ME60: a user in the pre-authentication domain cannot access resources permitted by the ACL

Published: 2015-04-10
Problem description
While the ME60 performs Portal authentication, a user who has obtained an IP address and is still in the pre-authentication domain cannot access resources that are explicitly permitted in the pre-authentication domain's ACL.
Handling process

While the ME60 performs Portal authentication, a user who has obtained an IP address and is still in the pre-authentication domain cannot access resources permitted in the pre-authentication domain's ACL. For example, a user assigned the address 211.87.102.41 cannot reach 222.192.6.1 before authentication, but can reach it once authentication succeeds. The user-group attribute is delivered by RADIUS, as shown below:

 [NJNU_SY_ME60]dis access-user ip-address 211.87.102.41
  -------------------------------------------------------------------
  User access index             : 213242
  State                         : Used
  User name                     : NJNU_SY_ME60:sy_ykt_server
  Domain name                   : sy_ykt_server                //pre-authentication domain
  User backup state             : No
  RUI user state                : -
  User access interface         : GigabitEthernet5/0/0.2515    //access interface
  User access PeVlan/CeVlan     : 2515/-
  User access slot              : 5
  User MAC                      : b8ac-6f56-7b02
  User IP address               : 211.87.102.41
  User IP netmask               : 255.255.255.255
  User gateway address          : 211.87.96.1
  User Primary-DNS              : 202.119.104.7
  User Secondary-DNS            : 202.119.104.31
  User Authen IP Type           : ipv4/-/-
  User Basic IP Type            : -/-/-
  Server IP                     : 211.87.96.1    
  User lease                    : 2015-04-09 12:32:28---2015-04-10 12:32:28
  Remain lease                  : 85108
  User MSIDSN name              : -
  EAP user                      : No
  MD5 end                       : No
  MTU                           : 1500   
  IPv6 MTU                      : 1500
  Vpn-Instance                  : -
  User access type              : IPOE
  User authentication type      : No authentication
  RADIUS-server-template        : jds
  Server-template of second acct: -
  Agent-Circuit-Id              : -
  Agent-Remote-Id               : -
  Access-line-id Information(dhcpv4 option82): -
  Current authen method         : RADIUS authentication
  Authen result                 : Success
  Current author method         : Idle
  Author result                 : Success
  Action flag                   : Idle
  Authen state                  : Authed
  Author state                  : Idle
  Configured accounting method  : RADIUS accounting
  Quota-out                     : Offline
  Current accounting method     : RADIUS accounting
  Realtime-accounting-switch            : Open     
  Realtime-accounting-interval(sec)     : 600      
  Realtime-accounting-send-update       : Yes                
  Realtime-accounting-traffic-update    : No                 
  Access start time             : 2015-04-09 12:32:28
  Accounting start time         : 2015-04-09 12:32:28
  Online time (h:min:sec)       : 00:23:15
  Accounting state              : Accounting
  Idle-cut direction            : Both
  Idle-cut-data (time,rate,idle): 0 sec, 0 kbyte/min, 0 min 0 sec
  Ipv4 Realtime speed           : 0 kbyte/min
  Ipv4 Realtime speed inbound   : 0 kbyte/min
  Ipv4 Realtime speed outbound  : 0 kbyte/min
  Link bandwidth auto adapt     : Disable
  UpPriority                    : Unchangeable
  DownPriority                  : Unchangeable
  Multicast-profile             : -
  Multicast-profile-ipv6        : -
  Max Multicast List Number     : 4
  IGMP enable                   : Yes
  User-Group                    : pre_ipv4(Radius)                         //user-group attribute delivered by RADIUS
  Next-hop                      : -
  Policy-route-IPV6-address     : -
  If flow info contain l2-head  : Yes
  Flow-Statistic-Up             : Yes
  Flow-Statistic-Down           : Yes
  Up packets number(high,low)   : (0,27)
  Up bytes number(high,low)     : (0,2247)
  Down packets number(high,low) : (0,28) 
  Down bytes number(high,low)   : (0,3742)
  IPV6 Up packets number(high,low)     : (0,0)
  IPV6 Up bytes number(high,low)       : (0,0)
  IPV6 Down packets number(high,low)   : (0,0)
  IPV6 Down bytes number(high,low)     : (0,0)

 

A user in the pre-authentication domain cannot ping 222.192.6.1, even though this address range is present in the pre-authentication domain's ACL resource list (rule 35 covers 222.192.6.0/23, which includes 222.192.6.1):

acl number 6200
 description pre_v4
 rule 0 permit ip source user-group pre_ipv4 destination user-group ok_ipv4
 rule 1 permit ip source user-group pre_ipv4 destination user-group pre_ipv4
 rule 5 permit tcp source user-group pre_ipv4 destination-port eq domain
 rule 25 permit ip source user-group pre_ipv4 destination ip-address 211.65.216.0 0.0.0.255
 rule 30 permit ip source user-group pre_ipv4 destination ip-address 202.119.108.0 0.0.0.255
 rule 34 permit ip source user-group pre_ipv4 destination ip-address 222.192.6.2 0
 rule 35 permit ip source user-group pre_ipv4 destination ip-address 222.192.6.0 0.0.1.255
 rule 36 permit ip source ip-address 222.192.6.0 0.0.1.255 destination user-group pre_ipv4
 rule 40 permit ip source user-group pre_ipv4 destination ip-address 211.65.217.0 0.0.0.255
 rule 45 permit ip source user-group pre_ipv4 destination ip-address 210.29.137.0 0.0.0.255

Looking at the configuration, 222.192.6.1 belongs to the server segment, which is in its own domain, sy_server (it is configured as the gateway address of the static users below). The servers are statically bound users with neither authentication nor accounting. Web authentication is the customer's own system, a Portal implemented by policy redirection, which is not relevant to this problem. The server domain and the static-user bindings are configured as follows:

domain sy_server
  authentication-scheme default0
  accounting-scheme default0
  ip-pool sy_server

static-user 222.192.6.2 222.192.6.2 gateway 222.192.6.1 interface GigabitEthernet5/0/0.400 vlan 376 qinq 2538 domain-name sy_server detect
static-user 222.192.6.5 222.192.6.5 gateway 222.192.6.1 interface GigabitEthernet5/0/0.400 vlan 376 qinq 2536 domain-name sy_server detect
static-user 222.192.6.6 222.192.6.8 gateway 222.192.6.1 interface GigabitEthernet5/0/0.400 vlan 376 qinq 2516 domain-name sy_server detect
static-user 222.192.6.9 222.192.6.12 gateway 222.192.6.1 interface GigabitEthernet5/0/0.400 vlan 376 qinq 2521 domain-name sy_server detect
static-user 222.192.6.13 222.192.6.13 gateway 222.192.6.1 interface GigabitEthernet5/0/0.400 vlan 376 qinq 2531 domain-name sy_server detect
static-user 222.192.6.14 222.192.6.14 gateway 222.192.6.1 interface GigabitEthernet5/0/0.400 vlan 376 qinq 2518 domain-name sy_server detect

Because the servers are themselves users of a domain, the destination-IP rules in ACL 6200 do not match them. Binding a user group to domain sy_server and adding a rule for that user group under ACL 6200 resolved the problem. The added rule:

rule 210 permit ip source user-group pre_ipv4 destination user-group sy_server

Root cause

The server address 222.192.6.1 also belongs to an access domain (sy_server) rather than sitting behind an ordinary routed interface. For traffic towards users of a domain, the ME60 applies policy control by user group, so the pre-authentication ACL has to permit the destination by user-group rather than by destination IP address.

Solution
Bind a user group to domain sy_server, then add a rule for that user group under ACL 6200; this resolves the problem.

As follows

rule 210 permit ip source user-group pre_ipv4 destination user-group sy_server                      //pre_ipv4 is the pre-authentication user group, sy_server is the user group of the domain the servers belong to
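The complete change the solution implies, as an added configuration example that is not part of the original case. The case page shows only the new ACL rule; the `user-group` creation in system view, the `user-group` binding under the AAA domain, and the display commands used as checks are assumed from standard ME60 syntax, and the user-group name sy_server is assumed to match the domain name as the rule above does. The example also assumes ACL 6200 is already applied to the pre-authentication domain through a traffic policy, as the case implies.

```text
# System view: create the user group that the UCL rule will reference.
# (assumption: the group is named after the domain, as in rule 210)
user-group sy_server
#
# AAA view: bind the group to the server domain, so every user brought
# online in sy_server (the static-user entries) carries a User-Group
# attribute of sy_server, exactly as the pre-authentication users carry
# pre_ipv4 from RADIUS.
aaa
 domain sy_server
  authentication-scheme default0
  accounting-scheme default0
  ip-pool sy_server
  user-group sy_server
#
# UCL 6200 (the pre-authentication ACL): permit pre-authentication users
# towards server-domain users by user group, not by destination IP.
acl number 6200
 description pre_v4
 rule 210 permit ip source user-group pre_ipv4 destination user-group sy_server
#
# Checks after the change (assumed display commands):
# display access-user domain sy_server   -> each static user now shows User-Group : sy_server
# display access-user ip-address 211.87.102.41
#                                        -> the test user still shows User-Group : pre_ipv4(Radius)
# display acl 6200                       -> rule 210 is present; ping 222.192.6.1 from the
#                                           pre-authentication user and confirm the match
#                                           counter of rule 210 increases
```

Two points worth keeping in mind when applying this. First, the source of this traffic is an unauthenticated user, so the pre-authentication ACL is the exposed surface: rule 210 permits all IP traffic from every pre_ipv4 user to every user in the sy_server group, which is broader than reaching the one address the case needed. If only the Portal or a few servers must be reachable before authentication, put just those static users in the group, or restrict the rule with `destination-port`, as rule 5 already does for DNS. Second, rule 36 permits the return direction by source IP address; if the server domain is ever given its own UCL with user-group matching, the reverse rule (source user-group sy_server, destination user-group pre_ipv4) will be needed there as well. The case itself required only rule 210.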

END