User still cannot log in to an S5700 after passing RADIUS authentication

Published: 2015-07-21  Views: 1089  Downloads: 0
Problem description
The user logs in to the S5700 switch over SSH, and the switch is configured to authenticate the login through RADIUS. The RADIUS authentication server shows the user as successfully authenticated, yet the login still fails. Troubleshooting showed the cause to be an incorrect Login-Service attribute in the packet the RADIUS server sends back.
Alarm information
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.330.1-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Finish processing Au once, result: 1
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.330.2-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Failure, method: , partial: 0
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.1-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Finish processing Au once, sub2 fsm: 1, sub3 fsm: 1, result: 1
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.2-05:13 GFR-H5700-MGSE14A SSH/7/AUTH_EVENT:SSH authentication event occurs. Finish Au once, change the fsm, sub2 fsm: 1, sub3 fsm: 1, result: 1
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.3-05:13 GFR-H5700-MGSE14A SSH/7/DISCONNECT:The connection is closed by SSH server, current FSM is SSH_Main_SSHProcess.
<GFR-H5700-MGSE14A>
Jul 12 2000 01:26:46.340.4-05:13 GFR-H5700-MGSE14A SSH/7/FSM_MOVE:FSM moved from SSH_Main_SSHProcess to SSH_Main_Disconnect.
Handling process
Debug output shows that the user's access type is SSH, but the server sent Login-Service = telnet(0). The two do not match, so the login fails.

Main configuration for reference:

#
radius-server template travelsky
radius-server shared-key cipher %@%@\XXoN.b3654./!M|Gp4D*e0A%@%@
radius-server authentication 10.6.177.230 1812 source ip-address 10.6.112.214 weight 80
radius-server accounting 10.6.177.231 1813 source ip-address 10.6.112.214 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme default
authentication-mode radius local
authorization-scheme default
accounting-scheme default
accounting-mode radius
domain default
radius-server travelsky
authentication-scheme default
accounting-scheme default  // these two lines reference the default schemes, so they are not displayed after being configured
domain default_admin
radius-server travelsky
#
stelnet server enable
ssh authentication-type default password // the default SSH authentication type is password
ssh user koup
ssh user koup authentication-type password // sets the authentication type for this user; if the user is also to be configured locally on the switch, this command is mandatory
ssh user koup service-type stelnet
ssh client first-time enable
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
Root cause
The user's access type is SSH, but the Login-Service attribute in the packet sent by the AAA authentication server is telnet(0). Because the two do not match, the login fails.
Solution
1. Have the server either not send the Login-Service attribute at all, or send the value that matches the access method the user actually logs in with.
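To make the mismatch concrete, the following Python example (added here; it is not code from the case or from Huawei) decodes the attribute list of a RADIUS Access-Accept and checks the Login-Service attribute (type 15, RFC 2865) against the access method the user actually used. The Access-Accept is constructed inline for the user name koup from this case, and the Telnet value 0 is the one the server sent; the vendor's Login-Service code for SSH is not stated on this page, so it is an assumption the caller passes in as ssh_code rather than a value taken from the page.

```python
import struct

# RADIUS packet code and attribute types from RFC 2865
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_LOGIN_SERVICE = 15
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Login-Service values defined in RFC 2865 section 5.15; 0 (Telnet) is the
# value the server in this case returned for a user who connected over SSH
LOGIN_SERVICE_NAMES = {0: "Telnet", 1: "Rlogin", 2: "TCP Clear", 3: "PortMaster",
                       4: "LAT", 5: "X25-PAD", 6: "TCP Clear Quiet"}
LOGIN_SERVICE_TELNET = 0


def parse_attributes(payload):
    """Walk the Type/Length/Value list that follows the RADIUS header."""
    attrs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        # Length counts the Type and Length bytes too, so 2 is the minimum
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, offset))
        attrs.append((atype, bytes(payload[offset + 2:offset + alen])))
        offset += alen
    return attrs


def parse_access_accept(packet):
    """Validate the header of an Access-Accept and return its attribute list."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("length field %d does not match packet size %d" % (length, len(packet)))
    return parse_attributes(packet[HEADER_LEN:length])


def build_access_accept(identifier, attrs):
    """Build a constructed Access-Accept for testing. The Authenticator is left
    zeroed: this example decodes attributes and does not verify the Response
    Authenticator, which a real NAS must do with the shared key."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


def login_service_value(attrs):
    """Return the integer Login-Service value, or None when the attribute is absent."""
    for atype, value in attrs:
        if atype == ATTR_LOGIN_SERVICE:
            if len(value) != 4:
                raise ValueError("Login-Service must carry a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def check_login_service(attrs, access_method, ssh_code=None):
    """Decide whether the Login-Service in an Access-Accept matches how the user
    connected. access_method is "ssh" or "telnet". ssh_code is the vendor's
    Login-Service value for SSH; the case does not state it, so it is supplied
    by the caller (an assumption, not a value from the page)."""
    value = login_service_value(attrs)
    if value is None:
        return True, "Login-Service absent; the device keeps the session's own access type"
    name = LOGIN_SERVICE_NAMES.get(value, "unknown")
    if access_method == "telnet" and value == LOGIN_SERVICE_TELNET:
        return True, "Login-Service=Telnet(0) matches a Telnet session"
    if access_method == "ssh" and ssh_code is not None and value == ssh_code:
        return True, "Login-Service=%d matches the SSH code supplied by the caller" % value
    return False, "Login-Service=%s(%d) does not match a %s session; expect the login to be refused" % (
        name, value, access_method)


if __name__ == "__main__":
    # Constructed sample: the server accepts user koup but tags the session Login-Service=Telnet(0)
    accept = build_access_accept(7, [(ATTR_USER_NAME, b"koup"),
                                     (ATTR_LOGIN_SERVICE, struct.pack("!I", LOGIN_SERVICE_TELNET))])
    ok, why = check_login_service(parse_access_accept(accept), "ssh")
    print("SSH session:", "OK" if ok else "MISMATCH", "-", why)
    # The same Access-Accept without the attribute (solution 1 on this page) passes
    fixed = build_access_accept(8, [(ATTR_USER_NAME, b"koup")])
    ok, why = check_login_service(parse_access_accept(fixed), "ssh")
    print("SSH session:", "OK" if ok else "MISMATCH", "-", why)
```

Running the block prints a MISMATCH for the packet carrying Login-Service=Telnet(0) and OK for the packet that omits the attribute, which is the state the first solution below puts the server in. The length checks in parse_attributes matter: an attribute whose Length byte runs past the packet is the kind of malformed reply a NAS should reject rather than read beyond.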

2. Suppress the attribute on the device with the command line:

In the RADIUS server template view, configure the following commands:

radius-server attribute translate
radius-attribute disable Login-Service receive

END