S5700 V200R003C00SPC300: MAC-based local authentication failure

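Published: 2016-12-19
Problem Description
The customer reported that MAC-based local authentication fails on a 5700 running V200R003C00SPC300, although the same configuration tested successfully on the V2R1 software version.
The fault is reproduced below on the same model, software version and configuration as the customer's.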

The topology is shown below.

The configuration commands are as follows:

[Quidway]display cu
[Quidway]display current-configuration
!Software Version V200R003C00SPC300
mac-authen
mac-authen domain default
aaa
authentication-scheme default
authentication-scheme abc
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
domain isp1
  authentication-scheme abc
local-user 00e04c96d842@isp1 password cipher 00e04c96d842
local-user 00e04c96d842@isp1 service-type terminal ppp web bind 8021x
local-user 00e0-4c96-d842@isp1 password cipher 00e04c96d842
local-user 00e04c96d842@default password cipher 00e04c96d842
local-user 00e04c96d842@default service-type terminal ppp
#
interface Vlanif1
ip address 192.168.1.1 255.255.255.0
dhcp select interface
interface GigabitEthernet0/0/1
port link-type access
mac-authen
mac-authen domain default
Alarm Information
With AAA debugging enabled, the following information was captured:
May 20 2014 17:04:33.150.1+08:00 Quidway AAA/7/DEBUG:
AAA receive AAA_SRV_MSG_AUTHEN_REQ message from UCM module.
[Quidway]
May 20 2014 17:04:33.150.2+08:00 Quidway AAA/7/DEBUG:
    DestIndex:34 SrcIndex:34 Slot:9
    User:00e04c96d842 Password:*** MAC:00e0-4c96-d842
    Slot:0 SubSlot:0 Port:10 VLAN:1
    IP:255.255.255.255 AccessType:Unkown AuthenType:PAP
    AdminLevel:0 EapSize:0 AuthenCode:Invalid
    ulInterface:15 ChallengeLen:0 ChapID:0
    LineType:0 LineIndex:0 PortType:15
    AcctSessionId:Quidway00010000000001f20c84000034
[Quidway]
May 20 2014 17:04:33.150.3+08:00 Quidway AAA/7/DEBUG:
AAA_MAIN initiate NormalAuthenReq event to AAA_AUTHEN module.
    CID:17 Result:0 Info:182533888
[Quidway]
May 20 2014 17:04:33.150.4+08:00 Quidway AAA/7/DEBUG:
[AAA INFO]User authentication domain name is default
[Quidway]
May 20 2014 17:04:33.150.5+08:00 Quidway AAA/7/DEBUG:
[AAA INFO]No such local user exist, send to the next authen place.
[Quidway]
May 20 2014 17:04:33.150.6+08:00 Quidway AAA/7/DEBUG:
AAA send AAA_SRV_MSG_AUTHEN_ACK message to UCM module.
[Quidway]
May 20 2014 17:04:33.150.7+08:00 Quidway AAA/7/DEBUG:
    DestIndex:34 SrcIndex:34 Slot:4294967295
    Result:1 DomainIndex:0 ServiceScheme:65535
    AuthedPalace:2 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
    RTAcctInterval:4294967295 Priority:[255,255]
    AdminLevel:255 NextHop:4294967295
    EapSize:0 ReplyMessage:Local authentication is rejected.
TunnelType:0 MediumType:0 PrivateGroupID:
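Handling Process
Set the password in the local user database used for authentication to a fixed password that differs from the user name.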
mac-authen
mac-authen username macaddress format without-hyphen password cipher huawei123
mac-authen domain ifyu
#
aaa
authentication-scheme abc
domain ifyu
  authentication-scheme abc
local-user 00e04c96d842 password cipher huawei123
#

interface GigabitEthernet1/0/1
mac-authen
mac-authen domain ifyu
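Root Cause
As for why authentication only works with a fixed password, R&D explained that the security requirements of this software version do not allow a local user's password to be the same as its user name. MAC-based local authentication therefore fails when the configured user name and password are identical.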
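
A pre-deployment check for the condition described in the root cause, as an added example that is not part of the original case or any Huawei tooling: it scans a plaintext configuration draft for local-user entries whose password equals the user name. The two sample configurations are constructed from the commands shown above, and the check assumes passwords appear as typed, since display current-configuration on a device shows ciphertext.

```python
import re

# Constructed sample: the failing configuration from the case, passwords as typed.
FAILING_CONFIG = """\
aaa
 domain isp1
  authentication-scheme abc
 local-user 00e04c96d842@isp1 password cipher 00e04c96d842
 local-user 00e0-4c96-d842@isp1 password cipher 00e04c96d842
 local-user 00e04c96d842@default password cipher 00e04c96d842
"""

# Constructed sample: the working configuration from the handling section.
FIXED_CONFIG = """\
mac-authen username macaddress format without-hyphen password cipher huawei123
aaa
 local-user 00e04c96d842 password cipher huawei123
"""

LOCAL_USER = re.compile(
    r"^\s*local-user\s+(\S+)\s+password\s+cipher\s+(\S+)\s*$", re.IGNORECASE
)

def normalize(value):
    """Lower-case and drop MAC separators so 00e0-4c96-d842 == 00e04c96d842."""
    return re.sub(r"[-:.]", "", value).lower()

def find_password_equals_username(config_text):
    """Return (line_no, user) for local users whose password matches the name.

    Conservative by design: separators and case are ignored on both sides,
    so a hyphenated MAC user name with an unhyphenated password is flagged too.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = LOCAL_USER.match(line)
        if not match:
            continue
        user, password = match.groups()
        name = normalize(user.split("@", 1)[0])  # compare without the @domain part
        if normalize(password) == name:
            findings.append((line_no, user))
    return findings

if __name__ == "__main__":
    for label, cfg in (("failing", FAILING_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_password_equals_username(cfg)
        print(label, "->", hits or "no user name/password collisions")
```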
