以下内容,是《Catalyst 3560 Switch Software Configuration Guide》——思科3560交换机配置指南的一个小小小小段落。
之所以翻译这个,是因为目前国内介绍到思科交换机的这个功能的中文文献(指公开文献)为0.000???。可以说,基本无人翻译介绍过。
而思科的IEEE 802.1x协议的实现,又与目前国内华为、锐捷、神州数码等厂商实现的细节有很大不同。自己之前做某些配置的时候,完全被误导。以至于。。。。。。。
所以翻译出来,给大家。
第一次翻译,肯定有不少错误,请各位指出。谢谢
Using IEEE 802.1x Authentication with MAC Authentication Bypass
基于mac地址的IEEE 802.1x免认证
You can configure the switch to authorize clients based on the client
MAC address (see Figure 9-2 onpage 9-4) by using the MAC authentication
bypass feature. For example, you can enable this feature on IEEE 802.1x
ports connected to devices such as printers.
你可以配置交换机使用基于客户端mac地址的免认证特性(参考图9-2)。当启用IEEE 802.1x认证的端口连接的设备是打印机(或者其他无法进行交互认证的设备)时,应当使用此特性。
If IEEE 802.1x authentication times out while waiting for an EAPOL
response from the client, the switch tries to authorize the client by
using MAC authentication bypass.
如果交换机等待客户端返回一个IEEE 802.1x认证的EAPOL响应超时,交换机就会尝试使用基于mac地址的免认证特性来识别客户端。
When the MAC authentication bypass feature is enabled on an IEEE 802.1x
port, the switch uses the MAC address as the client identity.
当某个IEEE 802.1x认证端口启用mac地址的免认证特性时,交换机就会使用mac地址作为客户端的身份标记。
The authentication server has a database of client MAC addresses that
are allowed network access. After detecting a client on an IEEE 802.1x
port, the switch waits for an Ethernet packet from the client. The
switch sends the authentication server a RADIUS-access/request frame
with a username and password based on the MAC address. If authorization
succeeds, the switch grants the client access to the network. If
authorization fails, the switch assigns the port to the guest VLAN if
one is configured.
交换机检测到某个客户端连接到IEEE
802.1x认证端口后,(参考前面,需要超时)当客户端发送以太网数据包时,交换机就把客户端的mac地址作为用户名和密码发送给认证服务器一个
RADIUS-access/request帧。认证服务器有一个允许使用网络的客户端MAC地址数据库。如果认证通过,交换机就会让客户端使用网络;如
果认证失败,则交换机把端口分配到一个预先指定的guest vlan。
If an EAPOL packet is detected on the interface during the lifetime of
the link, the switch determines that the device connected to that
interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x
authentication (not MAC authentication bypass) to authorize the
interface. EAPOL history is cleared if the interface link status goes
down.
如果在端口连接过程中,(mac认证之前)出现EAPOL认证数据包,则交换机会认为该端口所连接的客户端是一个
能够实现IEEE 802.1x认证交互的客户端,因而采用IEEE
802.1x认证来授权端口(而不是采用基于mac地址的免认证)。如果端口连接中断,则清空之前识别到的EAPOL认证数据包,(端口恢复采用基于
mac地址的免认证,并处于等待认证状态)。
If the switch already authorized a port by using MAC authentication
bypass and detects an IEEE 802.1x supplicant, the switch does not
unauthorize the client connected to the port. When re-authentication
occurs, the switch uses IEEE 802.1x authentication as the preferred
re-authentication process if the previous session ended because the
Termination-Action RADIUS attribute value is DEFAULT.
使用基于mac地址的免认证特性的某个端口,如果已经通过了服务器的认证授权之后,又出现了一个具有IEEE
802.1x认证能力的客户端,则交换机会拒绝该客户端连接网络。当后一个连接会话中断后,因为RADIUS的一个默认属性是Termination-
Action,因此重新认证开始,这时交换机会采用IEEE 802.1x认证作为首选的认证方式。
Clients that were authorized with MAC authentication bypass can be
re-authenticated. The re-authentication process is the same as that for
clients that were authenticated with IEEE 802.1x. During
re-authentication, the port remains in the previously assigned VLAN. If
re-authentication is successful, the switch keeps the port in the same
VLAN. If re-authentication fails, the switch assigns the port to the
guest VLAN, if one is configured.
采用基于mac地址免认证特性的时候,也可以实现客户端的重认证。这个与采用普通的IEEE
802.1x认证时的情形一样。在重认证过程中,交换机端口仍然会保留在之前认证后指定/设定的vlan。认证成功,vlan不变;如果认证失败,则交换
机会把端口划分到已经配置的guest VLAN里。
If re-authentication is based on the Session-Timeout RADIUS attribute
(Attribute[27]) and the Termination-Action RADIUS attribute (Attribute
[29]) and if the Termination-Action RADIUS attribute (Attribute [29])
action is Initialize, (the attribute value is DEFAULT), the MAC
authentication bypass session ends, and connectivity is lost during
re-authentication. If MAC authentication bypass is enabled and the IEEE
802.1x authentication times out, the switch uses the MAC authentication
bypass feature to initiate re-authorization. For more information about
these AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial
In User Service (RADIUS) Usage Guidelines.”
如果配置重认证的发起是基于RADIUS的Session-Timeout(连接超时),以及RADIUS的默认
属性是Termination-Action,那么当RADIUS
Termination-Action启动时,基于mac地址免认证客户端,在整个重认证的时间段都会连接中断。
重认证发起后,同样需要一个IEEE 802.1x认证超时等待,然后交换机才会使用基于mac地址的免认证特性来识别客户端(发起认证),以最终实现一个重认证流程。
MAC authentication bypass interacts with the features:
基于mac地址的免认证特性受以下条件限制:
●你只能够在一个已经启用了IEEE 802.1x认证的端口使用基于mac地址的免认证特性。
●如果配置了Guest VLAN,当客户端属于一个非法的mac时,交换机会把客户端分配到Guest VLAN。
●基于mac地址的免认证特性的端口,不支持Restricted VLAN配置。
●关于端口安全的相关内容,请参考“Using IEEE 802.1x Authentication with Port Security”一节。
●关于Voice VLAN的相关内容,请参考“Using IEEE 802.1x Authentication with Voice VLAN Ports” 一节。
●配置了基于mac地址的免认证特性后,你可以分配客户端到某个私有vlan。
●IEEE802.1x和 VMPS 是互斥的,配置了IEEE802.1x就不能配置VMPS,反之亦然。
●配置了基于mac地址的免认证特性后,还是会受到NAC的Layer 2 IP validation影响/限制,包括NAC的“例外名单(exception list)”限制。
? IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x authentication is enabled on the port.
? Guest VLAN—If a client has an invalid MAC address identity, the
switch assigns the client to a guest VLAN if one is configured.
? Restricted VLAN—This feature is not supported when the client
connected to an IEEE 802.lx port is authenticated with MAC
authentication bypass.
? Port security—See the “Using IEEE 802.1x Authentication with Port Security” section on page 9-15.
? Voice VLAN—See the “Using IEEE 802.1x Authentication with Voice VLAN Ports” section on page 9-15.
? VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
? Private VLAN—You can assign a client to a private VLAN.
? Network admission control (NAC) Layer 2 IP validation—This feature
takes effect after an IEEE 802.1x port is authenticated with MAC
authentication bypass, including hosts in the exception list.
阅读(5267) | 评论(0) | 转发(0) |