AR2200 router (V200R003C01SPC900): local backup authentication for HWTACACS authentication in AAA does not take effect

Published: 2015-08-20
Problem description

To simplify the description, the network topology is as follows:

Configure the HWTACACS server template on the AR2200:

#
hwtacacs-server template ht
 hwtacacs-server authentication 192.168.2.30
 hwtacacs-server authorization 192.168.2.30
 hwtacacs-server accounting 192.168.2.30
 hwtacacs-server source-ip 192.168.2.29
 hwtacacs-server shared-key cipher %$%$X6IK!,/C(STPR\8a;<9F-"q0%$%$
#

In the AAA view, configure HWTACACS authentication, authorization and accounting, with local authentication as the backup authentication method.

#
aaa
 authentication-scheme default
 authentication-scheme auth
  authentication-mode hwtacacs local
 authorization-scheme default
 authorization-scheme autho
  authorization-mode hwtacacs local
 accounting-scheme default
 accounting-scheme acc
  accounting-mode hwtacacs
 domain default
 domain default_admin
  authentication-scheme auth
  accounting-scheme acc
  authorization-scheme autho
  hwtacacs-server ht
 local-user huawei password cipher huawei
 local-user huawei privilege level 15
 local-user huawei service-type telnet
#

The AR's HWTACACS server is unreachable: as shown in the topology, the AR is connected only to the SW device. Telnet from the SW to the AR device; after the username and password are entered the connection succeeds, but the session is immediately rejected by the remote end and forced offline.

Troubleshooting process

(1) Telnet from the SW to the AR device:

<S5700>telnet 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2 ...
Login authentication

Username:huawei
Password:
  -----------------------------------------------------------------------------
  User last login information:
  -----------------------------------------------------------------------------
  Access Type: Telnet
  IP-Address : 10.1.1.1
  Time       : 2015-08-18 18:05:37+00:00
  -----------------------------------------------------------------------------
<Router>

  Configuration console exit, please retry to log on

Info: The connection was closed by the remote host.
<S5700>

This shows that the AR can be reached by telnet and that local authentication has been used for access authentication. Immediately after authentication succeeds, however, the user is forcibly logged off by the remote end.

(2) Enable the debugging switch on the AR device:

<Router>
Aug 18 2015 19:01:26+00:00 Router LINE/4/USERLOGIN:OID 1.3.6.1.4.1.2011.5.25.207.2.2 A user login. (UserIndex=129, UserName=huawei, UserIP=10.1.1.1, UserChannel=VTY0)
<Router>

This shows that a user has successfully logged in.

(3) Change the authentication and authorization schemes directly to local authentication, leaving the accounting mode unchanged:

 authentication-scheme auth
  authentication-mode local
 authorization-scheme default
 authorization-scheme autho
  authorization-mode local
 accounting-scheme default
 accounting-scheme acc
  accounting-mode hwtacacs

Telnet again from the SW to the AR device: the result is the same. After the username and password are entered, login succeeds but the session is immediately forced offline.

(4) Restore the authentication and authorization schemes of the domain (authentication: primary hwtacacs, backup local), but remove the hwtacacs accounting scheme from the domain:

 domain default_admin
  authentication-scheme auth
  accounting-scheme acc  (delete this command)
  authorization-scheme autho
  hwtacacs-server ht

Repeat the telnet connection; this time it succeeds:

<S5700>telnet 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2 ...
Login authentication

Username:huawei
Password:
  -----------------------------------------------------------------------------
  User last login information:
  -----------------------------------------------------------------------------
  Access Type: Telnet
  IP-Address : 10.1.1.1
  Time       : 2015-08-18 19:02:04+00:00
  -----------------------------------------------------------------------------
<Router>
<Router>
<Router>

On the AR2200, one user can now be seen online.

Root cause

After the user is successfully logged in via the backup authentication method (local authentication), the session enters the default_admin domain. The accounting mode configured under that domain is hwtacacs, but the HWTACACS server is unreachable at that moment, so the user is forcibly logged off again.

Solution

Delete the accounting scheme bound under the domain, or change it to the default accounting scheme; the device can then be logged into remotely via local authentication.

Suggestions and summary

In a live network, when HWTACACS is used as the primary authentication method with local authentication as the backup, you must take into account that, with HWTACACS authentication, authorization and accounting configured, login via local authentication may fail when the HWTACACS server is unreachable.

If temporary remote login to the device is needed to work around an emergency, the configuration can be changed as in the authentication-scheme modifications above.
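The combination that causes this case (authentication with a local backup behind a remote server, accounting that can only be done by that remote server) can be caught by a configuration review before the server is ever unreachable. The following Python script is an added example written for this page; it is not Huawei code or a Huawei tool. It parses an "aaa" block in the style shown above and flags every domain with that combination. The sample block is a constructed copy of the case configuration; the assumption that an untouched "default" authentication scheme is local and an untouched "default" accounting scheme is none reflects the platform defaults as understood by the editor, and the handling of a "radius" mode generalises beyond the page's hwtacacs-only case.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample (editor's copy of the case's AAA block, not taken from a
# live device): domain default_admin still binds accounting-scheme 'acc', whose
# mode is hwtacacs, while authentication falls back to local.
SAMPLE_AAA = """\
aaa
 authentication-scheme default
 authentication-scheme auth
  authentication-mode hwtacacs local
 authorization-scheme default
 authorization-scheme autho
  authorization-mode hwtacacs local
 accounting-scheme default
 accounting-scheme acc
  accounting-mode hwtacacs
 domain default
 domain default_admin
  authentication-scheme auth
  accounting-scheme acc
  authorization-scheme autho
  hwtacacs-server ht
 local-user huawei password cipher huawei
 local-user huawei privilege level 15
 local-user huawei service-type telnet
"""

# The case's fix: the accounting-scheme binding is removed from the domain, so
# the domain falls back to the default accounting scheme.
FIXED_AAA = SAMPLE_AAA.replace("  accounting-scheme acc\n", "")

SCHEME_KINDS = ("authentication-scheme", "authorization-scheme",
                "accounting-scheme", "domain")
REMOTE_MODES = {"radius", "hwtacacs"}

# Assumption: an unmodified 'default' authentication scheme is local and an
# unmodified 'default' accounting scheme is none (platform defaults as the
# editor understands them).
DEFAULT_MODES = {"authentication-scheme": ["local"],
                 "accounting-scheme": ["none"]}
MODE_KEYWORD = {"authentication-scheme": "authentication-mode",
                "accounting-scheme": "accounting-mode"}


def parse_aaa(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Split an 'aaa' block into {kind: {name: [sub-command lines]}}.

    One leading space opens a scheme or domain, two spaces are its
    sub-commands; 'aaa', '#' and local-user lines are ignored by this check.
    """
    sections: Dict[str, Dict[str, List[str]]] = {k: {} for k in SCHEME_KINDS}
    current: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("aaa", "#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = stripped.split()
        if indent == 1:
            if words[0] in SCHEME_KINDS and len(words) > 1:
                sections[words[0]].setdefault(words[1], [])
                current = (words[0], words[1])
            else:
                current = None
        elif indent >= 2 and current is not None:
            sections[current[0]][current[1]].append(stripped)
    return sections


def bound_scheme(domain_lines: List[str], kind: str) -> str:
    """Name of the scheme of 'kind' bound in a domain; 'default' if unset."""
    for line in domain_lines:
        words = line.split()
        if words[0] == kind and len(words) > 1:
            return words[1]
    return "default"


def scheme_modes(sections, kind: str, name: str) -> List[str]:
    """Mode list of a scheme, e.g. ['hwtacacs', 'local']; the assumed
    platform default if the scheme has no explicit mode line."""
    for line in sections[kind].get(name, []):
        words = line.split()
        if words[0] == MODE_KEYWORD[kind]:
            return words[1:]
    return DEFAULT_MODES[kind]


def audit_domains(text: str) -> List[Tuple[str, str, str]]:
    """Return (domain, auth scheme, accounting scheme) for every domain whose
    authentication has a local backup behind a remote server but whose
    accounting depends entirely on a remote server."""
    sections = parse_aaa(text)
    findings = []
    for domain, lines in sections["domain"].items():
        auth = bound_scheme(lines, "authentication-scheme")
        acct = bound_scheme(lines, "accounting-scheme")
        auth_modes = scheme_modes(sections, "authentication-scheme", auth)
        acct_modes = scheme_modes(sections, "accounting-scheme", acct)
        local_backup = auth_modes[0] in REMOTE_MODES and "local" in auth_modes
        remote_only_acct = (bool(REMOTE_MODES & set(acct_modes))
                            and "none" not in acct_modes)
        if local_backup and remote_only_acct:
            findings.append((domain, auth, acct))
    return findings


if __name__ == "__main__":
    for domain, auth, acct in audit_domains(SAMPLE_AAA):
        print(f"domain {domain}: authentication-scheme {auth} falls back to "
              f"local, but accounting-scheme {acct} needs a reachable server")
    print("after removing the domain's accounting-scheme:",
          audit_domains(FIXED_AAA))
```

Run against the case configuration the script reports default_admin with schemes auth and acc; run against the corrected block (accounting-scheme binding removed from the domain, as in step 4) it reports nothing. Domains that bind no accounting scheme at all are treated as using the default scheme, which is why the page's fix clears the finding.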

END