Cisco 3750Gを設定して、802.1xプロセスの認証機能を実行しました。サプリカントとしてテストWin7マシンを、認証サーバーとしてNPSを実行するWindows 2008サーバーを持っています。Win7マシンは正常に認証できます。
これで、Win7マシンの前にCisco 7941 IP Phoneを接続し、swtichport voice vlanコマンドを使用してスイッチを構成しました。プラグを差し込むと電源が許可されますが、ポートはすぐにダウン状態に移行します。デバッグログを確認した後、問題は、802.1xがアクセスVLANと音声VLANの両方で認証を試みていることにあると考えています。アクセスVLANでのみ802.1xを実行する方法はありますか?声じゃない?
シナリオ:
{RADIUS} <----> {3750G} <-----> {Cisco 7941 Phone} <-----> {Win7 802.1x client}
私は現在インターフェースgi1 / 0/3でテストしています、これはインターフェース設定行です:
interface GigabitEthernet1/0/3
description TestPort
switchport access vlan 100
switchport voice vlan 110
switchport mode access
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
spanning-tree portfast
auto qos voip cisco-phone
3750Gからのデバッグの一部
*Apr 21 13:44:04.045: %ILPOWER-7-DETECT: Interface Gi1/0/3: Power Device detected: IEEE PD
*Apr 21 13:44:04.322: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/3: Power granted
*Apr 21 13:44:07.811: dot1x-ev(Gi1/0/3): Interface state changed to UP
*Apr 21 13:44:07.811: dot1x_auth Gi1/0/3: initial state auth_initialize has enter
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_initialize_enter called
*Apr 21 13:44:07.811: dot1x_auth Gi1/0/3: during state auth_initialize, got event 0(cfg_auto)
*Apr 21 13:44:07.811: @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_disconnected
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_disconnected_enter called
*Apr 21 13:44:07.811: dot1x_auth Gi1/0/3: idle during state auth_disconnected
*Apr 21 13:44:07.811: @@@ dot1x_auth Gi1/0/3: auth_disconnected -> auth_restart
*Apr 21 13:44:07.811: dot1x-sm(Gi1/0/3): 0x0000003B:auth_restart_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending create new context event to EAP for 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_initialize_enter called
*Apr 21 13:44:07.820: dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
*Apr 21 13:44:07.820: dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
*Apr 21 13:44:07.820: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_idle_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Created a client entry (0x0000003B)
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Dot1x authentication started for 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting !EAP_RESTART on Client 0x0000003B
*Apr 21 13:44:07.820: dot1x_auth Gi1/0/3: during state auth_restart, got event 6(no_eapRestart)
*Apr 21 13:44:07.820: @@@ dot1x_auth Gi1/0/3: auth_restart -> auth_connecting
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_connecting_enter called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_restart_connecting_action called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting RX_REQ on Client 0x0000003B
*Apr 21 13:44:07.820: dot1x_auth Gi1/0/3: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
*Apr 21 13:44:07.820: @@@ dot1x_auth Gi1/0/3: auth_connecting -> auth_authenticating
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_authenticating_enter called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_connecting_authenticating_action called
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): Posting AUTH_START for 0x0000003B
*Apr 21 13:44:07.820: dot1x_auth_bend Gi1/0/3: during state auth_bend_idle, got event 4(eapReq_authStart)
*Apr 21 13:44:07.820: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_idle -> auth_bend_request
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_request_enter called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Role determination not required
*Apr 21 13:44:07.820: dot1x-registry:registry:dot1x_ether_macaddr called
*Apr 21 13:44:07.820: dot1x-ev(Gi1/0/3): Sending out EAPOL packet
*Apr 21 13:44:07.820: EAPOL pak dump Tx
*Apr 21 13:44:07.820: EAPOL Version: 0x3 type: 0x0 length: 0x0005
*Apr 21 13:44:07.820: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
*Apr 21 13:44:07.820: dot1x-packet(Gi1/0/3): EAPOL packet sent to client 0x0000003B (0000.0000.0000)
*Apr 21 13:44:07.820: dot1x-sm(Gi1/0/3): 0x0000003B:auth_bend_idle_request_action called
*Apr 21 13:44:09.791: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
*Apr 21 13:44:10.798: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
*Apr 21 13:44:36.844: dot1x-ev(Gi1/0/3): Interface state changed to DOWN
*Apr 21 13:44:36.844: dot1x-ev(Gi1/0/3): Deleting client 0x0000003B (0000.0000.0000)
*Apr 21 13:44:36.844: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet1/0/3
*Apr 21 13:44:36.844: dot1x-ev:Delete auth client (0x0000003B) message
*Apr 21 13:44:36.844: dot1x-ev:Auth client ctx destroyed
*Apr 21 13:44:37.842: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
*Apr 21 13:44:38.841: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
最新のインターフェイス構成: インターフェイスGigabitEthernet1 / 0/3スイッチポートアクセスVLAN 105スイッチポートモードアクセススイッチポート音声VLAN 110 srr-queue帯域幅共有1 30 35 5認証キューの認証制御方向認証イベントの失敗アクション次のメソッドの認証ホストモードmulti-auth authentication open authentication order dot1x mab authentication priority mab dot1x mab mls qos trust device cisco-phone mls qos trust cos auto qos voip cisco-phone dot1x pae authenticationator spanning-tree portfast service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
グローバル構成の 父
デバッグ:
show version
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3750G-24PS 15.0(2)SE6 C3750-IPSERVICESK9-M
#show authentication sessions interface gi1/0/3
Interface: GigabitEthernet1/0/3
MAC Address: Unknown
IP Address: Unknown
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6363FE0000001900347F3C
Acct Session ID: 0x00000020
Handle: 0x7A00001A
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
#show dot1x all details
Sysauthcontrol Enabled
Dot1x Protocol Version 3
Dot1x Info for GigabitEthernet1/0/3
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Dot1x Authenticator Client List Empty
show run | in dot1x
aaa authentication dot1x default group RADIUS
dot1x system-auth-control
コンソール
Oct 15 20:16:41.392: dot1x-ev(Gi1/0/3): Interface state changed to DOWN
Oct 15 20:16:41.400: dot1x-ev(Gi1/0/3): Deleting client 0x74000003 (0000.0000.0000)
Oct 15 20:16:41.400: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet1/0/3
Oct 15 20:16:41.400: dot1x-ev:Delete auth client (0x74000003) message
Oct 15 20:16:41.400: dot1x-ev:Auth client ctx destroyedshut
Oct 15 20:16:42.180: %SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Gi1/0/3, operational port trust state is now untrusted
Oct 15 20:16:43.363: %LINK-5-CHANGED: Interface GigabitEthernet1/0/3, changed state to administratively down
Oct 15 20:16:44.370: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state tno shut
SW1(config-if)#
Oct 15 20:16:47.801: %ILPOWER-7-DETECT: Interface Gi1/0/3: Power Device detected: IEEE PD
Oct 15 20:16:48.807: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/3: Power granted
Oct 15 20:16:48.916: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Oct 15 20:16:50.124: dot1x-ev(Gi1/0/3): Interface state changed to UP
Oct 15 20:16:50.133: dot1x_auth Gi1/0/3: initial state auth_initialize has enter
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_initialize_enter called
Oct 15 20:16:50.133: dot1x_auth Gi1/0/3: during state auth_initialize, got event 1(cfg_force_auth)
Oct 15 20:16:50.133: @@@ dot1x_auth Gi1/0/3: auth_initialize -> auth_force_auth
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_force_auth_enter called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Sending EAPOL packet to group PAE address
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Role determination not required
Oct 15 20:16:50.133: dot1x-registry:registry:dot1x_ether_macaddr called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Sending out EAPOL packet
Oct 15 20:16:50.133: EAPOL pak dump Tx
Oct 15 20:16:50.133: EAPOL Version: 0x3 type: 0x0 length: 0x0004
Oct 15 20:16:50.133: EAP code: 0x3 id: 0x1 length: 0x0004
Oct 15 20:16:50.133: dot1x-packet(Gi1/0/3): dot1x_auth_txCannedStatus: EAPOL packet sent to client 0xD8000004 (0000.0000.0000)
Oct 15 20:16:50.133: dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has enter
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_bend_initialize_enter called
Oct 15 20:16:50.133: dot1x_auth_bend Gi1/0/3: initial state auth_bend_initialize has idle
Oct 15 20:16:50.133: dot1x_auth_bend Gi1/0/3: during state auth_bend_initialize, got event 16383(idle)
Oct 15 20:16:50.133: @@@ dot1x_auth_bend Gi1/0/3: auth_bend_initialize -> auth_bend_idle
Oct 15 20:16:50.133: dot1x-sm(Gi1/0/3): 0xD8000004:auth_bend_idle_enter called
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Created a client entry (0xD8000004)
Oct 15 20:16:50.133: dot1x-ev(Gi1/0/3): Dot1x authentication started for 0xD8000004 (0000.0000.0000)
Oct 15 20:16:50.133: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/3
Oct 15 20:16:50.141: dot1x-ev(Gi1/0/3): Sending event (2) to Auth Mgr for 0000.0000.0000
Oct 15 20:16:50.141: dot1x-redundancy: State for client 0000.0000.0000 successfully retrieved
Oct 15 20:16:52.113: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Oct 15 20:16:53.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Oct 15 20:17:34.542: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Gi1/0/3, port's configured trust state is now operational.
ポートはまだシャットダウン状態のままですが、電話に電力を供給しています...