ruffy1984
Goto Top

Netzwerk Zugangskontrolle mit 802.1x Zertifikat and Cisco ACS 4.2 mit Cisco Switch

Hallo Community,

ich habe mal wieder eine Frage an euch und hoffe das mich einer auf den richtigen Weg bringt.

Ich habe einen Cisco ACS Server 4.2 und einen Cisco Switch und möchte auf diesem Switch 802.1x Authentifizierung mit Zertifikaten einrichten.

Ich habe den Switch folgendermaßen eingerichtet im Globalen Modus:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting commands 15 default start-stop group tacacs+
dot1x system-auth-control
tacacs-server host 192.168.10.10
tacacs-server directed-request
tacacs-server key cisco
radius-server host 192.168.10.10 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication

meinen Accessport habe ich folgendermaßen konfiguriert:
interface GigabitEthernet2/1
description PEAP
switchport access vlan 5
switchport mode access
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 50
spanning-tree portfast
spanning-tree bpduguard enable


Meinen Client habe ich genau so konfiguriert wie es aqui in seinem Artikel zeigt:
Netzwerk Zugangskontrolle mit 802.1x und FreeRadius am LAN Switch


Ich habe ein Root Ca auf meinem Domainen Controller erstellt und dann im Cisco ACS ein generate self signing request angestoßen und das Zertifikat dann auch sauber von http://server/cersrv heruntergeladen und installiert.
Danach habe ich diese zertifikat in die Trust List rein genommen und in den Globalenkonfigurations modus PEAP aktiviert.


Jetzt habe ich eine Allgemeine Frage.
Wenn ich einen Windows Xp Client durch dieses Zertifikat authentifizieren lassen möchte, muss ich für jeden Client einen User anlegen ? unter User Setup ? oder reicht es wenn die Clients das Zertifikat besitzen ? Muss ich das zertifikat manuell installieren ?
Ich habe das Zertifikat per Gruppenrichtlinie in die Vertrauenwürdigen Zertifizirungsstellen hinzugefügt und der CLient sieht auch die Zertifizierungssstelle.


Das sagt die Log auf meinem Cisco Switch:
07:26:39: AUTH-EVENT (Gi2/32): 'restart' timer expired for client 0000.0000.0000
07:26:39: AUTH-EVENT (Gi2/32): Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
07:26:39: AUTH-EVENT (Gi2/32): Adding method dot1x to runnable list for Auth Mgr context 0xE200002F
07:26:39: AUTH-EVENT (Gi2/32): Sending START to dot1x (handle 0xE200002F)
07:26:39: dot1x_auth Gi2/32: initial state auth_initialize has enter
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_initialize_enter called
07:26:39: dot1x_auth Gi2/32: during state auth_initialize, got event 0(cfg_auto)
07:26:39: @@@ dot1x_auth Gi2/32: auth_initialize -> auth_disconnected
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_disconnected_enter called
07:26:39: dot1x_auth Gi2/32: idle during state auth_disconnected
07:26:39: @@@ dot1x_auth Gi2/32: auth_disconnected -> auth_restart
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_restart_enter called
07:26:39: dot1x-ev(Gi2/32): Sending create new context event to EAP for 0xEB000032 (0000.0000.0000)
07:26:39: dot1x_auth_bend Gi2/32: initial state auth_bend_initialize has enter
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_bend_initialize_enter called
07:26:39: dot1x_auth_bend Gi2/32: initial state auth_bend_initialize has idle
07:26:39: dot1x_auth_bend Gi2/32: during state auth_bend_initialize, got event 16383(idle)
07:26:39: @@@ dot1x_auth_bend Gi2/32: auth_bend_initialize -> auth_bend_idle
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_bend_idle_enter called
07:26:39: dot1x-ev(Gi2/32): Created a client entry (0xEB000032)
07:26:39: dot1x-ev(Gi2/32): Dot1x authentication started for 0xEB000032 (0000.0000.0000)
07:26:39: AUTH-EVENT (Gi2/32): Received handle 0xEB000032 from method
07:26:39: AUTH-EVENT (Gi2/32): Client 0000.0000.0000, Context changing state from 'Authz Failed' to 'Running'
07:26:39: AUTH-EVENT (Gi2/32): Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
07:26:39: dot1x-sm(Gi2/32): Posting !EAP_RESTART on Client 0xEB000032
07:26:39: dot1x_auth Gi2/32: during state auth_restart, got event 6(no_eapRestart)
07:26:39: @@@ dot1x_auth Gi2/32: auth_restart -> auth_connecting
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_connecting_enter called
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_restart_connecting_action called
07:26:39: dot1x-sm(Gi2/32): Posting RX_REQ on Client 0xEB000032
07:26:39: dot1x_auth Gi2/32: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
07:26:39: @@@ dot1x_auth Gi2/32: auth_connecting -> auth_authenticating
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_authenticating_enter called
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_connecting_authenticating_action called
07:26:39: dot1x-sm(Gi2/32): Posting AUTH_START for 0xEB000032
07:26:39: dot1x_auth_bend Gi2/32: during state auth_bend_idle, got event 4(eapReq_authStart)
07:26:39: @@@ dot1x_auth_bend Gi2/32: auth_bend_idle -> auth_bend_request
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_bend_request_enter called
07:26:39: dot1x-ev(Gi2/32): Sending EAPOL packet to group PAE address
07:26:39: dot1x-ev(Gi2/32): Role determination not required
07:26:39: dot1x-registry:registry:dot1x_ether_macaddr called
07:26:39: dot1x-ev(Gi2/32): Sending out EAPOL packet
07:26:39: EAPOL pak dump Tx
07:26:39: EAPOL Version: 0x3 type: 0x0 length: 0x0005
07:26:39: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
07:26:39: dot1x-packet(Gi2/32): EAPOL packet sent to client 0xEB000032 (0000.0000.0000)
07:26:39: dot1x-sm(Gi2/32): 0xEB000032:auth_bend_idle_request_action called
07:26:40: AUTH-EVENT: Stopped Auth Manager tick timer
07:27:03: dot1x-ev(Gi2/32): Interface state changed to DOWN
07:27:03: AUTH-EVENT (Gi2/32): Link DOWN
07:27:03: AUTH-EVENT (Gi2/32): Signalling "pre" delete for client 0000.0000.0000
07:27:03: AUTH-EVENT: Enter auth_mgr_idc_client_deleted
07:27:03: AUTH-EVENT: Enter auth_mgr_idc_remove_record
07:27:03: AUTH-SYNC (Gi2/32): Syncing delete for context (0000.0000.0000)
07:27:03: AUTH-EVENT (Gi2/32): Sending DELETE to dot1x (handle 0xE200002F)
07:27:03: dot1x-ev(Gi2/32): Deleting client 0xEB000032 (0000.0000.0000)
07:27:03: AUTH-EVENT (Gi2/32): Signalling "post" delete for client 0000.0000.0000 in domain DATA
07:27:03: AUTH-EVENT (Gi2/32): Authorized client count: 0
07:27:03: AUTH-EVENT (Gi2/32): Authorized client count: 0
07:27:03: AUTH-EVENT (Gi2/32): Setting vlan to 0 on DATA Vlan
07:27:03: AUTH-EVENT (Gi2/32): Unauthorizing interface in shim
07:27:03: AUTH-EVENT (Gi2/32): dot1x_switch_get_default_host_access: Host access set to deny GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): host access set to 2 on GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): dot1x_switch_get_default_host_access: Host access set to deny GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): host access set to 2 on GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): Authorized client count: 0
07:27:03: AUTH-EVENT (Gi2/32): Setting vlan to 0 on DATA Vlan
07:27:03: AUTH-EVENT (Gi2/32): Unauthorizing interface in shim
07:27:03: AUTH-EVENT (Gi2/32): dot1x_switch_get_default_host_access: Host access set to deny GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): host access set to 2 on GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): dot1x_switch_get_default_host_access: Host access set to deny GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): host access set to 2 on GigabitEthernet2/32
07:27:03: AUTH-EVENT (Gi2/32): Queued START
07:27:03: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on GigabitEthernet2/32
07:27:03: dot1x-ev:Delete auth client (0xEB000032) message
07:27:03: dot1x-ev:Auth client ctx destroyed
07:27:03: AUTH-EVENT (Gi2/32): Freed Auth Manager context
07:27:03: AUTH-EVENT (Gi2/32): Received internal event START
07:31:41: AUTH-EVENT (Gi2/32): dot1x_pm_mda_port_link_linkcomingup: voice VLAN 4096, data VLAN 198
07:31:41: dot1x-ev(Gi2/32): Interface state changed to UP
07:31:41: AUTH-EVENT (Gi2/32): Enabling dot1x in switch shim
07:31:41: AUTH-EVENT (Gi2/32): dot1x_switch_get_default_host_access: Host access set to deny GigabitEthernet2/32
07:31:41: AUTH-EVENT (Gi2/32): host access set to 2 on GigabitEthernet2/32
07:31:41: AUTH-EVENT (Gi2/32): dot1x_switch_get_default_host_access: Host access set to deny GigabitEthernet2/32
07:31:41: AUTH-EVENT (Gi2/32): host access set to 2 on GigabitEthernet2/32
07:31:41: AUTH-EVENT (Gi2/32): Link UP
07:31:41: AUTH-EVENT (Gi2/32): Assigned AAA ID 0x0000004A
07:31:41: AUTH-EVENT (Gi2/32): Retrieved Accounting Session ID 0x0000012C
07:31:41: AUTH-EVENT (Gi2/32): Allocated new Auth Manager context (handle 0xFE000030)
07:31:41: AUTH-EVENT (Gi2/32): Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
07:31:41: AUTH-EVENT (Gi2/32): Adding method dot1x to runnable list for Auth Mgr context 0xFE000030
07:31:41: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=C0A8C6C90000002F019D87A3
07:31:41: AUTH-EVENT (Gi2/32): Sending START to dot1x (handle 0xFE000030)
07:31:41: dot1x_auth Gi2/32: initial state auth_initialize has enter
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_initialize_enter called
07:31:41: dot1x_auth Gi2/32: during state auth_initialize, got event 0(cfg_auto)
07:31:41: @@@ dot1x_auth Gi2/32: auth_initialize -> auth_disconnected
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_disconnected_enter called
07:31:41: dot1x_auth Gi2/32: idle during state auth_disconnected
07:31:41: @@@ dot1x_auth Gi2/32: auth_disconnected -> auth_restart
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_restart_enter called
07:31:41: dot1x-ev(Gi2/32): Sending create new context event to EAP for 0x2F000033 (0000.0000.0000)
07:31:41: dot1x_auth_bend Gi2/32: initial state auth_bend_initialize has enter
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_bend_initialize_enter called
07:31:41: dot1x_auth_bend Gi2/32: initial state auth_bend_initialize has idle
07:31:41: dot1x_auth_bend Gi2/32: during state auth_bend_initialize, got event 16383(idle)
07:31:41: @@@ dot1x_auth_bend Gi2/32: auth_bend_initialize -> auth_bend_idle
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_bend_idle_enter called
07:31:41: dot1x-ev(Gi2/32): Created a client entry (0x2F000033)
07:31:41: dot1x-ev(Gi2/32): Dot1x authentication started for 0x2F000033 (0000.0000.0000)
07:31:41: AUTH-EVENT (Gi2/32): Received handle 0x2F000033 from method
07:31:41: AUTH-EVENT (Gi2/32): Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
07:31:41: AUTH-EVENT (Gi2/32): Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
07:31:41: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet2/32
07:31:41: dot1x-sm(Gi2/32): Posting !EAP_RESTART on Client 0x2F000033
07:31:41: dot1x_auth Gi2/32: during state auth_restart, got event 6(no_eapRestart)
07:31:41: @@@ dot1x_auth Gi2/32: auth_restart -> auth_connecting
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_connecting_enter called
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_restart_connecting_action called
07:31:41: dot1x-sm(Gi2/32): Posting RX_REQ on Client 0x2F000033
07:31:41: dot1x_auth Gi2/32: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
07:31:41: @@@ dot1x_auth Gi2/32: auth_connecting -> auth_authenticating
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_authenticating_enter called
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_connecting_authenticating_action called
07:31:41: dot1x-sm(Gi2/32): Posting AUTH_START for 0x2F000033
07:31:41: dot1x_auth_bend Gi2/32: during state auth_bend_idle, got event 4(eapReq_authStart)
07:31:41: @@@ dot1x_auth_bend Gi2/32: auth_bend_idle -> auth_bend_request
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_bend_request_enter called
07:31:41: dot1x-ev(Gi2/32): Sending EAPOL packet to group PAE address
07:31:41: dot1x-ev(Gi2/32): Role determination not required
07:31:41: dot1x-registry:registry:dot1x_ether_macaddr called
07:31:41: dot1x-ev(Gi2/32): Sending out EAPOL packet
07:31:41: EAPOL pak dump Tx
07:31:41: EAPOL Version: 0x3 type: 0x0 length: 0x0005
07:31:41: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
07:31:41: dot1x-packet(Gi2/32): EAPOL packet sent to client 0x2F000033 (0000.0000.0000)
07:31:41: dot1x-sm(Gi2/32): 0x2F000033:auth_bend_idle_request_action called
07:31:52: dot1x-ev(Gi2/32): Role determination not required
07:31:52: dot1x-packet(Gi2/32): queuing an EAPOL pkt on Auth Q
07:31:52: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
07:31:52: EAPOL pak dump rx
07:31:52: EAPOL Version: 0x1 type: 0x1 length: 0x0000
07:31:52: dot1x-ev:
dot1x_auth_queue_event: Int Gi2/32 CODE= 0,TYPE= 0,LEN= 0


Mein Windows Xp Client will sich einfach nicht Authentifizieren und ich bekomme Authentifizierung Fehlgeschlagen.

Ich kann leider mit der Logg nichts anfangen.

Könnte mir vielleicht auf den Weg helfen wo ich noch schauen könnte um das Problem zu lösen.

Vielen Dank

Content-ID: 186359

Url: https://administrator.de/contentid/186359

Ausgedruckt am: 22.11.2024 um 05:11 Uhr

Ruffy1984
Ruffy1984 13.06.2012 um 13:31:41 Uhr
Goto Top
Aqui hast du noch nicht mal einen Tipp für mich face-smile
aqui
Lösung aqui 13.06.2012, aktualisiert am 23.10.2015 um 12:22:26 Uhr
Goto Top
Halte dich erstmal grundlegend ans Tutorial:
Netzwerk Zugangskontrolle mit 802.1x und FreeRadius am LAN Switch
Dort findest du auch eine passende Cisco Switch Konfig.
Bevor du mit Zertifikaten arbeitest solltest du zuallererst wasserdicht prüfen ob die Port Authentisierung normal mit Username /Passwort klappt um überhaupt zu verifizieren das .1x generell funktioniert. Dann macht man den Step aufs Zertifikat !
Das Zertifikats Handling macht rein der .1x Client, damit hat der Switch nix zu tun !
Ruffy1984
Ruffy1984 13.06.2012 um 13:57:43 Uhr
Goto Top
Okay.. ich danke dir.. das werde ich erst mal so machen. Danke