ME60 strict RADIUS attribute checking prevents users from being kicked offline

Published: 2015-07-29
Problem description
The ME60 could not kick some users with overdue payments offline.
Handling process

Running debug radius all showed the following:

<XZ-DX-BAS-1.MAN.ME60>disp access-user  username  35091128265 

  ------------------------------------------------------------------------------

  UserID  Username                Interface      IP address       MAC

          Vlan          IPv6 address             Access type

  ------------------------------------------------------------------------------

  65549   35091128265             GE1/0/1.20     -                a857-4e48-8fcf

          202/-         -                        PPPoE          

  ------------------------------------------------------------------------------

  Normal users                       : 1

  RUI Local users                    : 0

  RUI Remote users                   : 0

  Total users                        : 1

<XZ-DX-BAS-1.MAN.ME60>

Jul 28 2015 11:28:39.140.1+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:

  Radius Received a Packet

  Server Template: 0

  Server IP   : 219.149.150.9

  NAS IP      : 59.48.70.30

  Vpn-Instance: -

  Server Port : 1812

  NAS Port    : 3799

  Protocol: Standard

  Code    : disconnect request

  Len     : 74

  ID      : 248

  [User-Name(1)                       ] [13] [35091128265]

  [Framed-IP-Address(8)               ] [6 ] [255.255.255.255]

  [Acct-Session-Id(44)                ] [35] [XZ-DX-B010010202000004dff9a065549]

<XZ-DX-BAS-1.MAN.ME60>

Jul 28 2015 11:28:39.140.2+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:

  Radius Sent a Packet

  Server IP   : 219.149.150.9

  NAS IP      : 59.48.70.30

  Vpn-Instance: -

  Server Port : 1812

  NAS Port    : 3799

  Protocol: Standard

  Code    : disconnect nak

  Len     : 80

  ID      : 248

  [User-Name(1)                       ] [13] [35091128265]

  [Framed-IP-Address(8)               ] [6 ] [255.255.255.255]

  [Acct-Session-Id(44)                ] [35] [XZ-DX-B010010202000004dff9a065549]

  [Error-Cause(101)                   ] [6 ] [404] [Invalid Request]

 

A user who can be kicked offline successfully:

<XZ-DX-BAS-1.MAN.ME60>

Jul 28 2015 11:41:20.310.1+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:

  Radius Received a Packet

  Server Template: 0

  Server IP   : 219.149.150.9

  NAS IP      : 59.48.70.30

  Vpn-Instance: -

  Server Port : 1812

  NAS Port    : 3799

  Protocol: Standard

  Code    : disconnect request

  Len     : 77

  ID      : 108

  [User-Name(1)                       ] [16] [n03503322000lb]

  [Framed-IP-Address(8)               ] [6 ] [10.1.19.116]

  [Acct-Session-Id(44)                ] [35] [XZ-DX-B02201227401119945c04000310]

<XZ-DX-BAS-1.MAN.ME60>

Jul 28 2015 11:41:20.310.2+08:00 XZ-DX-BAS-1.MAN.ME60 RDS/7/DEBUG:

  Radius Sent a Packet

  Server IP   : 219.149.150.9

  NAS IP      : 59.48.70.30

  Vpn-Instance: -

  Server Port : 1812

  NAS Port    : 3799

  Protocol: Standard

  Code    : disconnect ack

  Len     : 99

  ID      : 108

  [User-Name(1)                       ] [16] [n03503322000lb]

  [Framed-IP-Address(8)               ] [6 ] [10.1.19.116]

  [Acct-Session-Id(44)                ] [35] [XZ-DX-B02201227401119945c04000310]

  [NAS-Identifier(32)                 ] [22] [XZ-DX-BAS-1.MAN.ME60]

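Comparing the two traces above: after receiving the disconnect request packet, the ME60 sent a disconnect nak instead of the normal disconnect ack. Further comparison shows that the user IP (Framed-IP-Address) received by the ME60 was 255.255.255.255 rather than the user's normal IP address.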

Root cause

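Because the ME60 has added a strict check, if the IP address carried in the DM message does not match the local one, the DM message is considered invalid and a 404 error is returned.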

 

Solution

Add a new RADIUS server group, disable the Framed-IP-Address attribute in it, and then bind the server group to the authorization server:

radius-server group fo

radius-server attribute translate

radius-attribute disable Framed-IP-Address IP 255.255.255.255 receive

 

radius-server authorization x.x.x.x   shared-key xxxxxx  server-group fo     -----associate the server-group with the authorization server
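
The strict check and the effect of the workaround can be modelled as below. This is an added example, not Huawei's code or ME60 output: the session table, the function names, and the way a disabled attribute is dropped on receive are assumptions built from the debug output above, and the request authenticator is not verified.

```python
import socket
import struct

# RADIUS codes, attribute types and Error-Cause values for Disconnect Messages (RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP, ACCT_SESSION_ID = 1, 8, 44
INVALID_REQUEST, SESSION_NOT_FOUND = 404, 503

# Constructed session table: Acct-Session-Id -> (user, IPv4), taken from the traces above.
# The first user shows "-" in the IP address column, modelled here as None.
SESSIONS = {
    "XZ-DX-B010010202000004dff9a065549": ("35091128265", None),
    "XZ-DX-B02201227401119945c04000310": ("n03503322000lb", "10.1.19.116"),
}

def build_dm(ident, user, ip, session_id):
    """Encode a Disconnect-Request with a zeroed authenticator (assumption: not checked)."""
    attrs = b""
    for typ, val in ((USER_NAME, user.encode()), (FRAMED_IP, socket.inet_aton(ip)),
                     (ACCT_SESSION_ID, session_id.encode())):
        attrs += bytes([typ, len(val) + 2]) + val
    return struct.pack("!BBH16s", DISCONNECT_REQUEST, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_attrs(packet):
    """Decode the type-length-value attributes, rejecting malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if code != DISCONNECT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Disconnect-Request")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def handle_dm(packet, sessions, disabled_on_receive=frozenset()):
    """Return (reply code, Error-Cause); attributes disabled on receive are ignored."""
    attrs = {t: v for t, v in parse_attrs(packet).items() if t not in disabled_on_receive}
    sess = sessions.get(attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace"))
    if sess is None:
        return DISCONNECT_NAK, SESSION_NOT_FOUND
    user, ip = sess
    if USER_NAME in attrs and attrs[USER_NAME].decode(errors="replace") != user:
        return DISCONNECT_NAK, INVALID_REQUEST
    fip = attrs.get(FRAMED_IP)
    if fip is not None and (len(fip) != 4 or socket.inet_ntoa(fip) != ip):
        return DISCONNECT_NAK, INVALID_REQUEST  # strict check: mismatching IP
    return DISCONNECT_ACK, None
```

In this model the remaining attributes (User-Name, Acct-Session-Id) still have to match the local session after Framed-IP-Address is disabled, so the request is still tied to one specific session.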
