Following the document linked above, I added the following attribute to the test user:
ospite-5vh Cisco-AVPair += "ssid=Interactive_Ospiti"
Then, with debug radius authentication enabled, I see:
Jun 12 08:30:08.266: RADIUS(00001A96): Send Access-Request to 212.183.164.38:1812 id 1645/128, len 177
Jun 12 08:30:08.266: RADIUS: authenticator CC C9 63 16 B0 62 74 52 - A7 95 DF 1D 93 F3 08 37
Jun 12 08:30:08.267: RADIUS: User-Name [1] 12 "ospite-5vh"
Jun 12 08:30:08.267: RADIUS: Framed-MTU [12] 6 1400
Jun 12 08:30:08.267: RADIUS: Called-Station-Id [30] 16 "8478.acf0.9002"
Jun 12 08:30:08.267: RADIUS: Calling-Station-Id [31] 16 "2064.3267.44ca"
Jun 12 08:30:08.267: RADIUS: Vendor, Cisco [26] 29
Jun 12 08:30:08.267: RADIUS: Cisco AVpair [1] 23 "ssid=Interactive_Test"
Jun 12 08:30:08.267: RADIUS: Service-Type [6] 6 Login [1]
Jun 12 08:30:08.267: RADIUS: Message-Authenticato[80] 18
Jun 12 08:30:08.267: RADIUS: 7D 95 ED 39 3D 12 82 9F 30 8D 1F F4 84 04 43 C9 [}??9=???0?????C?]
Jun 12 08:30:08.267: RADIUS: EAP-Message [79] 17
Jun 12 08:30:08.267: RADIUS: 02 01 00 0F 01 6F 73 70 69 74 65 2D 35 76 68 [?????ospite-5vh]
Jun 12 08:30:08.267: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 12 08:30:08.267: RADIUS: NAS-Port [5] 6 7037
Jun 12 08:30:08.268: RADIUS: NAS-Port-Id [87] 6 "7037"
Jun 12 08:30:08.268: RADIUS: NAS-IP-Address [4] 6 10.132.0.253
Jun 12 08:30:08.268: RADIUS: Nas-Identifier [32] 13 "UFFICIO-AP1"
Jun 12 08:30:08.325: RADIUS: Received from id 1645/128 212.183.164.38:1812, Access-Challenge, len 95
Jun 12 08:30:08.325: RADIUS: authenticator 8A C9 30 9B 1B 13 20 91 - 4C D6 FE B3 2A 1E F7 85
Jun 12 08:30:08.325: RADIUS: Vendor, Cisco [26] 31
Jun 12 08:30:08.325: RADIUS: Cisco AVpair [1] 25 "ssid=Interactive_Ospiti"
Jun 12 08:30:08.325: RADIUS: EAP-Message [79] 8
Jun 12 08:30:08.325: RADIUS: 01 02 00 06 19 20 [????? ]
Jun 12 08:30:08.325: RADIUS: Message-Authenticato[80] 18
Jun 12 08:30:08.325: RADIUS: 31 7D 79 7B C3 67 7E 71 5A FA 53 D4 76 2E 9D A4 [1}y{?g~qZ?S?v.??]
Jun 12 08:30:08.326: RADIUS: State [24] 18
Jun 12 08:30:08.326: RADIUS: 9E B6 71 EA 9E B4 68 7A 8E 86 18 54 AF BD AF 55 [??q???hz???T???U]
Jun 12 08:30:08.326: RADIUS(00001A96): Received from id 1645/128
So I expected the request to be rejected, because the SSID the client associated to does not match the one returned by RADIUS, but instead it was accepted and the user got connected.
The relevant configuration is:
aaa authentication login default group radius
aaa authentication login eap_methods group radius
aaa authorization network default if-authenticated
aaa accounting nested
aaa accounting update periodic 5
aaa accounting network eap_methods start-stop group radius
!
dot11 ssid Interactive
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 01120101551F035F7324DB1194F0ABEE1C0B03175B5C51
!
dot11 ssid Interactive_Ospiti
   vlan 4
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15475E1D0725242D262D265D12730301204
!
dot11 ssid Interactive_Test
   vlan 5
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   accounting eap_methods
   mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 4 mode ciphers aes-ccm tkip
 encryption vlan 1 mode ciphers aes-ccm tkip
 encryption vlan 5 mode ciphers aes-ccm tkip
 ssid Interactive
 ssid Interactive_Ospiti
 ssid Interactive_Test
 antenna gain 0
 mbssid
 no short-slot-time
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2457
 station-role root
!
interface Dot11Radio0.1
 description LAN Interactive
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.4
 description LAN Ospiti
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface Dot11Radio0.5
 description LAN Test
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 4 10.132.0.253
radius-server host 10.132.0.99 auth-port 1812 acct-port 1813 non-standard key 7 131312061E3811242A142A7C79
radius-server vsa send accounting
radius-server vsa send authentication
This is the output of #show version.
Can anyone help?
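To check a trace like the one above without reading it by eye, here is an added example (not part of the question and not Cisco or FreeRADIUS code) that groups debug radius lines by packet id and reports every exchange in which the ssid value the AP sent in the Access-Request is not among the ssid values the server returned. The sample lines are constructed from the trace above; the regexes assume the attribute layout IOS prints, with any amount of whitespace between fields.

```python
import re
from collections import defaultdict

# Constructed sample: a few records copied from the debug trace in the question.
SAMPLE_LOG = """\
Jun 12 08:30:08.266: RADIUS(00001A96): Send Access-Request to 212.183.164.38:1812 id 1645/128, len 177
Jun 12 08:30:08.267: RADIUS: User-Name [1] 12 "ospite-5vh"
Jun 12 08:30:08.267: RADIUS: Cisco AVpair [1] 23 "ssid=Interactive_Test"
Jun 12 08:30:08.325: RADIUS: Received from id 1645/128 212.183.164.38:1812, Access-Challenge, len 95
Jun 12 08:30:08.325: RADIUS: Cisco AVpair [1] 25 "ssid=Interactive_Ospiti"
"""

# Real output pads the columns with more spaces; \s+ absorbs either form.
SEND_RE = re.compile(r"RADIUS\(\w+\): Send (\S+) to \S+ id (\S+),")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\S+),")
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"=]+)=([^"]*)"')


def parse_debug_radius(text):
    """Group trace lines by RADIUS packet id and collect the Cisco AVpairs the
    NAS sent ("sent") separately from the ones the server returned ("received")."""
    exchanges = defaultdict(lambda: {"user": None, "reply": None,
                                     "sent": defaultdict(list), "received": defaultdict(list)})
    pid = side = None  # packet that the following attribute lines belong to
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            pid, side = m.group(2), "sent"
        elif m := RECV_RE.search(line):
            pid, side = m.group(1), "received"
            exchanges[pid]["reply"] = m.group(2)
        elif pid is None:
            continue  # attribute line seen before any packet header: skip it
        elif m := USER_RE.search(line):
            exchanges[pid]["user"] = m.group(1)
        elif m := AVPAIR_RE.search(line):
            exchanges[pid][side][m.group(1).lower()].append(m.group(2))
    return dict(exchanges)


def ssid_mismatches(exchanges):
    """Return (packet id, user, joined ssid, server ssids) for each exchange where
    the SSID the client associated to is not among the ssid values the server sent."""
    findings = []
    for pid, ex in sorted(exchanges.items()):
        joined, allowed = ex["sent"].get("ssid", []), ex["received"].get("ssid", [])
        if joined and allowed and not set(joined) & set(allowed):
            findings.append((pid, ex["user"], joined[0], allowed))
    return findings
```

On the trace above this reports id 1645/128: user ospite-5vh associated to Interactive_Test while the server returned ssid=Interactive_Ospiti, which is exactly the mismatch the question expected to be rejected.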
#1
Try changing the operator in the freeradius configuration to "=~": ospite-5vh Cisco-AVPair =~ "ssid=Interactive_Ospiti"
Comments
I don't think this will help, because "=~" is for comparisons and I want to assign one. Note that the SSID check should be done by IOS, not by FreeRADIUS.
– Marco Marzetti
Jun 14 '13 at 7:14
Comments
Are you using ACS or some other RADIUS server?
I'm using FreeRADIUS with a MySQL backend.
@MarcoMarzetti, could you add non-standard to the radius-server host line and let me know whether that changes the result you get? You may have to put the key 7 statement on a separate line for it to work.
@MikePennington done, but nothing changed. By the way, when I change the value to "SSID=Interactive_Ospiti" I get this error: parse unknown Cisco vsa "SSID" - IGNORE. So IOS does understand the attribute and tries to parse it.
What is the configuration of interface Dot11Radio?