<原文翻译>基于mac地址的IEEE 802.1x免认证

时间:2022-07-25 06:08:13

         以下内容,是《Catalyst 3560 Switch SoftwareConfiguration Guide》——思科3560交换机配置指南的一个小小小小段落。
         原书1179页,可以把人看到吐血而死。 
         之所以翻译这个,是因为目前国内介绍到思科交换机的这个功能的中文文献(指公开文献)为0.000???。可以说,基本无人翻译介绍过。
         而思科的IEEE 802.1x协议的实现,又与目前国内华为、锐捷、神州数码等厂商实现的细节有很大不同。自己之前做某些配置的时候,完全被误导。以至于。。。。。。。

大家看看吧,内行看门道,外行人也看看人行道。呵呵



Using IEEE 802.1x Authentication with MAC Authentication Bypass
基于mac地址的IEEE 802.1x免认证

You can configure the switch to authorize clients based on the client MAC address (see Figure 9-2 onpage 9-4) by using the MAC authentication bypass feature. For example, you can enable this feature on IEEE 802.1x ports connected to devices such as printers.
你可以配置交换机使用基于客户端mac地址的免认证特性(参考图9-2)。当启用IEEE 802.1x认证的端口连接的设备是打印机(或者其他无法进行交互认证的设备)时,应当使用此特性。

If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.
如果交换机等待客户端返回一个IEEE 802.1x认证的EAPOL响应超时,交换机就会尝试使用基于mac地址的免认证特性来识别客户端。

When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity.
当某个IEEE 802.1x认证端口启用mac地址的免认证特性时,交换机就会使用mac地址作为客户端的身份标记。

The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.
交换机检测到某个客户端连接到IEEE 802.1x认证端口后,(参考前面,需要超时)当客户端发送以太网数据包时,交换机就把客户端的mac地址作为用户名和密码发送给认证服务器一个RADIUS-access/request帧。认证服务器有一个允许使用网络的客户端MAC地址数据库。如果认证通过,交换机就会让客户端使用网络;如果认证失败,则交换机把端口分配到一个预先指定的guest vlan

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.
如果在端口连接过程中,(mac认证之前)出现EAPOL认证数据包,则交换机会认为该端口所连接的客户端是一个能够实现IEEE 802.1x认证交互的客户端,因而采用IEEE 802.1x认证来授权端口(而不是采用基于mac地址的免认证)。如果端口连接中断,则清空之前识别到的EAPOL认证数据包,(端口恢复采用基于mac地址的免认证,并处于等待认证状态)

If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs, the switch uses IEEE 802.1x authentication as the preferred re-authentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.
使用基于mac地址的免认证特性的某个端口,如果已经通过了服务器的认证授权之后,又出现了一个具有IEEE 802.1x认证能力的客户端,则交换机会拒绝该客户端连接网络。当后一个连接会话中断后,因为RADIUS的一个默认属性是Termination-Action,因此重新认证开始,这时交换机会采用IEEE 802.1x认证作为首选的认证方式。

Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication process is the same as that for clients that were authenticated with IEEE 802.1x.  During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
采用基于mac地址免认证特性的时候,也可以实现客户端的重认证。这个与采用普通的IEEE 802.1x认证时的情形一样。在重认证过程中,交换机端口仍然会保留在之前认证后指定/设定的vlan。认证成功,vlan不变;如果认证失败,则交换机会把端口划分到已经配置的guest VLAN里。

If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize, (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”
如果配置重认证的发起是基于RADIUSSession-Timeout(连接超时),以及RADIUS的默认属性是Termination-Action,那么当RADIUS Termination-Action启动时,基于mac地址免认证客户端,在整个重认证的时间段都会连接中断。
重认证发起后,同样需要一个IEEE 802.1x认证超时等待,然后交换机才会使用基于mac地址的免认证特性来识别客户端(发起认证),以最终实现一个重认证流程。


MAC authentication bypass interacts with the features:
基于mac地址的免认证特性受以下条件限制:
●你只能够在一个已经启用了IEEE 802.1x认证的端口使用基于mac地址的免认证特性。
●如果配置了Guest VLAN,当客户端属于一个非法的mac时,交换机会把客户端分配到Guest VLAN
●基于mac地址的免认证特性的端口,不支持Restricted VLAN配置。
●关于端口安全的相关内容,请参考“Using IEEE 802.1x Authentication with Port Security”一节。
●关于Voice VLAN的相关内容,请参考“Using IEEE 802.1x Authentication with Voice VLAN Ports” 一节。
●配置了基于mac地址的免认证特性后,你可以分配客户端到某个私有vlan
IEEE802.1x VMPS 是互斥的,配置了IEEE802.1x就不能配置VMPS,反之亦然。
●配置了基于mac地址的免认证特性后,还是会受到NACLayer 2 IP validation影响/限制,包括NAC的“例外名单(exception list)”限制。

? IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x authentication is enabled on the port.
? Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.
? Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.lx port is authenticated with MAC authentication bypass.
? Port security—See the “Using IEEE 802.1x Authentication with Port Security” section on page 9-15.
? Voice VLAN—See the “Using IEEE 802.1x Authentication with Voice VLAN Ports” section on page 9-15.
? VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
? Private VLAN—You can assign a client to a private VLAN.
? Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list.


============暂不提供转载==========