Web authentication fails after entering the username and password on the authentication page (case 1)

Published: 2014-12-22
Problem description
Scenario: the DNS server IP address is 172.X.X.200; the web (portal) server and the RADIUS server share the IP address 172.X.X.100.

Background configuration
# BAS interface configuration
interface GigabitEthernet4/0/1.1
user-vlan 3000
bas
#
  access-type layer2-subscriber default-domain pre-authentication web_pre authentication web
  authentication-method web

Loopback interface configuration
interface LoopBack0
ip address 1.1.1.1 255.255.255.255

User group configuration
user-group web

RADIUS server communication configuration
#                                        
radius-server source interface LoopBack0
radius-server group radius
radius-server authentication 172.X.X.100 1812 
radius-server accounting 172.X.X.100 1813 
radius-server shared-key testing1234
radius-server source interface LoopBack0
undo radius-server user-name domain-included
#
#
radius-server authorization 172.X.X.100 shared-key testing1234 server-group radius
#

Local address pool configuration
ip pool web bas local
gateway 10.x.x.1 255.255.255.0
section 0 10.x.x.2 10.x.x.254
dns-server 172.X.X.200


Pre-authentication domain and authentication domain configuration
 domain web
  authentication-scheme radius
  accounting-scheme radius
  radius-server group radius
domain web_pre
  authentication-scheme default0         
  accounting-scheme default0
  ip-pool web
  user-group web
  web-server 172.X.X.100 
  web-server url http://172.X.X.100/portal/index.jsp

QoS configuration (redirect policy for unauthenticated users)
acl number 6000
step 10
rule 10 permit ip source user-group web destination ip-address 127.0.0.1 0
rule 20 permit ip source ip-address 127.0.0.1 0 destination user-group web
rule 30 permit ip source user-group web destination ip-address 172.X.X.100 0
rule 40 permit ip source ip-address 172.X.X.100 0 destination user-group web
rule 50 permit ip source user-group web destination ip-address 172.X.X.200 0
rule 60 permit ip source ip-address 172.X.X.200 0 destination user-group web
#
acl number 6001
rule 10 permit tcp source user-group web destination-port eq www
rule 20 permit tcp source user-group web destination-port eq 8080
rule 30 permit ip source user-group web
#
traffic classifier web_deny operator or
if-match acl 6001
traffic classifier web_permit operator or
if-match acl 6000
#
traffic behavior permit
traffic behavior redirect
http-redirect
#                                        
traffic policy global
share-mode
classifier web_permit behavior permit
classifier web_deny behavior redirect
#
#
traffic-policy global inbound
#

Web (portal) server communication configuration
web-auth-server source interface LoopBack0 
web-auth-server version v2
web-auth-server 172.X.X.100 port 50100 key simple testing1234  

Symptom:
The PC can open the authentication page directly, and browsing to www.baidu.com also pops up the authentication page, but after the username and password are entered nothing happens; authentication in the post-authentication domain fails.
Handling process
Analysis and troubleshooting
Check the user authentication flow step by step to locate the failing point.
Set up a trace on the PC's MAC address and enable web debugging. Only a single message is printed, shown below:
[ME60]
Dec  x 2014 14:xx:xx.430.1 ME60 WEB/7/DEBUG:
Received packet from socket (length = 44 Vrf = 0):
Version         : 2
Type            : authentication request
Method          : pap
SerialNo        : 19
RequestID       : 0
UserIP          : 10.0.0.254
ErrorCode       : 0
AttributeNumber : 2 // This is the authentication request that the web server relayed to the BAS. The next step would be the exchange between the BAS and the web server that is validated with the shared key, and no further debug output appears after this message.

The web authentication packet statistics were then checked. Every authentication attempt increments the Authenticator Error counter by one: 25 authentication requests, 25 authenticator errors, 25 challenges dropped. This confirms that the shared-key check on packets from the web server is failing, so the BAS drops the request before it ever contacts the RADIUS server.
<ME60-1>disp web statistics packet
-------------------------------------------------------------------------
  Received Packets                          Accept     Drop
-------------------------------------------------------------------------
    Received from Server
      Challenge Request                    :0          25
      Authentication Request               :25         0
      Authenticator Error                  :25
      Drop Packet Total                    :25
Root cause
The shared key configured on the BAS (web-auth-server ... key simple testing1234) does not match the shared key configured on the web server.
Solution
Configure the same shared key on both sides. After the change, run disp web statistics packet again and confirm that the Authenticator Error and Drop Packet Total counters stop increasing while Authentication Request Accept increases with each login attempt.
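The counters above come from the BAS checking the MD5 authenticator on every Portal v2 packet before it touches RADIUS. The following is an added example, not part of the original case or of any vendor code, that models that check: the web server signs a REQ_AUTH packet with its key, the BAS recomputes the authenticator with its own key, and a mismatch lands in the same "Authenticator Error" / "Drop Packet Total" buckets as in the display output. The header layout, the type/method codes (REQ_AUTH = 3, PAP = 1) and the attribute numbers (UserName = 1, PassWord = 2) follow the commonly published Portal 2.0 specification and are assumptions to verify against your vendor's protocol document; SerialNo 19, RequestID 0 and UserIP 10.0.0.254 are taken from the debug output on this page, while the username, password and the mismatched key are constructed.

```python
"""Portal protocol v2 authenticator check, modelled on the Authenticator
Error counters in the case above.  Layout and constants are assumed from the
commonly published Portal 2.0 spec; verify them against your vendor's document.
"""
import hashlib
import hmac
import ipaddress
import struct

# 16-byte fixed header: Ver Type Method Rsvd SerialNo ReqID UserIP UserPort ErrCode AttrNum
HEADER_FMT = "!BBBBHH4sHBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16
AUTH_LEN = 16                               # MD5 authenticator directly after the header

REQ_AUTH = 0x03        # "authentication request" (assumed code)
PAP = 0x01             # Method field value for PAP (assumed code)
ATTR_USERNAME = 0x01   # assumed attribute type
ATTR_PASSWORD = 0x02   # assumed attribute type


def pack_attrs(attrs):
    """Attributes are TLVs: type(1) length(1, counting the 2 TLV header bytes) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def authenticator(header, attr_bytes, shared_key):
    """MD5 over header, 16 zero bytes where the authenticator sits, attributes, key."""
    return hashlib.md5(header + bytes(AUTH_LEN) + attr_bytes + shared_key).digest()


def build_req_auth(serial, req_id, user_ip, username, password, shared_key):
    """What the web server sends to the BAS after the user submits the login form."""
    attr_bytes = pack_attrs([(ATTR_USERNAME, username), (ATTR_PASSWORD, password)])
    header = struct.pack(HEADER_FMT, 2, REQ_AUTH, PAP, 0, serial, req_id,
                         ipaddress.IPv4Address(user_ip).packed, 0, 0, 2)
    return header + authenticator(header, attr_bytes, shared_key) + attr_bytes


def parse_header(pkt):
    """Decode the fixed header into the fields the ME60 debug output prints."""
    f = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"Version": f[0], "Type": f[1], "Method": f[2], "SerialNo": f[4],
            "RequestID": f[5], "UserIP": str(ipaddress.IPv4Address(f[6])),
            "ErrorCode": f[8], "AttributeNumber": f[9]}


def bas_receive(pkt, bas_key, stats):
    """BAS side: verify the authenticator with the locally configured key.

    A failed check is counted and the packet dropped; RADIUS is never consulted,
    which is why the trace in the case shows nothing after the received request.
    """
    header = pkt[:HEADER_LEN]
    received = pkt[HEADER_LEN:HEADER_LEN + AUTH_LEN]
    attr_bytes = pkt[HEADER_LEN + AUTH_LEN:]
    if not hmac.compare_digest(received, authenticator(header, attr_bytes, bas_key)):
        stats["Authenticator Error"] += 1
        stats["Drop Packet Total"] += 1
        return False
    stats["Authentication Request Accept"] += 1
    return True


def simulate_logins(web_key, bas_key, attempts=25):
    """Replay `attempts` login submissions and return the BAS packet counters."""
    stats = {"Authentication Request Accept": 0, "Authenticator Error": 0,
             "Drop Packet Total": 0}
    for serial in range(1, attempts + 1):
        # constructed user credentials; the IP is the one from the debug output
        pkt = build_req_auth(serial, 0, "10.0.0.254", b"user1", b"Passw0rd", web_key)
        bas_receive(pkt, bas_key, stats)
    return stats


if __name__ == "__main__":
    print(simulate_logins(b"testing1234", b"testing1234"))  # keys match: 25 accepted
    print(simulate_logins(b"testing1234", b"Testing1234"))  # mismatch: 25 errors, 25 drops
```

With matching keys every request is accepted; with a key that differs in a single character the BAS records one Authenticator Error and one dropped packet per login attempt, exactly the pattern in the statistics above. Because the key is mixed into the MD5 input rather than sent on the wire, nothing in the packet itself reveals which side is misconfigured; the counters on the BAS are the only signal.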

END