RADIUS实验(802.1x)

实验拓扑结构

准备工作

检查ACS服务器的状态

一、基本配置概览

1、acs上定义用户

2、授权用户使用网络

3、添加接入nas，使用radius协议，设置共享密钥

4、交换机上启用802.1x

5、pc上启用eap认证

二、具体配置如下：

1、ACS服务器配置->定义1个用户组-8021x组

2、ACS服务器配置->定义1个用户(配置用户名、密码)，划分到前面创建的8021x用户组

用户名8021x，密码cisco

3、配置授权策略，授权8021x用户组的用户可以使用网络资源

4、ACS服务器配置->添加radius客户端-vIOS交换机，同时设置客户端与服务器之间的共享密钥为cisco。

5、交换机上启用AAA及802.1x

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius server RS

address ipv4 10.1.1.1 auth-port 1645 acct-port 1646

key cisco

dot1x system-auth-control

interface GigabitEthernet0/0

switchport mode access

media-type rj45

negotiation auto

authentication event fail retry 3 action next-method

authentication host-mode multi-host

authentication port-control auto

dot1x pae authenticator

spanning-tree portfast edge

6、pc上启用eap认证

EAP-PEAP和EAP-MSCHAPv2

802.1x认证/授权

1、实验过程及结果

2、debug(中间有TLS协商，协商完成后，加密所有MSCHAPv2认证消息，所有debug看起来费劲)

NAS#

*Sep 20 10:20:17.680: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:17.682: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:17.683: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:17.685: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:17.686: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:17.686: RADIUS(00000000): sending

*Sep 20 10:20:17.691: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:17.692: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/28, len 249

*Sep 20 10:20:17.693: RADIUS: authenticator 8A 61 81 D9 93 22 53 79 - 54 4F 18 52 1B E3 F7 E5

*Sep 20 10:20:17.694: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:17.696: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:17.697: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:17.699: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:17.700: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:17.702: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:17.703: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:17.704: RADIUS: EAP-Message [79] 12

*Sep 20 10:20:17.705: RADIUS: 02 DA 00 0A 01 38 30 32 31 78 [ 8021x]

*Sep 20 10:20:17.706: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:17.707: RADIUS: 29 C5 76 6F 0F C2 6F B9 B4 E2 5B F7 2F 4C 84 45 [ )voo[/LE]

*Sep 20 10:20:17.708: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:17.709: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:17.709: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:17.710: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:17.710: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:17.712: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:17.713: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:17.714: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:17.715: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:17.716: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:17.718: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:17.726: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:17.922: RADIUS: Received from id 1645/28 10.1.1.1:1645, Access-Challenge, len 79

*Sep 20 10:20:17.922: RADIUS: authenticator 72 96 96 B7 AA 1D 19 45 - 85 D0 63 84 57 3C 2C 39

*Sep 20 10:20:17.923: RADIUS: State [24] 33

*Sep 20 10:20:17.923: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:17.924: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:17.924: RADIUS: EAP-Message [79] 8

*Sep 20 10:20:17.925: RADIUS: 01 AD 00 06 0D 20 [ ]

*Sep 20 10:20:17.925: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:17.926: RADIUS: 6A 96 27 76 C2 17 B6 95 0E 95 2A 99 AA 69 3A 31 [ j'v*i:1]

*Sep 20 10:20:17.926: RADIUS(00000000): Received from id 1645/28

*Sep 20 10:20:17.927: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes

*Sep 20 10:20:17.939: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:17.941: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:17.942: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:17.942: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:17.943: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:17.943: RADIUS(00000000): sending

*Sep 20 10:20:17.946: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:17.948: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/29, len 278

*Sep 20 10:20:17.949: RADIUS: authenticator D1 B9 1B 4F B1 BA CA 18 - D7 0E 08 5C 95 66 1E B8

*Sep 20 10:20:17.949: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:17.950: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:17.951: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:17.952: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:17.953: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:17.954: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:17.955: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:17.956: RADIUS: EAP-Message [79] 8

*Sep 20 10:20:17.956: RADIUS: 02 AD 00 06 03 19

*Sep 20 10:20:17.957: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:17.958: RADIUS: 90 39 E1 6B F5 D3 38 00 74 13 3F F1 0D 0B D4 D7 [ 9k8t?]

*Sep 20 10:20:17.959: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:17.960: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:17.960: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:17.962: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:17.963: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:17.965: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:17.967: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:17.968: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:17.969: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:17.970: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:17.971: RADIUS: State [24] 33

*Sep 20 10:20:17.972: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:17.973: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:17.973: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:17.977: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:17.997: RADIUS: Received from id 1645/29 10.1.1.1:1645, Access-Challenge, len 79

*Sep 20 10:20:17.997: RADIUS: authenticator 61 7F 7F A1 4D D2 EF 2D - 1D 5E FE 10 1A B7 CD 23

*Sep 20 10:20:17.998: RADIUS: State [24] 33

*Sep 20 10:20:17.998: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:17.999: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:18.000: RADIUS: EAP-Message [79] 8

*Sep 20 10:20:18.000: RADIUS: 01 AE 00 06 19 21 [ !]

*Sep 20 10:20:18.001: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:18.001: RADIUS: 95 43 04 B9 F1 84 CA 9E A0 25 96 7C 05 73 F9 0B [ C?|s]

*Sep 20 10:20:18.002: RADIUS(00000000): Received from id 1645/29

*Sep 20 10:20:18.003: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes

*Sep 20 10:20:19.011: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:19.012: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:19.012: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:19.013: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:19.013: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:19.014: RADIUS(00000000): sending

*Sep 20 10:20:19.018: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:19.019: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/30, len 417

*Sep 20 10:20:19.020: RADIUS: authenticator 45 FA 30 C6 14 44 3F 89 - 3A 76 67 30 4F 92 96 34

*Sep 20 10:20:19.020: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:19.021: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:19.022: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:19.023: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:19.024: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:19.025: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:19.026: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:19.027: RADIUS: EAP-Message [79] 147

*Sep 20 10:20:19.027: RADIUS: 02 AE 00 91 19 80 00 00 00 87 16 03 01 00 82 01 00 00 7E 03 01 63 29 26 E3 23 83 B7 0D 53 DD 1A 1C EB 92 1A 13 DA 9A 4D 81 17 DB D5 50 F9 F1 8F F4 27 0F 07 DD 20 97 B1 9A 8A EE 6F 6E EB 49 91 A3 65 42 D1 2D [~c)&#SMP' onIeB-]

*Sep 20 10:20:19.027: RADIUS: 05 F5 50 C8 6B F6 8E F5 1C 6E 36 99 EF 3D AC 99 D8 00 1C C0 14 C0 13 00 39 00 33 00 35 00 2F C0 0A C0 09 00 38 00 32 00 0A 00 13 00 05 00 04 01 00 00 19 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 00 17 00 00 FF 01 00 01 00 [ Pkn6=935/82]

*Sep 20 10:20:19.027: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.027: RADIUS: A0 17 5E AD 95 EF 8A 3E D3 6D C3 FB AC 0C B1 D4 [ ^>m]

*Sep 20 10:20:19.027: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:19.027: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:19.028: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:19.030: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:19.031: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:19.032: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:19.033: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:19.034: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:19.035: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:19.037: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:19.039: RADIUS: State [24] 33

*Sep 20 10:20:19.040: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:19.041: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:19.041: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:19.048: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:19.569: RADIUS: Received from id 1645/30 10.1.1.1:1645, Access-Challenge, len 942

*Sep 20 10:20:19.569: RADIUS: authenticator A8 CD 94 55 04 41 B6 EF - 9E 52 35 06 07 8E 7B CB

*Sep 20 10:20:19.570: RADIUS: State [24] 33

*Sep 20 10:20:19.571: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:19.571: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:19.572: RADIUS: EAP-Message [79] 255

*Sep 20 10:20:19.572: RADIUS: 01 AF 03 5F 19 00 16 03 01 00 51 02 00 00 4D 03 01 4C 8C 3F 4A C7 FB AB 2C 09 89 45 0A 9B 54 80 70 79 71 37 9D 73 D9 88 3E 65 [_QML?J,ETpyq7s>e]

*Sep 20 10:20:19.573: RADIUS: 47 B7 0B 32 44 88 9F 20 E2 0E 02 FA D1 D7 45 1E FC A0 76 45 11 CC EB DC 01 38 27 F8 32 55 15 E8 38 2B 37 97 A4 9B 12 20 00 35 [G2D EvE8'2U8+7 5]

*Sep 20 10:20:19.573: RADIUS: 00 00 05 FF 01 00 01 00 16 03 01 02 F5 0B 00 02 F1 00 02 EE 00 02 EB 30 82 02 E7 30 82 01 CF A0 03 02 01 02 02 05 00 A8 BF 76 8F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 35 31 10 30 0E 06 03 55 04 0A 13 07 55 6E 6B 6E 6F [00v0*H0510UUnkno]

*Sep 20 10:20:19.574: RADIUS: 77 6E 31 10 30 0E 06 03 55 04 0B 13 07 55 6E 6B 6E 6F 77 6E 31 0F 30 0D 06 03 55 04 03 13 06 61 [wn10UUnknown10Ua]

*Sep 20 10:20:19.574: RADIUS: 63 73 35 2D 38 30 1E 17 0D 31 37 30 31 31 33 31 35 34 34 [cs5-801701131544]

*Sep 20 10:20:19.575: RADIUS: 31 31 5A 17 0D 31 37 30 34 31 33 31 35 34 34 31 31 5A [11Z170413154411Z]

*Sep 20 10:20:19.575: RADIUS: 30 35 31 10 30 0E 06 03 55 04 0A 13 07 55 6E 6B 6E 6F 77 6E 31 10 30 0E [ 0510UUnknown10]

*Sep 20 10:20:19.576: RADIUS: EAP-Message [79] 255

*Sep 20 10:20:19.576: RADIUS: 06 03 55 04 0B 13 07 55 6E 6B 6E 6F 77 6E 31 0F 30 0D 06 03 55 04 03 13 06 61 63 73 35 2D [UUnknown10Uacs5-]

*Sep 20 10:20:19.577: RADIUS: 38 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 BE 24 7F FF 8C 99 36 BD C5 EA 44 13 8B 2D 0D 38 15 32 4F 99 09 5E BA 5E [80"0*H0$6D-82O^^]

*Sep 20 10:20:19.578: RADIUS: 1E 99 F6 E9 60 B9 1B A2 B8 62 F6 97 4D 08 98 3E DC AD B5 3E 81 F5 06 0C AF 20 2C 56 65 E3 3F 14 1A 2A 72 AE C5 C4 0C 29 0D 47 B5 B9 E7 D4 45 9D 54 [`bM>> ,Ve?*r)GET]

*Sep 20 10:20:19.578: RADIUS: BA CB 15 6A 3D 3A 53 5A FA D5 CD 94 18 E7 CB 62 F9 8E 9D 79 9C 8C 16 1E 60 1C 7E 16 CE A5 D6 6D 49 05 CA 4D 83 72 50 20 2F [j=:SZby`~mIMrP /]

*Sep 20 10:20:19.579: RADIUS: 37 CF 1B 8A 60 3B 9C 93 AB 0D 01 5A 40 BE 83 C7 FC A5 84 9B 1D 4A A7 B5 9B 9F F4 73 5C 91 83 64 02 C5 0A D8 4C 2E BA 55 94 DD 3C DF 3D C2 B3 3D 24 [7`;Z@Js\dL.U<==$]

*Sep 20 10:20:19.579: RADIUS: 5E 18 A3 02 12 F6 12 62 8C 4D 83 DA F4 4F 9A 6F 56 E0 B3 00 4F E8 A8 D9 B9 9F [ ^bMOoVO]

*Sep 20 10:20:19.579: RADIUS: EAP-Message [79] 255

*Sep 20 10:20:19.580: RADIUS: 50 05 89 08 C8 39 AD 9E F7 EE F5 B8 93 08 DE C3 23 58 9E 05 08 52 D0 97 90 DD 02 AB DF 58 74 FC 75 3A 73 2A 20 F0 04 E7 80 30 20 F0 3E 9A 2A [P9#XRXtu:s* 0 >*]

*Sep 20 10:20:19.581: RADIUS: D3 D8 90 F9 66 0A 5B D8 5A 5A F7 B7 64 20 7D 12 03 CD D4 0F 02 03 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 7B DA FB C4 80 6C 99 13 B2 6A 0E 17 6D 1F 97 CF 3B 3D [f[ZZd }0*H{ljm;=]

*Sep 20 10:20:19.581: RADIUS: 33 C8 0A 95 C0 E5 4E C4 D5 5B 3E 52 9A 25 1B 3A 80 D1 3F D8 71 9C 06 EB 86 16 FD 69 69 07 81 00 DB B2 E4 DB A9 93 1D A0 6F 4C E2 A9 EB 7A DD 87 08 BC F8 84 F9 B6 E8 AD 9B D7 A8 67 07 31 [3N[>R?:?qiioLzg1]

*Sep 20 10:20:19.582: RADIUS: FD 79 AB 4C DA AB F6 6F 41 55 A6 F3 3E 31 0D D2 B6 A4 C3 C6 05 D9 A9 3B D2 E5 89 41 7C F0 47 6A F1 E7 44 16 99 42 3F B1 7D [yLoAU>1;A|GjDB?}]

*Sep 20 10:20:19.582: RADIUS: E5 BD A7 02 7E F0 E5 EB 96 66 03 8C 5C 05 90 B8 06 B6 9E 2F 30 A4 EC A5 84 84 30 71 90 BD 95 16 9E EB 2B 1A 7E 0B 29 BB [ ~f\/00q+~)]

*Sep 20 10:20:19.583: RADIUS: EAP-Message [79] 106

*Sep 20 10:20:19.583: RADIUS: B6 E0 39 3E 8C 1F E3 58 23 65 4B A0 6C 14 E2 C4 5A 86 A7 16 1D 3E C7 46 B5 73 B6 47 41 6B F5 30 15 EE F2 F3 BC D4 E6 7A [9>X#eKlZ>FsGAk0z]

*Sep 20 10:20:19.584: RADIUS: 94 AA C8 6E 31 8B 52 89 6D B1 30 1C 5D 16 A6 C9 74 8B DC A5 33 7A F8 7F CF 72 C8 60 D8 A4 D7 EA FF B2 00 D8 29 4E 07 4F 8E 39 65 [n1Rm0]t3zr`)NO9e]

*Sep 20 10:20:19.585: RADIUS: 36 10 2D 0A D9 3F CA FD 20 45 3F C6 16 03 01 00 04 0E 00 00 00 [ 6-? E?]

*Sep 20 10:20:19.585: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.586: RADIUS: 3D ED F4 D0 5F E4 B3 76 24 89 CE F7 BD 89 F5 0A [ =_v$]

*Sep 20 10:20:19.587: RADIUS(00000000): Received from id 1645/30

*Sep 20 10:20:19.587: RADIUS/DECODE: EAP-Message fragments, 253+253+253+104, total 863 bytes

*Sep 20 10:20:19.685: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:19.687: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:19.687: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:19.688: RADIUS/ENCODE: EAP-Message fragment 336 into 253+83, total 336 bytes

*Sep 20 10:20:19.689: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:19.689: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:19.691: RADIUS(00000000): sending

*Sep 20 10:20:19.697: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:19.698: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/31, len 610

*Sep 20 10:20:19.699: RADIUS: authenticator 16 63 02 B8 78 63 EE 12 - 4E 04 D76B 5B 70 2B 15

*Sep 20 10:20:19.699: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:19.701: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:19.702: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:19.703: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:19.704: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:19.705: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:19.707: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:19.708: RADIUS: EAP-Message [79] 255

*Sep 20 10:20:19.709: RADIUS: 02 AF 01 50 19 80 00 00 01 46 16 03 01 01 06 10 00 01 02 01 00 B3 3F EB 97 29 A5 E8 EB 95 32 5B 0B EA 56 F3 BD 54 97 5E 2B 8A 87 E8 D0 E0 C0 C6 28 15 F9 41 7F 16 C3 25 7D 40 11 5F [PF?)2[VT^+(A?}@_]

*Sep 20 10:20:19.709: RADIUS: 65 17 D4 0A B6 64 0E 58 2C A6 10 95 3E C4 BE 55 C4 9A 59 9F 61 79 69 14 FA CF D7 2F 43 16 36 72 4F 31 [edX,>UYayi/C6rO1]

*Sep 20 10:20:19.710: RADIUS: C9 24 DD E6 56 6F 62 64 96 3F AB 6B 15 A0 33 95 54 28 07 F5 4F 47 8B 59 2B 75 E9 57 [$Vobd?k3T(OGY+uW]

*Sep 20 10:20:19.711: RADIUS: FF 46 B4 1D 3B A3 A9 A6 26 6B D3 2C D1 D5 76 DF E4 EC 6E E6 DE 4B 33 25 BE FF 5F 7A EB 92 37 EB D6 C8 79 C4 47 14 5C [F;&k,vnK3?_z7yG\]

*Sep 20 10:20:19.711: RADIUS: 0B A9 F3 AC 27 8B 83 0A A9 D1 0B 84 72 A3 F7 9E FD EE BA 71 AD BA 21 A3 78 2D 00 31 5B 9F A8 14 6A EA 88 2D 74 F3 29 A0 0E 0C 80 74 78 2D E8 F3 8B F7 D2 48 ['rq!x-1[j-t)tx-H]

*Sep 20 10:20:19.712: RADIUS: 88 82 EA 63 3C F6 55 4A A4 E5 E3 9D CB 80 81 42 6C 5D D5 59 DC AE 8A 81 09 E7 B0 F8 C5 71 17 06 BD 8E 28 BE 99 F6 9C 21 [ c<UJBl]Yq(!]

*Sep 20 10:20:19.713: RADIUS: EAP-Message [79] 85

*Sep 20 10:20:19.714: RADIUS: 99 83 A5 77 07 17 95 95 B1 E9 D4 58 35 A6 2A E7 5B 41 C2 B5 3C 36 96 40 14 03 01 00 01 01 16 03 01 00 30 8F 09 75 71 17 7E C8 57 B2 52 DC 2D [wX5*[A<6@0uq~WR-]

*Sep 20 10:20:19.715: RADIUS: 28 02 CA 6E 78 96 37 67 76 F8 4F F0 CD 1B 00 E1 00 55 4B 28 DA 99 57 CF 93 61 FD 6B B5 FB AE 83 8A 76 9C C1 [ (nx7gvOUK(Wakv]

*Sep 20 10:20:19.716: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.716: RADIUS: 2A EC 27 D7 04 49 AA E9 9B 5F 57 26 6C FD D2 75 [ *'I_W&lu]

*Sep 20 10:20:19.717: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:19.718: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:19.719: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:19.720: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:19.721: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:19.722: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:19.723: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:19.725: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:19.726: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:19.727: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:19.729: RADIUS: State [24] 33

*Sep 20 10:20:19.730: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:19.731: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:19.732: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:19.742: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:19.803: RADIUS: Received from id 1645/31 10.1.1.1:1645, Access-Challenge, len 138

*Sep 20 10:20:19.804: RADIUS: authenticator 18 BA 19 CB 12 F4 4D 18 - DE 8C 8A CC 1C 45 3E 55

*Sep 20 10:20:19.805: RADIUS: State [24] 33

*Sep 20 10:20:19.805: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:19.807: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:19.808: RADIUS: EAP-Message [79] 67

*Sep 20 10:20:19.810: RADIUS: 01 B0 00 41 19 00 14 03 01 00 01 01 16 03 01 00 30 5F 36 92 D8 8B 9C E7 D9 8B FD B8 1D 23 21 33 E6 5D A7 81 1A 98 A5 5E 19 80 33 77 02 19 DF F9 42 3C 28 0A 2D 06 54 [A0_6#!3]^3wB<(-T]

*Sep 20 10:20:19.810: RADIUS: D4 B9 C0 C4 DB 4A 73 88 B4 EE [ Js]

*Sep 20 10:20:19.811: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.812: RADIUS: 0A 3E 88 94 98 7D 47 71 1A CC 61 6D 81 C0 AF 55 [ >}GqamU]

*Sep 20 10:20:19.813: RADIUS(00000000): Received from id 1645/31

*Sep 20 10:20:19.813: RADIUS/DECODE: EAP-Message fragments, 65, total 65 bytes

*Sep 20 10:20:19.857: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:19.860: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:19.860: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:19.861: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:19.862: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:19.864: RADIUS(00000000): sending

*Sep 20 10:20:19.869: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:19.871: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/32, len 278

*Sep 20 10:20:19.873: RADIUS: authenticator F8 C8 6A 56 98 2D BF BE - 1D 00 50 67 91 58 23 D5

*Sep 20 10:20:19.874: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:19.876: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:19.879: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:19.880: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:19.882: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:19.884: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:19.885: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:19.886: RADIUS: EAP-Message [79] 8

*Sep 20 10:20:19.886: RADIUS: 02 B0 00 06 19 00

*Sep 20 10:20:19.887: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.888: RADIUS: 49 1F 7E 05 E4 3F 5F 99 99 49 BF 4F A3 21 D5 32 [ I~?_IO!2]

*Sep 20 10:20:19.889: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:19.890: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:19.891: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:19.893: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:19.894: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:19.897: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:19.900: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:19.901: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:19.902: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:19.904: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:19.905: RADIUS: State [24] 33

*Sep 20 10:20:19.906: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:19.906: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:19.907: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:19.911: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:19.939: RADIUS: Received from id 1645/32 10.1.1.1:1645, Access-Challenge, len 116

*Sep 20 10:20:19.940: RADIUS: authenticator 7C 61 5D CA A5 2A B9 96 - 0F 11 CB 64 6A 22 B6 13

*Sep 20 10:20:19.940: RADIUS: State [24] 33

*Sep 20 10:20:19.941: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:19.941: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:19.942: RADIUS: EAP-Message [79] 45

*Sep 20 10:20:19.943: RADIUS: 01 B1 00 2B 19 00 17 03 01 00 20 19 F1 B0 5B B1 3B 7C C3 35 DF 5B F0 E6 F3 E8 CF 5D A8 B5 FB 86 68 89 0A 2C FD F9 B7 33 ED 9B D5 [ + [;|5[]h,3]

*Sep 20 10:20:19.943: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.944: RADIUS: 68 F3 EF 6B CD 9B 60 30 50 67 8A 0F CA 54 A5 02 [ hk`0PgT]

*Sep 20 10:20:19.944: RADIUS(00000000): Received from id 1645/32

*Sep 20 10:20:19.945: RADIUS/DECODE: EAP-Message fragments, 43, total 43 bytes

*Sep 20 10:20:19.968: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:19.971: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:19.972: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:19.973: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:19.973: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:19.975: RADIUS(00000000): sending

*Sep 20 10:20:19.981: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:19.981: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/33, len 315

*Sep 20 10:20:19.983: RADIUS: authenticator 26 A8 81 D2 A4 20 19 86 - 16 2E 0A 96 6F 52 E9 27

*Sep 20 10:20:19.983: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:19.985: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:19.986: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:19.987: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:19.988: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:19.989: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:19.990: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:19.991: RADIUS: EAP-Message [79] 45

*Sep 20 10:20:19.992: RADIUS: 02 B1 00 2B 19 00 17 03 01 00 20 C2 FC 33 A8 BE 01 B2 80 CC F2 35 27 19 3D 77 35 EB 29 3D E9 85 7E F1 85 8D 1F 62 2C 33 06 84 18 [ + 35'=w5)=~b,3]

*Sep 20 10:20:19.993: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:19.993: RADIUS: C2 D4 A4 2B BB 18 BB F8 79 AC 3D 55 CD 89 77 C1 [ +y=Uw]

*Sep 20 10:20:19.995: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:19.996: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:19.997: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:19.998: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:19.999: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:20.000: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:20.002: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:20.003: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:20.003: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:20.007: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:20.008: RADIUS: State [24] 33

*Sep 20 10:20:20.009: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:20.009: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:20.010: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:20.012: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:20.967: RADIUS: Received from id 1645/33 10.1.1.1:1645, Access-Challenge, len 148

*Sep 20 10:20:20.968: RADIUS: authenticator 7A A1 8C BA 4C 12 DA 5E - FC 55 BD 22 F7 97 71 A1

*Sep 20 10:20:20.968: RADIUS: State [24] 33

*Sep 20 10:20:20.969: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:20.969: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:20.970: RADIUS: EAP-Message [79] 77

*Sep 20 10:20:20.970: RADIUS: 01 B2 00 4B 19 00 17 03 01 00 40 2D 14 D8 4F BC AA 03 88 F0 67 0D DB 5B BA C7 3A 34 4C 15 15 85 97 23 C3 EA 53 3F A5 5C A7 9C 6F A4 C1 66 A4 BC 75 [K@-Og[:4L#S?\ofu]

*Sep 20 10:20:20.971: RADIUS: D6 CC DC B3 84 A6 CB C8 CE 45 5A 1C 6A 8C 87 F2 27 DD 30 6C 6C 13 CF DB 69 02 [ EZj'0lli]

*Sep 20 10:20:20.971: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:20.971: RADIUS: D6 3F B4 A5 3C A2 01 78 AF 69 75 CD CB 6D D3 EC [ ?<xium]

*Sep 20 10:20:20.972: RADIUS(00000000): Received from id 1645/33

*Sep 20 10:20:20.973: RADIUS/DECODE: EAP-Message fragments, 75, total 75 bytes

*Sep 20 10:20:20.992: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:20.993: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:20.994: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:20.995: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:20.995: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:20.996: RADIUS(00000000): sending

*Sep 20 10:20:20.998: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:20.999: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/34, len 379

*Sep 20 10:20:20.999: RADIUS: authenticator 90 40 67 4C BF 29 1F D5 - A4 A4 DF 64 E3 FF 57 AF

*Sep 20 10:20:21.000: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:21.001: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:21.002: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:21.002: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:21.003: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:21.004: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:21.005: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:21.006: RADIUS: EAP-Message [79] 109

*Sep 20 10:20:21.006: RADIUS: 02 B2 00 6B 19 00 17 03 01 00 60 7B F7 C8 48 F4 1E 5B F5 D5 E6 B3 2D BC 53 81 D8 97 7A 52 26 DA 4A 66 0D E1 93 9E FA 31 86 17 47 33 18 FC C3 D7 13 5F [k`{H[-SzR&Jf1G3_]

*Sep 20 10:20:21.007: RADIUS: 21 A0 8C 1B 2F BE D9 CE 91 26 39 46 65 C1 1E F7 1A C8 B5 8C AA 33 CC 29 54 BE A1 5F 06 42 88 C7 A8 BA B6 66 09 0A A2 24 96 60 A5 D2 DF C6 83 1E 84 82 BC 29 A4 8B AB BF 90 [ !/&9Fe3)T_Bf$`)]

*Sep 20 10:20:21.007: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:21.008: RADIUS: 25 7F 2D CC 6E 83 FB AB CF E5 80 8A 9E EF AF 32 [ ?-n2]

*Sep 20 10:20:21.008: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:21.009: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:21.010: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:21.011: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:21.011: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:21.012: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:21.013: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:21.014: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:21.015: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:21.015: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:21.016: RADIUS: State [24] 33

*Sep 20 10:20:21.017: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:21.017: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:21.017: RADIUS(00000000): Sending a IPv4 Radius Packet

*Sep 20 10:20:21.019: RADIUS(00000000): Started 5 sec timeout

*Sep 20 10:20:21.568: RADIUS: Received from id 1645/34 10.1.1.1:1645, Access-Challenge, len 164

*Sep 20 10:20:21.568: RADIUS: authenticator 49 C9 FA AC 86 87 8F BF - DE 6F CE 63 42 3C F2 90

*Sep 20 10:20:21.569: RADIUS: State [24] 33

*Sep 20 10:20:21.569: RADIUS: 32 38 53 65 73 73 69 6F 6E 49 44 3D 61 63 73 35 [28SessionID=acs5]

*Sep 20 10:20:21.570: RADIUS: 2D 38 2F 34 35 33 30 32 37 39 33 30 2F 39 3B [ -8/453027930/9;]

*Sep 20 10:20:21.570: RADIUS: EAP-Message [79] 93

*Sep 20 10:20:21.571: RADIUS: 01 B3 00 5B 19 00 17 03 01 00 50 BC 96 42 EC 06 73 8A 83 5F 0C CD D1 B9 7A B9 87 8E 45 95 88 79 E4 DB FD C7 64 82 9A 3B 78 51 D2 BA 17 6D D4 DD 34 26 CC 26 [[PBs_zEyd;xQm4&&]

*Sep 20 10:20:21.571: RADIUS: 47 47 AE B0 44 AE CE 0D 36 C9 E3 90 9E FC 93 EE E3 BA 22 11 29 D6 07 98 68 D4 9F AA 90 5F 18 9A F4 FF 3E 12 AD 80 9E [ GGD6")h_>]

*Sep 20 10:20:21.572: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:21.572: RADIUS: C5 FF 5E 47 D7 17 40 F4 52 A5 6F 99 10 29 59 41 [ ^G@Ro)YA]

*Sep 20 10:20:21.573: RADIUS(00000000): Received from id 1645/34

*Sep 20 10:20:21.573: RADIUS/DECODE: EAP-Message fragments, 91, total 91 bytes

*Sep 20 10:20:21.589: AAA/AUTHEN/8021X (00000000): Pick method list 'default'

*Sep 20 10:20:21.590: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

*Sep 20 10:20:21.591: RADIUS/ENCODE(00000000):Orig. component type = Invalid

*Sep 20 10:20:21.591: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Sep 20 10:20:21.592: RADIUS(00000000): Config NAS IPv6: ::

*Sep 20 10:20:21.592: RADIUS(00000000): sending

*Sep 20 10:20:21.596: RADIUS/ENCODE: Best Local IP-Address 10.1.1.254 for Radius-Server 10.1.1.1

*Sep 20 10:20:21.597: RADIUS(00000000): Send Access-Request to 10.1.1.1:1645 id 1645/35, len 315

*Sep 20 10:20:21.597: RADIUS: authenticator 42 38 45 AD 08 97 2A BA - AB 65 55 F8 58 D4 0B D2

*Sep 20 10:20:21.598: RADIUS: User-Name [1] 7 "8021x"

*Sep 20 10:20:21.598: RADIUS: Service-Type [6] 6 Framed [2]

*Sep 20 10:20:21.600: RADIUS: Vendor, Cisco [26] 27

*Sep 20 10:20:21.600: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"

*Sep 20 10:20:21.604: RADIUS: Framed-MTU [12] 6 1500

*Sep 20 10:20:21.604: RADIUS: Called-Station-Id [30] 19 "50-00-00-04-00-00"

*Sep 20 10:20:21.605: RADIUS: Calling-Station-Id [31] 19 "50-00-00-03-00-00"

*Sep 20 10:20:21.606: RADIUS: EAP-Message [79] 45

*Sep 20 10:20:21.607: RADIUS: 02 B3 00 2B 19 00 17 03 01 00 20 F5 D4 85 6F 02 6B 74 CF 62 8A 8C CB 6A 7B 1A A5 7F 39 0F 18 46 AE DA 8A B2 63 33 7E B5 83 ED D4 [ + oktbj{9Fc3~]

*Sep 20 10:20:21.607: RADIUS: Message-Authenticato[80] 18

*Sep 20 10:20:21.608: RADIUS: CD 9E 47 57 7E 70 A4 AD CB A6 DB 04 C6 8F 4B 5E [ GW~pK^]

*Sep 20 10:20:21.608: RADIUS: EAP-Key-Name [102] 2 *

*Sep 20 10:20:21.609: RADIUS: Vendor, Cisco [26] 49

*Sep 20 10:20:21.610: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0101FE0000000D004DAE61"

*Sep 20 10:20:21.611: RADIUS: Vendor, Cisco [26] 20

*Sep 20 10:20:21.611: RADIUS: Cisco AVpair [1] 14 "method=dot1x"

*Sep 20 10:20:21.612: RADIUS: Framed-IP-Address [8] 6 10.1.1.102

*Sep 20 10:20:21.613: RADIUS: NAS-IP-Address [4] 6 10.1.1.254

*Sep 20 10:20:21.614: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/0"

*Sep 20 10:20:21.615: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

*Sep 20 10:20:21.616: RADIUS: NAS-Port [5] 6 50000

*Sep 20 10:20:21.617: RADIUS: State [24] 33

*Sep 20 10:20:21.729: RADIUS: Vendor, Microsoft [26] 58

*Sep 20 10:20:21.729: RADIUS: MS-MPPE-Recv-Key [17] 52 *

*Sep 20 10:20:21.730: RADIUS(00000000): Received from id 1645/36

*Sep 20 10:20:21.731: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

NAS#no debug all

All possible debugging has been turned off

3、抓包

A、EAP Over lan包(接入用户和radius客户端之间的交互消息)

vIOS_SW(NAS)设备(radius客户端)将EAPOL报文，解析后，使用radius avp属性封装解析后的EAP报文---两种属性

1、EAP-Message(78号属性)

2、Message-Authenticator(80号属性)

EAPOL各个包的解释参考下面的Radius包，不另做分析。

B、EAP over radius包(radius客户端与radius服务器之间的交互消息)：

❶

NAS->RADIUS:

Access-Request认证请求报文, NAS将EAP报文重新封装成radius AVP

Access-Request认证请求报文封装的是EAP-response报文，里面包含用户ID：8021x即用户名

❷

RADIUS->NAS:

Access-Challenge认证挑战报文，产生新的EAP报文，然后封装，作为radius报文的AVP

Access-Challenge认证挑战报文封装的是EAP-request报文，此报文告诉客户端使用EAP-TLS作为认证方法

❸

NAS->RADIUS:

Access-Request认证请求报文

Access-Request认证请求报文封装的是EAP-response报文，response拒绝了服务器的提议，期望使用EAP-PEAP作为认证方法.

❹

RADIUS->NAS:

Access-Challenge认证挑战报文，产生新的EAP报文，然后封装，作为radius报文的AVP

Access-Challenge认证挑战报文封装的是EAP-request报文，此报文告诉客户端，服务器端使用EAP-PEAP作为认证方法

❺

NAS->RADIUS:

Access-Request认证请求报文

Access-Request认证请求报文封装的是EAP-response报文

服务器同意使用EAP-PEAP作为认证方法后，客户端开始和服务器协商TLS。

客户端发送的信息ClientHello包含有:

可用的版本号

客户端随机数random_C

会话ID

可用的密码套件清单

可用的压缩方式清单

所有信息作为TLS参数封装在EAP-response报文中。EAP-response报文又被封装成radius报文的avp

❻

RADIUS->NAS:

Access-Challenge认证挑战报文，产生新的EAP报文，然后封装，作为radius报文的AVP

被封装的是EAP-request报文。报文里面是TLS报文。

TLS握手报文，服务器发送给客户端的信息ServerHello包含有：

使用的版本号

服务器随机数random_S

会话ID

选定的密码套件

选定的压缩方式

服务器证书

❼

NAS->RADIUS:

Access-Request认证请求报文

Access-Request认证请求报文封装EAP-response，继续TLS协商；

客户端使用服务器证书携带的公钥，加密PreMaster sercret(客户端产生的随机数，然后使用上一步确定使用的RAS算法生成)。

之后，客户端使用ChangeCipher Spec协议告诉服务器，下面的交互信息开始使用密文了，使用约定好的算法，和双方计算出来的共享会话密钥

同时使用加密算法、新的会话密钥加密握手消息，发送给服务器。

❽

RADIUS->NAS:

Access-Challenge认证挑战报文，产生新的EAP报文，然后封装，作为radius报文的AVP

封装报文为EAP-request报文，里面包含TLS报文

服务器使用ChangeCipher Spec协议报文，告诉客户端，服务器端开始使用新的密码规则了

同时加密一段握手信息给客户端

❾

NAS->RADIUS:

Access-Request认证请求报文

EAP-response报文，TLS隧道建立成功，客户端回应服务器-报文❹EAP-request的回应。

下面的报文都是使用TLS协商好的加密方式加密后，封装在EAP报文中的-无法解密。

❿

RADIUS->NAS:Access-Challenge认证挑战报文

服务器和客户端协商内部使用的认证方法-可能的有:

EAP-Mschapv2,EAP-TLS,EAP-GTC

NAS->RADIUS:Access-Request认证请求报文

客户端使用的认证方法：EAP-Mschapv2

RADIUS->NAS:Access-Challenge认证挑战报文

开始使用EAP-Mschapv2相互认证.

服务器要求客户端提供用户名

NAS->RADIUS:Access-Request认证请求报文

客户端发送用户名

RADIUS->NAS:Access-Challenge认证挑战报文

服务器发送挑战AuthChallenge

NAS->RADIUS:Access-Request认证请求报文

客户端计算hash值: GenerateNTResponse(AuthChallenge, PeerChallenge, UserName, Password)

PeerChallenge为客户端自己生成的挑战

客户端将PeerChallenge和hash值NTResponse发送给服务器。

RADIUS->NAS:Access-Challenge认证挑战报文

服务器端根据用户名、密码、PeerChallenge和AuthChallenge进行hash计算，如果得到的结果和接收的NTResponse一致，则证明客户端认证通过。

同时，服务器也做hash计算：

GenerateNTResponse(用户密码，用户名，Peer-Challenge，AuthChallenge以及NT-Response)

然后发送给客户端

NAS->RADIUS:Access-Request认证请求报文

客户端同样执行hash计算：GenerateNTResponse(用户密码，用户名，Peer-Challenge，AuthChallenge以及NT-Response)，如果一致，表明服务器端认证成功。向服务器发送EAP-Request/EAP-MSCHAPv2(Success-Response)报文

Access-Accept认证接受报文

服务器收到EAP-Request/EAP-MSCHAPv2(Success-Response)报文后，则说明验证成功。然后给NAS发送access-accept(EAP-success)。至此认证结束。

4、802.1x认证/授权过程

1、接入用户(PC端)首先通过客户端软件(支持EAP)向radius客户端发送一个EAPoL-Start报文，开始802.1x接入的开始

2、radius客户端向接入用户发送EAP-Request/Identity请求帧，要求提供身份标识-用户名。

3、接入用户接收到radius客户端的请求后，向其发送EAP-Response/Identity响应帧，提供身份标识-用户名。

4、radius客户端将EAP-Response/Identity响应帧封装成RADIUS Access-Request帧的AVP属性，然后发给认证服务器。

5、认证服务器通过用户身份标识检索认证数据库，开启认证方法协商。服务器端推荐使用EAP-TLS认证方法。封装成RADIUS Access-challenge(EAP-Request)包，返回给radius客户端

6、radius客户端，将RADIUS Access-challenge(EAP-Request)包还原成EAP-Request帧，返回给接入用户

7、接入用户不支持EAP-TLS认证方法，拒绝，同时将自己支持的认证方法EAP-PEAP，封装成EAP-Response后，发给radius客户端

8、radius客户端将EAP-Response封装成RADIUS Access-Request，发送给radius服务器

9、radius服务器同意使用EAP-PEAP，将RADIUS Access-challenge(EAP-Request(EAP-PEAP))回复给radius客户端

10、radius客户端将EAP-Request(EAP-PEAP)回复给接入用户

下面开始TLS协商了：

11、接入用户发送clienthello----含随机数C、加密套件、压缩套件等，radius客户端收到后封装RADIUS Access-Request发送给radius服务器

12、radius服务器从接入用户发来的加密套件、压缩套件中，选择自己支持的加密方法和压缩方法，连同自己产生的随机数S和服务器的证书一起发送给接入用户serverhello(封装成RADIUS Access-challenge(EAP-Request))。

注：

A、服务器不要求接入用户提供证书，所有没有CertificateRequest消息

B、服务器证书提供信息足够，所有没有ServerKeyExchange消息

13、接入用户收到EAP-Request后，生产随机数M，使用RSA算法生成Pre-master secret，使用服务器证书提供的公钥加密，加密后的密文使用ClientKeyExchange消息发送给radius服务器，同时使用ChangeCipherSpec消息告诉服务器下面开始使用协商好的加密方法和密钥加密通信了

注：

A、接入用户使用三个随机数-接入用户随机数C、服务器随机数S和Pre-master计算出主密码master secret。然后根据master secret生成:

对称密码的密钥

消息认证码的密钥

对称密码的CBC模式中使用的初始化向量（IV）

B、服务器不要求接入用户提供证书，所以没有Certificate消息和CertificateVerify消息

C、接入用户没有验证服务器证书的真伪

14、radius服务器接收到报文后，使用私钥解密出来Pre-master，使用ChangeCipherSpec消息告诉接入用户下面开始使用协商好的加密方法和密钥加密通信了

注：

服务器使用三个随机数-接入用户随机数C、服务器随机数S和Pre-master计算出主密码master secret。然后根据master secret生成:

对称密码的密钥

消息认证码的密钥

对称密码的CBC模式中使用的初始化向量（IV）

至此，接入用户和服务器就加密算法、压缩算法、hash算法、密钥等达成一致。

15、接入用户发送EAP-response(EAP-PEAP),预示PEAP TLS协商成功

下面开始隧道内部认证协商了，使用TLS协商的算法和密钥加密整个协商过程。

16、服务器Access-challenge(EAP-Request(TLS(Mschapv2)))，服务器端使用的认证方法有EAP-mschapv2、EAP-TLS或者EAP-GTC

17、接入用户使用EAP-mschapv2，拒绝其他认证方法

18、服务器接受EAP-mschapv2

下面开始mschapv2认证了

19、服务器发送Access-challenge(EAP-Request(TLS(Mschapv2-request)))，要求提供身份信息

20、接入用户EAP-Response(TLS(Mschapv2-response)提供用户名

21、服务器生成挑战server-Challenge，发送接入用户

22、接入用户根据挑战计算响应:

响应=MD4+DES(用户名+密码+server-Challenge+peer-Challenge)

peer-Challenge为接入用户自己产生的挑战

将响应和peer-Challenge一起发送给服务器

23、服务器计算: MD4+DES(用户名+密码+server-Challenge+peer-Challenge)，，如果结果和接收的响应一致，则客户端验证成功。

同时服务器还计算：将接收到的响应作为计算的输入

message= MD4+DES(用户名+密码+server-Challenge+peer-Challenge+响应)

将message发送给接入用户

24、接入用户同样计算MD4+DES(用户名+密码+server-Challenge+peer-Challenge+响应)

如果结果和接收的一致，则服务器验证成功。

接入用户回应一个EAP-Response/EAP-MS-CHAPV2的ACK消息，指示Radius服务器的回应消息是正确的。

MSCHAPv2认证结束

TLS会话结束

25、Radius服务器发送一个access-accept(EAP-Success)消息给radius客户端-明文

26、radius客户端将EAP-Success发送给接入用户-明文

先EAP-PEAP协商---->TLS协商(加密算法和密钥用于第二阶段)---->隧道内部认证方法协商---->使用协商好的认证方法相互认证

accounting计费

哪些行为需要审计：

aaa accounting network default start-stop group radius//在radius记录network相关信息日志从登陆到结束

前提条件：配置了dot1x认证。

1、【NAS(交换机)配置】

aaa authentication dot1x default group radius

aaa accounting dot1x default start-stop group radius

aaa accounting network default start-stop group radius

2、【radius服务器配置】------无

3、实验过程及结果

A、NAS设备开启debug

B、使用8021x用户名访问网络

C、查看debug信息

略

RADIUS实验(802.1x)相关推荐

AAA、RADIUS、TACACS+、HWTACACS、802.1X
一.前言在介绍AAA之前,先举一个生活的例子: 一天,某个人来到一个公司的门岗,他想进入这家公司,门岗在查验此人的身份之前,不允许他进入公司.门岗通过后台系统,查询此人的身份,有以下几种情况: 1. ...
Windows Server 2008 R2Cisco2960 配置Radius服务实现802.1x认证实战
实战配置Windows Server 2008 R2 Radius服务与Cisco 2960 实现 802.1x认证实验拓扑 1.Radius服务器安装 dc 域名 wjl.com ,和ca ...
802.1X和NAP整合实验手册
实验描述公司内部有多个部门,创建了域的架构,并搭建了DHCP服务器和Radius服务器,要求每个部门都独享一个网段,实现每位用户插上网线后,跳出窗体进行身份验证,如果用户通过验证,根据用户所在的部门 ...
无线802.1x认证服务器,TP-Link无线路由器+Radius认证服务器实现无线终端802.1X认证...
本文档详细介绍了如何在windows 2008上安装CA.NPS并配置NPS为radius服务器,实现无线客户端基于802.1X认证的步骤,其中还介绍了家用无线路由器Radius相关一些配置方法. 实 ...
【实验】配置802.1x远端认证
拓扑图规格适用于所有版本.所有形态的AR路由器. 组网需求 PC通过Router访问网络.为了保证网络的安全性,要求在用户接入网络时进行802.1x认证.认证服务器为两台Radius服务器,IP为 ...
server2012 AD域 radius 802.1x认证
server2012 AD域 radius 802.1x认证原创泠泠七弦2020-11-25 17:40:06 保姆级教程:WINserver2012 AD域 radius 802.1x认证. 觉得 ...
华为ac配置radius认证服务器_华为无线控制器启用802.1X认证配置
第一步.配置基础配置 system-view [AC6005]vlan batch 10 to 14 [AC6005]int vlan 10 [AC6005-Vlanif10]ip address 1 ...
简单对比H3C/Huawei 802.1x+Radius/AAA配置差异
1 802.1X基本概念 802.1x属于准入控制技术,又称EAPoE(Extensible Authentication Protocol Over Ethernet) 本地验证(交换机本地建立用户 ...
802.1X Radius 服务器搭建
802.1X Radius 服务器搭建设备需求: l 安装Microsoft Windows 2003 Enterprise Edition Service Pack 1的PC一台 l Wirel ...
无线AP配服务器,胖AP结合远程radius服务器做802.1X认证的典型配置
(1)胖AP配置 #和三层交换机互联地址 interface Vlan-interface1 ip address 192.168.0.50 255.255.255.0 #缺省路由,下一跳指向三层交换 ...

RADIUS实验(802.1x)

RADIUS实验(802.1x)相关推荐

最新文章

热门文章