S9300: RADIUS authentication fails because the NAS-IP does not match the address bound on the RADIUS server, with summary

Published: 2012-07-24  Views: 162  Downloads: 0
Problem description
S9300 version information:
V100R001C02B125+V100R001C02SPH007 
Topology:
PC------intermediate network-----S9300-------IP bearer network------Radius Server
Symptom:
RADIUS authentication on the S9300 fails.
Alarm information

Handling process
1. Testing showed that the 9300 can ping the Radius Server without packet loss, so the route is reachable.
2. The complete configuration was checked:
<WZ-CX-S9312-1>display radius-server configuration   
  -------------------------------------------------------------------           
  Server-template-name             :  system                                    
  Protocol-version                 :  standard                                  
  Traffic-unit                     :  B                                         
  Shared-secret-key                :  wzwg                                      
  Timeout-interval(in second)      :  5                                         
  Primary-authentication-server    :  60.12.128.82:1645:LoopBack-1   
  Primary-accounting-server        :  0.0.0.0:0:LoopBack0                       
  Secondary-authentication-server  :  0.0.0.0:0:LoopBack0   
  Secondary-accounting-server      :  0.0.0.0:0:LoopBack0       
  Retransmission                   :  3                                         
  Domain-included                  :  NO                                        
  -------------------------------------------------------------------
<WZ-CX-S9312-1>display domain default                                           
  -------------------------------------------------------------------           
  Domain-name                     : default                                     
  Domain-state                    : Active                                      
  Authentication-scheme-name      : default                                     
  Accounting-scheme-name          : default                                     
  Authorization-scheme-name       : default                                     
  Web-IP-address                  : -                                           
  Primary-DNS-IP-address          : -                                           
  Second-DNS-IP-address           : -                                           
  Primary-NBNS-IP-address         : -                                           
  Second-NBNS-IP-address          : -                                           
  Idle-data-attribute (time,flow) : 0, 60                                       
  User-access-limit               : 384                                         
  Online-number                   : 2                                           
  RADIUS-server-template          : system                                      
  HWTACACS-server-template        : -                                           
  ------------------------------------------------------------------- 
The authentication scheme, the RADIUS template and the domain configuration are all correct.
3. RADIUS debugging was enabled on the S9300. Only outgoing RADIUS authentication packets with code=1 (Access-Request) were seen; no code=2 (Access-Accept) or code=3 (Access-Reject) responses came back.
<WZ-CX-S9312-1>debug radius packet  
*0.4031110899 WZ-CX-S9312-1 RDS/7/debug2:                                       
  Radius Sent a Packet                                                          
  Server Template: 0                                                            
  Server IP   : 60.12.128.82                                                    
  Protocol: Standard                                                            
  Code    : 1                                                                   
  Len     : 218                                                                 
  ID      : 14                                                                  
…………                           
  [NAS-IP-Address(4)                  ] [6 ] [221.12.71.154]      
Because the NAS-IP defaults to the address of the interface used by the best route, the NAS-IP shown here is the address of the uplink egress interface, 221.12.71.154. The suspicion was that the NAS-IP on the two ends did not match.
4. It was confirmed that the address bound on the Radius Server is the 9300's loopback address, so the S9300's NAS-IP was changed to the loopback address with the following configuration:
radius-server template system           
 radius-server authentication 60.12.128.82 1645 source LoopBack 0
After the change, RADIUS authentication succeeded and the fault was resolved.
Root cause
1. Link or routing problem
2. Configuration problem
3. The NAS-IP configured on the S9300 does not match the address bound on the Radius Server
4. Other causes such as the device or the software version
Suggestions and summary
Complete configuration for RADIUS authentication on the 9300:
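To make the server-side effect of this mismatch concrete, here is an added example (not from the page and not Huawei's code) that builds a minimal RFC 2865 Access-Request, parses its attributes, and models a server that silently discards requests whose NAS-IP-Address is not a registered client, which is exactly why the debug output shows code 1 going out and nothing coming back. The registered loopback 10.255.0.1, the uplink address 198.51.100.7 and the shared secret are placeholders.

```python
import os
import struct

# Constructed client table: the server only knows the NAS by the address the operator
# registered (the switch's loopback). Addresses and secret are placeholders, not page values.
REGISTERED_NAS = {"10.255.0.1": b"secret-placeholder"}
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS = 1, 4

def build_access_request(pkt_id, nas_ip, username=b"user"):
    """Build a minimal RFC 2865 Access-Request with User-Name(1) and NAS-IP-Address(4)."""
    authenticator = os.urandom(16)                       # 16-byte Request Authenticator
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    return header + authenticator + attrs

def parse_packet(packet):
    """Return (code, id, {attr_type: value}); reject packets whose length fields lie."""
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, pkt_id, attrs

def server_decision(packet):
    """Model the server: an unregistered NAS-IP-Address is silently dropped (no code 2 or 3
    goes back, the symptom seen above); a registered NAS gets a reply. Credentials are not checked."""
    code, _pkt_id, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or NAS_IP_ADDRESS not in attrs:
        return None
    nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
    if nas_ip not in REGISTERED_NAS:
        return None                 # unknown NAS: dropped, the switch times out and retransmits
    return ACCESS_ACCEPT

if __name__ == "__main__":
    # Before the fix: NAS-IP-Address is the uplink interface address, so no answer comes back.
    print(server_decision(build_access_request(14, "198.51.100.7")))  # None
    # After `source LoopBack 0`: NAS-IP-Address is the registered loopback.
    print(server_decision(build_access_request(15, "10.255.0.1")))    # 2
```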
radius-server template system                                                   
 radius-server shared-key wzwg                                                  
 radius-server authentication 60.12.128.82 1645 source LoopBack 0
 undo radius-server user-name domain-included  
 
 #                                                                               
aaa                                                                             
 local-user wznetcom password cipher S""O/9EHNHWQ=^Q`MAF4<1!!                   
 local-user wznetcom service-type ftp telnet ssh                                
 local-user wznetcom level 1                                                    
 local-user wznetcom ftp-directory cfcard:/                                     
 authentication-scheme default                                                  
  authentication-mode  radius  local                                            
 #                                                                              
 authorization-scheme default                                                   
 #                                                                              
 accounting-scheme default                                                      
 #                                                                              
 domain default                                                                 
  radius-server system   
user-interface vty 0 14
 authentication-mode aaa
