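We have an environment with controller: Aruba7005, switch: Aruba-2930F, and ClearPass as the authentication server.
We want devices connected by wire to the switch to be PEAP-authenticated by ClearPass, and we are considering a configuration in which the controller acts as the Authenticator.
It would look like the following.
Currently, when the controller is connected directly to a hub and a device is connected to the hub, authentication works without problems, but when a device is connected via the switch,
the authentication packets from the controller do not reach ClearPass. If there are any configuration errors or missing settings, could you please advise?
If the switch is replaced with a hub, authentication works without problems.
The controller has the following configuration; is anything missing?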
・Define the aaa profile
aaa profile "Wired-Auth"
    initial-role "denyall"
    authentication-dot1x "auth-dot1x"
    dot1x-default-role "authenticated"
    dot1x-server-group "Certified-CP"
!
・Apply the aaa-profile to VLAN 100
vlan 100
    wired aaa-profile Wired-Auth
!
・Configuration of the port the switch is connected to
interface gigabitethernet 0/0/3
    description GE0/0/3
    switchport access vlan 100
    switchport mode access
    trusted
!
The authentication process logs seen on the controller are shown below.
■Log on failure
Jun 16 18:32:56 station-up * 04:20:9a:41:75:5d 01:80:c2:00:00:03 - - open system
Jun 16 18:32:56 station-up * 04:20:9a:41:75:5d 01:80:c2:00:00:03 - - wired station
Jun 16 18:32:56 station-up * 04:20:9a:41:75:5d 01:80:c2:00:00:03 - - wired station
Jun 16 18:32:56 eap-id-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 1 5
Jun 16 18:33:01 eap-id-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 1 5
Jun 16 18:33:06 eap-id-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 1 5
Jun 16 18:33:11 dot1x-timeout * 04:20:9a:41:75:5d 01:80:c2:00:00:03 1 1 station timeout
■Log on success
Jun 16 18:36:09 station-up * 04:20:9a:41:75:5d 01:80:c2:00:00:03 - - open system
Jun 16 18:36:09 station-up * 04:20:9a:41:75:5d 01:80:c2:00:00:03 - - wired station
Jun 16 18:36:09 station-up * 04:20:9a:41:75:5d 01:80:c2:00:00:03 - - wired station
Jun 16 18:36:09 eap-id-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 7 5
Jun 16 18:36:14 eap-id-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 7 5
Jun 16 18:36:17 eap-id-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 7 10 admin
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 31 180 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 31 88
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 8 6
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 8 172
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 32 384 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 32 1124
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 9 1034
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 9 6
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 33 218 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 33 1120
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 10 1030
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 10 6
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 34 218 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 34 811
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 11 725
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 11 136
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 35 348 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 35 139
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 12 57
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 12 6
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 36 218 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 36 122
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 13 40
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 13 41
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 37 253 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 37 144
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 14 62
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 14 95
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 38 307 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 38 164
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 15 82
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 15 37
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 39 249 192.168.1.252
Jun 16 18:36:17 rad-resp <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 39 128
Jun 16 18:36:17 eap-req <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 16 46
Jun 16 18:36:17 eap-resp -> 04:20:9a:41:75:5d 01:80:c2:00:00:03 16 46
Jun 16 18:36:17 rad-req -> 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 40 258 192.168.1.252
Jun 16 18:36:17 rad-accept <- 04:20:9a:41:75:5d 01:80:c2:00:00:03/Certified-CP 40 225
Jun 16 18:36:17 eap-success <- 04:20:9a:41:75:5d 01:80:c2:00:00:03 16 4
That is all. Thank you in advance.
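
An added example, not part of the original post or of Aruba's tooling: a small Python parser for trace lines in the layout quoted above that reports, per 802.1X attempt, the last stage the controller logged. The column layout is inferred from the lines in the post, and the sample trace (MAC address, user name, RADIUS address, server-group name) is constructed.

```python
import re
# Constructed trace in the layout of the lines quoted in the post; the MAC,
# user name, RADIUS address and server-group name are made up for this example.
STA, PAE = "02:00:00:00:00:01", "01:80:c2:00:00:03"
SAMPLE = f"""\
Jun 16 18:32:56 station-up * {STA} {PAE} - - wired station
Jun 16 18:32:56 eap-id-req <- {STA} {PAE} 1 5
Jun 16 18:33:01 eap-id-req <- {STA} {PAE} 1 5
Jun 16 18:33:06 eap-id-req <- {STA} {PAE} 1 5
Jun 16 18:33:11 dot1x-timeout * {STA} {PAE} 1 1 station timeout
Jun 16 18:36:09 station-up * {STA} {PAE} - - wired station
Jun 16 18:36:09 eap-id-req <- {STA} {PAE} 7 5
Jun 16 18:36:17 eap-id-resp -> {STA} {PAE} 7 10 user1
Jun 16 18:36:17 rad-req -> {STA} {PAE} 31 180 192.0.2.10
Jun 16 18:36:17 rad-accept <- {STA} {PAE}/EXAMPLE-GROUP 40 225
Jun 16 18:36:17 eap-success <- {STA} {PAE} 16 4
"""
# Assumed layout: month, day, time, event, direction, station MAC, then the rest.
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<event>[\w-]+)\s+(?:\*|<-|->)\s+"
    r"(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s", re.I)

def sessions(trace):
    """Split a trace into per-station attempts; each attempt begins at station-up."""
    out, current = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headings, blank lines, anything not in the trace layout
        sta, event = m["sta"].lower(), m["event"]
        events = current.get(sta)
        if events is None or (event == "station-up" and events[-1] != "station-up"):
            events = current[sta] = []
            out.append((sta, events))
        events.append(event)
    return out

def diagnose(events):
    """Name the furthest stage one attempt reached, using only events seen in the post."""
    if "eap-success" in events:
        return "authenticated"
    if "rad-req" in events:
        return "RADIUS exchange started but did not complete"
    if "eap-id-resp" in events:
        return "identity received, no RADIUS request logged"
    if "eap-id-req" in events:
        return "no EAP identity response after %d requests" % events.count("eap-id-req")
    return "no 802.1X exchange logged"
```

Calling `diagnose` on each entry returned by `sessions` separates attempts where the client never answered the identity request from attempts that stalled at the RADIUS stage.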