I want to use my RADIUS server to restrict which of the configured SSIDs each user may access.

Following the documentation linked above, I added the following attribute to a test user:

ospite-5vh Cisco-AVPair += "ssid=Interactive_Ospiti"


So, with debug radius authentication enabled, I saw:

Jun 12 08:30:08.266: RADIUS(00001A96): Send Access-Request to 212.183.164.38:1812 id 1645/128, len 177
Jun 12 08:30:08.266: RADIUS:  authenticator CC C9 63 16 B0 62 74 52 - A7 95 DF 1D 93 F3 08 37
Jun 12 08:30:08.267: RADIUS:  User-Name           [1]   12  "ospite-5vh"
Jun 12 08:30:08.267: RADIUS:  Framed-MTU          [12]  6   1400                      
Jun 12 08:30:08.267: RADIUS:  Called-Station-Id   [30]  16  "8478.acf0.9002"
Jun 12 08:30:08.267: RADIUS:  Calling-Station-Id  [31]  16  "2064.3267.44ca"
Jun 12 08:30:08.267: RADIUS:  Vendor, Cisco       [26]  29  
Jun 12 08:30:08.267: RADIUS:   Cisco AVpair       [1]   23 "ssid=Interactive_Test"
Jun 12 08:30:08.267: RADIUS:  Service-Type        [6]   6   Login                     [1]
Jun 12 08:30:08.267: RADIUS:  Message-Authenticato[80]  18  
Jun 12 08:30:08.267: RADIUS:   7D 95 ED 39 3D 12 82 9F 30 8D 1F F4 84 04 43 C9  [}??9=???0?????C?]
Jun 12 08:30:08.267: RADIUS:  EAP-Message         [79]  17  
Jun 12 08:30:08.267: RADIUS:   02 01 00 0F 01 6F 73 70 69 74 65 2D 35 76 68     [?????ospite-5vh]
Jun 12 08:30:08.267: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Jun 12 08:30:08.267: RADIUS:  NAS-Port            [5]   6   7037                      
Jun 12 08:30:08.268: RADIUS:  NAS-Port-Id         [87]  6   "7037"
Jun 12 08:30:08.268: RADIUS:  NAS-IP-Address      [4]   6   10.132.0.253              
Jun 12 08:30:08.268: RADIUS:  Nas-Identifier      [32]  13  "UFFICIO-AP1"
Jun 12 08:30:08.325: RADIUS: Received from id 1645/128 212.183.164.38:1812, Access-Challenge, len 95
Jun 12 08:30:08.325: RADIUS:  authenticator 8A C9 30 9B 1B 13 20 91 - 4C D6 FE B3 2A 1E F7 85
Jun 12 08:30:08.325: RADIUS:  Vendor, Cisco       [26]  31  
Jun 12 08:30:08.325: RADIUS:   Cisco AVpair       [1]   25  "ssid=Interactive_Ospiti"
Jun 12 08:30:08.325: RADIUS:  EAP-Message         [79]  8   
Jun 12 08:30:08.325: RADIUS:   01 02 00 06 19 20                                [????? ]
Jun 12 08:30:08.325: RADIUS:  Message-Authenticato[80]  18  
Jun 12 08:30:08.325: RADIUS:   31 7D 79 7B C3 67 7E 71 5A FA 53 D4 76 2E 9D A4  [1}y{?g~qZ?S?v.??]
Jun 12 08:30:08.326: RADIUS:  State               [24]  18  
Jun 12 08:30:08.326: RADIUS:   9E B6 71 EA 9E B4 68 7A 8E 86 18 54 AF BD AF 55  [??q???hz???T???U]
Jun 12 08:30:08.326: RADIUS(00001A96): Received from id 1645/128


So I expected the request to be rejected, because the associated SSID does not match the one in RADIUS, but instead it was accepted and the user connected.

The relevant configuration is as follows:

aaa authentication login default group radius
aaa authentication login eap_methods group radius
aaa authorization network default if-authenticated 
aaa accounting nested
aaa accounting update periodic 5
aaa accounting network eap_methods start-stop group radius
!
dot11 ssid Interactive
   vlan 1
   authentication open 
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 01120101551F035F7324DB1194F0ABEE1C0B03175B5C51
!
dot11 ssid Interactive_Ospiti
   vlan 4
   authentication open 
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15475E1D0725242D262D265D12730301204
!
dot11 ssid Interactive_Test
   vlan 5
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   accounting eap_methods
   mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 4 mode ciphers aes-ccm tkip 
 encryption vlan 1 mode ciphers aes-ccm tkip 
 encryption vlan 5 mode ciphers aes-ccm tkip 
 ssid Interactive
 ssid Interactive_Ospiti
 ssid Interactive_Test
 antenna gain 0
 mbssid
 no short-slot-time
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2457
 station-role root
!
interface Dot11Radio0.1
 description LAN Interactive
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.4
 description LAN Ospiti
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface Dot11Radio0.5
 description LAN Test
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 4 10.132.0.253
radius-server host 10.132.0.99 auth-port 1812 acct-port 1813 non-standard key 7 131312061E3811242A142A7C79
radius-server vsa send accounting
radius-server vsa send authentication



This is the output of #show version.
Can anyone help?
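As an added check that is not part of the original question, the following Python script parses the debug radius output quoted above and reports whether the SSID the AP put in the Access-Request matches the SSID the server sent back, and whether a mismatch was actually enforced with an Access-Reject. The function names and the regexes for the IOS debug format are my own assumptions; the sample lines are a trimmed copy of the debug shown above.

```python
import re

# Constructed sample: a trimmed copy of the "debug radius authentication" lines quoted above.
SAMPLE_DEBUG = """\
Jun 12 08:30:08.266: RADIUS(00001A96): Send Access-Request to 212.183.164.38:1812 id 1645/128, len 177
Jun 12 08:30:08.267: RADIUS:  User-Name           [1]   12  "ospite-5vh"
Jun 12 08:30:08.267: RADIUS:   Cisco AVpair       [1]   23 "ssid=Interactive_Test"
Jun 12 08:30:08.325: RADIUS: Received from id 1645/128 212.183.164.38:1812, Access-Challenge, len 95
Jun 12 08:30:08.325: RADIUS:   Cisco AVpair       [1]   25  "ssid=Interactive_Ospiti"
"""

SEND_RE = re.compile(r"Send (Access-\w+) to \S+ id (\S+), len")       # groups: type, id
RECV_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+), len")  # groups: id, type
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')

def parse_debug(text):
    """Split IOS 'debug radius' output into packets: type, id, user, avpairs."""
    packets = []
    for line in text.splitlines():
        s, r = SEND_RE.search(line), RECV_RE.search(line)
        if s or r:
            code, pid = s.groups() if s else r.groups()[::-1]
            packets.append({"type": code, "id": pid, "user": None, "avpairs": []})
        elif packets:  # attribute lines belong to the most recent packet header
            u, a = USER_RE.search(line), AVPAIR_RE.search(line)
            if u:
                packets[-1]["user"] = u.group(1)
            if a:
                packets[-1]["avpairs"].append(a.group(1))
    return packets

def ssid_of(pkt):
    """Value of the packet's ssid= AVpair, or None when it carries none."""
    return next((av[5:] for av in pkt["avpairs"] if av.startswith("ssid=")), None)

def check_ssid_enforcement(text):
    """Pair each Access-Request with the next same-id reply; an SSID mismatch between request
    and reply counts as enforced only on Access-Reject (Access-Challenge = EAP still running)."""
    packets, findings = parse_debug(text), []
    for i, req in enumerate(packets):
        reply = next((p for p in packets[i + 1:] if p["id"] == req["id"]
                      and p["type"] != "Access-Request"), None)
        if req["type"] != "Access-Request" or reply is None:
            continue
        assoc, returned = ssid_of(req), ssid_of(reply)
        findings.append({"user": req["user"], "associated": assoc, "returned": returned,
                         "reply": reply["type"],
                         "enforced": returned in (None, assoc) or reply["type"] == "Access-Reject"})
    return findings
```

On the sample above this reports user ospite-5vh associated to Interactive_Test while the server returned Interactive_Ospiti with an Access-Challenge, i.e. the mismatch was not rejected.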

Comments

Are you using ACS or some other RADIUS server?

I am using FreeRADIUS with a MySQL backend.

@MarcoMarzetti, can you add non-standard to the radius-server host line and let me know whether that changes the result you get? You may have to put the key 7 statement on its own separate line for it to work.

@MikePennington done, but nothing changed. By the way, when I change the value to "SSID=Interactive_Ospiti" I get this error: parsing unknown Cisco vsa "SSID" - IGNORE. So IOS does understand the attribute and tries to parse it.

What is the configuration of interface Dot11Radio?

Answer #1

Try changing the operator in the FreeRADIUS configuration to "=~":

ospite-5vh Cisco-AVPair =~ "ssid=Interactive_Ospiti"

Comments


I don't think this will help, because "=~" is used for comparison and I want to assign one. Note that the SSID check should be done by IOS, not by FreeRADIUS.

– Marco Marzetti
Jun 14 '13 at 7:14