web-dev-qa-db-ja.com

Cisco3750スイッチはRADIUS要求をサーバに送信しません

LAN上でRADIUSサーバーを実行しており、サーバーへの直接リンクを介してそれに対して認証することができます。

ただし、クライアントをスイッチ(Cisco 3750バージョン12.2(55)SE7)を介して接続する場合、サーバーは要求を受信しません。

ユーザー「bob」を認証する場合にのみ、(スイッチで)次のデバッグを取得します。

*Mar  1 04:02:53.847: %AUTHMGR-5-START: Starting 'dot1x' for client (5404.a631.e7dc) on Interface Gi1/0/11 AuditSessionID C0A802020000001C00DE6117
*Mar  1 04:02:53.855: RADIUS/ENCODE(00000028):Orig. component type = DOT1X
*Mar  1 04:02:53.855: RADIUS(00000028): Config NAS IP: 192.168.1.2
*Mar  1 04:02:53.855: RADIUS/ENCODE(00000028): acct_session_id: 39
*Mar  1 04:02:53.855: RADIUS(00000028): sending
*Mar  1 04:02:53.855: RADIUS(00000028): Send Access-Request to 192.168.69.201:1812 id 1645/57, len 195
*Mar  1 04:02:53.855: RADIUS:  authenticator D7 81 62 F3 A3 9D 05 9E - 98 F5 F4 48 4A 05 3F 99
*Mar  1 04:02:53.855: RADIUS:  User-Name           [1]   5   "bob"
*Mar  1 04:02:53.855: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 04:02:53.855: RADIUS:  Framed-MTU          [12]  6   1500                      
*Mar  1 04:02:53.855: RADIUS:  Called-Station-Id   [30]  19  "00-0F-23-01-DA-8B"
*Mar  1 04:02:53.855: RADIUS:  Calling-Station-Id  [31]  19  "54-04-A6-31-E7-DC"
*Mar  1 04:02:53.855: RADIUS:  EAP-Message         [79]  10  
*Mar  1 04:02:53.855: RADIUS:   02 01 00 08 01 62 6F 62               [ bob]
*Mar  1 04:02:53.855: RADIUS:  Message-Authenticato[80]  18  
*Mar  1 04:02:53.855: RADIUS:   92 DE CA B6 10 03 8C 0F 00 70 4D 3C 8C FA FC 68              [ pM<h]
*Mar  1 04:02:53.855: RADIUS:  EAP-Key-Name        [102] 2   *
*Mar  1 04:02:53.855: RADIUS:  Vendor, Cisco       [26]  49  
*Mar  1 04:02:53.855: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802020000001C00DE6117"
*Mar  1 04:02:53.855: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 04:02:53.855: RADIUS:  NAS-Port            [5]   6   50111                     
*Mar  1 04:02:53.855: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/11"
*Mar  1 04:02:53.855: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.2               
*Mar  1 04:02:53.855: RADIUS(00000028): Started 30 sec timeout
*Mar  1 04:03:15.724: RADIUS(00000027): Request timed out 
*Mar  1 04:03:15.724: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/56
*Mar  1 04:03:15.724: RADIUS(00000027): Started 30 sec timeout
*Mar  1 04:03:23.374: RADIUS(00000028): Request timed out 
*Mar  1 04:03:23.374: RADIUS: Retransmit to (192.168.69.201:1812,1813) for id 1645/57
*Mar  1 04:03:23.374: RADIUS(00000028): Started 30 sec timeout
*Mar  1 04:03:44.069: RADIUS(00000027): Request timed out 
*Mar  1 04:03:44.069: RADIUS: No response from (192.168.69.201:1812,1813) for id 1645/56
*Mar  1 04:03:44.069: RADIUS/DECODE: parse response no app start; FAIL
*Mar  1 04:03:44.069: RADIUS/DECODE: parse response; FAIL




listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:38:19.392110 IP 192.168.69.75.60075 > 192.168.69.201.radius: RADIUS, Access Request (1), id: 0x5e length: 55
13:38:19.407249 IP 192.168.69.201.radius > 192.168.69.75.60075: RADIUS, Access Accept (2), id: 0x5e length: 20

サーバー側でパケットが受信されず、iptablesが設定されていません。スイッチの構成は次のとおりです。

    Current configuration : 9050 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
!
username Cisco password 0 Cisco
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa accounting update periodic 30
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-24t
system mtu routing 1500
no ip domain-lookup
!
ip dhcp pool 1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.5 
   domain-name example.com
   dns-server 192.168.1.5 
!
!
!
!
crypto pki trustpoint TP-self-signed-587324032
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-587324032
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-587324032
 certificate self-signed 01
0239 308201A2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 35383733 32343033 32301E17 0D393330 33303130 30303230 
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 37333234 
  30333230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  AA357059 E5EAF5DF B9B393C5 4B38FECD 00850272 5991B279 859BDD2C AE5DACF0 
  F839D226 06A737F2 769D8910 EEC82E45 3686245A BCCFAEEA 77F140DF CF19E289 
  CFD1F9AB 6D5701C8 08E03854 9D0A2C0C 7ADE596E 9EE2178E 29E60792 789EBBD5 
  F44221FB 42D4A664 C9DE1C31 404FAFF5 B576A6D6 011A764A E3CFBDEF C07E718F 
  02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 
  11040730 05820353 312E301F 0603551D 23041830 16801468 CC5707C3 5211381F 
  F9636305 48BD339F D9D47730 1D060355 1D0E0416 041468CC 5707C352 11381FF9 
  63630548 BD339FD9 D477300D 06092A86 4886F70D 01010405 00038181 000349FD 
  CEB74D48 5B92FFF1 FE60506C 9C5D3925 B65EFC09 FB20904B DCEC61D1 CBD10DA7 
  130E21F3 C7BBCB79 4E1FAAD7 44AEE7D2 B857F7D3 BCD3742D E99F1F8C 16E342A6 
  2C1D6EF3 93!
end

F48DBD 2CE4201D A01551F8 49BFD583 C0BE800B 5721DF6F 6D4F859D 
  A3C0EAEF 6D39FAC2 918FED6C C035A883 ED27FFA5 34C6FA15 58D89BD5 BC
  quit    
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
!     
!     
!     
spanning-tree mode pvst
spanning-tree extend system-id
!     
vlan internal allocation policy ascending
!     
!     
!     
!     
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!     
interface GigabitEthernet1/0/2
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
[...]
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.2 255.255.255.0
!
interface Vlan5
 ip address 192.168.5.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan1 
!
radius-server attribute 8 include-in-access-req
radius-server Host 192.168.69.201 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key pf
radius-server vsa send authentication
!
!
line con 0
!
end
1
timmeyh

スイッチのradiusホスト構成に「シークレット」を設定する必要があります。おそらく、半径構成の詳細も含める必要があります。

1
ETL