S9300 with HWTACACS local authentication: user is disconnected abnormally after authenticating successfully

Published: 2015-06-02

Problem description

An S9300 is configured for HWTACACS authentication with local fallback (authentication-mode hwtacacs local). The HWTACACS server has not been built yet. During testing, local authentication succeeds, but the user is then disconnected abnormally a moment later.

The relevant authentication configuration is as follows:

aaa
 authentication-scheme etacs
  authentication-mode hwtacacs local
 authorization-scheme etacs
  authorization-mode hwtacacs local
 accounting-scheme etacs
  accounting-mode hwtacacs
 recording-scheme etacs
  recording-mode hwtacacs etacs
 cmd recording-scheme etacs
 domain default
 domain default_admin
  authentication-scheme etacs
  accounting-scheme etacs
  authorization-scheme etacs
  hwtacacs-server etacs
 local-user admin password cipher %$%$jO,{ETjNWP9fzp$Z>fY7Qqh_%$%$
 local-user admin privilege level 15
 local-user admin service-type telnet

A Telnet login test succeeds:

Username:admin
Password:
Info: The max number of VTY users is 10, and the number
      of current VTY users on line is 1.
      The current login time is 2015-05-22 15:16:12.
<TH_S9312_AS>
<TH_S9312_AS>

Info: Receive a message from AAA of cutting user.    (the user is cut off here)

Debugging of the authentication process:

[TH_S9312_AS-diagnose]debugging aaa all

 [AAA MSG]AAA->UCM:AAA_SRV_MSG_AUTHEN_ACK
    DestIndex:16005 SrcIndex:16005 Slot:4294967295
    Result:1 DomainIndex:1 ServiceScheme:65535
    AuthedPalace:0 VLAN:4294967295 IsCallBackVerify:0 IsCallbackUser:0
    IfSessionTimeout:0 IfRemanentVolume:0 IfIdleCut:0
    SessionTimeout:4294967295 RemanentVolume:4294967295 IdleTimeout:4294967295
    EAPSessionTimeout:4294967295 EAPPasswordRetry:4294967295
    RTAcctInterval:4294967295 Priority:[255,255]
    AdminLevel:255 NextHop:4294967295
    EapSize:0 ReplyMessage:Local authentication is rejected.
    TunnelType:0 MediumType:0 PrivateGroupID:
May 22 2015 15:15:42+08:00 TH_S9312_AS %%01SHELL/4/LOGINFAILED(l)[2]:Failed to login. (Ip=10.253.100.217, UserName=admin, Times=2, AccessType=TELNET)
May 22 2015 15:15:50.540.1+08:00 TH_S9312_AS AAA/7/DEBUG:

Root cause

The accounting scheme etacs, which is bound to domain default_admin, is configured with accounting-mode hwtacacs and nothing else. When the HWTACACS server is unreachable, authentication falls back to local and succeeds, but accounting has no fallback: the accounting-start request to the HWTACACS server fails, and because the scheme's accounting start-fail policy is at its default (offline), AAA tells the user manager to cut the user. That is the "Receive a message from AAA of cutting user" message that appears right after the successful login.

Note that the debug excerpt above was captured at 15:15:42, before the successful login at 15:16:12, and records an earlier rejected local login attempt (LOGINFAILED, Times=2); the disconnect itself is visible only through the cutting-user message.

Solution

It is recommended that the customer configure the accounting scheme so that a failed accounting-start does not take the user offline. The command must be entered in the scheme that domain default_admin actually uses (etacs); entering it under a scheme with a different name would only create a new, unbound scheme and leave the problem in place:

[Quidway-aaa] accounting-scheme etacs
[Quidway-aaa-accounting-etacs] accounting start-fail online

Caveat: with start-fail online, a session opened while the HWTACACS server is down runs with no server-side accounting or command records until the server becomes reachable, and authorization has also fallen back to local (authorization-mode hwtacacs local), so the session is governed by the local user's privilege level 15. This is acceptable as a temporary measure while the server is being built; once the server is up, confirm that accounting records for new logins are actually reaching it.
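The misconfiguration in this case can be caught by auditing the aaa block before a server outage exposes it. The following Python script is an added example, not Huawei code or output from the case: it parses the indentation-based aaa section and flags every domain whose accounting scheme is remote-only (hwtacacs or radius) with accounting start-fail left at its default of offline, noting when the authentication scheme can fall back to local. The sample configurations are constructed from the configuration above (scheme etacs, domain default_admin); the parser and the assumption that a domain without an explicit accounting-scheme uses the built-in default scheme (accounting-mode none) are the example's own.

```python
"""Audit a Huawei VRP 'aaa' block for the trap in this case: authentication
falls back to local when the HWTACACS server is down, but accounting is
HWTACACS-only with 'accounting start-fail' at its default (offline), so the
freshly authenticated user is cut.

Added example; parses constructed config text, not a live S9300.
"""
import re
from dataclasses import dataclass, field

REMOTE_MODES = {"hwtacacs", "radius"}
SCHEME_RE = re.compile(r"^(authentication|authorization|accounting)-scheme$")


@dataclass
class Scheme:
    modes: list = field(default_factory=list)
    start_fail_online: bool = False  # VRP default is 'offline'


def parse_aaa(config: str):
    """Return (schemes, domains): {(kind, name): Scheme}, {domain: {kind: name}}.
    One leading space = child of 'aaa'; two = child of a scheme or domain."""
    schemes, domains = {}, {}
    in_aaa, current = False, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if indent == 0:                      # a new top-level block starts
            in_aaa, current = words[0] == "aaa", None
            continue
        if not in_aaa:
            continue
        if indent == 1:                      # scheme, domain, local-user, ...
            current = None
            m = SCHEME_RE.match(words[0])
            if m and len(words) == 2:
                current = ("scheme", m.group(1), words[1])
                schemes.setdefault((m.group(1), words[1]), Scheme())
            elif words[0] == "domain" and len(words) == 2:
                current = ("domain", words[1])
                domains.setdefault(words[1], {})
            continue
        if current is None:
            continue
        if current[0] == "scheme":           # attribute of the current scheme
            scheme = schemes[current[1:]]
            if words[0] == f"{current[1]}-mode":
                scheme.modes = words[1:]
            elif words[:2] == ["accounting", "start-fail"] and len(words) == 3:
                scheme.start_fail_online = words[2] == "online"
        else:                                # scheme binding inside a domain
            m = SCHEME_RE.match(words[0])
            if m and len(words) == 2:
                domains[current[1]][m.group(1)] = words[1]
    return schemes, domains


def audit_aaa(config: str):
    """List domains whose users would be cut after a local-fallback login."""
    schemes, domains = parse_aaa(config)
    findings = []
    for domain, bound in domains.items():
        acct_name = bound.get("accounting")
        if acct_name is None:
            # Assumption: no accounting-scheme means the built-in 'default'
            # scheme (accounting-mode none), which has nothing to fail.
            continue
        acct = schemes.get(("accounting", acct_name), Scheme())
        if not set(acct.modes) & REMOTE_MODES or acct.start_fail_online:
            continue
        authn = schemes.get(("authentication", bound.get("authentication", "")), Scheme())
        local_fallback = (len(authn.modes) > 1 and authn.modes[0] in REMOTE_MODES
                          and "local" in authn.modes)
        msg = (f"domain {domain}: accounting-scheme {acct_name} is "
               f"'{' '.join(acct.modes)}' with start-fail offline (default)")
        if local_fallback:
            msg += "; authentication falls back to local, so users who log in while the server is down will be cut"
        findings.append(msg)
    return findings


# Constructed from the configuration in the case (local-user lines omitted).
BROKEN_CONFIG = """\
aaa
 authentication-scheme etacs
  authentication-mode hwtacacs local
 authorization-scheme etacs
  authorization-mode hwtacacs local
 accounting-scheme etacs
  accounting-mode hwtacacs
 recording-scheme etacs
  recording-mode hwtacacs etacs
 cmd recording-scheme etacs
 domain default
 domain default_admin
  authentication-scheme etacs
  accounting-scheme etacs
  authorization-scheme etacs
  hwtacacs-server etacs
"""

# The same configuration with the recommended fix applied to scheme etacs.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "  accounting-mode hwtacacs\n",
    "  accounting-mode hwtacacs\n  accounting start-fail online\n")

if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit_aaa(cfg) or ["no findings"])
```

Running the script reports one finding for domain default_admin in the original configuration and none once accounting start-fail online is present in scheme etacs. Domain default produces nothing because it binds no schemes.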

END