S5700-28C-EI switch (V200R005C00SPC300): periodic repeated authentication fault in the 802.1x authentication service

Published: 2015-02-10  Views: 163  Downloads: 0
Problem description

S5700EI version: V200R005C00SPC300. An S5700EI acting as the access-layer switch is configured for 802.1X authentication; the peer device is a DPtech TAC. The figure shows the site topology. The authentication configuration is as follows:

#
domain tac
#
dot1x enable
dot1x authentication-method eap
dot1x url http://25.20.200.12
dot1x free-ip 25.20.200.12 255.255.255.255
dot1x free-ip 25.20.200.4 255.255.255.255
dot1x free-ip 25.20.200.33 255.255.255.255
#
dhcp enable
#
radius-server template dp
 radius-server shared-key cipher 123456
 radius-server authentication 25.20.200.100 1812 weight 80
 radius-server authentication 25.200.200.107 1812 weight 40
 radius-server accounting 25.20.200.100 1813 weight 80
 radius-server accounting 25.200.200.107 1813 weight 40
 radius-server retransmit 1 timeout 10
 radius-server accounting-stop-packet resend 10
 radius-server dead-time 1
 undo radius-server user-name domain-included
#
aaa
 authentication-scheme dp
  authentication-mode radius
 accounting-scheme dp
  accounting-mode radius
 domain tac
  authentication-scheme dp
  accounting-scheme dp
  radius-server dp
#

After this configuration was completed, the DPtech TAC V200-B6656 client was installed on a PC. The client was found to log in again periodically, and the user's online records in the UMC unified management interface showed periodic, segmented online sessions.

Troubleshooting process

1. Suspected that accounting was not keeping the user online continuously, and added the following commands:

  accounting-scheme dp
  accounting-mode radius
  accounting start-fail online //keep the user online after accounting starts

  After testing, the periodic re-login still occurred.

2. Collected debug information. Based on the debug output, it seemed that the accounting function might not be matched; after removing the accounting function the problem still persisted.

3. Captured packets with Wireshark and found the following:

  <HWJ-5A-1>
  Dec 11 2014 18:50:09.230.6-05:13 HWJ-5A-1 DOT1X/7/DEBUG:
  [EAPOL-info] Received logoff packet.(MAC=dc0e-a1d8-a05c, Index=4294967295,
 CMIndex=61

This showed that the client itself was sending an EAPOL-Logoff packet, which caused the user to go offline. After contacting the DPtech engineer and checking the server, a 900 s keepalive (keep-alive duration) setting was found: within that period our switch must actively send online information to the server, and if none is received the session is taken offline and the user has to re-authenticate and log in again. The problem was located.
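The debug records above are what makes this fault visible on the switch side: the same MAC sends an EAPOL-Logoff at a fixed spacing equal to the server keepalive. The following added example (not from the case or from Huawei or DPtech) parses DOT1X debug records in the two-line form shown on this page, groups the logoffs per MAC, and flags any client whose logoffs recur at roughly a given period. The sample records are constructed: the case's MAC is reused with three logoffs 15 minutes apart, and a second MAC (0011-2233-4455) with a single logoff is invented for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Record layout as printed on the page: a header line carrying the timestamp,
# hostname and module, then the EAPOL message on the following line.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})\S* +(?P<host>\S+) +DOT1X/\d/DEBUG:"
)
LOGOFF_RE = re.compile(
    r"Received logoff packet\.\(MAC=(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})"
)

# Constructed sample input: the MAC from the case logging off every 900 s,
# plus one unrelated, invented MAC that logs off once.
SAMPLE_DEBUG = """\
Dec 11 2014 18:35:09.230.6-05:13 HWJ-5A-1 DOT1X/7/DEBUG:
 [EAPOL-info] Received logoff packet.(MAC=dc0e-a1d8-a05c, Index=4294967295, CMIndex=61)
Dec 11 2014 18:41:00.000.1-05:13 HWJ-5A-1 DOT1X/7/DEBUG:
 [EAPOL-info] Received logoff packet.(MAC=0011-2233-4455, Index=4294967295, CMIndex=62)
Dec 11 2014 18:50:09.230.6-05:13 HWJ-5A-1 DOT1X/7/DEBUG:
 [EAPOL-info] Received logoff packet.(MAC=dc0e-a1d8-a05c, Index=4294967295, CMIndex=61)
Dec 11 2014 19:05:09.230.6-05:13 HWJ-5A-1 DOT1X/7/DEBUG:
 [EAPOL-info] Received logoff packet.(MAC=dc0e-a1d8-a05c, Index=4294967295, CMIndex=61)
"""


def parse_logoffs(text):
    """Return {mac: [datetime, ...]} for every 'Received logoff packet' record."""
    events = defaultdict(list)
    pending_ts = None
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            # Sub-second digits and the trailing offset are dropped; only
            # whole seconds are needed to measure the spacing of logoffs.
            pending_ts = datetime.strptime(header.group("ts"), "%b %d %Y %H:%M:%S")
            continue
        logoff = LOGOFF_RE.search(line)
        if logoff and pending_ts is not None:
            events[logoff.group("mac")].append(pending_ts)
            pending_ts = None
    return dict(events)


def logoff_intervals(text):
    """Seconds between consecutive logoffs, per MAC, in time order."""
    intervals = {}
    for mac, times in parse_logoffs(text).items():
        times.sort()
        intervals[mac] = [(later - earlier).total_seconds()
                          for earlier, later in zip(times, times[1:])]
    return intervals


def periodic_logoffs(text, period_s, tolerance_s=30, min_repeats=2):
    """MACs whose logoffs recur at roughly period_s (e.g. the server keepalive).

    A client that the server ages out every keepalive period is reported with
    its observed gaps; a user who logs off once, or at irregular times, is not.
    """
    flagged = {}
    for mac, gaps in logoff_intervals(text).items():
        if len(gaps) >= min_repeats and all(abs(g - period_s) <= tolerance_s for g in gaps):
            flagged[mac] = gaps
    return flagged


if __name__ == "__main__":
    # With the 900 s keepalive from the case, only the repeating client is flagged.
    for mac, gaps in periodic_logoffs(SAMPLE_DEBUG, 900).items():
        print(f"{mac}: logoff every {gaps} s, matches keepalive-driven re-login")
```

Run the same check over a real `display logbuffer` or terminal capture with the keepalive value the RADIUS server administrator reports; a MAC whose logoff spacing tracks that value points at missing interim accounting rather than at the user or the supplicant.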

Solution

Consulting the product documentation showed that the accounting realtime command enables real-time accounting for the current accounting scheme and sets the real-time accounting interval. By default, real-time accounting is not enabled and there is no real-time accounting interval.

After discussion with the DPtech engineer, an interval of 3 minutes was agreed to be appropriate, and the following commands were added:

accounting-scheme dp
accounting-mode radius
accounting realtime 3
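To make the interaction between the switch's accounting interval and the server's keepalive concrete, here is an added example (not part of the case and not DPtech's or Huawei's code). It models a RADIUS accounting server that ages out any session it has not received an Accounting-Start or Interim-Update for within the keepalive window, and a switch that sends interim updates only when real-time accounting is enabled. The 900 s keepalive and the 3-minute interval come from the case; the server's ageing logic, the one-second simulation clock and the assumption that every age-out forces one client re-login are simplifications of the real behaviour.

```python
from dataclasses import dataclass, field

# Values taken from the case: the TAC server drops a session after 900 s
# without an accounting packet, and the fix was "accounting realtime 3".
SERVER_KEEPALIVE_S = 900
FIX_REALTIME_MIN = 3


@dataclass
class AccountingServer:
    """Simplified model (an assumption, not DPtech's actual logic) of a RADIUS
    accounting server that ages out sessions it has not heard from within
    keepalive_s seconds."""
    keepalive_s: int
    last_seen: dict = field(default_factory=dict)   # session -> time of last Start/Interim-Update
    aged_out: list = field(default_factory=list)    # times at which a session was dropped

    def receive(self, t, session, pkt_type):
        if pkt_type in ("Start", "Interim-Update"):
            self.last_seen[session] = t
        elif pkt_type == "Stop":
            self.last_seen.pop(session, None)

    def tick(self, t):
        """Age out silent sessions; return True if any session was dropped at time t."""
        dropped = [s for s, seen in self.last_seen.items() if t - seen >= self.keepalive_s]
        for s in dropped:
            del self.last_seen[s]
            self.aged_out.append(t)
        return bool(dropped)


def simulate(realtime_min, keepalive_s=SERVER_KEEPALIVE_S, duration_s=3600):
    """Run one 802.1X client for duration_s seconds against the model server.

    realtime_min is the 'accounting realtime' interval in minutes; 0 stands for
    the default (no interim accounting). Each age-out is treated as one forced
    re-login: the client re-authenticates and the switch sends a fresh
    Accounting-Start. Returns the list of age-out times in seconds.
    """
    server = AccountingServer(keepalive_s)
    step = realtime_min * 60 if realtime_min > 0 else None
    session = 0
    server.receive(0, session, "Start")
    next_update = step
    for t in range(1, duration_s + 1):
        if step is not None and t == next_update:
            server.receive(t, session, "Interim-Update")
            next_update += step
        if server.tick(t):
            session += 1                               # client re-authenticates
            server.receive(t, session, "Start")
            next_update = t + step if step is not None else None
    return server.aged_out


def relogins_per_hour(realtime_min, keepalive_s=SERVER_KEEPALIVE_S):
    """Number of keepalive-driven re-logins one client suffers in an hour."""
    return len(simulate(realtime_min, keepalive_s, duration_s=3600))


if __name__ == "__main__":
    print("default (no realtime accounting):", relogins_per_hour(0), "re-logins/hour")
    print(f"accounting realtime {FIX_REALTIME_MIN}:", relogins_per_hour(FIX_REALTIME_MIN), "re-logins/hour")
    # An interval longer than the keepalive does not help either.
    print("accounting realtime 16:", relogins_per_hour(16), "re-logins/hour")
```

The model reproduces the symptom from the case: with the default there are four drops per hour at 900 s spacing, matching the segmented online records in UMC, while a 3-minute interval keeps the session continuously refreshed. It also shows that the interval must be shorter than the server keepalive; lengthening it past the keepalive brings the fault straight back, so the value should be agreed with whoever runs the RADIUS server rather than chosen on the switch alone.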

Problem solved.
