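Collect the AC configuration. The customer has not enabled the RADIUS accounting service and uses only the authentication service. Reviewing the AC configuration shows that the service template, which is configured with the 802.1X key management mode and cipher suites, also has a PSK configured. 802.1X authentication does not actually require a PSK, so delete the PSK configuration: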
wlan service-template lattebank
ssid XXXX
vlan 72
akm mode dot1x
preshared-key pass-phrase cipher $c$3$B6eoJ/L7cCmhXaRWNnQ6quKr3BtYlzSM+u9vLzohkw==
cipher-suite ccmp
cipher-suite tkip
security-ie rsn
security-ie wpa
client-security authentication-mode dot1x
dot1x domain dataseed
service-template enable
bonjour apply policy 1
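After the PSK configuration was deleted, authentication still failed. We collected debug output and a packet capture for analysis and found that, during authentication, the access-accept packet returned by the RADIUS server carries authorization VLAN information. That VLAN is not configured on the device, and it is not the service VLAN the customer needs to use. The details are as follows:
Debug output: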
*Mar 6 17:17:38:635 2019 H3C RADIUS/7/PACKET:
Tunnel-Private-Group-Id:0="201" // The access-accept packet returned by RADIUS carries an authorization VLAN assignment; the VLAN ID is 201
EAP-Message=0x030d0004
Class=0xc04e0b0200000137000102000a64019d0000000028fc5ff7f4f8697401d3a19a0e8d11b000000000015e9b12
Microsoft-Attr-10=0x014f41
MSCHAPv2_Success=0x01533d32414536413733324533343142443143343536434230363537434136313839374638343045354246
MS-MPPE-Send-Key=******
MS-MPPE-Receive-Key=******
Message-Authenticator=0x319c262f1d45d894ea7b781f5389e208
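The check described above can be scripted. The following is an added example, not part of the original case notes or any H3C tooling: it pulls the authorization VLAN out of debug lines shaped like the ones above and compares it with the service-template VLAN and with the VLANs present on the AC. The function names and the device VLAN set {1, 72} are assumptions, and both sample inputs are constructed from the lines on this page.

```python
import re

# Constructed sample: lines in the shape of the RADIUS debug output above.
DEBUG_SAMPLE = """\
*Mar 6 17:17:38:635 2019 H3C RADIUS/7/PACKET:
Tunnel-Private-Group-Id:0="201"
EAP-Message=0x030d0004
MS-MPPE-Send-Key=******
"""

# Constructed sample: a subset of the service-template lines shown above.
TEMPLATE_SAMPLE = """\
wlan service-template lattebank
vlan 72
akm mode dot1x
client-security authentication-mode dot1x
"""

# Attribute name, optional ":tag", then the quoted value.
TPGID_RE = re.compile(
    r'^\s*Tunnel-Private-Group-Id(?::(\d+))?\s*=\s*"([^"]*)"', re.M)
VLAN_RE = re.compile(r'^\s*vlan\s+(\d+)\s*$', re.M)


def authorized_vlans(debug_text):
    """Return numeric VLAN IDs carried in Tunnel-Private-Group-Id."""
    vlans = []
    for _tag, value in TPGID_RE.findall(debug_text):
        # Non-numeric values (VLAN names) are skipped in this example.
        if value.isdigit() and 1 <= int(value) <= 4094:
            vlans.append(int(value))
    return vlans


def template_vlan(config_text):
    """Return the VLAN bound in the service template, or None."""
    m = VLAN_RE.search(config_text)
    return int(m.group(1)) if m else None


def check_authorization(debug_text, config_text, device_vlans):
    """device_vlans: VLAN IDs that exist on the AC (operator-supplied)."""
    service = template_vlan(config_text)
    findings = []
    for vid in authorized_vlans(debug_text):
        if vid not in device_vlans:
            findings.append((vid, "authorization VLAN not configured on device"))
        elif vid != service:
            findings.append((vid, "authorization VLAN differs from service-template VLAN"))
    return findings
```

Calling `check_authorization(DEBUG_SAMPLE, TEMPLATE_SAMPLE, {1, 72})` reports VLAN 201 as not configured on the device, which matches the failure seen in this case.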
Packet capture: