RW
snmp-server location 1Andar
snmp-server contact
snmp-server chassis-id TI
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.0.32 auth-port 1812 acct-port 1813 key 7 1141500615135A5F47292925607A
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
password 7 08224E4F5B4904191D184C
line vty 0 4
transport input all
!
end
There are two networks: VLAN 8 (authentication via RADIUS) and VLAN 14 (no authentication).
One of the sites I researched:
http://www.cisco.com/cisco/web/support/BR/8/86/86210_leapserver.html
If anyone can help me, I'd appreciate it.
June 10, 2014 at 8:37 am #114555 Aldrin (Participant)
Silly question… Did you add the AP as a client on the RADIUS server?
June 10, 2014 at 8:41 am #114556 Aldrin (Participant)
I haven't read your script yet. But the one I'm pasting below I applied at a customer and it worked…
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ITP-AP-P2
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
server 172.16.50.1 auth-port 1645 acct-port 1646
server 172.16.50.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name portoitapoa.com.br
!
!
dot11 syslog
dot11 vlan-name MGMT vlan 99
dot11 vlan-name WRLS-Adm vlan 21
dot11 vlan-name WRLS-Col vlan 23
dot11 vlan-name WRLS-Guest vlan 20
!
dot11 ssid ITPa
vlan 21
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
!
dot11 ssid ITPc
vlan 23
authentication open
authentication key-management wpa version 1
mbssid guest-mode
wpa-psk ascii 7 12185542305B5A077A7C0008
!
dot11 ssid ITPv
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 070E701E1D5D4C535D
!
!
crypto pki trustpoint TP-self-signed-262959104
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-262959104
revocation-check none
rsakeypair TP-self-signed-262959104
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 21 mode ciphers aes-ccm
!
encryption vlan 23 mode ciphers tkip
!
ssid ITPa
!
ssid ITPc
!
ssid ITPv
!
mbssid
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.21
encapsulation dot1Q 21
no ip route-cache
bridge-group 21
bridge-group 21 subscriber-loop-control
bridge-group 21 block-unknown-source
no bridge-group 21 source-learning
no bridge-group 21 unicast-flooding
bridge-group 21 spanning-disabled
!
interface Dot11Radio0.23
encapsulation dot1Q 23
no ip route-cache
bridge-group 23
bridge-group 23 subscriber-loop-control
bridge-group 23 block-unknown-source
no bridge-group 23 source-learning
no bridge-group 23 unicast-flooding
bridge-group 23 spanning-disabled
!
interface Dot11Radio0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.21
encapsulation dot1Q 21
no ip route-cache
bridge-group 21
no bridge-group 21 source-learning
bridge-group 21 spanning-disabled
!
interface FastEthernet0.23
encapsulation dot1Q 23
no ip route-cache
bridge-group 23
no bridge-group 23 source-learning
bridge-group 23 spanning-disabled
!
interface FastEthernet0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.16.99.169 255.255.255.0
no ip route-cache
!
ip default-gateway 172.16.99.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.50.1 auth-port 1645 acct-port 1646 key 7 0526261C35495C584B56
radius-server host 172.16.50.2 auth-port 1645 acct-port 1646 key 7 062B2F32584B1B485744
radius-server vsa send accounting
bridge 1 route ip
!
!
banner motd @
*****************************************************************
* NO UNAUTHORIZED ACCESS *
* *
* Use of the Network is restricted to authorized users. User *
* activity is recorded by system personal. Anyone using the *
* Network expressly consents to such monitoring and recording. *
* *
* BE ADVISED: if possible criminal activity is detected, system *
* records, along with certain personal information may be *
* provided to law enforcement officials. *
* *
*****************************************************************
@
!
line con 0
access-class 111 in
privilege level 15
logging synchronous
line vty 0 4
access-class 111 in
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
access-class 111 in
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
!
end
June 10, 2014 at 8:42 am #114557 Aldrin (Participant)
Another important detail: I saw in your script that you're sending on the default port, 1812. Is that the same one you're using on the RADIUS server?
June 10, 2014 at 10:16 am #114558 pedrophsp (Participant)
Hi Aldrin,
Thanks for the reply.
1. I added the AP as a RADIUS client – OK
2. Yes, I changed the ports to 1812, which are the same ones used on the RADIUS server.
June 10, 2014 at 10:25 am #114559 Aldrin (Participant)
In image 3, leave it as it is. That is for authenticating the AP itself if there's 802.1X on the switch port.
In image 7 the configuration is obsolete; it's for authenticating the AP, not the client, so you can leave it at the default. The server has to be configured under the Server Manager option.
June 10, 2014 at 11:05 am #114560 pedrophsp (Participant)
Image 3 – OK
Image 7 – OK
Server configured in Server Manager – OK
Configuration file attached after the changes.
When you configured the AP for your customer, in NPS did you change the Vendor Name to Cisco or did you use RADIUS Standard? In my environment it's RADIUS Standard; in the image I highlighted the option to show where it is.
June 10, 2014 at 3:21 pm #114561 pedrophsp (Participant)
I ran the debug on the AP; I'll search online to see if there's anything related to this.
ap#
Jun 10 15:11:17.626: AAA/BIND(000003AE): Bind i/f
Jun 10 15:11:17.626: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jun 10 15:11:17.626: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:17.626: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:17.670: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:17.670: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 001e.58a2.ba4b
Jun 10 15:11:17.670: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:17.670: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:17.734: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:17.734: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 001e.58a2.ba4b
Jun 10 15:11:17.734: dot11_auth_dot1x_send_response_to_server: Sending client 001e.58a2.ba4b data to server
Jun 10 15:11:17.734: AAA/AUTHEN/PPP (000003AE): Pick method list ‘eap_methods1’
Jun 10 15:11:17.734: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Jun 10 15:11:17.734: RADIUS/ENCODE(000003AE):Orig. component type = DOT11
Jun 10 15:11:17.734: RADIUS: AAA Unsupported Attr: ssid [347] 2
Jun 10 15:11:17.734: RADIUS: AAA Unsupported Attr: service-type [345] 4 1
Jun 10 15:11:17.734: RADIUS: AAA Unsupported Attr: interface [222] 3
Jun 10 15:11:17.734: RADIUS: 33 [ 3]
Jun 10 15:11:17.734: RADIUS(000003AE): Config NAS IP: 172.16.254.116
Jun 10 15:11:17.734: RADIUS(000003AE): Config NAS IPv6:
Jun 10 15:11:17.734: RADIUS/ENCODE(000003AE): acct_session_id: 930
Jun 10 15:11:17.734: RADIUS(000003AE): Config NAS IP: 172.16.254.116
Jun 10 15:11:17.734: RADIUS(000003AE): sending
Jun 10 15:11:17.734: RADIUS(000003AE): Send Access-Request to 172.16.0.32:1812 id 1645/64, len 176
Jun 10 15:11:17.734: RADIUS: authenticator 28 49 B0 61 F5 A0 C9 CB – 09 C6 A3 74 BA 90 A4 F4
Jun 10 15:11:17.734: RADIUS: User-Name [1] 28 "host/WM-WSUS-998.empresa.local"
Jun 10 15:11:17.734: RADIUS: Framed-MTU [12] 6 1400
Jun 10 15:11:17.734: RADIUS: Called-Station-Id [30] 22 "2C-3E-CF-0B-BF-60:1A"
Jun 10 15:11:17.734: RADIUS: Calling-Station-Id [31] 16 "001e.58a2.ba4b"
Jun 10 15:11:17.734: RADIUS: Service-Type [6] 6 Login [1]
Jun 10 15:11:17.734: RADIUS: Message-Authenticato[80] 18
Jun 10 15:11:17.734: RADIUS: E8 41 93 41 BF D0 5F E3 F4 F0 08 96 91 4F 32 B3 [ AA_O2]
Jun 10 15:11:17.734: RADIUS: EAP-Message [79] 33
Jun 10 15:11:17.738: RADIUS: 02 02 00 1F 01 68 6F 73 74 2F 57 4D 2D 57 53 55 53 2D 39 39 38 [host/WM-WSUS-998]
Jun 10 15:11:17.738: RADIUS: 2E 63 62 61 2E 6C 6F 63 61 6C [ .cba.local]
Jun 10 15:11:17.738: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 10 15:11:17.738: RADIUS: NAS-Port [5] 6 357
Jun 10 15:11:17.738: RADIUS: NAS-Port-Id [87] 5 "357"
Jun 10 15:11:17.738: RADIUS: NAS-IP-Address [4] 6 172.16.254.116
Jun 10 15:11:17.738: RADIUS: Nas-Identifier [32] 4 "ap"
Jun 10 15:11:17.738: RADIUS(000003AE): Sending a IPv4 Radius Packet
Jun 10 15:11:17.738: RADIUS(000003AE): Started 5 sec timeout
Jun 10 15:11:17.738: RADIUS: Received from id 1645/64 172.16.0.32:1812, Access-Reject, len 44
Jun 10 15:11:17.738: RADIUS: authenticator 24 C7 7C A3 D9 18 CE 9C – 18 E3 E8 4C 6B B3 F3 EB
Jun 10 15:11:17.738: RADIUS: EAP-Message [79] 6
Jun 10 15:11:17.738: RADIUS: 04 02 00 04
Jun 10 15:11:17.738: RADIUS: Message-Authenticato[80] 18
Jun 10 15:11:17.738: RADIUS: 7D D8 FD 68 DE 63 DC 5C C4 6F 0D 36 C9 D7 EE 9B [ }hco6]
Jun 10 15:11:17.742: RADIUS(000003AE): Received from id 1645/64
Jun 10 15:11:17.742: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Jun 10 15:11:17.742: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
Jun 10 15:11:17.742: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Jun 10 15:11:17.742: Client 001e.58a2.ba4b failed: by EAP authentication server
Jun 10 15:11:17.742: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 001e.58a2.ba4b
Jun 10 15:11:17.742: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 001e.58a2.ba4b
Jun 10 15:11:17.742: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Jun 10 15:11:17.742: dot11_auth_dot1x_send_client_fail: Authentication failed for 001e.58a2.ba4b
Jun 10 15:11:17.742: %DOT11-7-AUTH_FAILED: Station 001e.58a2.ba4b Authentication failed
Jun 10 15:11:18.626: AAA/BIND(000003AF): Bind i/f
Jun 10 15:11:18.626: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jun 10 15:11:18.626: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:18.626: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:18.674: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:18.674: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 001e.58a2.ba4b
Jun 10 15:11:18.674: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:18.674: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:18.718: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:18.718: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 001e.58a2.ba4b
Jun 10 15:11:18.718: dot11_auth_dot1x_send_response_to_server: Sending client 001e.58a2.ba4b data to server
Jun 10 15:11:18.718: AAA/AUTHEN/PPP (000003AF): Pick method list ‘eap_methods1’
Jun 10 15:11:18.718: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Jun 10 15:11:18.718: RADIUS/ENCODE(000003AF):Orig. component type = DOT11
Jun 10 15:11:18.718: RADIUS: AAA Unsupported Attr: ssid [347] 2
Jun 10 15:11:18.718: RADIUS: AAA Unsupported Attr: service-type [345] 4 1
Jun 10 15:11:18.718: RADIUS: AAA Unsupported Attr: interface [222] 3
Jun 10 15:11:18.718: RADIUS: 33 [ 3]
Jun 10 15:11:18.718: RADIUS(000003AF): Config NAS IP: 172.16.254.116
Jun 10 15:11:18.718: RADIUS(000003AF): Config NAS IPv6:
Jun 10 15:11:18.718: RADIUS/ENCODE(000003AF): acct_session_id: 931
Jun 10 15:11:18.718: RADIUS(000003AF): Config NAS IP: 172.16.254.116
Jun 10 15:11:18.718: RADIUS(000003AF): sending
Jun 10 15:11:18.718: RADIUS(000003AF): Send Access-Request to 172.16.0.32:1812 id 1645/65, len 158
Jun 10 15:11:18.718: RADIUS: authenticator 7E 23 58 CD B6 E3 BC 0A – 86 49 37 61 D4 DA AF 02
Jun 10 15:11:18.718: RADIUS: User-Name [1] 19 "EmpresaPedro.Almeida"
Jun 10 15:11:18.718: RADIUS: Framed-MTU [12] 6 1400
Jun 10 15:11:18.718: RADIUS: Called-Station-Id [30] 22 "2C-3E-CF-0B-BF-60:1A"
Jun 10 15:11:18.718: RADIUS: Calling-Station-Id [31] 16 "001e.58a2.ba4b"
Jun 10 15:11:18.718: RADIUS: Service-Type [6] 6 Login [1]
Jun 10 15:11:18.718: RADIUS: Message-Authenticato[80] 18
Jun 10 15:11:18.718: RADIUS: 6A 0A DC DB 76 E2 DF C0 A2 69 A8 70 E8 41 6B D8 [ jvipAk]
Jun 10 15:11:18.718: RADIUS: EAP-Message [79] 24
Jun 10 15:11:18.718: RADIUS: 02 02 00 16 01 43 42 41 5C 50 65 64 72 6F 2E 41 6C 6D 65 69 64 [EmpresaPedro.Almeid]
Jun 10 15:11:18.718: RADIUS: 61 [ a]
Jun 10 15:11:18.718: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 10 15:11:18.718: RADIUS: NAS-Port [5] 6 358
Jun 10 15:11:18.718: RADIUS: NAS-Port-Id [87] 5 "358"
Jun 10 15:11:18.718: RADIUS: NAS-IP-Address [4] 6 172.16.254.116
Jun 10 15:11:18.718: RADIUS: Nas-Identifier [32] 4 "ap"
Jun 10 15:11:18.718: RADIUS(000003AF): Sending a IPv4 Radius Packet
Jun 10 15:11:18.718: RADIUS(000003AF): Started 5 sec timeout
Jun 10 15:11:18.722: RADIUS: Received from id 1645/65 172.16.0.32:1812, Access-Challenge, len 90
Jun 10 15:11:18.722: RADIUS: authenticator C1 78 11 EF 87 D5 52 8A – 01 A4 06 B5 94 4D 75 32
Jun 10 15:11:18.722: RADIUS: Session-Timeout [27] 6 30
Jun 10 15:11:18.722: RADIUS: EAP-Message [79] 8
Jun 10 15:11:18.722: RADIUS: 01 03 00 06 19 20 [ ]
Jun 10 15:11:18.722: RADIUS: State [24] 38
Jun 10 15:11:18.722: RADIUS: 20 6D 03 29 00 00 01 37 00 01 02 00 AC 10 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 7B 20 F3 53 [ m)7 0{ S]
Jun 10 15:11:18.722: RADIUS: Message-Authenticato[80] 18
Jun 10 15:11:18.726: RADIUS: 65 A4 D8 17 8F 5E 3B 33 B5 97 B6 37 82 E8 E6 76 [ e^;37v]
Jun 10 15:11:18.726: RADIUS(000003AF): Received from id 1645/65
Jun 10 15:11:18.726: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Jun 10 15:11:18.726: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
Jun 10 15:11:18.726: dot11_auth_dot1x_parse_aaa_resp: found session timeout 30 sec
Jun 10 15:11:18.726: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Jun 10 15:11:18.726: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 001e.58a2.ba4b
Jun 10 15:11:18.726: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 001e.58a2.ba4b
Jun 10 15:11:18.726: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Jun 10 15:11:18.734: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:18.734: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 001e.58a2.ba4b
Jun 10 15:11:18.734: dot11_auth_dot1x_send_response_to_server: Sending client 001e.58a2.ba4b data to server
Jun 10 15:11:18.734: AAA/AUTHEN/PPP (000003AF): Pick method list ‘eap_methods1’
Jun 10 15:11:18.734: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Jun 10 15:11:18.734: RADIUS/ENCODE(000003AF):Orig. component type = DOT11
Jun 10 15:11:18.734: RADIUS: AAA Unsupported Attr: ssid [347] 2
Jun 10 15:11:18.734: RADIUS: AAA Unsupported Attr: service-type [345] 4 1
Jun 10 15:11:18.734: RADIUS: AAA Unsupported Attr: interface [222] 3
Jun 10 15:11:18.734: RADIUS: 33 [ 3]
Jun 10 15:11:18.734: RADIUS(000003AF): Config NAS IP: 172.16.254.116
Jun 10 15:11:18.734: RADIUS(000003AF): Config NAS IPv6:
Jun 10 15:11:18.734: RADIUS/ENCODE(000003AF): acct_session_id: 931
Jun 10 15:11:18.738: RADIUS(000003AF): Config NAS IP: 172.16.254.116
Jun 10 15:11:18.738: RADIUS(000003AF): sending
Jun 10 15:11:18.738: RADIUS(000003AF): Send Access-Request to 172.16.0.32:1812 id 1645/66, len 279
Jun 10 15:11:18.738: RADIUS: authenticator B0 62 8C 3F 5B 6F 37 6E – 46 22 B8 8A 6F BE B5 17
Jun 10 15:11:18.738: RADIUS: User-Name [1] 19 "EmpresaPedro.Almeida"
Jun 10 15:11:18.738: RADIUS: Framed-MTU [12] 6 1400
Jun 10 15:11:18.738: RADIUS: Called-Station-Id [30] 22 "2C-3E-CF-0B-BF-60:1A"
Jun 10 15:11:18.738: RADIUS: Calling-Station-Id [31] 16 "001e.58a2.ba4b"
Jun 10 15:11:18.738: RADIUS: Service-Type [6] 6 Login [1]
Jun 10 15:11:18.738: RADIUS: Message-Authenticato[80] 18
Jun 10 15:11:18.738: RADIUS: A9 00 6C A4 2A 55 2A 19 D9 85 87 3B 6D 99 73 0A [ l*U*;ms]
Jun 10 15:11:18.738: RADIUS: EAP-Message [79] 107
Jun 10 15:11:18.738: RADIUS: 02 03 00 69 19 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 53 97 4A 5C 97 7D D0 49 A6 7B D4 14 96 7A 5B 06 A7 AF 89 EB 74 91 3B 62 CB AC 64 [i_ZVSJ}I{z[t;bd]
Jun 10 15:11:18.738: RADIUS: 8A DE D7 98 78 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 [ x/528]
Jun 10 15:11:18.738: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 10 15:11:18.738: RADIUS: NAS-Port [5] 6 358
Jun 10 15:11:18.738: RADIUS: NAS-Port-Id [87] 5 "358"
Jun 10 15:11:18.738: RADIUS: State [24] 38
Jun 10 15:11:18.738: RADIUS: 20 6D 03 29 00 00 01 37 00 01 02 00 AC 10 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 7B 20 F3 53 [ m)7 0{ S]
Jun 10 15:11:18.738: RADIUS: NAS-IP-Address [4] 6 172.16.254.116
Jun 10 15:11:18.738: RADIUS: Nas-Identifier [32] 4 "ap"
Jun 10 15:11:18.738: RADIUS(000003AF): Sending a IPv4 Radius Packet
Jun 10 15:11:18.738: RADIUS(000003AF): Started 5 sec timeout
Jun 10 15:11:23.734: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:23.734: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for 001e.58a2.ba4b
Jun 10 15:11:23.734: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
Jun 10 15:11:23.762: RADIUS(000003AF): Request timed out
Jun 10 15:11:23.762: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:23.762: RADIUS(000003AF): Started 5 sec timeout
Jun 10 15:11:24.750: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:24.750: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for 001e.58a2.ba4b
Jun 10 15:11:24.750: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
Jun 10 15:11:25.762: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:25.762: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for 001e.58a2.ba4b
Jun 10 15:11:25.762: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
Jun 10 15:11:27.626: AAA/BIND(000003B0): Bind i/f
Jun 10 15:11:27.626: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jun 10 15:11:27.626: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:27.626: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:27.670: dot11_auth_parse_client_pak: Received EAPOL packet from 001e.58a2.ba4b
Jun 10 15:11:27.670: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 001e.58a2.ba4b
Jun 10 15:11:27.670: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:27.670: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:28.274: RADIUS(000003AF): Request timed out
Jun 10 15:11:28.274: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:28.274: RADIUS(000003AF): Started 5 sec timeout
Jun 10 15:11:28.718: AAA/BIND(000003B1): Bind i/f
Jun 10 15:11:28.718: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jun 10 15:11:28.718: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001e.58a2.ba4b
Jun 10 15:11:28.718: dot11_auth_dot1x_send_id_req_to_client: Client 001e.58a2.ba4b timer started for 30 seconds
Jun 10 15:11:32.946: RADIUS(000003AF): Request timed out
Jun 10 15:11:32.946: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:32.946: RADIUS(000003AF): Started 5 sec timeout
Jun 10 15:11:37.242: RADIUS(000003AF): Request timed out
Jun 10 15:11:37.242: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:37.242: RADIUS(000003AF): Started 5 sec timeout
Jun 10 15:11:41.562: RADIUS(000003AF): Request timed out
Jun 10 15:11:41.562: RADIUS: Fail-over denied to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:41.562: RADIUS: No response from (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:41.562: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jun 10 15:11:41.562: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
ap#
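To make a debug like the one above quicker to read, here is an added example (my own code, not something from this thread or from Cisco) that walks the pasted `debug radius` lines, groups them by RADIUS packet id, decodes the EAP-Message attribute (RFC 3748 header: code, id, length, method type; PEAP is type 25 in the IANA registry) and records whether the server answered with Access-Reject, Access-Challenge, or nothing at all. The sample input is a trimmed excerpt of the debug pasted in this thread; the regexes assume the IOS AP debug line format shown there.

```python
"""Summarise a Cisco IOS access-point 'debug radius' capture (added example)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers from the IANA registry (25 = PEAP, the method NPS was set to)
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

SEND_RE = re.compile(r"Send Access-Request to (\S+) id (\S+), len \d+")
RECV_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+), len \d+")
RETRY_RE = re.compile(r"Retransmit to \([^)]*\) for id (\S+)")
NORESP_RE = re.compile(r"No response from \([^)]*\) for id (\S+)")
EAP_HDR_RE = re.compile(r"EAP-Message\s+\[79\]\s+(\d+)")
# Continuation line of an attribute hex dump: "RADIUS:  02 02 00 1F ... [ascii]"
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)*[0-9A-F]{2})(?:\s*\[|\s*$)")


def decode_eap(data: bytes) -> dict:
    """Decode the 4-byte EAP header (RFC 3748) and, for Request/Response, the method type."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length > len(data):
        raise ValueError("EAP length field exceeds the captured bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        out["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:                                  # Identity: payload is the user name
            out["identity"] = data[5:length].decode("utf-8", "replace")
        elif eap_type in (13, 21, 25) and length >= 6:    # TLS-based methods carry a flags byte
            flags = data[5]
            out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    return out


def _new_session(server=None):
    return {"server": server, "reply": None, "retransmits": 0}


def summarise_radius_debug(lines):
    """Return {radius_id: summary} for every Access-Request found in the debug lines."""
    sessions, current, direction, pending = {}, None, None, None
    for line in lines:
        if pending is not None:                 # still reading an EAP-Message hex dump
            m = HEX_RE.search(line)
            if m:
                pending[1].extend(bytes.fromhex(m.group(1).replace(" ", "")))
                if len(pending[1]) >= pending[0]:
                    sessions[current][f"{direction}_eap"] = decode_eap(bytes(pending[1]))
                    pending = None
                continue
            pending = None                      # dump ended early; treat this line normally
        if m := SEND_RE.search(line):
            current, direction = m.group(2), "request"
            sessions.setdefault(current, _new_session(m.group(1)))
        elif m := RECV_RE.search(line):
            current, direction = m.group(1), "response"
            sessions.setdefault(current, _new_session())["reply"] = m.group(2)
        elif (m := EAP_HDR_RE.search(line)) and current is not None:
            # the attribute length counts its 2-byte Type/Length header; the rest is the EAP packet
            pending = [int(m.group(1)) - 2, bytearray()]
        elif m := RETRY_RE.search(line):
            sessions.setdefault(m.group(1), _new_session())["retransmits"] += 1
        elif m := NORESP_RE.search(line):
            sessions.setdefault(m.group(1), _new_session())["reply"] = "no response"
    return sessions


# Trimmed excerpt of the debug pasted in this thread: three Access-Requests (ids 1645/64 to 66)
SAMPLE_DEBUG = """\
Jun 10 15:11:17.734: RADIUS(000003AE): Send Access-Request to 172.16.0.32:1812 id 1645/64, len 176
Jun 10 15:11:17.734: RADIUS: EAP-Message [79] 33
Jun 10 15:11:17.738: RADIUS: 02 02 00 1F 01 68 6F 73 74 2F 57 4D 2D 57 53 55 53 2D 39 39 38 [host/WM-WSUS-998]
Jun 10 15:11:17.738: RADIUS: 2E 63 62 61 2E 6C 6F 63 61 6C [ .cba.local]
Jun 10 15:11:17.738: RADIUS: Received from id 1645/64 172.16.0.32:1812, Access-Reject, len 44
Jun 10 15:11:17.738: RADIUS: EAP-Message [79] 6
Jun 10 15:11:17.738: RADIUS: 04 02 00 04
Jun 10 15:11:18.718: RADIUS(000003AF): Send Access-Request to 172.16.0.32:1812 id 1645/65, len 158
Jun 10 15:11:18.718: RADIUS: EAP-Message [79] 24
Jun 10 15:11:18.718: RADIUS: 02 02 00 16 01 43 42 41 5C 50 65 64 72 6F 2E 41 6C 6D 65 69 64 [EmpresaPedro.Almeid]
Jun 10 15:11:18.718: RADIUS: 61 [ a]
Jun 10 15:11:18.722: RADIUS: Received from id 1645/65 172.16.0.32:1812, Access-Challenge, len 90
Jun 10 15:11:18.722: RADIUS: EAP-Message [79] 8
Jun 10 15:11:18.722: RADIUS: 01 03 00 06 19 20 [ ]
Jun 10 15:11:18.738: RADIUS(000003AF): Send Access-Request to 172.16.0.32:1812 id 1645/66, len 279
Jun 10 15:11:18.738: RADIUS: EAP-Message [79] 107
Jun 10 15:11:18.738: RADIUS: 02 03 00 69 19 80 00 00 00 5F 16 03 01 00 5A 01 00 00 56 03 01 53 97 4A 5C 97 7D D0 49 A6 7B D4 14 96 7A 5B 06 A7 AF 89 EB 74 91 3B 62 CB AC 64 [i_ZVSJ}I{z[t;bd]
Jun 10 15:11:18.738: RADIUS: 8A DE D7 98 78 00 00 18 00 2F 00 35 00 05 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38 00 13 00 04 01 00 00 15 FF 01 00 01 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 [ x/528]
Jun 10 15:11:23.762: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:28.274: RADIUS: Retransmit to (172.16.0.32:1812,1813) for id 1645/66
Jun 10 15:11:41.562: RADIUS: No response from (172.16.0.32:1812,1813) for id 1645/66
""".splitlines()


if __name__ == "__main__":
    for rid, s in summarise_radius_debug(SAMPLE_DEBUG).items():
        print(rid, s["reply"], "retransmits:", s["retransmits"])
        for key in ("request_eap", "response_eap"):
            if key in s:
                print("   ", key, s[key])
```

Run against the excerpt, it shows the two distinct failures hidden in the wall of text: the first request (the machine identity `host/...`) is answered straight away with an Access-Reject carrying an EAP Failure packet, which is what NPS logs as reason code 22; the second request (the user identity) gets an Access-Challenge whose EAP packet is a PEAP Start (type 25, S flag set), and the client's PEAP response that carries the TLS ClientHello (L flag set, 105 bytes) is then retransmitted without any answer from the server. Decoding the identity bytes also shows the name exactly as the client sent it, independent of what the AP prints in the User-Name attribute line.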
June 10, 2014 at 4:16 pm #114562 Aldrin (Participant)
From what I read in the first lines of the debug, it looks like the server is rejecting. And I never use Vendor, I always set Standard. What does the server show in the Event Viewer? Did you try with another device (smartphone or tablet) and another user?
June 10, 2014 at 4:45 pm #114563 pedrophsp (Participant)
Yes, I always left it at Standard because the vendors I was using weren't in the Vendor list.
Event Viewer
Authentication Details:
Connection Request Policy Name: Empresa – Wireless
Network Policy Name: Empresa – Redes Wireless
Authentication Provider: Windows
Authentication Server: empresa.local
Authentication Type: EAP
EAP Type: –
Account Session Identifier: –
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I tested on another machine; it returns the same error.
I read something about changing some attributes that are different on Cisco compared to RADIUS; also, in the log there's a part that isn't supported:
Jun 10 15:11:18.734: RADIUS: AAA Unsupported Attr: ssid [347] 2
Jun 10 15:11:18.734: RADIUS: AAA Unsupported Attr: service-type [345] 4 1
Jun 10 15:11:18.734: RADIUS: AAA Unsupported Attr: interface [222] 3
I'm still researching; let's see if I find the solution. I don't want to make any changes to my RADIUS server since it's in production and I don't see a problem with its configuration.
June 10, 2014 at 5:05 pm #114564 Aldrin (Participant)
So, from what I understand, the server's message says the EAP can't be processed. I don't know exactly what that means; I imagine the client may be using an EAP type different from the one configured on the server.
Sorry for the silly question (the server must be configured for PEAP), but is the client also using PEAP?
June 10, 2014 at 5:56 pm #114565 pedrophsp (Participant)
I agree with you. The server does have Microsoft Protected EAP – EAP-MSCHAPv2.
The client (the Aironet) only has the option Methods Accepted: with EAP (image 2).
If only there were an option like the one in the "authentication method" figure to configure the EAP, but there isn't….
June 10, 2014 at 6:01 pm #114566 pedrophsp (Participant)
This tutorial talks about changing the attribute for Cisco equipment.
http://www.networkingnut.net/configuring-radius-server-on-windows-2008-r2-for-cisco-device-logins/
June 11, 2014 at 8:46 am #114567 Aldrin (Participant)
Which IOS version is it?
June 11, 2014 at 8:53 am #114568 pedrophsp (Participant)
Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 29-Jul-13 12:16 by prod_rel_team
June 11, 2014 at 10:19 am #114569 Aldrin (Participant)
Is the AP model really an 1160? I searched for that model and found nothing…
June 11, 2014 at 10:23 am #114570 Aldrin (Participant)
Anyway, I read the release notes for that version and didn't find any bug related to the problem you're reporting… Very strange, to say the least :/
June 11, 2014 at 11:11 am #114571 pedrophsp (Participant)
I mean 1600, sorry, hehe
June 16, 2014 at 9:53 am #114572 pedrophsp (Participant)
Aldrin, I managed to solve it.
Thanks.
I solved this problem. I configured one more option in Connection Request Policies – My Policy:
Authentication Provider: Local Computer
Extensible Authentication Protocol Method: Microsoft: Protected EAP (PEAP)
Override Authentication: Disabled
Extensible Authentication Protocol Configuration: Configure
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
In Network Policies – My Policy:
Authentication Method: EAP
Access Permission: Grant Access
Update Noncompliant Client: True
NAP Enforcement: Allow full network access
Extensible Authentication Protocol Method: Microsoft: Protected EAP (PEAP)
Extensible Authentication Protocol Configuration: Configure
Extended State: <Blank>
BAP Percentage of Capacity: Reduce Multilink if server reaches 50% for 2 minutes
Encryption: Basic encryption (MPPE 40-bit), Strong encryption (MPPE 56-bit), Strongest encryption (MPPE 128-bit)
Encryption Policy: Enabled
NAS Port Type: Wireless – IEEE 802.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
These options (in red) I added in my NPS, and authentication is working now.
Cheers..
June 16, 2014 at 3:52 pm #114573 Aldrin (Participant)
Nice, live and learn… It really was something on the server 🙂