1. Problem description
Network overview:
The network is deployed on the intranet; the portal server and the RADIUS server are on the same network segment, and the authentication point is the S5720.
Network topology diagram:
Configuration script:
vlan batch 10 20
#
radius-server template rd1
 radius-server shared-key cipher %^%#Z@zO.2xp4(+yc`):z! %)C8A;65zdKB'Hby;eNcU-%^%#
 radius-server authentication 192.168.0.26 1812 weight 80
 radius-server accounting 192.168.0.26 1813 weight 80
 radius-server retransmit 2
#
web-auth-server abc
 server-ip 192.168.0.155
 port 50100
 shared-key cipher %^%#=wsVO5qaZ1XUO(:M#[JAw/D<*]c3T~('% | Wi6 | =$%^%#
 url http://192.168.0.155:8088
 server-detect action log
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
  accounting start-fail online
 domain daxia
  authentication-scheme abc
  accounting-scheme abc
  radius-server rd1
 local-user admin password irreversible-cipher %^%# ! 3ZsEK~6qA6dw]:G80L"lP+ ! 9! 'Qa%cMzDU)mKhB["(`EOqge:rKbY<<qgLB%^%#
 local-user admin service-type http
#
interface Vlanif1
 ip address 192.168.0.33 255.255.255.0
 web-auth-server abc direct
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 1
#
portal max-user 100
portal timer offline-detect 500
portal free-rule 0 destination ip 192.168.0.155 mask 255.255.255.255
portal free-rule 1 destination ip 192.168.0.26 mask 255.255.255.255
portal free-rule 2 destination ip 192.168.0.1 mask 255.255.255.255
Fault symptom:
The user can open the portal page and enter a user name and password, but after authentication completes the terminal still cannot get online.
2. Handling process
1. First confirm that the terminal authenticated successfully: the command display access-user shows the user terminal as successfully authenticated.
2. A terminal that has authenticated successfully still cannot ping the external network, so a problem on the public network side is suspected.
3. A test terminal connected to the 192.168.0.100 device can reach the external network, so the public network can be ruled out.
4. NAT for the 192.168.5.0 segment is confirmed to be configured on the router, and after removing authentication from the S5720 the terminal can get online.
5. Taken together, the problem arises in the authentication phase, even though step 1 confirmed that authentication succeeds. Checking the configuration shows that authentication is configured under Vlanif10:
interface Vlanif10
 ip address 192.168.0.33 255.255.255.0
 web-auth-server abc direct
6. The interface towards the upstream router is also configured in Vlanif10, so the S5720 applies authentication to data arriving from the upstream router as well. Because that upstream data is not authenticated, the return packets cannot pass. Exempt the uplink traffic from authentication:
portal free-rule 3 source interface G0/0/5
3. Root cause
The uplink port and the downlink port are in the same VLAN. When authentication is applied under that VLAN, the return packets cannot pass authentication, so the terminal cannot get online.
4. Solution
Exempt the uplink traffic from authentication:
portal free-rule 3 source interface G0/0/5
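The root cause above is a configuration relationship (uplink port in a portal-authenticated VLAN with no source-interface free-rule), so it can be checked mechanically. The following Python audit is an added example, not part of the original case: it parses a VRP-style snippet constructed from the page's configuration, takes the uplink port name as operator input (which port is the uplink is not derivable from the config alone), and assumes the abbreviation G0/0/5 stands for GigabitEthernet0/0/5.

```python
import re

# Constructed sample reproducing the case: portal authentication on Vlanif1,
# the uplink GigabitEthernet0/0/5 sitting in that same VLAN 1, and no
# source-interface free-rule for the uplink yet.
SAMPLE_CONFIG = """\
interface Vlanif1
 ip address 192.168.0.33 255.255.255.0
 web-auth-server abc direct
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 1
#
portal free-rule 0 destination ip 192.168.0.155 mask 255.255.255.255
"""

def normalize(name):
    """Expand the abbreviated form used in the case (G0/0/5 -> GigabitEthernet0/0/5)."""
    return re.sub(r"^G(?=\d)", "GigabitEthernet", name)

def parse_vrp(config):
    """Collect portal-authenticated VLAN ids, access-port VLAN membership and
    source-interface free-rules from a VRP-style configuration text."""
    portal_vlans, port_vlans, free_rule_ports = set(), {}, set()
    view = None                      # interface view we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":              # '#' closes the current view in VRP output
            view = None
        elif (m := re.match(r"interface (\S+)", line)):
            view = m.group(1)
        elif view and view.startswith("Vlanif") and line.startswith("web-auth-server"):
            portal_vlans.add(int(view[len("Vlanif"):]))
        elif view and (m := re.match(r"port default vlan (\d+)", line)):
            port_vlans[view] = int(m.group(1))
        elif (m := re.match(r"portal free-rule \d+ source interface (\S+)", line)):
            free_rule_ports.add(normalize(m.group(1)))
    return portal_vlans, port_vlans, free_rule_ports

def audit_uplink(config, uplink):
    """Return findings if the uplink port shares a VLAN that carries portal
    authentication and is not exempted by a source-interface free-rule."""
    portal_vlans, port_vlans, free_rule_ports = parse_vrp(config)
    uplink = normalize(uplink)
    vlan = port_vlans.get(uplink)
    findings = []
    if vlan in portal_vlans and uplink not in free_rule_ports:
        findings.append(f"{uplink} is in VLAN {vlan}, which carries portal authentication, "
                        f"and has no 'portal free-rule ... source interface {uplink}' exemption")
    return findings
```

Running audit_uplink on the sample reports the uplink; appending the page's free-rule 3 line, or moving the uplink to a VLAN without portal authentication as recommendation 1 advises, clears the finding.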
5. Recommendations and summary
1. The authentication interface and the uplink interface should preferably be in different VLANs, so that this kind of problem does not arise.
2. When troubleshooting, the fault point can be located by substitution; once the fault point is confirmed, concentrate on handling that point.