NE40E: SSH and Telnet users authenticated via RADIUS are logged out after 10 seconds

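Published: 2015-04-17
Problem Description
The customer's network uses an NE40E router running V600R008. When the customer logs in to the NE40E over SSH or Telnet, RADIUS authentication succeeds, but the user is kicked offline 10 seconds later. An S5700 on the same live network that authenticates against the same RADIUS server does not have this problem.
Troubleshooting Process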

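Using debug radius packet, we found that the 10-second logout occurs because the NE40E receives a packet from the server telling it to log the user off after 10 seconds ([Session-Timeout(27)] [6 ] [10]). Kicking the user offline is the NE40E's correct response to this packet. Why, then, does the S5700 not have this problem? Investigation showed that the S5700 does not support responding to this packet, so the problem does not occur there.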

The detailed debug output is as follows:

<TEST-NE40E>telnet 127
Apr  1 2015 10:03:43 TEST-NE40E DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 16, the change loop count is 0, and the maximum number of records is 4095..
<TEST-NE40E>telnet 127.0.0.1
Trying 127.0.0.1 ...
Press CTRL+K to abort
Connected to 127.0.0.1 ...

Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

Login authentication


Username:hw_jiang
Password:
Apr  1 2015 10:03:50.990.1 TEST-NE40E RDS/7/DEBUG:
  Radius Sent a Packet
  Server Template: 0
  Server IP   : 202.94.242.100
  NAS IP      : 10.98.43.49
  Vpn-Instance: -
  Server Port : 1645
  NAS Port    : 1812
  Protocol: Standard
  Code    : Authentication request
  Len     : 220
  ID      : 5
  [User-Name(1)                       ] [10] [hw_jiang]
  [User-Password(2)                   ] [18] [******]
  [NAS-IP-Address(4)                  ] [6 ] [10.98.43.49]
  [Service-Type(6)                    ] [6 ] [6] [Administrative]
  [Framed-Protocol(7)                 ] [6 ] [6] [X.75 Synchronous]
  [Framed-IP-Address(8)               ] [6 ] [127.0.0.1]
  [NAS-Identifier(32)                 ] [12] [TEST-NE40E]
  [NAS-Port-Type(61)                  ] [6 ] [15] [Ethernet]
  [Login-IP-Host(14)                  ] [6 ] [127.0.0.1]
  [Acct-Session-Id(44)                ] [35] [TEST-NE00000000000000041aac278547]
  [Connect-Info(77)                   ] [12] [1000000000]
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number
      of current VTY users on line is 1.
      The current login time is 2015-04-01 10:03:51+00:00.
Info:  First time access.  Failed: 0

<TEST-NE40E>
Apr  1 2015 10:03:50.990.2 TEST-NE40E RDS/7/DEBUG:
  [HW-NAS-Startup-Time-Stamp(Huawei-59)] [6 ] [1427803124]
  [HW-IP-Host-Address(Huawei-60)      ] [29] [127.0.0.1 ff:ff:ff:ff:ff:ff]
  [HW-Connect-ID(Huawei-26)           ] [6 ] [278547]
  [HW-Version(Huawei-254)             ] [11] [Huawei NE]
  [HW-Product-ID(Huawei-255)          ] [4 ] [NE]
  [HW-Domain-Name(Huawei-138)         ] [15] [default_admin]
Apr  1 2015 10:03:51.0.1 TEST-NE40E RDS/7/DEBUG:
  Radius Received a Packet
  Server Template: 0
  Server IP   : 202.94.242.100
  NAS IP      : 10.98.43.49
  Vpn-Instance: -
  Server Port : 1645
  NAS Port    : 1812
  Protocol: Standard
  Code    : Authentication accept
  Len     : 105
  ID      : 5
  [Class(25)                          ] [61] [53 42 52 32 43 4c 84 ad 9e fb 82 ab f2 fb 9b 80 11 80 28 01 80 04 81 99 8c 86 80 02 80 0a 81 b4 9d eb f6 d3 a5 c2 ee b3 c0 12 80 0e 81 84 ad 9e fb 82 ab f2 fb 9b 81 be 87 8a 80 ]
  [HW-Exec-Privilege(Huawei-29)       ] [6 ] [15]
  [Service-Type(6)                    ] [6 ] [1] [Login]
  [Session-Timeout(27)                ] [6 ] [10]
Apr  1 2015 10:03:51 TEST-NE40E LINE/5/VTYUSERLOGIN:OID 1.3.6.1.4.1.2011.5.25.207.2.2 A user login. (UserIndex=34, UserName=hw_jiang, UserIP=127.0.0.1, UserChannel=VTY0)
<TEST-NE40E>
Info: Receive a message from AAA of cutting user.

Info: The max number of VTY users is 10, and the number
      of current VTY users on line is 0.
Apr  1 2015 10:04:01 TEST-NE40E LINE/5/VTYUSERLOGOUT:OID 1.3.6.1.4.1.2011.5.25.207.2.4 A user logout. (UserIndex=34, UserName=hw_jiang, UserIP=127.0.0.1, UserChannel=VTY0)
Info: The connection was closed by the remote host.
<TEST-NE40E>

Solution

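The 10-second disconnect is caused by the NE40E receiving and acting on the 10-second logout instruction sent by the customer's RADIUS server. The following commands can be configured so that the NE40E does not respond to this instruction.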

In the RADIUS group view:

radius-server attribute translate

radius-attribute disable Session-Timeout receive

 

After this configuration was applied, the problem was resolved.
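
To check a saved debug radius packet capture for the condition diagnosed above, the following added example (not part of the original case or of any Huawei tool) parses the debug format shown earlier and reports every Authentication accept whose Session-Timeout is below a threshold. The function names, the 60-second default threshold and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample, trimmed from the debug format shown in this case.
SAMPLE = """\
Apr  1 2015 10:03:50.990.1 TEST-NE40E RDS/7/DEBUG:
  Radius Sent a Packet
  Code    : Authentication request
  ID      : 5
  [User-Name(1)                       ] [10] [hw_jiang]
Apr  1 2015 10:03:51.0.1 TEST-NE40E RDS/7/DEBUG:
  Radius Received a Packet
  Code    : Authentication accept
  ID      : 5
  [Session-Timeout(27)                ] [6 ] [10]
"""

# [Name(type)   ] [len] [value]; only the first value bracket is captured.
ATTR = re.compile(r"^\s*\[([\w-]+)\(([\w-]+)\)\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*?)\]")
FIELD = re.compile(r"^\s*(Code|ID)\s*:\s*(.+?)\s*$")
DIRECTION = re.compile(r"^\s*Radius (Sent|Received) a Packet")

def parse_packets(text):
    """Split debug output into packets with direction, code, id and attrs."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := DIRECTION.match(line):
            cur = {"direction": m.group(1), "attrs": {}}
            packets.append(cur)
        elif cur is None:
            continue  # CLI noise before the first packet header
        elif m := FIELD.match(line):
            cur[m.group(1).lower()] = m.group(2)
        elif m := ATTR.match(line):
            cur["attrs"][m.group(1)] = m.group(4)
    return packets

def short_session_timeouts(text, min_seconds=60):
    """Return (user, packet id, timeout) for accepts below min_seconds."""
    users, hits = {}, []
    for p in parse_packets(text):
        if p["direction"] == "Sent" and "User-Name" in p["attrs"]:
            users[p.get("id")] = p["attrs"]["User-Name"]  # match reply by ID
        timeout = p["attrs"].get("Session-Timeout")
        if (p["direction"] == "Received" and p.get("code") == "Authentication accept"
                and timeout is not None and int(timeout) < min_seconds):
            hits.append((users.get(p.get("id")), p.get("id"), int(timeout)))
    return hits

if __name__ == "__main__":
    print(short_session_timeouts(SAMPLE))
```

Once radius-attribute disable Session-Timeout receive is configured, the NE40E no longer acts on this attribute, so a session limit that the server sets deliberately is also not enforced for that RADIUS group.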
